diff --git a/.github/labeler.yml b/.github/labeler.yml
deleted file mode 100644
index 7479f0456..000000000
--- a/.github/labeler.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-core-schema:
-- '*'
-- enums/*
-- events/*
-- includes/*
-- objects/*
-- profiles/*
-
-application:
-- events/application/*
-- events/application/**/*
-
-audit:
-- events/audit/*
-- events/audit/**/*
-
-cloud:
-- events/cloud/*
-- events/cloud/**/*
-
-database:
-- events/database/*
-- events/database/**/*
-
-findings:
-- events/findings/*
-- events/findings/**/*
-
-inventory:
-- events/inventory/*
-- events/inventory/**/*
-
-network:
-- events/network/*
-- events/network/**/*
-
-system:
-- events/system/*
-- events/system/**/*
-
-virtualization:
-- events/virtualization/*
-- events/virtualization/**/*
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index 2a8af7d52..24bf4c021 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -6,5 +6,4 @@
1. Did you add a single line summary of changes to `Unreleased` section in the [CHANGELOG.md](https://github.com/ocsf/ocsf-schema/blob/main/CHANGELOG.md) file?
2. Have you followed the [contribution guidelines](https://github.com/ocsf/ocsf-schema/blob/main/CONTRIBUTING.md)?
3. Did you run a local instance of the [ocsf-server](https://github.com/ocsf/ocsf-server) and ensure it ran without any errors/warnings?
-4. Have you assigned appropriate labels to the PR?
-5. Is your PR title in sync with the description?
+4. Is your PR title in sync with the description?
diff --git a/.github/workflows/deep-validate.yml b/.github/workflows/deep-validate.yml
index 0ddf0dfc8..45e4a4adc 100644
--- a/.github/workflows/deep-validate.yml
+++ b/.github/workflows/deep-validate.yml
@@ -20,7 +20,8 @@ jobs:
python-version: '3.11'
- name: Install validator
- run: python -m pip install 'ocsf-validator>=0.1.1,<0.2'
+ run: python -m pip install 'ocsf-validator>=0.2,<0.3'
- name: Run validator
- run: python -m ocsf_validator .
+ shell: bash
+ run: export FORCE_COLOR=1 && python -m ocsf_validator .
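Review bot: The install step on the new side still resolves `ocsf-validator>=0.2,<0.3` at run time, so any later 0.2.x upload to the package index runs in this workflow without anyone reviewing what changed. Pinning an exact release (`ocsf-validator==<reviewed 0.2.x version>`), or installing from a hashed requirements file with `pip install --require-hashes -r <requirements file>`, would make the CI input reproducible and auditable. As a style point, `FORCE_COLOR` can be set through a step-level `env:` map instead of `export FORCE_COLOR=1 &&`, which also makes the added `shell: bash` unnecessary. The job's trigger and token permissions are outside this hunk, so how far a bad validator release could reach cannot be judged from here.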
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 000000000..496ee2ca6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.DS_Store
\ No newline at end of file
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4dc4a23f7..4124e82d7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,7 +11,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
Thankyou! -->
-## [Unreleased]
+
### Misc
-->
+
+## [Unreleased]
+
+### Added
+* #### Event Classes
+ 1. Added `OSINT Inventory Info` event class to the Discovery category. #1154
+
+### Improved
+* #### Objects
+ 1. Added `phone_number` to `user` and `ldap_person` objects. #1155
+ 2. Added `has_mfa` to `user` object. #1155
+
+### Misc
+1. Added `user.uid` as an Observable type - `type_id: 31`. #1155
+2. Added `group.name` and `group.uid` as Observable types - `type_id: 32` and `type_id: 33`, respectively. #1155
+3. Added `account.name` and `account.uid` as Observable types - `type_id: 34` and `type_id: 35`, respectively. #1155
+4. Added `has_mfa` boolean_t to Dictionary. #1155
+5. Deprecate `project_uid`. #1166
+6. Added several new enums to `account.type_id`. #1166
+
+## [v1.3.0] - August 1st, 2024
+
### Added
+* #### Categories
+ 1. Added `Remediation` category. #1066
* #### Event Classes
- 1. Added `Data Security Finding` event class. - [#953](https://github.com/ocsf/ocsf-schema/pull/953)
+ 1. Added `Event Log Activity` event class to the System Activity category. #1014
+ 2. Added `Remediation Activity`, `File Remediation Activity`, `Process Remediation Activity`, `Network Remediation Activity` event classes to the Remediation category. #1066
+ 3. Added `Windows Service Activity` event class to the System Activity category via Windows extension. #1103
+ 4. Added `Software Inventory Info` event class to the Discovery category. #1134
+* #### Profiles
+ 1. Added `osint` Profile based on the `osint` object. #992
* #### Objects
- 1. Added new `data_security` object. - [#953](https://github.com/ocsf/ocsf-schema/pull/953)
+ 1. Added `d3fend`, `d3f_tactic`, `d3f_technique` MITRE objects. #1066
+ 2. Added `ja4_fingerprint` object. #834
+ 3. Added `ja4_fingerprint_list` as a list of `ja4_fingerprint` objects. #834
+ 4. Added `ticket` object. #1068
+ 5. Added `osint` object. #992
+ 6. Added `signatures` object, an array of `signature` objects. #992
+ 7. Added `whois` object. #992
+ 8. Added `domain_contact` and array-typed `domain_contacts` object for use with `whois` object. #992
+ 9. Added `Windows Service` object to the Windows extension. #1103
+ 10. Added `timespan` object. #1125
### Improved
+* #### Categories
+ n/a
+* #### Event Classes
+ 1. Added `file_result` to File Hosting Activity. #1045
+ 2. Added entries to `injection_type_id` enum (`Process Activity`) and `activity_id` enum (`Memory Activity`). #1060
+ 3. Added a `Restart`, `Enable`, `Disable`, and `Update` `activity_id` to the `Application Lifecycle` class. #1064
+ 4. Added `ja4_fingerprint_list` to base network event class. #834
+ 5. Added `ticket` to `Incident Finding` event class. #1068
+ 6. Added new activities `Enroll`, `Activate`, `Deactivate`, `Suspend`, and `Resume` to the `Entity Management` class. #1095
+ 7. Added new activity `Listen` to `Network Activity` and relax requirement of `src_endpoint`. #1147
+ 8. Added `state`, `state_id` to `Device Config State Change`. #1143
+ 9. Added `resources` attribute to `Vulnerability Finding` and `Compliance Finding`. #1150
+* #### Profiles
+ n/a
* #### Objects
- 1. Added two new enums to `confidentiality` object: `5 - Private` and `6 - Restricted` - [#953](https://github.com/ocsf/ocsf-schema/pull/953)
- 2. Expand `analytic.type_id` enum with descriptions and added several new enums to broaden the types of rules and use cases `analytic` can be used for - [#953](https://github.com/ocsf/ocsf-schema/pull/953)
- - `Fingerprinting`
- - `Tagging`
- - `Exact Data Match`
- - `Partial Data Match`
- - `Indexed Data Match`
+ 1. Added `ext` to `File` object. #1046
+ 2. Added `account`, `device`, `email`, `url`, `user` to `evidences` in detection finding. #1000
+ 3. Added `state_id`, `state` to `Digital Signature` object. #1069
+ 4. Added `domain` to `Uniform Resource Locator` object. #1096
+ 5. Added `reg_key` and `reg_value` to `Evidence Artifacts` object. #1078
+ 6. Added `type_id` and associated entity objects to `Managed Entity`. #1094
+ 7. Added `vendor_name`, `type`, `type_id` to object `package`. #1093
+ 8. Added `router`, `ids`, and `ips` entries to `type_id` enum in the `Endpoint` object. #1121
+ 9. Added `job` to `Evidence Artifacts` object. #1130
+ 10. Added `ip` to object `load_balancer`. #1138
+ 11. Added `cpe_name` and `hash` to `Software Package` object. #1142
+ 12. Added `avg_timespan` to the `kb_article` object. #1125
+ 13. Added `created_time`,`desc`, `short_desc`, `reputation`, `src_url` to `enrichment` object. #1149
+ 14. Added `compliance_references`, `compliance_standards` to the `compliance` object. #1110
+
+### Bugfixes
+1. Fixed the host profile construction in `patch_state` event class. #1087
+2. Removed the optional requirement overrides for `name` and `uid` in `_resource` as they are part of a constraint. #1087
+3. Fixed declarations of `data_lifecycle_state_id`, `integrity`, `opcode_id`, `risk_level`, and `analytic.type_id`. #1111
+
+### Deprecated
+1. Deprecated `resource` in `Vulnerability Finding` and `Compliance Finding` event classes in favor of `resources`. #1150
+
+### Breaking changes
+n/a
+### Misc
+1. Colorized validator output #1048
+ * Updated the GitHub workflow for the `ocsf-validator` to print colorized output.
+2. Clarify how to reference profiles in metadata #1056
+ * Updated the description of `metadata.profiles` to clarify the correct way to reference a profile in that list.
+3. Added a `gitignore` file. #1071
+4. New Extension registration for Cisco #1074
+5. Cleaned up MITRE trademarks and registrations for captions and descriptions.
+6. Declared enums in dictionary.json have sane "0" (Unknown) and "99" (Other) declarations and descriptions where appropriate #1111
+7. Adds support for `suppress_checks` controls in attributes to allow tools to automatically validate conventions #1063
+ * Updated several attributes that do not follow conventions to disable linting for them
+8. Added `credential_uid` as an Observable type - `type_id: 19`. #1137
+9. New Extension registration for US Gov #1140
+10. Enum definitions are now refactored such that generic enum descriptions have "See specific usage" in the description #1146
## [v1.2.0] - April 23rd, 2024
@@ -108,6 +192,8 @@ Thankyou! -->
7. Added a `Preauth` `activity_id` to the `Authentication` class. #1018
8. Added the `Security Control` profile to the `Datastore Activity` class. #1030
9. Added `risk_details` to Detection Finding. #1032
+ 10. Added `access_mask` to Entity Management class. #1090
+ 11. Added `access_list` to Entity Management class. #1090
* #### Profiles
n/a
@@ -145,6 +231,7 @@ Thankyou! -->
2. Deprecated `invoked_by` attribute in the `Actor` object in favor of `app_name`. #979.
### Breaking changes
+n/a
### Misc
1. New Extension registration for Sedara. #951
@@ -155,7 +242,7 @@ Thankyou! -->
* _**(New)**_ Dictionary attributes using `observable` property in attribute. This allows defining all occurrences of this attribute as an observable.
* _**(New)**_ Object-specific attributes using `observable` property class's attributes. This allows defining object attributes as observables _only_ within instances of this specific object.
* _**(New)**_ Event class-specific attributes using `observable` property class's attributes. This allows defining class attributes as observables _only_ within instances of this specific class.
- * _**(New)**_ Event class-specific attribute _paths_ using top-level `observables` property. The `observables` property holds an object mapping from a dotted attribute path to an observable `type_id`. This allows defining an observable _only_ within instances of this specific class, and only for the attributes at these paths, even for attributes that are within nested objects and arrays. This can also be used for top-level class attributes, which can be more convenient that defining a class attribute observable for classes that extend another, but don't otherwise change an attribute definition.
+ * _**(New)**_ Event class-specific attribute _paths_ using top-level `observables` property. The `observables` property holds an object mapping from an dotted attribute path to an observable `type_id`. This allows defining an observables _only_ within instances of this specific class, and only for the attributes at these paths, even for attributes that are within nested objects and arrays. This can also be used for top-level class attributes, which can be more convenient that defining a class attribute observable for classes that extend another, but don't otherwise change a attribute definition.
4. Metaschema improvements. #993
* Detect unexpected top-level properties in object and event class definitions. This was added at this point to detect invalid observable definitions: invalid `observable` property in event classes, and invalid `observables` property in objects.
* Remove hard-coded list of categories from `metaschema/categories.schema.json`, leaving this to the `ocsf-validator`. This change makes testing with alternate schemas that may add extra categories easier, as well as making it possible to validate private extensions that contain new categories.
diff --git a/categories.json b/categories.json
index 96435f83d..67116dcae 100644
--- a/categories.json
+++ b/categories.json
@@ -32,6 +32,11 @@
"caption": "Application Activity",
"description": "Application Activity events report detailed information about the behavior of applications and services.",
"uid": 6
+ },
+ "remediation": {
+ "caption": "Remediation",
+ "description": "Remediation events report the results of remediation commands targeting files, processes, and other objects.",
+ "uid": 7
}
}
}
diff --git a/dictionary.json b/dictionary.json
index 53c49b616..9cc89235f 100644
--- a/dictionary.json
+++ b/dictionary.json
@@ -6,14 +6,8 @@
"access_list": {
"caption": "Access List",
"description": "The list of requested access rights.",
- "is_array": true,
- "type": "string_t"
- },
- "auth_factors": {
- "caption": "Authentication Factors",
- "description": "Describes a category of methods used for identity verification in an authentication attempt.",
- "is_array": true,
- "type": "auth_factor"
+ "type": "string_t",
+ "is_array": true
},
"access_mask": {
"caption": "Access Mask",
@@ -50,27 +44,6 @@
"description": "An integer that denotes the acknowledgment result of the DCE/RPC call.",
"type": "integer_t"
},
- "activity_id": {
- "caption": "Activity ID",
- "description": "The normalized identifier of the activity that triggered the event.",
- "enum": {
- "99": {
- "caption": "Other",
- "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
- },
- "0": {
- "caption": "Unknown",
- "description": "The event activity is unknown."
- }
- },
- "sibling": "activity_name",
- "type": "integer_t"
- },
- "activity_name": {
- "caption": "Activity",
- "description": "The event activity name, as defined by the activity_id.",
- "type": "string_t"
- },
"action": {
"caption": "Action",
"description": "The normalized caption of 'action_id' or the source specific action.",
@@ -79,11 +52,9 @@
"action_id": {
"caption": "Action ID",
"description": "The normalized action taken by a control or other policy-based system leading to an outcome or disposition.",
+ "sibling": "action",
+ "type": "integer_t",
"enum": {
- "99": {
- "caption": "Other",
- "description": "The action was not mapped. See the action
attribute, which contains a data source specific value."
- },
"0": {
"caption": "Unknown",
"description": "The action was unknown."
@@ -95,10 +66,34 @@
"2": {
"caption": "Denied",
"description": "The attempted activity was denied."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The action was not mapped. See the action
attribute, which contains a data source specific value."
}
- },
+ }
+ },
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "suppress_checks": ["sibling_convention"],
+ "sibling": "activity_name",
"type": "integer_t",
- "sibling": "action"
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ }
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "type": "string_t"
},
"actor": {
"caption": "Actor",
@@ -113,14 +108,14 @@
"affected_code": {
"caption": "Affected Code",
"description": "List of Affected Code objects that describe details about code blocks identified as vulnerable.",
- "is_array": true,
- "type": "affected_code"
+ "type": "affected_code",
+ "is_array": true
},
"affected_packages": {
"caption": "Affected Software Packages",
"description": "List of software packages identified as affected by a vulnerability/vulnerabilities.",
- "is_array": true,
- "type": "affected_package"
+ "type": "affected_package",
+ "is_array": true
},
"agent": {
"caption": "Agent",
@@ -130,8 +125,8 @@
"agent_list": {
"caption": "Agent List",
"description": "A list of agent
objects associated with a device, endpoint, or resource.",
- "is_array": true,
- "type": "agent"
+ "type": "agent",
+ "is_array": true
},
"alert": {
"caption": "Client TLS Alert",
@@ -145,19 +140,19 @@
},
"algorithm_id": {
"caption": "Algorithm ID",
- "description": "The identifier of the normalized algorithm. See specific usage.",
+ "description": "The normalized identifier of the algorithm. See specific usage.",
+ "sibling": "algorithm",
+ "type": "integer_t",
"enum": {
- "99": {
- "caption": "Other",
- "description": "The algorithm is not mapped. See the algorithm
attribute, which contains a data source specific value."
- },
"0": {
"caption": "Unknown",
"description": "The algorithm is unknown."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The algorithm is not mapped. See the algorithm
attribute, which contains a data source specific value."
}
- },
- "sibling": "algorithm",
- "type": "integer_t"
+ }
},
"analytic": {
"caption": "Analytic",
@@ -167,8 +162,8 @@
"answers": {
"caption": "DNS Answer",
"description": "The Domain Name System (DNS) answers.",
- "is_array": true,
- "type": "dns_answer"
+ "type": "dns_answer",
+ "is_array": true
},
"api": {
"caption": "API Details",
@@ -213,8 +208,8 @@
"attacks": {
"caption": "MITRE ATT&CK® Details",
"description": "An array of MITRE ATT&CK® objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
- "is_array": true,
- "type": "attack"
+ "type": "attack",
+ "is_array": true
},
"attempt": {
"caption": "Attempt",
@@ -226,6 +221,12 @@
"description": "The bitmask value that represents the file attributes.",
"type": "integer_t"
},
+ "auth_factors": {
+ "caption": "Authentication Factors",
+ "description": "Describes a category of methods used for identity verification in an authentication attempt.",
+ "type": "auth_factor",
+ "is_array": true
+ },
"auth_protocol": {
"caption": "Auth Protocol",
"description": "The authentication protocol as defined by the caption of 'auth_protocol_id'. In the case of 'Other', it is defined by the event source.",
@@ -234,11 +235,9 @@
"auth_protocol_id": {
"caption": "Auth Protocol ID",
"description": "The normalized identifier of the authentication protocol used to create the user session.",
+ "sibling": "auth_protocol",
+ "type": "integer_t",
"enum": {
- "99": {
- "caption": "Other",
- "description": "The authentication protocol is not mapped. See the auth_protocol
attribute, which contains a data source specific value."
- },
"0": {
"caption": "Unknown",
"description": "The authentication protocol is unknown."
@@ -246,9 +245,6 @@
"1": {
"caption": "NTLM"
},
- "10": {
- "caption": "RADIUS"
- },
"2": {
"caption": "Kerberos"
},
@@ -272,10 +268,15 @@
},
"9": {
"caption": "EAP"
+ },
+ "10": {
+ "caption": "RADIUS"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The authentication protocol is not mapped. See the auth_protocol
attribute, which contains a data source specific value."
}
- },
- "sibling": "auth_protocol",
- "type": "integer_t"
+ }
},
"auth_type": {
"caption": "Authentication Type",
@@ -285,24 +286,24 @@
"auth_type_id": {
"caption": "Authentication Type ID",
"description": "The normalized identifier of the agreed upon authentication type. See specific usage.",
+ "sibling": "auth_type",
+ "type": "integer_t",
"enum": {
- "99": {
- "caption": "Other",
- "description": "The authentication type is not mapped. See the auth_type
attribute, which contains a data source specific value."
- },
"0": {
"caption": "Unknown",
"description": "The authentication type is unknown."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The authentication type is not mapped. See the auth_type
attribute, which contains a data source specific value."
}
- },
- "sibling": "auth_type",
- "type": "integer_t"
+ }
},
"authorizations": {
"caption": "Authorization Information",
"description": "Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.",
- "is_array": true,
- "type": "authorization"
+ "type": "authorization",
+ "is_array": true
},
"autonomous_system": {
"caption": "Autonomous System",
@@ -314,6 +315,11 @@
"description": "The unique identifier of the cloud autoscale configuration.",
"type": "string_t"
},
+ "avg_timespan": {
+ "caption": "Average Timespan",
+ "description": "The average time span of an activity.",
+ "type": "timespan"
+ },
"banner": {
"caption": "SMTP Banner",
"description": "The initial SMTP connection response that a messaging server receives after it connects to a email server.",
@@ -344,6 +350,11 @@
"description": "The BIOS version. For example: LENOVO G5ETA2WW (2.62)
.",
"type": "string_t"
},
+ "boot_time": {
+ "caption": "Boot Time",
+ "description": "The time when the system was booted.",
+ "type": "timestamp_t"
+ },
"boundary": {
"caption": "Boundary",
"description": "The boundary of the connection, normalized to the caption of 'boundary_id'. In the case of 'Other', it is defined by the event source.
For cloud connections, this translates to the traffic-boundary(same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External.
",
@@ -352,11 +363,9 @@
"boundary_id": {
"caption": "Boundary ID",
"description": "The normalized identifier of the boundary of the connection.
For cloud connections, this translates to the traffic-boundary (same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External.
",
+ "sibling": "boundary",
+ "type": "integer_t",
"enum": {
- "99": {
- "caption": "Other",
- "description": "The boundary is not mapped. See theboundary
attribute, which contains a data source specific value."
- },
"0": {
"caption": "Unknown",
"description": "The connection boundary is unknown."
@@ -365,14 +374,6 @@
"caption": "Localhost",
"description": "Local network traffic on the same endpoint."
},
- "10": {
- "caption": "Gateway VPC",
- "description": "Through a gateway VPC endpoint (Nitro-based instances only)"
- },
- "11": {
- "caption": "Internet Gateway",
- "description": "Through an Internet gateway (Nitro-based instances only)"
- },
"2": {
"caption": "Internal",
"description": "Internal network traffic between two endpoints inside network."
@@ -404,10 +405,20 @@
"9": {
"caption": "Local Gateway",
"description": "Through a local gateway"
+ },
+ "10": {
+ "caption": "Gateway VPC",
+ "description": "Through a gateway VPC endpoint (Nitro-based instances only)"
+ },
+ "11": {
+ "caption": "Internet Gateway",
+ "description": "Through an Internet gateway (Nitro-based instances only)"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The boundary is not mapped. See the boundary
attribute, which contains a data source specific value."
}
- },
- "sibling": "boundary",
- "type": "integer_t"
+ }
},
"build": {
"caption": "OS Build",
@@ -437,8 +448,8 @@
"capabilities": {
"caption": "Capabilities",
"description": "A list of RDP capabilities.",
- "is_array": true,
- "type": "string_t"
+ "type": "string_t",
+ "is_array": true
},
"caption": {
"caption": "Caption",
@@ -448,8 +459,8 @@
"categories": {
"caption": "Website Categorization",
"description": "The Website categorization names, as defined by category_ids
enum values.",
- "is_array": true,
- "type": "string_t"
+ "type": "string_t",
+ "is_array": true
},
"category": {
"caption": "Category",
@@ -465,11 +476,9 @@
"category_ids": {
"caption": "Website Categorization IDs",
"description": "The Website categorization identifiers.",
+ "sibling": "categories",
+ "type": "integer_t",
"enum": {
- "99": {
- "caption": "Other",
- "description": "The Domain/URL category is not mapped. See the categories
attribute, which contains a data source specific value."
- },
"0": {
"caption": "Unknown",
"description": "The Domain/URL category is unknown."
@@ -477,51 +486,27 @@
"1": {
"caption": "Adult/Mature Content"
},
- "101": {
- "caption": "Spam"
- },
- "102": {
- "caption": "Potentially Unwanted Software"
+ "3": {
+ "caption": "Pornography"
},
- "103": {
- "caption": "Dynamic DNS Host"
+ "4": {
+ "caption": "Sex Education"
},
- "106": {
- "caption": "E-Card/Invitations"
+ "5": {
+ "caption": "Intimate Apparel/Swimsuit"
},
- "107": {
- "caption": "Informational"
+ "6": {
+ "caption": "Nudity"
},
- "108": {
- "caption": "Computer/Information Security"
+ "7": {
+ "caption": "Extreme"
},
- "109": {
- "caption": "Internet Connected Devices"
+ "9": {
+ "caption": "Scam/Questionable/Illegal"
},
"11": {
"caption": "Gambling"
},
- "110": {
- "caption": "Internet Telephony"
- },
- "111": {
- "caption": "Online Meetings"
- },
- "112": {
- "caption": "Media Sharing"
- },
- "113": {
- "caption": "Radio/Audio Streams"
- },
- "114": {
- "caption": "TV/Video Streams"
- },
- "118": {
- "caption": "Piracy/Copyright Concerns"
- },
- "121": {
- "caption": "Marijuana"
- },
"14": {
"caption": "Violence/Hate/Racism"
},
@@ -564,9 +549,6 @@
"29": {
"caption": "Charitable Organizations"
},
- "3": {
- "caption": "Pornography"
- },
"30": {
"caption": "Art/Culture"
},
@@ -594,9 +576,6 @@
"38": {
"caption": "Technology/Internet"
},
- "4": {
- "caption": "Sex Education"
- },
"40": {
"caption": "Search Engines/Portals"
},
@@ -618,9 +597,6 @@
"49": {
"caption": "Reference"
},
- "5": {
- "caption": "Intimate Apparel/Swimsuit"
- },
"50": {
"caption": "Mixed Content/Potentially Adult"
},
@@ -651,9 +627,6 @@
"59": {
"caption": "Auctions"
},
- "6": {
- "caption": "Nudity"
- },
"60": {
"caption": "Real Estate"
},
@@ -678,9 +651,6 @@
"68": {
"caption": "Humor/Jokes"
},
- "7": {
- "caption": "Extreme"
- },
"71": {
"caption": "Software Downloads"
},
@@ -705,9 +675,6 @@
"89": {
"caption": "Web Hosting"
},
- "9": {
- "caption": "Scam/Questionable/Illegal"
- },
"90": {
"caption": "Uncategorized"
},
@@ -728,11 +695,55 @@
},
"98": {
"caption": "Placeholders"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The Domain/URL category is not mapped. See the categories
attribute, which contains a data source specific value."
+ },
+ "101": {
+ "caption": "Spam"
+ },
+ "102": {
+ "caption": "Potentially Unwanted Software"
+ },
+ "103": {
+ "caption": "Dynamic DNS Host"
+ },
+ "106": {
+ "caption": "E-Card/Invitations"
+ },
+ "107": {
+ "caption": "Informational"
+ },
+ "108": {
+ "caption": "Computer/Information Security"
+ },
+ "109": {
+ "caption": "Internet Connected Devices"
+ },
+ "110": {
+ "caption": "Internet Telephony"
+ },
+ "111": {
+ "caption": "Online Meetings"
+ },
+ "112": {
+ "caption": "Media Sharing"
+ },
+ "113": {
+ "caption": "Radio/Audio Streams"
+ },
+ "114": {
+ "caption": "TV/Video Streams"
+ },
+ "118": {
+ "caption": "Piracy/Copyright Concerns"
+ },
+ "121": {
+ "caption": "Marijuana"
}
},
- "is_array": true,
- "sibling": "categories",
- "type": "integer_t"
+ "is_array": true
},
"category_name": {
"caption": "Category",
@@ -748,8 +759,8 @@
"cc": {
"caption": "Cc",
"description": "The email header Cc values, as defined by RFC 5322.",
- "is_array": true,
- "type": "email_t"
+ "type": "email_t",
+ "is_array": true
},
"certificate": {
"caption": "Certificate",
@@ -759,8 +770,8 @@
"certificate_chain": {
"caption": "Certificate Chain",
"description": "The Chain of Certificate Serial Numbers field provides a chain of Certificate Issuer Serial Numbers leading to the Root Certificate Issuer.",
- "is_array": true,
- "type": "string_t"
+ "type": "string_t",
+ "is_array": true
},
"chassis": {
"caption": "Chassis",
@@ -787,27 +798,27 @@
"description": "The negotiated cipher suite.",
"type": "string_t"
},
- "cis_benchmark_result": {
- "caption": "CIS Benchmark Result",
- "description": "The CIS benchmark result.",
- "type": "cis_benchmark_result"
- },
"cis_benchmark": {
"caption": "CIS Benchmark",
"description": "The CIS Benchmark describes best practices for securely configuring IT systems, software, networks, and cloud infrastructure as defined by the Center for Internet Security (CIS).",
"type": "cis_benchmark"
},
- "cis_csc": {
- "caption": "CIS CSC",
- "description": "The CIS Critical Security Controls is a list of top 20 actions and practices an organization’s security team can take on such that cyber attacks or malware, are minimized and prevented.",
- "is_array": true,
- "type": "cis_csc"
+ "cis_benchmark_result": {
+ "caption": "CIS Benchmark Result",
+ "description": "The CIS benchmark result.",
+ "type": "cis_benchmark_result"
},
"cis_controls": {
"caption": "CIS Controls",
"description": "The CIS Critical Security Controls is a prioritized set of actions to protect your organization and data from cyber-attack vectors.",
- "is_array": true,
- "type": "cis_control"
+ "type": "cis_control",
+ "is_array": true
+ },
+ "cis_csc": {
+ "caption": "CIS CSC",
+ "description": "The CIS Critical Security Controls is a list of top 20 actions and practices an organization’s security team can take on such that cyber attacks or malware, are minimized and prevented.",
+ "type": "cis_csc",
+ "is_array": true
},
"city": {
"caption": "City",
@@ -830,36 +841,45 @@
"sibling": "class_name",
"type": "integer_t"
},
- "classification_ids": {
- "caption": "Classification IDs",
- "description": "The list of normalized identifiers of the malware classifications. Reference: STIX Malware Types ",
- "enum": {},
- "is_array": true,
- "sibling": "classifications",
- "type": "integer_t"
- },
"classification": {
"caption": "Classification",
"description": "The classification as defined by the vendor.",
"type": "string_t"
},
+ "classification_ids": {
+ "caption": "Classification IDs",
+ "description": "The list of normalized classification identifiers. See specific usage.",
+ "sibling": "classifications",
+ "type": "integer_t",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The classification is unknown."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The classification is not mapped. See the classifications
attribute, which contains a data source specific value."
+ }
+ },
+ "is_array": true
+ },
"classifications": {
"caption": "Classifications",
"description": "The list of malware classifications, normalized to the captions of the classification_id values. In the case of 'Other', they are defined by the event source.",
- "is_array": true,
- "type": "string_t"
+ "type": "string_t",
+ "is_array": true
},
"client_ciphers": {
"caption": "Client Cipher Suites",
"description": "The client cipher suites that were exchanged during the TLS handshake negotiation.",
- "is_array": true,
- "type": "string_t"
+ "type": "string_t",
+ "is_array": true
},
"client_dialects": {
"caption": "Client Dialects",
"description": "The list of SMB dialects that the client speaks.",
- "is_array": true,
- "type": "string_t"
+ "type": "string_t",
+ "is_array": true
},
"client_hassh": {
"caption": "Client HASSH",
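Review bot: The sibling `classifications` entry a few lines below the rewritten `classification_ids` still says "The list of malware classifications" and refers to `classification_id` (singular), while `classification_ids` itself is now generic ("See specific usage") with `0`/`99` entries. Producers mapping non-malware classifications will find the two descriptions disagreeing on scope. Suggest rewording the sibling to `"description": "The list of classifications, normalized to the captions of the classification_ids values. In the case of 'Other', they are defined by the event source."`. Any malware-specific wording would then belong in the objects that narrow the enum, which are not visible in this hunk.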
@@ -877,8 +897,8 @@
"type": "string_t"
},
"cmd_line": {
- "caption": "Command Line",
"observable": 13,
+ "caption": "Command Line",
"description": "The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10
. If the command line is unavailable or missing, the empty string ''
is to be used.",
"type": "string_t"
},
@@ -890,8 +910,8 @@
"codes": {
"caption": "Response Codes",
"description": "The list of numeric responses sent to a request.",
- "is_array": true,
- "type": "integer_t"
+ "type": "integer_t",
+ "is_array": true
},
"color_depth": {
"caption": "Color Depth",
@@ -911,8 +931,8 @@
"command_responses": {
"caption": "Command Responses",
"description": "The responses to the command.",
- "is_array": true,
- "type": "string_t"
+ "type": "string_t",
+ "is_array": true
},
"command_uid": {
"caption": "Command UID",
@@ -934,9 +954,26 @@
"description": "The compliance object provides context to compliance findings (e.g., a check against a specific regulatory or best practice framework such as CIS, NIST etc.) and contains compliance related details.",
"type": "compliance"
},
+ "compliance_references": {
+ "caption": "Complaince References Articles",
+ "description": "A list of sources of information or tools that help organizations understand, interpret, and implement compliance standards. They provide guidance, best practices, and examples.",
+ "type": "kb_article",
+ "is_array": true
+ },
+ "compliance_standards": {
+ "caption": "Compliance Standards Articles",
+ "description": "A list of established guidelines or criteria that define specific requirements an organization must follow.",
+ "type": "kb_article",
+ "is_array": true
+ },
"component": {
"caption": "Component",
- "description": "The name or relative pathname of a sub-component of the data object, if applicable.
For example:attachment.doc
, attachment.zip/bad.doc
, or part.mime/part.cab/part.uue/part.doc
.",
+ "description": "The component of a data object. See specific usage.",
+ "type": "string_t"
+ },
+ "condition": {
+ "caption": "Condition",
+ "description": "The rule trigger condition for the rule. For example: SQL_INJECTION.",
"type": "string_t"
},
"confidence": {
@@ -947,6 +984,7 @@
"confidence_id": {
"caption": "Confidence Id",
"description": "The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.",
+ "type": "integer_t",
"enum": {
"0": {
"caption": "Unknown",
@@ -965,8 +1003,7 @@
"caption": "Other",
"description": "The confidence is not mapped to the defined enum values. See the confidence
attribute, which contains a data source specific value."
}
- },
- "type": "integer_t"
+ }
},
"confidence_score": {
"caption": "Confidence Score",
@@ -981,11 +1018,9 @@
"confidentiality_id": {
"caption": "Confidentiality ID",
"description": "The normalized identifier of the file content confidentiality indicator.",
+ "sibling": "confidentiality",
+ "type": "integer_t",
"enum": {
- "99": {
- "caption": "Other",
- "description": "The confidentiality is not mapped. See the confidentiality
attribute, which contains a data source specific value."
- },
"0": {
"caption": "Unknown",
"description": "The confidentiality is unknown."
@@ -1007,10 +1042,12 @@
},
"6": {
"caption": "Restricted"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The confidentiality is not mapped. See the confidentiality
attribute, which contains a data source specific value."
}
- },
- "sibling": "confidentiality",
- "type": "integer_t"
+ }
},
"connection_info": {
"caption": "Connection Info",
@@ -1030,8 +1067,8 @@
"containers": {
"caption": "Containers",
"description": "When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. For example, this may be the set of containers involved in handling api requests and responses for a containerized application.",
- "is_array": true,
- "type": "container"
+ "type": "container",
+ "is_array": true
},
"content_type": {
"caption": "HTTP Content Type",
@@ -1049,14 +1086,14 @@
"type": "string_t"
},
"coordinates": {
+ "caption": "Coordinates",
+ "description": "A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. For example: [-73.983, 40.719]
.",
+ "type": "float_t",
"@deprecated": {
"message": "Use specific lat, long
attributes instead.",
"since": "1.2.0"
},
- "caption": "Coordinates",
- "description": "A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. For example: [-73.983, 40.719]
.",
- "is_array": true,
- "type": "float_t"
+ "is_array": true
},
"correlation_uid": {
"caption": "Correlation UID",
@@ -1073,9 +1110,15 @@
"description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
"type": "integer_t"
},
+ "countermeasures": {
+ "caption": "Countermeasures",
+ "description": "The MITRE DEFEND™ Matrix Countermeasures associated with a remediation.",
+ "type": "d3fend",
+ "is_array": true
+ },
"country": {
- "caption": "Country",
"observable": 14,
+ "caption": "Country",
"description": "The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes.Note: The two letter country code should be capitalized. For example: US
or CA
.
tenant_uid
attribute instead.",
"since": "1.1.0"
- },
- "caption": "Customer UID",
- "description": "The unique customer identifier.",
- "type": "string_t"
+ }
},
"cve": {
"caption": "CVE",
@@ -1151,14 +1195,14 @@
"cves": {
"caption": "CVE List",
"description": "List of Common Vulnerabilities and Exposures (CVE).",
- "is_array": true,
- "type": "cve"
+ "type": "cve",
+ "is_array": true
},
"cvss": {
"caption": "CVSS Score",
"description": "The CVSS object details Common Vulnerability Scoring System (CVSS) scores from the advisory that are related to the vulnerability.",
- "is_array": true,
- "type": "cvss"
+ "type": "cvss",
+ "is_array": true
},
"cwe": {
"caption": "CWE",
@@ -1166,38 +1210,38 @@
"type": "cwe"
},
"cwe_uid": {
+ "caption": "CWE UID",
+ "description": "The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787
.",
+ "type": "string_t",
"@deprecated": {
"message": "Use the cwe
object attributes instead.",
"since": "1.1.0"
- },
- "caption": "CWE UID",
- "description": "The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787
.",
- "type": "string_t"
+ }
},
"cwe_url": {
+ "caption": "CWE URL",
+ "description": "Common Weakness Enumeration (CWE) definition URL. For example: https://cwe.mitre.org/data/definitions/787.html
.",
+ "type": "url_t",
"@deprecated": {
"message": "Use the cwe
object attributes instead.",
"since": "1.1.0"
- },
- "caption": "CWE URL",
- "description": "Common Weakness Enumeration (CWE) definition URL. For example: https://cwe.mitre.org/data/definitions/787.html
.",
- "type": "url_t"
+ }
+ },
+ "d3f_tactic": {
+ "caption": "MITRE DEFEND™ Tactic",
+ "description": "The D3FEND Tactic object describes the defensive tactic name associated with a countermeasure, as defined by D3FENDTM Matrix.",
+ "type": "d3f_tactic"
+ },
+ "d3f_technique": {
+ "caption": "MITRE DEFEND™ Technique",
+ "description": "The D3FEND Technique object describes the defensive technique ID and/or name associated with a countermeasure, as defined by D3FENDTM Matrix.",
+ "type": "d3f_technique"
},
"data": {
"caption": "Data",
"description": "The additional data that is associated with the event or object. See specific usage.",
"type": "json_t"
},
- "database": {
- "caption": "Database",
- "description": "The database object is used for databases which are typically datastore services that contain an organized collection of structured and unstructured data or a types of data.",
- "type": "database"
- },
- "databucket": {
- "caption": "Databucket",
- "description": "The data bucket object is a basic container that holds data, typically organized through the use of data partitions.",
- "type": "databucket"
- },
"data_classification": {
"caption": "Data Classification",
"description": "The Data Classification object includes information about data classification levels and data category types.",
@@ -1211,10 +1255,12 @@
"data_lifecycle_state_id": {
"caption": "Data Lifecycle State ID",
"description": "The stage or state that the data was in when it was assessed or scanned by a data security tool.",
+ "sibling": "data_lifecycle_state",
+ "type": "integer_t",
"enum": {
"0": {
"caption": "Unknown",
- "description": "The type is not mapped. See the data_lifecycle_state
attribute, which contains a data source specific value."
+ "description": "The data lifecycle state is unknown."
},
"1": {
"caption": "Data at-Rest",
@@ -1227,22 +1273,34 @@
"3": {
"caption": "Data in-Use",
"description": "The data was being processed, accessed, or read by a system, making it active in memory or CPU. E.g., sensitive data in a Business Intelligence tool, ePHI being processed in an EHR application or a user viewing data stored in a spreadsheet or PDF."
- }
- },
- "sibling": "data_lifecycle_state",
- "type": "integer_t"
- },
- "data_sources": {
- "caption": "Data Sources",
- "description": "A list of data sources utilized in generation of the finding.",
- "is_array": true,
- "type": "string_t"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The data lifecycle state is not mapped. See the data_lifecycle_state
attribute, which contains a data source specific value."
+ }
+ }
},
"data_security": {
"caption": "Data Security",
"description": "The Data Security object describes the characteristics, techniques and content of a Data Loss Prevention (DLP), Data Loss Detection (DLD), Data Classification, or similar tools' finding, alert, or detection mechanism(s).",
"type": "data_security"
},
+ "data_sources": {
+ "caption": "Data Sources",
+ "description": "A list of data sources utilized in generation of the finding.",
+ "type": "string_t",
+ "is_array": true
+ },
+ "database": {
+ "caption": "Database",
+ "description": "The database object is used for databases which are typically datastore services that contain an organized collection of structured and unstructured data or a types of data.",
+ "type": "database"
+ },
+ "databucket": {
+ "caption": "Databucket",
+ "description": "The data bucket object is a basic container that holds data, typically organized through the use of data partitions.",
+ "type": "databucket"
+ },
"dce_rpc": {
"caption": "Distributed Computing Environment/Remote Procedure Call (DCE/RPC)",
"description": "The DCE/RPC object describes the remote procedure call system for distributed computing environments.",
@@ -1271,6 +1329,7 @@
"depth": {
"caption": "CVSS Depth",
"description": "The CVSS depth represents a depth of the equation used to calculate CVSS score.",
+ "type": "string_t",
"enum": {
"Base": {
"caption": "Base"
@@ -1281,8 +1340,7 @@
"Temporal": {
"caption": "Temporal"
}
- },
- "type": "string_t"
+ }
},
"desc": {
"caption": "Description",
@@ -1312,6 +1370,8 @@
"detection_system_id": {
"caption": "Detection System ID",
"description": "The type of data security tool or system that the finding, detection, or alert originated from.",
+ "sibling": "detection_system",
+ "type": "integer_t",
"enum": {
"0": {
"caption": "Unknown",
@@ -1369,9 +1429,7 @@
"caption": "Other",
"description": "Any other type of detection system or a multi-variate system made up of several other systems."
}
- },
- "sibling": "detection_system",
- "type": "integer_t"
+ }
},
"detection_uid": {
"caption": "Detection UID",
@@ -1391,8 +1449,8 @@
"devices": {
"caption": "Devices",
"description": "The object describes details related to the list of devices.",
- "is_array": true,
- "type": "device"
+ "type": "device",
+ "is_array": true
},
"dialect": {
"caption": "Dialect",
@@ -1412,30 +1470,30 @@
"direction_id": {
"caption": "Direction ID",
"description": "The normalized identifier of the direction of the initiated connection, traffic, or email.",
+ "sibling": "direction",
+ "type": "integer_t",
"enum": {
"0": {
- "description": "The connection direction is unknown.",
- "caption": "Unknown"
+ "caption": "Unknown",
+ "description": "The connection direction is unknown."
},
"1": {
- "description": "Inbound network connection. The connection was originated from the Internet or outside network, destined for services on the inside network.",
- "caption": "Inbound"
+ "caption": "Inbound",
+ "description": "Inbound network connection. The connection was originated from the Internet or outside network, destined for services on the inside network."
},
"2": {
- "description": "Outbound network connection. The connection was originated from inside the network, destined for services on the Internet or outside network.",
- "caption": "Outbound"
+ "caption": "Outbound",
+ "description": "Outbound network connection. The connection was originated from inside the network, destined for services on the Internet or outside network."
},
"3": {
- "description": "Lateral network connection. The connection was originated from inside the network, destined for services on the inside network.",
- "caption": "Lateral"
+ "caption": "Lateral",
+ "description": "Lateral network connection. The connection was originated from inside the network, destined for services on the inside network."
},
"99": {
"caption": "Other",
"description": "The direction is not mapped. See the direction
attribute, which contains a data source specific value."
}
- },
- "sibling": "direction",
- "type": "integer_t"
+ }
},
"dispersion": {
"caption": "Root Dispersion",
@@ -1450,18 +1508,126 @@
"disposition_id": {
"caption": "Disposition ID",
"description": "Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.",
+ "sibling": "disposition",
+ "type": "integer_t",
"enum": {
- "99": {
- "caption": "Other",
- "description": "The disposition is not mapped. See the disposition
attribute, which contains a data source specific value."
- },
"0": {
"caption": "Unknown",
"description": "The disposition is unknown."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "Granted access or allowed the action to the protected resource."
+ },
+ "2": {
+ "caption": "Blocked",
+ "description": "Denied access or blocked the action to the protected resource."
+ },
+ "3": {
+ "caption": "Quarantined",
+ "description": "A suspicious file or other content was moved to a benign location."
+ },
+ "4": {
+ "caption": "Isolated",
+ "description": "A session was isolated on the network or within a browser."
+ },
+ "5": {
+ "caption": "Deleted",
+ "description": "A file or other content was deleted."
+ },
+ "6": {
+ "caption": "Dropped",
+ "description": "The request was detected as a threat and resulted in the connection being dropped."
+ },
+ "7": {
+ "caption": "Custom Action",
+ "description": "A custom action was executed such as running of a command script. Use the message
attribute of the base class for details."
+ },
+ "8": {
+ "caption": "Approved",
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "9": {
+ "caption": "Restored",
+ "description": "A quarantined file or other content was restored to its original location."
+ },
+ "10": {
+ "caption": "Exonerated",
+ "description": "A suspicious or risky entity was deemed to no longer be suspicious (re-scored)."
+ },
+ "11": {
+ "caption": "Corrected",
+ "description": "A corrupt file or configuration was corrected."
+ },
+ "12": {
+ "caption": "Partially Corrected",
+ "description": "A corrupt file or configuration was partially corrected."
+ },
+ "13": {
+ "caption": "Uncorrected",
+ "description": "A corrupt file or configuration was not corrected."
+ },
+ "14": {
+ "caption": "Delayed",
+ "description": "An operation was delayed, for example if a restart was required to finish the operation."
+ },
+ "15": {
+ "caption": "Detected",
+ "description": "Suspicious activity or a policy violation was detected without further action."
+ },
+ "16": {
+ "caption": "No Action",
+ "description": "The outcome of an operation had no action taken."
+ },
+ "17": {
+ "caption": "Logged",
+ "description": "The operation or action was logged without further action."
+ },
+ "18": {
+ "caption": "Tagged",
+ "description": "A file or other entity was marked with extended attributes."
+ },
+ "19": {
+ "caption": "Alert",
+ "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
+ },
+ "20": {
+ "caption": "Count",
+ "description": "Counted the request or activity but did not determine whether to allow it or block it."
+ },
+ "21": {
+ "caption": "Reset",
+ "description": "The request was detected as a threat and resulted in the connection being reset."
+ },
+ "22": {
+ "caption": "Captcha",
+ "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
+ },
+ "23": {
+ "caption": "Challenge",
+ "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
+ },
+ "24": {
+ "caption": "Access Revoked",
+ "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the Host
profile if the User
or Actor
requestor is not present in the event class."
+ },
+ "25": {
+ "caption": "Rejected",
+ "description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2
'Blocked'."
+ },
+ "26": {
+ "caption": "Unauthorized",
+ "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2
'Blocked' and can be complemented with the authorizations
attribute for more detail."
+ },
+ "27": {
+ "caption": "Error",
+ "description": "An error occurred during the processing of the activity or request. Use the message
attribute of the base class for details."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The disposition is not mapped. See the disposition
attribute, which contains a data source specific value."
}
- },
- "sibling": "disposition",
- "type": "integer_t"
+ }
},
"dkim": {
"caption": "DKIM Status",
@@ -1493,11 +1659,51 @@
"description": "The Domain-based Message Authentication, Reporting and Conformance (DMARC) policy status.",
"type": "string_t"
},
+ "dnssec_status_id": {
+ "caption": "DNSSEC Status ID",
+ "description": "Describes the normalized status of DNS Security Extensions (DNSSEC) for a domain.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The disposition is unknown."
+ },
+ "1": {
+ "caption": "Signed",
+ "description": "The related domain enables the signing of DNS records using DNSSEC."
+ },
+ "2": {
+ "caption": "Unsigned",
+ "description": "The related domain does not enable the signing of DNS records using DNSSEC."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The DNSSEC status is not mapped. See the dnssec_status
attribute, which contains a data source specific value."
+ }
+ },
+ "sibling": "dnssec_status",
+ "type": "integer_t"
+ },
+ "dnssec_status": {
+ "caption": "DNSSEC Status",
+ "description": "The normalized value of dnssec_status_id.",
+ "type": "string_t"
+ },
"domain": {
"caption": "Domain",
"description": "The name of the domain.",
"type": "string_t"
},
+ "domain_contact": {
+ "caption": "Domain Contact",
+ "description": "The contact information related to a domain registration, e.g., registrant, administrator, abuse, billing, or technical contact.",
+ "type": "domain_contact"
+ },
+ "domain_contacts": {
+ "caption": "Domain Contacts",
+ "description": "An array of Domain Contact
objects.",
+ "is_array": true,
+ "type": "domain_contact"
+ },
"driver": {
"caption": "Kernel Driver",
"description": "The driver that was loaded/unloaded into the kernel",
@@ -1509,8 +1715,43 @@
"type": "network_endpoint"
},
"duration": {
- "caption": "Duration",
- "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "caption": "Duration Milliseconds",
+ "description": "This represents the duration of the activity in milliseconds. See specific usage.",
+ "type": "long_t"
+ },
+ "duration_days": {
+ "caption": "Duration Days",
+ "description": "Represents the duration of the activity in days. See specific usage.",
+ "type": "integer_t"
+ },
+ "duration_hours": {
+ "caption": "Duration Hours",
+ "description": "Represents the duration of the activity in hours. See specific usage.",
+ "type": "integer_t"
+ },
+ "duration_mins": {
+ "caption": "Duration Minutes",
+ "description": "Represents the duration of the activity in minutes. See specific usage.",
+ "type": "integer_t"
+ },
+ "duration_months": {
+ "caption": "Duration Months",
+ "description": "Represents the duration of the activity in months. See specific usage.",
+ "type": "integer_t"
+ },
+ "duration_secs": {
+ "caption": "Duration Seconds",
+ "description": "Represents the duration of the activity in seconds. See specific usage.",
+ "type": "integer_t"
+ },
+ "duration_weeks": {
+ "caption": "Duration Weeks",
+ "description": "Represents the duration of the activity in weeks. See specific usage.",
+ "type": "integer_t"
+ },
+ "duration_years": {
+ "caption": "Duration Years",
+ "description": "Represents the duration of the activity in years. See specific usage.",
"type": "integer_t"
},
"edition": {
@@ -1531,8 +1772,8 @@
"email_addrs": {
"caption": "Email Addresses",
"description": "A list of additional email addresses for the user.",
- "is_array": true,
- "type": "email_t"
+ "type": "email_t",
+ "is_array": true
},
"email_auth": {
"caption": "Email Authentication",
@@ -1562,14 +1803,14 @@
"endpoint_connections": {
"caption": "Endpoint Connections",
"description": "Contains information about network connection attempts. See specific usage.",
- "is_array": true,
- "type": "endpoint_connection"
+ "type": "endpoint_connection",
+ "is_array": true
},
"enrichments": {
"caption": "Enrichments",
"description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
- "is_array": true,
- "type": "enrichment"
+ "type": "enrichment",
+ "is_array": true
},
"entity": {
"caption": "Entity",
@@ -1607,19 +1848,19 @@
"type": "string_t"
},
"evidence": {
+ "caption": "Evidence",
+ "description": "The data the finding exposes to the analyst.",
+ "type": "json_t",
"@deprecated": {
"message": "Use the evidences
attribute instead.",
"since": "1.1.0"
- },
- "caption": "Evidence",
- "description": "The data the finding exposes to the analyst.",
- "type": "json_t"
+ }
},
"evidences": {
"caption": "Evidence Artifacts",
"description": "Describes various evidence artifacts associated to the activity/activities that triggered a security detection.",
- "is_array": true,
- "type": "evidences"
+ "type": "evidences",
+ "is_array": true
},
"exit_code": {
"caption": "Exit Code",
@@ -1636,30 +1877,35 @@
"description": "The expiration time. See specific usage.",
"type": "timestamp_t"
},
+ "ext": {
+ "caption": "Extension",
+ "description": "The extension. See specific usage.",
+ "type": "string_t"
+ },
"extension": {
+ "caption": "Schema Extension",
+ "description": "The schema extension used to create the event.",
+ "type": "extension",
"@deprecated": {
"message": "Use the extensions
attribute instead.",
"since": "1.1.0"
- },
- "caption": "Schema Extension",
- "description": "The schema extension used to create the event.",
- "type": "extension"
- },
- "extensions": {
- "caption": "Schema Extensions",
- "description": "The schema extensions used to create the event.",
- "is_array": true,
- "type": "extension"
+ }
},
"extension_list": {
+ "caption": "Extension List",
+ "description": "The list of TLS extensions.",
+ "type": "tls_extension",
"@deprecated": {
"message": "Use the tls_extension_list
attribute instead.",
"since": "1.1.0"
},
- "caption": "Extension List",
- "description": "The list of TLS extensions.",
- "is_array": true,
- "type": "tls_extension"
+ "is_array": true
+ },
+ "extensions": {
+ "caption": "Schema Extensions",
+ "description": "The schema extensions used to create the event.",
+ "type": "extension",
+ "is_array": true
},
"factor_type": {
"caption": "Factor Type",
@@ -1669,6 +1915,8 @@
"factor_type_id": {
"caption": "Factor Type ID",
"description": "The normalized identifier for the authentication factor.",
+ "sibling": "factor_type",
+ "type": "integer_t",
"enum": {
"0": {
"caption": "Unknown"
@@ -1720,9 +1968,7 @@
"99": {
"caption": "Other"
}
- },
- "sibling": "factor_type",
- "type": "integer_t"
+ }
},
"feature": {
"caption": "Feature",
@@ -1757,8 +2003,8 @@
"finding_info_list": {
"caption": "Finding Information List",
"description": "A list of finding_info
objects associated to an incident.",
- "is_array": true,
- "type": "finding_info"
+ "type": "finding_info",
+ "is_array": true
},
"fingerprint": {
"caption": "Fingerprint",
@@ -1768,8 +2014,8 @@
"fingerprints": {
"caption": "Fingerprints",
"description": "An array of digital fingerprint objects.",
- "is_array": true,
- "type": "fingerprint"
+ "type": "fingerprint",
+ "is_array": true
},
"firewall_rule": {
"caption": "Firewall Rule",
@@ -1781,33 +2027,42 @@
"description": "The initial detection time of the activity or object. See specific usage",
"type": "timestamp_t"
},
- "fixed_in_version": {
- "caption": "Fixed In Version",
- "description": "The software package version in which a reported vulnerability was patched/fixed.",
- "type": "string_t"
- },
"fix_available": {
+ "caption": "Fix Availability",
+ "description": "Indicates if a fix is available for the reported vulnerability.",
+ "type": "boolean_t",
"@deprecated": {
"message": "Use the is_fix_available
attribute instead.",
"since": "1.1.0"
- },
- "caption": "Fix Availability",
- "description": "Indicates if a fix is available for the reported vulnerability.",
- "type": "boolean_t"
+ }
+ },
+ "fixed_in_version": {
+ "caption": "Fixed In Version",
+ "description": "The software package version in which a reported vulnerability was patched/fixed.",
+ "type": "string_t"
},
"flag_ids": {
"caption": "Communication Flag IDs",
- "description": "The list of normalized identifiers of the communication flag IDs.",
- "enum": {},
- "is_array": true,
+ "description": "The list of normalized identifiers of the communication flag IDs. See specific usage.",
"sibling": "flags",
- "type": "integer_t"
+ "type": "integer_t",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The flag is unknown."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The flag is not mapped. See the flags
attribute, which contains a data source specific value."
+ }
+ },
+ "is_array": true
},
"flags": {
"caption": "Flags",
"description": "The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source.",
- "is_array": true,
- "type": "string_t"
+ "type": "string_t",
+ "is_array": true
},
"folder": {
"caption": "Folder",
@@ -1850,25 +2105,30 @@
"type": "group"
},
"group_name": {
+ "caption": "Group Name",
+ "description": "The name of the group that the resource belongs to.",
+ "type": "string_t",
"@deprecated": {
"message": "Use the group.name
attribute instead.",
"since": "1.1.0"
- },
- "caption": "Group Name",
- "description": "The name of the group that the resource belongs to.",
- "type": "string_t"
+ }
},
"groups": {
"caption": "Groups",
"description": "The groups to which an entity belongs. See specific usage.",
- "is_array": true,
- "type": "group"
+ "type": "group",
+ "is_array": true
},
"handshake_dur": {
"caption": "Handshake Duration",
"description": "The amount of total time for the TLS handshake to complete after the TCP connection is established, including client-side delays, in milliseconds.",
"type": "integer_t"
},
+ "has_mfa": {
+ "caption": "MFA Assigned",
+ "description": "The user has a multi-factor or secondary-factor device assigned.",
+ "type": "boolean_t"
+ },
"hash": {
"caption": "Hash",
"description": "The hash attribute is the value of a digital fingerprint including information about its algorithm.",
@@ -1877,8 +2137,8 @@
"hashes": {
"caption": "Hashes",
"description": "An array of hash attributes.",
- "is_array": true,
- "type": "fingerprint"
+ "type": "fingerprint",
+ "is_array": true
},
"hire_time": {
"caption": "Hire Time",
@@ -1893,14 +2153,14 @@
"http_cookies": {
"caption": "HTTP Cookies",
"description": "The cookies object describes details about HTTP cookies",
- "is_array": true,
- "type": "http_cookie"
+ "type": "http_cookie",
+ "is_array": true
},
"http_headers": {
"caption": "HTTP Headers",
"description": "Additional HTTP headers of an HTTP request or response.",
- "is_array": true,
- "type": "http_header"
+ "type": "http_header",
+ "is_array": true
},
"http_method": {
"caption": "HTTP Method",
@@ -1908,13 +2168,13 @@
"type": "string_t"
},
"http_only": {
+ "caption": "HTTP Only",
+ "description": "A cookie attribute to make it inaccessible via JavaScript",
+ "type": "boolean_t",
"@deprecated": {
"message": "Use the is_http_only
attribute instead.",
"since": "1.1.0"
- },
- "caption": "HTTP Only",
- "description": "A cookie attribute to make it inaccessible via JavaScript",
- "type": "boolean_t"
+ }
},
"http_request": {
"caption": "HTTP Request",
@@ -1927,13 +2187,13 @@
"type": "http_response"
},
"http_status": {
+ "caption": "HTTP Status",
+ "description": "The Hypertext Transfer Protocol (HTTP) status code returned to the client.",
+ "type": "integer_t",
"@deprecated": {
"message": "Use the http_response.code
attribute instead.",
"since": "1.1.0"
- },
- "caption": "HTTP Status",
- "description": "The Hypertext Transfer Protocol (HTTP) status code returned to the client.",
- "type": "integer_t"
+ }
},
"hw_info": {
"caption": "Hardware Info",
@@ -1978,6 +2238,8 @@
"impact_id": {
"caption": "Impact ID",
"description": "The normalized impact of the finding.",
+ "sibling": "impact",
+ "type": "integer_t",
"enum": {
"0": {
"caption": "Unknown",
@@ -1999,9 +2261,7 @@
"caption": "Other",
"description": "The impact is not mapped. See the impact
attribute, which contains a data source specific value."
}
- },
- "sibling": "impact",
- "type": "integer_t"
+ }
},
"impact_score": {
"caption": "Impact",
@@ -2016,11 +2276,9 @@
"injection_type_id": {
"caption": "Injection Type ID",
"description": "The normalized identifier of the process injection method.",
+ "sibling": "injection_type",
+ "type": "integer_t",
"enum": {
- "99": {
- "caption": "Other",
- "description": "The injection type is not mapped. See the injection_type
attribute, which contains a data source specific value."
- },
"0": {
"caption": "Unknown",
"description": "The injection type is unknown."
@@ -2030,10 +2288,48 @@
},
"2": {
"caption": "Load Library"
+ },
+ "3": {
+ "caption": "Queue APC"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The injection type is not mapped. See the injection_type
attribute, which contains a data source specific value."
}
- },
- "sibling": "injection_type",
- "type": "integer_t"
+ }
+ },
+ "install_state": {
+ "caption": "Install State",
+ "description": "The install state, normalized to the caption of install_state_id. In the case of 'Other', it is defined by the event source.",
+ "type": "string_t"
+ },
+ "install_state_id": {
+ "caption": "Install State ID",
+ "description": "The normalized state of the install.",
+ "sibling": "install_state",
+ "type": "integer_t",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The normalized install state is unknown."
+ },
+ "1": {
+ "caption": "Installed",
+ "description": "The item is installed."
+ },
+ "2": {
+ "caption": "Not Installed",
+ "description": "The item is not installed."
+ },
+ "3": {
+ "caption": "Installed Pending Reboot",
+ "description": "The item is installed pending reboot operation."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The install state is not mapped. See the install_state
attribute, which contains a data source specific value."
+ }
+ }
},
"instance_uid": {
"caption": "Instance ID",
@@ -2042,15 +2338,42 @@
},
"integrity": {
"caption": "Integrity",
- "description": "The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only).",
+ "description": "The process integrity level, normalized to the caption of the integrity_id value. In the case of 'Other', it is defined by the event source (Windows only).",
"type": "string_t"
},
"integrity_id": {
"caption": "Integrity Level",
"description": "The normalized identifier of the process integrity level (Windows only).",
"sibling": "integrity",
- "enum": {},
- "type": "integer_t"
+ "type": "integer_t",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The integrity level is unknown."
+ },
+ "1": {
+ "caption": "Untrusted"
+ },
+ "2": {
+ "caption": "Low"
+ },
+ "3": {
+ "caption": "Medium"
+ },
+ "4": {
+ "caption": "High"
+ },
+ "5": {
+ "caption": "System"
+ },
+ "6": {
+ "caption": "Protected"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The integrity level is not mapped. See the integrity
attribute, which contains a data source specific value."
+ }
+ }
},
"interface_name": {
"caption": "Network Interface Name",
@@ -2065,8 +2388,8 @@
"intermediate_ips": {
"caption": "Intermediate IP Addresses",
"description": "The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.",
- "is_array": true,
- "type": "ip_t"
+ "type": "ip_t",
+ "is_array": true
},
"invoked_by": {
"caption": "Invoked by",
@@ -2158,26 +2481,36 @@
"description": "The cookie attribute indicates that cookies are sent to the server only when the request is encrypted using the HTTPS protocol.",
"type": "boolean_t"
},
+ "is_self_signed": {
+ "caption": "Certificate Self-Signed",
+ "description": "Denotes whether a digital certificate is self-signed or signed by a known certificate authority (CA).",
+ "type": "boolean_t"
+ },
"is_superseded": {
"caption": "The patch is superseded.",
"description": "The vendor patch has been replaced by another.",
"type": "boolean_t"
},
+ "is_suspected_breach": {
+ "caption": "Suspected Breach",
+ "description": "A determination based on analytics as to whether a potential breach was found.",
+ "type": "boolean_t"
+ },
"is_system": {
"caption": "System",
"description": "The indication of whether the object is part of the operating system.",
"type": "boolean_t"
},
- "is_trusted": {
- "caption": "Trusted Device",
- "description": "The event occurred on a trusted device.",
- "type": "boolean_t"
- },
"is_totp": {
"caption": "Time-based One-time Password (TOTP)",
"description": "Whether the authentication factor is a Time-based One-time Password (TOTP).",
"type": "boolean_t"
},
+ "is_trusted": {
+ "caption": "Trusted Device",
+ "description": "The event occurred on a trusted device.",
+ "type": "boolean_t"
+ },
"is_vpn": {
"caption": "VPN Session",
"description": "The indication of whether the session is a VPN session.",
@@ -2203,6 +2536,12 @@
"description": "The MD5 hash of a JA3S string.",
"type": "fingerprint"
},
+ "ja4_fingerprint_list": {
+ "caption": "JA4+ Fingerprints",
+ "description": "A list of the JA4+ network fingerprints.",
+ "type": "ja4_fingerprint",
+ "is_array": true
+ },
"job": {
"caption": "Job",
"description": "The job object that pertains to the event.",
@@ -2213,21 +2552,21 @@
"description": "The user's job title.",
"type": "string_t"
},
+ "kb_article_list": {
+ "caption": "Knowledgebase Articles",
+ "description": "A list of KB articles or patches related to an endpoint. A KB Article contains metadata that describes the patch or an update.",
+ "type": "kb_article",
+ "is_array": true
+ },
"kb_articles": {
"caption": "Knowledgebase Articles",
+ "description": "The KB article/s related to the entity. A KB Article contains metadata that describes the patch or an update.",
+ "type": "string_t",
"@deprecated": {
"message": "Use the kb_article_list
attribute instead.",
"since": "1.1.0"
},
- "description": "The KB article/s related to the entity. A KB Article contains metadata that describes the patch or an update.",
- "is_array": true,
- "type": "string_t"
- },
- "kb_article_list": {
- "caption": "Knowledgebase Articles",
- "description": "A list of KB articles or patches related to an endpoint. A KB Article contains metadata that describes the patch or an update.",
- "is_array": true,
- "type": "kb_article"
+ "is_array": true
},
"kernel": {
"caption": "Kernel",
@@ -2262,14 +2601,14 @@
"kill_chain": {
"caption": "Kill Chain",
"description": "The Cyber Kill Chain® provides a detailed description of each phase and its associated activities within the broader context of a cyber attack.",
- "is_array": true,
- "type": "kill_chain_phase"
+ "type": "kill_chain_phase",
+ "is_array": true
},
"labels": {
"caption": "Labels",
"description": "The list of labels attached to an event, object, or attribute.",
- "is_array": true,
- "type": "string_t"
+ "type": "string_t",
+ "is_array": true
},
"lang": {
"caption": "Language",
@@ -2331,17 +2670,17 @@
"description": "The HTTP response length, in number of bytes.",
"type": "integer_t"
},
- "lineage": {
- "caption": "Lineage",
- "description": "The lineage of the process, represented by a list of paths for each ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami']
.",
- "is_array": true,
- "type": "string_t"
- },
"license": {
"caption": "Software License",
"description": "The name or identifier of the license applied on package or software. See SPDX License List.",
"type": "string_t"
},
+ "lineage": {
+ "caption": "Lineage",
+ "description": "The lineage of the process, represented by a list of paths for each ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami']
.",
+ "type": "string_t",
+ "is_array": true
+ },
"load_balancer": {
"caption": "Load Balancer",
"description": "The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.",
@@ -2349,21 +2688,30 @@
},
"load_type": {
"caption": "Load Type",
- "description": "The load type, normalized to the caption of the load_type_id value. In the case of 'Other', it is defined by the event source. It describes how the module was loaded in memory.",
+ "description": "The load type, normalized to the caption of the load_type_id value. In the case of 'Other', it is defined by the event source.",
"type": "string_t"
},
"load_type_id": {
"caption": "Load Type ID",
- "description": "The normalized identifier of the load type. It identifies how the module was loaded in memory.",
- "enum": {},
+ "description": "The normalized identifier of the load type. See specific uasge.",
"sibling": "load_type",
- "type": "integer_t"
+ "type": "integer_t",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The load type is unknown."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The load type is not mapped. See the load_type
attribute, which contains a data source specific value."
+ }
+ }
},
"loaded_modules": {
"caption": "Loaded Modules",
"description": "The list of loaded module names.",
- "is_array": true,
- "type": "string_t"
+ "type": "string_t",
+ "is_array": true
},
"location": {
"caption": "Geo Location",
@@ -2385,6 +2733,35 @@
"description": "The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.",
"type": "string_t"
},
+ "log_type": {
+ "caption": "Log Type",
+ "description": "The log type, normalized to the caption of the log_type_id
value. In the case of 'Other', it is defined by the event source.",
+ "type": "string_t"
+ },
+ "log_type_id": {
+ "caption": "Log Type ID",
+ "description": "The normalized log type identifier.",
+ "sibling": "log_type",
+ "type": "integer_t",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The log type is unknown."
+ },
+ "1": {
+ "caption": "OS",
+ "description": "The log type is an Operating System log."
+ },
+ "2": {
+ "caption": "Application",
+ "description": "The log type is an Application log."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The log type is not mapped. See the log_type
attribute, which contains a data source specific value."
+ }
+ }
+ },
"log_version": {
"caption": "Log Version",
"description": "The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.",
@@ -2398,8 +2775,8 @@
"loggers": {
"caption": "Loggers",
"description": "An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow.",
- "is_array": true,
- "type": "logger"
+ "type": "logger",
+ "is_array": true
},
"logon_process": {
"caption": "Logon Process",
@@ -2414,11 +2791,9 @@
"logon_type_id": {
"caption": "Logon Type ID",
"description": "The normalized logon type identifier.",
+ "sibling": "logon_type",
+ "type": "integer_t",
"enum": {
- "99": {
- "caption": "Other",
- "description": "The logon type is not mapped. See the logon_type
attribute, which contains a data source specific value."
- },
"0": {
"caption": "Unknown",
"description": "The logon type is unknown."
@@ -2427,22 +2802,6 @@
"caption": "System",
"description": "Used only by the System account, for example at system startup."
},
- "10": {
- "caption": "Remote Interactive",
- "description": "A remote logon using Terminal Services or remote desktop application."
- },
- "11": {
- "caption": "Cached Interactive",
- "description": "A user logged on to this device with network credentials that were stored locally on the device and the domain controller was not contacted to verify the credentials."
- },
- "12": {
- "caption": "Cached Remote Interactive",
- "description": "Same as Remote Interactive. This is used for internal auditing."
- },
- "13": {
- "caption": "Cached Unlock",
- "description": "Workstation logon."
- },
"2": {
"caption": "Interactive",
"description": "A local logon to device console."
@@ -2470,10 +2829,28 @@
"9": {
"caption": "New Credentials",
"description": "A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections."
+ },
+ "10": {
+ "caption": "Remote Interactive",
+ "description": "A remote logon using Terminal Services or remote desktop application."
+ },
+ "11": {
+ "caption": "Cached Interactive",
+ "description": "A user logged on to this device with network credentials that were stored locally on the device and the domain controller was not contacted to verify the credentials."
+ },
+ "12": {
+ "caption": "Cached Remote Interactive",
+ "description": "Same as Remote Interactive. This is used for internal auditing."
+ },
+ "13": {
+ "caption": "Cached Unlock",
+ "description": "Workstation logon."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The logon type is not mapped. See the logon_type
attribute, which contains a data source specific value."
}
- },
- "sibling": "logon_type",
- "type": "integer_t"
+ }
},
"long": {
"caption": "Longitude",
@@ -2488,14 +2865,25 @@
"malware": {
"caption": "Malware",
"description": "A list of Malware objects, describing details about the identified malware.",
- "is_array": true,
- "type": "malware"
+ "type": "malware",
+ "is_array": true
},
"manager": {
"caption": "Manager",
"description": "The user's manager. This helps in understanding an org hierarchy. This should only ever be populated once in an event. I.e. there should not be a manager's manager in an event.",
"type": "user"
},
+ "match_details": {
+ "caption": "Match Details",
+ "description": "The data in a request that rule matched. For example: '[\"10\",\"and\",\"1\"]'.",
+ "type": "string_t",
+ "is_array": true
+ },
+ "match_location": {
+ "caption": "Match Location",
+ "description": "The location of the matched data in the source which resulted in the triggered firewall rule. For example: HEADER.",
+ "type": "string_t"
+ },
"message": {
"caption": "Message",
"description": "The description of the event/finding, as defined by the source.",
@@ -2514,8 +2902,8 @@
"metrics": {
"caption": "Metrics",
"description": "The general purpose metrics associated with the event. See specific usage.",
- "is_array": true,
- "type": "metric"
+ "type": "metric",
+ "is_array": true
},
"mime_type": {
"caption": "MIME type",
@@ -2557,6 +2945,12 @@
"description": "If running under a process namespace (such as in a container), the process identifier within that process namespace.",
"type": "integer_t"
},
+ "name_servers": {
+ "caption": "Name Servers",
+ "description": "A collection of name servers related to a domain registration or other record.",
+ "is_array": true,
+ "type": "string_t"
+ },
"network_driver": {
"caption": "Network Driver",
"description": "The network driver used by the container. For example, bridge, overlay, host, none, etc.",
@@ -2570,8 +2964,8 @@
"network_interfaces": {
"caption": "Network Interfaces",
"description": "The network interfaces that are associated with the device, one for each unique MAC address/IP address/hostname/name combination.Note: The first element of the array is the network information that pertains to the event.
", - "is_array": true, - "type": "network_interface" + "type": "network_interface", + "is_array": true }, "next_run_time": { "caption": "Next Run", @@ -2581,8 +2975,8 @@ "nist": { "caption": "NIST List", "description": "The NIST Cybersecurity Framework recommendations for managing the cybersecurity risk.", - "is_array": true, - "type": "string_t" + "type": "string_t", + "is_array": true }, "num_detections": { "caption": "Detections", @@ -2642,8 +3036,8 @@ "observables": { "caption": "Observables", "description": "The observables associated with the event or a finding.", - "is_array": true, - "type": "observable" + "type": "observable", + "is_array": true }, "office_location": { "caption": "Office Location", @@ -2657,7 +3051,9 @@ }, "opcode_id": { "caption": "DNS Opcode ID", - "description": "The DNS opcode ID specifies the normalized query message type.", + "description": "The DNS opcode ID specifies the normalized query message type as defined in RFC-5395.", + "suppress_checks": ["enum_convention"], + "type": "integer_t", "enum": { "0": { "caption": "Query", @@ -2686,9 +3082,12 @@ "6": { "caption": "DSO Message", "description": "DNS Stateful Operations (DSO)" + }, + "99": { + "caption": "Other", + "description": "The DNS Opcode is not defined by the RFC. See theopcode
attribute, which contains a data source specific value."
}
- },
- "type": "integer_t"
+ }
},
"open_mask": {
"caption": "Open Mask",
@@ -2710,26 +3109,16 @@
"description": "An operation number used to identify a specific remote procedure call (RPC) method or a method in an interface.",
"type": "integer_t"
},
- "org": {
- "caption": "Organization",
- "description": "Organization and org unit relevant to the event or object.",
- "type": "organization"
- },
"orchestrator": {
"caption": "Orchestrator",
"description": "The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.",
"type": "string_t"
},
- "ou_name": {
- "caption": "Org Unit Name",
- "description": "The name of the organizational unit, within an organization. For example, Finance, IT, R&D",
- "type": "string_t"
- },
- "ou_uid": {
- "caption": "Org Unit ID",
- "description": "The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.",
- "type": "string_t"
- },
+ "org": {
+ "caption": "Organization",
+ "description": "Organization and org unit relevant to the event or object.",
+ "type": "organization"
+ },
"original_time": {
"caption": "Original Time",
"description": "The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.",
@@ -2740,6 +3129,16 @@
"description": "The endpoint operating system.",
"type": "os"
},
+ "ou_name": {
+ "caption": "Org Unit Name",
+ "description": "The name of the organizational unit, within an organization. For example, Finance, IT, R&D",
+ "type": "string_t"
+ },
+ "ou_uid": {
+ "caption": "Org Unit ID",
+ "description": "The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.",
+ "type": "string_t"
+ },
"overall_score": {
"caption": "Overall Score",
"description": "The overall score as reported by the event source. See specific usage.",
@@ -2755,20 +3154,20 @@
"description": "The Software Package object describes details about a software package. Defined by D3FEND d3f:SoftwarePackage.",
"type": "package"
},
+ "package_manager": {
+ "caption": "Package Manager",
+ "description": "The software packager manager utilized to manage a package on a system, e.g. npm, yum, dpkg etc.",
+ "type": "string_t"
+ },
"packages": {
+ "caption": "Software Packages",
+ "description": "List of vulnerable packages as identified by the security product",
+ "type": "package",
"@deprecated": {
"message": "Use the affected_packages
attribute instead.",
"since": "1.1.0"
},
- "caption": "Software Packages",
- "description": "List of vulnerable packages as identified by the security product",
- "is_array": true,
- "type": "package"
- },
- "package_manager": {
- "caption": "Package Manager",
- "description": "The software packager manager utilized to manage a package on a system, e.g. npm, yum, dpkg etc.",
- "type": "string_t"
+ "is_array": true
},
"packet_uid": {
"caption": "Packet UID",
@@ -2833,6 +3232,8 @@
"phase_id": {
"caption": "Kill Chain Phase ID",
"description": "The cyber kill chain phase identifier.",
+ "sibling": "phase",
+ "type": "integer_t",
"enum": {
"0": {
"caption": "Unknown",
@@ -2870,9 +3271,7 @@
"caption": "Other",
"description": "The kill chain phase is not mapped. See the phase
attribute, which contains a data source specific value."
}
- },
- "type": "integer_t",
- "sibling": "phase"
+ }
},
"phone_number": {
"caption": "Phone Number",
@@ -2901,8 +3300,8 @@
"type": "integer_t"
},
"pid": {
- "caption": "Process ID",
"observable": 15,
+ "caption": "Process ID",
"description": "The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.",
"type": "integer_t"
},
@@ -2911,15 +3310,15 @@
"description": "The unique identifier of the pod (or equivalent) that the container is executing on.",
"type": "uuid_t"
},
- "policy": {
- "caption": "Policy",
- "description": "Describes details of a policy. See specific usage.",
- "type": "policy"
- },
"policies": {
"caption": "Policies",
"description": "An array of Policy
objects.",
- "is_array": true,
+ "type": "policy",
+ "is_array": true
+ },
+ "policy": {
+ "caption": "Policy",
+ "description": "Describes details of a policy. See specific usage.",
"type": "policy"
},
"port": {
@@ -2945,11 +3344,9 @@
"prev_security_level_id": {
"caption": "Previous Security Level ID",
"description": "The previous security level of the entity",
+ "sibling": "prev_security_level",
+ "type": "integer_t",
"enum": {
- "99": {
- "caption": "Other",
- "description": "The security level is not mapped. See the prev_security_level
attribute, which contains data source specific values."
- },
"0": {
"caption": "Unknown"
},
@@ -2961,16 +3358,18 @@
},
"3": {
"caption": "Compromised"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The security level is not mapped. See the prev_security_level
attribute, which contains data source specific values."
}
- },
- "sibling": "prev_security_level",
- "type": "integer_t"
+ }
},
"prev_security_states": {
"caption": "Previous Security States",
"description": "The previous security states. See specific usage.",
- "is_array": true,
- "type": "security_state"
+ "type": "security_state",
+ "is_array": true
},
"priority": {
"caption": "Priority",
@@ -2980,40 +3379,40 @@
"priority_id": {
"caption": "Priority ID",
"description": "The normalized priority. Priority identifies the relative importance of the finding. It is a measurement of urgency.",
+ "sibling": "priority",
+ "type": "integer_t",
"enum": {
"0": {
- "description": "No priority is assigned.",
- "caption": "Unknown"
+ "caption": "Unknown",
+ "description": "No priority is assigned."
},
"1": {
- "description": "Application or personal procedure is unusable, where a workaround is available or a repair is possible.",
- "caption": "Low"
+ "caption": "Low",
+ "description": "Application or personal procedure is unusable, where a workaround is available or a repair is possible."
},
"2": {
- "description": "Non-critical function or procedure is unusable or hard to use causing operational disruptions with no direct impact on a service's availability. A workaround is available.",
- "caption": "Medium"
+ "caption": "Medium",
+ "description": "Non-critical function or procedure is unusable or hard to use causing operational disruptions with no direct impact on a service's availability. A workaround is available."
},
"3": {
- "description": "Critical functionality or network access is interrupted, degraded or unusable, having a severe impact on services availability. No acceptable alternative is possible.",
- "caption": "High"
+ "caption": "High",
+ "description": "Critical functionality or network access is interrupted, degraded or unusable, having a severe impact on services availability. No acceptable alternative is possible."
},
"4": {
- "description": "Interruption making a critical functionality inaccessible or a complete network interruption causing a severe impact on services availability. There is no possible alternative.",
- "caption": "Critical"
+ "caption": "Critical",
+ "description": "Interruption making a critical functionality inaccessible or a complete network interruption causing a severe impact on services availability. There is no possible alternative."
},
"99": {
- "description": "The priority is not normalized.",
- "caption": "Other"
+ "caption": "Other",
+ "description": "The priority is not normalized."
}
- },
- "sibling": "priority",
- "type": "integer_t"
+ }
},
"privileges": {
"caption": "Privileges",
"description": "The user or group privileges.",
- "is_array": true,
- "type": "string_t"
+ "type": "string_t",
+ "is_array": true
},
"process": {
"caption": "Process",
@@ -3037,14 +3436,18 @@
},
"profiles": {
"caption": "Profiles",
- "description": "The list of profiles used to create the event.",
- "is_array": true,
- "type": "string_t"
+ "description": "The list of profiles used to create the event. Profiles should be referenced by their name
attribute for core profiles, or extension/name
for profiles from extensions.",
+ "type": "string_t",
+ "is_array": true
},
"project_uid": {
"caption": "Project ID",
"description": "The unique identifier of a Cloud project.",
- "type": "string_t"
+ "type": "string_t",
+ "@deprecated": {
+ "message": "Use the account.uid
attribute instead.",
+ "since": "1.4.0"
+ }
},
"protocol_name": {
"caption": "Protocol Name",
@@ -3063,10 +3466,19 @@
},
"protocol_ver_id": {
"caption": "Protocol Version ID",
- "description": "The normalized identifier of the Protocol version.",
- "enum": {},
+ "description": "The normalized identifier of the Protocol version. See specific usage.",
"sibling": "protocol_ver",
- "type": "integer_t"
+ "type": "integer_t",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The protocol version is unknown."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The protocol version is not mapped. See the protocol_ver
attribute, which contains a data source specific value."
+ }
+ }
},
"provider": {
"caption": "Provider",
@@ -3074,29 +3486,24 @@
"type": "string_t"
},
"proxy": {
+ "caption": "Proxy",
+ "description": "The proxy (server) in a network connection.",
+ "type": "network_proxy",
"@deprecated": {
"message": "Use the proxy_endpoint
attribute instead.",
"since": "1.1.0"
- },
- "caption": "Proxy",
- "description": "The proxy (server) in a network connection.",
- "type": "network_proxy"
- },
- "proxy_endpoint": {
- "caption": "Proxy Endpoint",
- "description": "The proxy (server) in a network connection.",
- "type": "network_proxy"
- },
- "purl": {
- "caption": "Package URL",
- "description": "A purl is a URL string used to identify and locate a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.",
- "type": "string_t"
+ }
},
"proxy_connection_info": {
"caption": "Proxy Connection Info",
"description": "The connection information from the proxy server to the remote server.",
"type": "network_connection_info"
},
+ "proxy_endpoint": {
+ "caption": "Proxy Endpoint",
+ "description": "The proxy (server) in a network connection.",
+ "type": "network_proxy"
+ },
"proxy_http_request": {
"caption": "Proxy HTTP Request",
"description": "The HTTP Request from the proxy server to the remote server.",
@@ -3117,6 +3524,11 @@
"description": "The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.",
"type": "network_traffic"
},
+ "purl": {
+ "caption": "Package URL",
+ "description": "A purl is a URL string used to identify and locate a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.",
+ "type": "string_t"
+ },
"query": {
"caption": "DNS Query",
"description": "The Domain Name System (DNS) query.",
@@ -3135,6 +3547,8 @@
"query_result_id": {
"caption": "Query Result ID",
"description": "The normalized identifier of the query result.",
+ "sibling": "query_result",
+ "type": "integer_t",
"enum": {
"0": {
"caption": "Unknown",
@@ -3164,9 +3578,7 @@
"caption": "Other",
"description": "The query result is not mapped. See the query_result
attribute, which contains a data source specific value."
}
- },
- "type": "integer_t",
- "sibling": "query_result"
+ }
},
"query_string": {
"caption": "HTTP Query String",
@@ -3183,16 +3595,21 @@
"description": "The total amount of installed RAM, in Megabytes. For example: 2048
.",
"type": "integer_t"
},
- "raw_header": {
- "caption": "Raw Header",
- "description": "The email authentication header.",
- "type": "string_t"
+ "rate_limit": {
+ "caption": "Rate Limit",
+ "description": "The rate limit for a rate-based rule.",
+ "type": "integer_t"
},
"raw_data": {
"caption": "Raw Data",
"description": "The raw event/finding data as received from the source.",
"type": "string_t"
},
+ "raw_header": {
+ "caption": "Raw Header",
+ "description": "The email authentication header.",
+ "type": "string_t"
+ },
"rcode": {
"caption": "Response Code",
"description": "The server response code, normalized to the caption of the rcode_id value. In the case of 'Other', it is defined by the event source.",
@@ -3201,18 +3618,18 @@
"rcode_id": {
"caption": "Response Code ID",
"description": "The normalized identifier of the server response code. See specific usage.",
+ "sibling": "rcode",
+ "type": "integer_t",
"enum": {
- "99": {
- "caption": "Other",
- "description": "The DNS response code is not defined by the RFC. See the rcode
attribute, which contains a data source specific value."
- },
"0": {
"caption": "Unknown",
"description": "The DNS response code is unknown."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The DNS response code is not defined by the RFC. See the rcode
attribute, which contains a data source specific value."
}
- },
- "sibling": "rcode",
- "type": "integer_t"
+ }
},
"rdata": {
"caption": "DNS RData",
@@ -3222,8 +3639,8 @@
"references": {
"caption": "References",
"description": "A list of reference URLs supporting the finding/detection.",
- "is_array": true,
- "type": "string_t"
+ "type": "string_t",
+ "is_array": true
},
"referrer": {
"caption": "HTTP Referrer",
@@ -3243,20 +3660,20 @@
"related_analytics": {
"caption": "Related Analytics",
"description": "Describes analytics related to the analytic of a finding or detection as identified by the security product.",
- "is_array": true,
- "type": "analytic"
+ "type": "analytic",
+ "is_array": true
},
"related_events": {
"caption": "Related Events",
"description": "Describes events and/or other findings related to the finding as identified by the security product.",
- "is_array": true,
- "type": "related_event"
+ "type": "related_event",
+ "is_array": true
},
"related_vulnerabilities": {
"caption": "Related Vulnerabilities",
"description": "List of vulnerabilities that are related to this vulnerability.",
- "is_array": true,
- "type": "string_t"
+ "type": "string_t",
+ "is_array": true
},
"relay": {
"caption": "Relay",
@@ -3301,8 +3718,8 @@
"requirements": {
"caption": "Compliance Requirements",
"description": "A list of requirements associated to a specific control in an industry or regulatory framework. e.g. NIST.800-53.r5 AU-10
",
- "is_array": true,
- "type": "string_t"
+ "type": "string_t",
+ "is_array": true
},
"resource": {
"caption": "Resource",
@@ -3317,14 +3734,14 @@
"resources": {
"caption": "Resources Array",
"description": "Describes details about resources that were affected by the activity/event.",
- "is_array": true,
- "type": "resource_details"
+ "type": "resource_details",
+ "is_array": true
},
"resources_result": {
"caption": "Resource Results Array",
"description": "Updated resources after an activity/event.",
- "is_array": true,
- "type": "resource_details"
+ "type": "resource_details",
+ "is_array": true
},
"response": {
"caption": "API Response Details",
@@ -3336,14 +3753,22 @@
"description": "The Domain Name System (DNS) response time.",
"type": "timestamp_t"
},
+ "risk_details": {
+ "caption": "Risk Details",
+ "description": "Describes the risk associated with the finding.",
+ "type": "string_t"
+ },
"risk_level": {
"caption": "Risk Level",
- "description": "The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source.",
+ "description": "The risk level, normalized to the caption of the risk_level_id value.",
"type": "string_t"
},
"risk_level_id": {
"caption": "Risk Level ID",
"description": "The normalized risk level id.",
+ "suppress_checks": ["enum_convention"],
+ "sibling": "risk_level",
+ "type": "integer_t",
"enum": {
"0": {
"caption": "Info"
@@ -3359,21 +3784,18 @@
},
"4": {
"caption": "Critical"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The risk level is not mapped. See the risk_level
attribute, which contains a data source specific value."
}
- },
- "sibling": "risk_level",
- "type": "integer_t"
+ }
},
"risk_score": {
"caption": "Risk Score",
"description": "The risk score as reported by the event source.",
"type": "integer_t"
},
- "risk_details": {
- "caption": "Risk Details",
- "description": "Describes the risk associated with the finding.",
- "type": "string_t"
- },
"rpc_interface": {
"caption": "Remote Procedure Call Interface",
"description": "The RPC Interface object describes the details pertaining to the remote procedure call interface.",
@@ -3392,9 +3814,18 @@
"run_state_id": {
"caption": "Run State ID",
"description": "The normalized identifier of the state of the job or service. See specific usage.",
- "enum": {},
"sibling": "run_state",
- "type": "integer_t"
+ "type": "integer_t",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The run state is unknown."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The run state is not mapped. See the run_state
attribute, which contains a data source specific value."
+ }
+ }
},
"runtime": {
"caption": "Runtime",
@@ -3414,8 +3845,8 @@
"sans": {
"caption": "Subject Alternative Names",
"description": "The list of subject alternative names that are secured by a specific certificate.",
- "is_array": true,
- "type": "san"
+ "type": "san",
+ "is_array": true
},
"scale_factor": {
"caption": "Scale Factor",
@@ -3445,11 +3876,9 @@
"score_id": {
"caption": "Reputation Score ID",
"description": "The normalized reputation score identifier.",
+ "sibling": "score",
+ "type": "integer_t",
"enum": {
- "99": {
- "caption": "Other",
- "description": "The reputation score is not mapped. See the rep_score
attribute, which contains a data source specific value."
- },
"0": {
"caption": "Unknown",
"description": "The reputation score is unknown."
@@ -3458,10 +3887,6 @@
"caption": "Very Safe",
"description": "Long history of good behavior."
},
- "10": {
- "caption": "Malicious",
- "description": "Proven evidence of maliciousness."
- },
"2": {
"caption": "Safe",
"description": "Consistently good behavior."
@@ -3493,19 +3918,45 @@
"9": {
"caption": "Probably Malicious",
"description": "Indicators of maliciousness."
+ },
+ "10": {
+ "caption": "Malicious",
+ "description": "Proven evidence of maliciousness."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The reputation score is not mapped. See the rep_score
attribute, which contains a data source specific value."
}
- },
- "sibling": "score",
- "type": "integer_t"
+ }
+ },
+ "section_a": {
+ "caption": "JA4 Section A",
+ "description": "The 'a' section of the JA4 fingerprint.",
+ "type": "string_t"
+ },
+ "section_b": {
+ "caption": "JA4 Section B",
+ "description": "The 'b' section of the JA4 fingerprint.",
+ "type": "string_t"
+ },
+ "section_c": {
+ "caption": "JA4 Section C",
+ "description": "The 'c' section of the JA4 fingerprint.",
+ "type": "string_t"
+ },
+ "section_d": {
+ "caption": "JA4 Section D",
+ "description": "The 'd' section of the JA4 fingerprint.",
+ "type": "string_t"
},
"secure": {
+ "caption": "Secure",
+ "description": "The cookie attribute to only send cookies to the server with an encrypted request over the HTTPS protocol.",
+ "type": "boolean_t",
"@deprecated": {
"message": "Use the is_secure
attribute instead.",
"since": "1.1.0"
- },
- "caption": "Secure",
- "description": "The cookie attribute to only send cookies to the server with an encrypted request over the HTTPS protocol.",
- "type": "boolean_t"
+ }
},
"security_descriptor": {
"caption": "Security Descriptor",
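Review bot: The re-added `"99"` entry of `score_id` still tells readers to "See the rep_score attribute", but the sibling this commit declares for `score_id` is `score`, so a mapper following the text will look for an attribute the entry does not name. The line should read `"description": "The reputation score is not mapped. See the score attribute, which contains a data source specific value."`. The `verdict_id` hunk further down has the same kind of mismatch: its `"Other"` text says "The type is not mapped. See the type attribute" while the added sibling is `verdict`. The `score_id` entry begins in an earlier hunk.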
@@ -3520,11 +3971,9 @@
"security_level_id": {
"caption": "Security Level ID",
"description": "The current security level of the entity",
+ "sibling": "security_level",
+ "type": "integer_t",
"enum": {
- "99": {
- "caption": "Other",
- "description": "The security level is not mapped. See the security_level
attribute, which contains data source specific values."
- },
"0": {
"caption": "Unknown"
},
@@ -3536,22 +3985,29 @@
},
"3": {
"caption": "Compromised"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The security level is not mapped. See the security_level
attribute, which contains data source specific values."
}
- },
- "sibling": "security_level",
- "type": "integer_t"
+ }
},
"security_questions": {
"caption": "Security Questions",
"description": "The question(s) provided to user for a question-based authentication factor.",
- "is_array": true,
- "type": "string_t"
+ "type": "string_t",
+ "is_array": true
},
"security_states": {
"caption": "Security States",
"description": "The current security states. See specific usage.",
- "is_array": true,
- "type": "security_state"
+ "type": "security_state",
+ "is_array": true
+ },
+ "sensitivity": {
+ "caption": "Sensitivity",
+ "description": "The sensitivity of the firewall rule in the matched event. For example: HIGH.",
+ "type": "string_t"
},
"sequence": {
"caption": "Sequence Number",
@@ -3566,8 +4022,8 @@
"server_ciphers": {
"caption": "Server Cipher Suites",
"description": "The server cipher suites that were exchanged during the TLS handshake negotiation.",
- "is_array": true,
- "type": "string_t"
+ "type": "string_t",
+ "is_array": true
},
"server_hassh": {
"caption": "Server HASSH",
@@ -3592,11 +4048,9 @@
"severity_id": {
"caption": "Severity ID",
"description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "sibling": "severity",
+ "type": "integer_t",
"enum": {
- "99": {
- "caption": "Other",
- "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
- },
"0": {
"caption": "Unknown",
"description": "The event/finding severity is unknown."
@@ -3624,10 +4078,12 @@
"6": {
"caption": "Fatal",
"description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See the severity
attribute, which contains a data source specific value."
}
- },
- "sibling": "severity",
- "type": "integer_t"
+ }
},
"share": {
"caption": "Share",
@@ -3642,11 +4098,9 @@
"share_type_id": {
"caption": "Share Type Id",
"description": "The normalized identifier of the share type.",
+ "sibling": "share_type",
+ "type": "integer_t",
"enum": {
- "99": {
- "caption": "Other",
- "description": "The share type is not mapped. See the share_type
attribute, which contains a data source specific value."
- },
"0": {
"caption": "Unknown",
"description": "The share type is unknown."
@@ -3659,16 +4113,29 @@
},
"3": {
"caption": "Print"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The share type is not mapped. See the share_type
attribute, which contains a data source specific value."
}
- },
- "sibling": "share_type",
- "type": "integer_t"
+ }
+ },
+ "short_desc": {
+ "caption": "Short Description",
+ "description": "The short description that pertains to the object or event. See specific usage.",
+ "type": "string_t"
},
"signature": {
"caption": "Digital Signature",
"description": "The digital signature of the file.",
"type": "digital_signature"
},
+ "signatures": {
+ "caption": "Digital Signatures",
+ "description": "A collection of Digital Signature
objects.",
+ "is_array": true,
+ "type": "digital_signature"
+ },
"size": {
"caption": "Size",
"description": "The size of data, in bytes.",
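Review bot: The new `signatures` entry puts `"is_array": true` before `"type"`, the opposite of the key order this commit applies everywhere else (`"type"` first, `"is_array"` last). The same applies to the added `subdomains` and `osint` entries in later hunks, and `osint` is also inserted between `terminated_time` and `tid` instead of at its alphabetical position. I would write the tail of each as `"type": "digital_signature",` followed by `"is_array": true` (with the matching type for the other two) so the dictionary stays uniformly ordered.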
@@ -3687,19 +4154,14 @@
"smtp_to": {
"caption": "SMTP To",
"description": "The value of the SMTP envelope RCPT TO command.",
- "is_array": true,
- "type": "email_t"
+ "type": "email_t",
+ "is_array": true
},
"sni": {
"caption": "Server Name Indication",
"description": " The Server Name Indication (SNI) extension sent by the client.",
"type": "string_t"
},
- "spf": {
- "caption": "SPF Status",
- "description": "The Sender Policy Framework (SPF) status of the email.",
- "type": "string_t"
- },
"sp_name": {
"caption": "OS Service Pack",
"description": "The name of the latest Service Pack.",
@@ -3710,6 +4172,11 @@
"description": "The version number of the latest Service Pack.",
"type": "integer_t"
},
+ "spf": {
+ "caption": "SPF Status",
+ "description": "The Sender Policy Framework (SPF) status of the email.",
+ "type": "string_t"
+ },
"src_endpoint": {
"caption": "Source Endpoint",
"description": "The network source endpoint.",
@@ -3723,8 +4190,8 @@
"standards": {
"caption": "Security Standards",
"description": "Security standards are a set of criteria organizations can follow to protect sensitive and confidential information. e.g. NIST SP 800-53, CIS AWS Foundations Benchmark v1.4.0, ISO/IEC 27001
",
- "is_array": true,
- "type": "string_t"
+ "type": "string_t",
+ "is_array": true
},
"start_address": {
"caption": "Start Address",
@@ -3749,18 +4216,18 @@
"state_id": {
"caption": "State ID",
"description": "The normalized state ID of the event or object. See specific usage.",
+ "sibling": "state",
+ "type": "integer_t",
"enum": {
- "99": {
- "caption": "Other",
- "description": "The state is not mapped. See the state
attribute, which contains a data source specific value."
- },
"0": {
"caption": "Unknown",
"description": "The state is unknown."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The state is not mapped. See the state
attribute, which contains a data source specific value."
}
- },
- "sibling": "state",
- "type": "integer_t"
+ }
},
"status": {
"caption": "Status",
@@ -3773,18 +4240,16 @@
"type": "string_t"
},
"status_detail": {
- "caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "caption": "Status Detail",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"type": "string_t"
},
"status_id": {
"caption": "Status ID",
"description": "The normalized identifier of the event status.",
+ "sibling": "status",
+ "type": "integer_t",
"enum": {
- "99": {
- "caption": "Other",
- "description": "The event status is not mapped. See the status
attribute, which contains a data source specific value."
- },
"0": {
"caption": "Unknown",
"description": "The status is unknown."
@@ -3794,10 +4259,12 @@
},
"2": {
"caption": "Failure"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event status is not mapped. See the status
attribute, which contains a data source specific value."
}
- },
- "sibling": "status",
- "type": "integer_t"
+ }
},
"stratum": {
"caption": "Stratum",
@@ -3807,6 +4274,8 @@
"stratum_id": {
"caption": "Stratum ID",
"description": "The normalized identifier of the stratum level, as defined in RFC-5905.",
+ "sibling": "stratum",
+ "type": "integer_t",
"enum": {
"0": {
"caption": "Unknown",
@@ -3831,13 +4300,11 @@
"caption": "Other",
"description": "The stratum level is not mapped. See the stratum
attribute, which contains a data source specific value."
}
- },
- "sibling": "stratum",
- "type": "integer_t"
+ }
},
"sub_technique": {
"caption": "Sub Technique",
- "description": "The Sub Technique object describes the sub technique ID and/or name associated to an attack, as defined by ATT&CK MatrixTM.",
+ "description": "The Sub Technique object describes the sub technique ID and/or name associated to an attack, as defined by ATT&CK® Matrix.",
"type": "sub_technique"
},
"subdomain": {
@@ -3845,6 +4312,12 @@
"description": "The subdomain portion of the URL. For example: sub
in https://sub.example.com
or sub2.sub1
in https://sub2.sub1.example.com
.",
"type": "string_t"
},
+ "subdomains": {
+ "caption": "Subdomains",
+ "description": "An array of subdomain strings. Can be used to collect several subdomains such as those from Domain Generation Algorithms (DGAs).",
+ "is_array": true,
+ "type": "string_t"
+ },
"subject": {
"caption": "Subject Details",
"description": "The identifier of the subject. See specific usage.",
@@ -3875,11 +4348,6 @@
"description": "The last or family name for the user.",
"type": "string_t"
},
- "is_suspected_breach": {
- "caption": "Suspected Breach",
- "description": "A determination based on analytics as to whether a potential breach was found.",
- "type": "boolean_t"
- },
"svc_name": {
"caption": "Service Name",
"description": "The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service.",
@@ -3897,18 +4365,18 @@
},
"tactic": {
"caption": "Tactic",
- "description": "The Tactic object describes the tactic ID and/or name that is associated to an attack, as defined by ATT&CK MatrixTM.",
+ "description": "The Tactic object describes the tactic ID and/or name that is associated to an attack, as defined by ATT&CK® Matrix.",
"type": "tactic"
},
"tactics": {
+ "caption": "Tactics",
+ "description": "The Tactic object describes the tactic ID and/or tactic name that are associated with the attack technique, as defined by ATT&CK® Matrix.",
+ "type": "tactic",
"@deprecated": {
"message": "Use the tactic
attribute instead.",
"since": "1.1.0"
},
- "caption": "Tactics",
- "description": "The Tactic object describes the tactic ID and/or tactic name that are associated with the attack technique, as defined by ATT&CK MatrixTM.",
- "is_array": true,
- "type": "tactic"
+ "is_array": true
},
"tag": {
"caption": "Image Tag",
@@ -3922,9 +4390,14 @@
},
"technique": {
"caption": "Technique",
- "description": "The Technique object describes the technique ID and/or name associated to an attack, as defined by ATT&CK MatrixTM.",
+ "description": "The Technique object describes the technique ID and/or name associated to an attack, as defined by ATT&CK® Matrix.",
"type": "technique"
},
+ "tenant_uid": {
+ "caption": "Tenant UID",
+ "description": "The unique tenant identifier.",
+ "type": "string_t"
+ },
"terminal": {
"caption": "Terminal",
"description": "The Pseudo Terminal. Ex: the tty or pts value.",
@@ -3935,6 +4408,12 @@
"description": "The time when the entity was terminated. See specific usage.",
"type": "timestamp_t"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "is_array": true,
+ "type": "osint"
+ },
"tid": {
"caption": "Thread ID",
"description": "The Identifier of the thread associated with the event, as returned by the operating system.",
@@ -3950,16 +4429,21 @@
"description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
"type": "integer_t"
},
- "tenant_uid": {
- "caption": "Tenant UID",
- "description": "The unique tenant identifier.",
- "type": "string_t"
+ "ticket": {
+ "caption": "Ticket",
+ "description": "The linked ticket in the ticketing system.",
+ "type": "ticket"
},
"title": {
"caption": "Title",
"description": "The title of an entity. See specific usage.",
"type": "string_t"
},
+ "tlp": {
+ "caption": "Traffic Light Protocol",
+ "description": "The Traffic Light Protocol was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. TLP provides a simple and intuitive schema for indicating with whom potentially sensitive information can be shared.",
+ "type": "string_t"
+ },
"tls": {
"caption": "TLS",
"description": "The Transport Layer Security (TLS) attributes.",
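Review bot: The added `tlp` attribute is a free-form `string_t` whose description explains why the Traffic Light Protocol exists but never says what value the field holds. Producers may then emit `RED`, `TLP:RED`, `tlp-red` and so on, and a consumer that enforces sharing restrictions on this field cannot match them reliably. The description should state the expected form, for example by ending with `The TLP label assigned to the data, for example: TLP:AMBER.`. If normalized handling is intended, an enum of the TLP labels or a `tlp_id` sibling would be the stronger fix, assuming no object elsewhere in the change already constrains the value.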
@@ -3968,14 +4452,14 @@
"tls_extension_list": {
"caption": "TLS Extension List",
"description": "The list of TLS extensions.",
- "is_array": true,
- "type": "tls_extension"
+ "type": "tls_extension",
+ "is_array": true
},
"to": {
"caption": "To",
"description": "The email header To values, as defined by RFC 5322.",
- "is_array": true,
- "type": "email_t"
+ "type": "email_t",
+ "is_array": true
},
"total": {
"caption": "Total",
@@ -4031,18 +4515,18 @@
"type_id": {
"caption": "Type ID",
"description": "The normalized type identifier of an object. See specific usage.",
+ "sibling": "type",
+ "type": "integer_t",
"enum": {
- "99": {
- "caption": "Other",
- "description": "The type is not mapped. See the type
attribute, which contains a data source specific value."
- },
"0": {
"caption": "Unknown",
"description": "The type is unknown."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The type is not mapped. See the type
attribute, which contains a data source specific value."
}
- },
- "sibling": "type",
- "type": "integer_t"
+ }
},
"type_name": {
"caption": "Type Name",
@@ -4058,8 +4542,8 @@
"types": {
"caption": "Types",
"description": "The type/s of an entity. See specific usage.",
- "is_array": true,
- "type": "string_t"
+ "type": "string_t",
+ "is_array": true
},
"uid": {
"caption": "Unique ID",
@@ -4091,15 +4575,9 @@
"description": "The user that pertains to the event or object.",
"type": "user"
},
- "users": {
- "caption": "Users",
- "description": "The users that pertain to the event or object.",
- "is_array": true,
- "type": "user"
- },
"user_agent": {
- "caption": "HTTP User-Agent",
"observable": 16,
+ "caption": "HTTP User-Agent",
"description": "The request header that identifies the operating system and web browser.",
"type": "string_t"
},
@@ -4108,6 +4586,12 @@
"description": "The result of the user account change. It should contain the new values of the changed attributes.",
"type": "user"
},
+ "users": {
+ "caption": "Users",
+ "description": "The users that pertain to the event or object.",
+ "type": "user",
+ "is_array": true
+ },
"uuid": {
"caption": "UUID",
"description": "The universally unique identifier. See specific usage.",
@@ -4136,6 +4620,8 @@
"verdict_id": {
"caption": "Verdict ID",
"description": "The normalized verdict of an Incident.",
+ "sibling": "verdict",
+ "type": "integer_t",
"enum": {
"0": {
"caption": "Unknown",
@@ -4185,9 +4671,7 @@
"caption": "Other",
"description": "The type is not mapped. See the type
attribute, which contains a data source specific value."
}
- },
- "sibling": "verdict",
- "type": "integer_t"
+ }
},
"version": {
"caption": "Version",
@@ -4207,8 +4691,8 @@
"vulnerabilities": {
"caption": "Vulnerabilities",
"description": "This object describes vulnerabilities reported in a security finding.",
- "is_array": true,
- "type": "vulnerability"
+ "type": "vulnerability",
+ "is_array": true
},
"vulnerability": {
"caption": "Vulnerability",
@@ -4218,26 +4702,31 @@
"web_resources": {
"caption": "Web Resources",
"description": "Describes details about web resources that were affected by an activity/event.",
- "is_array": true,
- "type": "web_resource"
+ "type": "web_resource",
+ "is_array": true
},
"web_resources_result": {
"caption": "Web Resources Result",
"description": "The results of the activity on web resources. It should contain the new values of the changed attributes of the web resources.",
- "is_array": true,
- "type": "web_resource"
+ "type": "web_resource",
+ "is_array": true
+ },
+ "whois": {
+ "caption": "WHOIS",
+ "description": "The resources of a WHOIS record for a given domain. This can include domain names, IP address blocks, autonomous system information, and/or contact and registration information for a domain.",
+ "type": "whois"
},
"x_forwarded_for": {
"caption": "X-Forwarded-For",
"description": "The X-Forwarded-For header identifying the originating IP address(es) of a client connecting to a web server through an HTTP proxy or a load balancer.",
- "is_array": true,
- "type": "ip_t"
+ "type": "ip_t",
+ "is_array": true
},
"x_originating_ip": {
"caption": "X-Originating-IP",
"description": "The X-Originating-IP header identifying the emails originating IP address(es).",
- "is_array": true,
- "type": "ip_t"
+ "type": "ip_t",
+ "is_array": true
},
"xattributes": {
"caption": "Extended Attributes",
@@ -4248,32 +4737,6 @@
"caption": "Network Zone",
"description": "The network zone or LAN segment.",
"type": "string_t"
- },
- "condition": {
- "caption": "Condition",
- "description": "The rule trigger condition for the rule. For example: SQL_INJECTION.",
- "type": "string_t"
- },
- "sensitivity": {
- "caption": "Sensitivity",
- "description": "The sensitivity of the firewall rule in the matched event. For example: HIGH.",
- "type": "string_t"
- },
- "match_location": {
- "caption": "Match Location",
- "description": "The location of the matched data in the source which resulted in the triggered firewall rule. For example: HEADER.",
- "type": "string_t"
- },
- "match_details": {
- "caption": "Match Details",
- "description": "The data in a request that rule matched. For example: '[\"10\",\"and\",\"1\"]'.",
- "is_array": true,
- "type": "string_t"
- },
- "rate_limit": {
- "caption": "Rate Limit",
- "description": "The rate limit for a rate-based rule.",
- "type": "integer_t"
}
},
"types": {
@@ -4302,25 +4765,25 @@
"type_name": "String"
},
"email_t": {
+ "observable": 5,
"caption": "Email Address",
"description": "Email address. For example: john_doe@example.com
.",
- "observable": 5,
"regex": "^[a-zA-Z0-9!#$%&'*+-/=?^_`{|}~.]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$",
"type": "string_t",
"type_name": "String"
},
"file_hash_t": {
- "caption": "Hash",
- "description": "Hash. A unique value that corresponds to the content of the file, image, ja3_hash or hassh found in the schema. For example MD5: 3172ac7e2b55cbb81f04a6e65855a628
.",
"max_len": 64,
"observable": 8,
+ "caption": "Hash",
+ "description": "Hash. A unique value that corresponds to the content of the file, image, ja3_hash or hassh found in the schema. For example MD5: 3172ac7e2b55cbb81f04a6e65855a628
.",
"type": "string_t",
"type_name": "String"
},
"file_name_t": {
+ "observable": 7,
"caption": "File Name",
"description": "File name. For example: text-file.txt
.",
- "observable": 7,
"type": "string_t",
"type_name": "String"
},
@@ -4329,9 +4792,9 @@
"description": "Real floating-point value. For example: 3.14
."
},
"hostname_t": {
+ "observable": 1,
"caption": "Hostname",
"description": "Unique name assigned to a device connected to a computer network. A domain name in general is an Internet address that can be resolved through the Domain Name System (DNS). For example: r2-d2.example.com
.",
- "observable": 1,
"regex": "^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])$",
"type": "string_t",
"type_name": "String"
@@ -4341,10 +4804,10 @@
"description": "Signed integer value."
},
"ip_t": {
- "caption": "IP Address",
- "description": "Internet Protocol address (IP address), in either IPv4 or IPv6 format. For example, 192.168.200.24
or 2001:0db8:85a3:0000:0000:8a2e:0370:7334
.",
"max_len": 40,
"observable": 2,
+ "caption": "IP Address",
+ "description": "Internet Protocol address (IP address), in either IPv4 or IPv6 format. For example, 192.168.200.24
or 2001:0db8:85a3:0000:0000:8a2e:0370:7334
.",
"regex": "((^\\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]).){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\\s*$)|(^\\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:)))(%.+)?\\s*$))",
"type": "string_t",
"type_name": "String"
@@ -4358,50 +4821,50 @@
"description": "8-byte long, signed integer value."
},
"mac_t": {
- "caption": "MAC Address",
- "description": "Media Access Control (MAC) address. For example: 18:36:F3:98:4F:9A
.",
"max_len": 32,
"observable": 3,
+ "caption": "MAC Address",
+ "description": "Media Access Control (MAC) address. For example: 18:36:F3:98:4F:9A
.",
"regex": "^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$",
"type": "string_t",
"type_name": "String"
},
"port_t": {
- "caption": "Port",
"observable": 11,
+ "caption": "Port",
"description": "The TCP/UDP port number. For example: 80
or 22
.",
+ "type": "integer_t",
+ "type_name": "Integer",
"range": [
0,
65535
- ],
- "type": "integer_t",
- "type_name": "Integer"
+ ]
},
"process_name_t": {
+ "observable": 9,
"caption": "Process Name",
"description": "Process name. For example: Notepad
.",
- "observable": 9,
"type": "string_t",
"type_name": "String"
},
"resource_uid_t": {
- "caption": "Resource UID",
- "description": "Resource unique identifier. For example, S3 Bucket name or EC2 Instance ID.",
"max_len": 64,
"observable": 10,
+ "caption": "Resource UID",
+ "description": "Resource unique identifier. For example, S3 Bucket name or EC2 Instance ID.",
"type": "string_t",
"type_name": "String"
},
"string_t": {
+ "max_len": 65535,
"caption": "String",
- "description": "UTF-8 encoded byte sequence.",
- "max_len": 65535
+ "description": "UTF-8 encoded byte sequence."
},
"subnet_t": {
- "caption": "Subnet",
+ "max_len": 42,
"observable": 12,
+ "caption": "Subnet",
"description": "The subnet represented in a CIDR notation, using the format network_address/prefix_length. The network_address can be in either IPv4 or IPv6 format. The prefix length indicates the number of bits used for the network portion, and the remaining bits are available for host addresses within that subnet. http://www.example.com/download/trouble.exe
.",
- "observable": 6,
"type": "string_t",
"type_name": "String"
},
"username_t": {
+ "observable": 4,
"caption": "User Name",
"description": "User name. For example: john_doe
.",
- "observable": 4,
"type": "string_t",
"type_name": "String"
},
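Review bot: The new `"max_len": 42` on `subnet_t` is one character short for a fully written IPv6 network with a three-digit prefix. The `ip_t` example address `2001:0db8:85a3:0000:0000:8a2e:0370:7334` is 39 characters, and appending `/128` gives 43. If a validator or pipeline enforces `max_len`, such subnets would be rejected or truncated, which loses the observable. I would use `"max_len": 43`, or a larger bound if IPv4-mapped IPv6 notation has to fit.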
@@ -4434,4 +4897,4 @@
}
}
}
-}
\ No newline at end of file
+}
diff --git a/events/application/application_lifecycle.json b/events/application/application_lifecycle.json
index 7cdbcdaa6..ab3b01095 100644
--- a/events/application/application_lifecycle.json
+++ b/events/application/application_lifecycle.json
@@ -15,16 +15,36 @@
"requirement": "required",
"enum": {
"1": {
- "caption": "Install"
+ "caption": "Install",
+ "description": "Install the application."
},
"2": {
- "caption": "Remove"
+ "caption": "Remove",
+ "description": "Remove the application."
},
"3": {
- "caption": "Start"
+ "caption": "Start",
+ "description": "Start the application."
},
"4": {
- "caption": "Stop"
+ "caption": "Stop",
+ "description": "Stop the application."
+ },
+ "5": {
+ "caption": "Restart",
+ "description": "Restart the application."
+ },
+ "6": {
+ "caption": "Enable",
+ "description": "Enable the application."
+ },
+ "7": {
+ "caption": "Disable",
+ "description": "Disable the application."
+ },
+ "8": {
+ "caption": "Update",
+ "description": "Update the application."
}
}
},
diff --git a/events/application/file_hosting.json b/events/application/file_hosting.json
index 6b6c5a194..fce6db401 100644
--- a/events/application/file_hosting.json
+++ b/events/application/file_hosting.json
@@ -97,10 +97,15 @@
"group": "primary",
"requirement": "required"
},
+ "file_result": {
+ "description": "The resulting file object when the activity was allowed and successful.",
+ "group": "context",
+ "requirement": "optional"
+ },
"src_endpoint": {
"description": "The endpoint that performed the activity on the target file.",
"group": "primary",
"requirement": "required"
}
}
-}
\ No newline at end of file
+}
diff --git a/events/base_event.json b/events/base_event.json
index fef00766f..e2c9d32a8 100644
--- a/events/base_event.json
+++ b/events/base_event.json
@@ -5,14 +5,16 @@
"name": "base_event",
"profiles": [
"cloud",
- "datetime"
+ "datetime",
+ "osint"
],
"attributes": {
"$include": [
"includes/classification.json",
"includes/occurrence.json",
"profiles/cloud.json",
- "profiles/datetime.json"
+ "profiles/datetime.json",
+ "profiles/osint.json"
],
"enrichments": {
"group": "context",
diff --git a/events/discovery/device_config_state_change.json b/events/discovery/device_config_state_change.json
index 642788997..9862d7396 100644
--- a/events/discovery/device_config_state_change.json
+++ b/events/discovery/device_config_state_change.json
@@ -1,41 +1,75 @@
{
- "caption": "Device Config State Change",
- "description": "Device Config State Change events report state changes that impact the security of the device.",
- "extends": "discovery",
- "name": "device_config_state_change",
- "uid": 19,
- "profiles": [
- "host"
- ],
- "attributes": {
- "actor": {
- "group": "context",
- "requirement": "optional"
+ "uid": 19,
+ "caption": "Device Config State Change",
+ "description": "Device Config State Change events report state changes that impact the security of the device.",
+ "extends": "discovery",
+ "name": "device_config_state_change",
+ "attributes": {
+ "actor": {
+ "group": "context",
+ "requirement": "optional"
+ },
+ "device": {
+ "description": "The device that is impacted by the state change.",
+ "group": "primary",
+ "requirement": "required"
+ },
+ "prev_security_level": {
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "prev_security_level_id": {
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "prev_security_states": {
+ "description": "The previous security states of the device.",
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "security_level": {
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "security_level_id": {
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "security_states": {
+ "description": "The current security states of the device.",
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "state": {
+ "caption": "Config Change State",
+ "description": "The Config Change Stat, normalized to the caption of the state_id value. In the case of 'Other', it is defined by the source.",
+ "requirement": "optional"
+ },
+ "state_id": {
+ "caption": "Config Change State ID",
+ "description": "The Config Change State of the managed entity.",
+ "requirement": "recommended",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The Config Change state is unknown."
+ },
+ "1": {
+ "caption": "Disabled",
+ "description": "Config State Changed to Disabled."
+ },
+ "2": {
+ "caption": "Enabled",
+ "description": "Config State Changed to Enabled."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The Config Change is not mapped. See the state
attribute, which contains data source specific values."
+ }
+ }
+ }
},
- "device": {
- "group": "primary",
- "requirement": "required",
- "description": "The device that is impacted by the state change."
- },
- "security_level": {
- "group": "primary"
- },
- "security_level_id": {
- "group": "primary"
- },
- "security_states": {
- "description": "The current security states of the device.",
- "group": "primary"
- },
- "prev_security_level": {
- "group": "primary"
- },
- "prev_security_level_id": {
- "group": "primary"
- },
- "prev_security_states": {
- "description": "The previous security states of the device.",
- "group": "primary"
- }
- }
+ "profiles": [
+ "host"
+ ]
}
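Review bot: The new `state` description has a typo ("The Config Change Stat, normalized to…"), and neither `state` nor `state_id` declares a `group`, unlike every other attribute in this class. The description should start `"The Config Change State, normalized to the caption of the state_id value.`, and both attributes should get an explicit `"group"` unless one is inherited from a parent class that is not visible here. The `state_id` description ("of the managed entity") could also say "of the device" to match the rest of the file.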
diff --git a/events/discovery/osint_inventory_info.json b/events/discovery/osint_inventory_info.json
new file mode 100644
index 000000000..a00cf5c3e
--- /dev/null
+++ b/events/discovery/osint_inventory_info.json
@@ -0,0 +1,19 @@
+{
+ "caption": "OSINT Inventory Info",
+ "description": "OSINT Inventory Info events report open source intelligence or threat intelligence inventory data that is either logged or proactively collected. For example, when collecting OSINT information from Threat Intelligence Platforms (TIPs) or Extended Detection and Response (XDR) platforms, or collecting data from OSINT or other generic threat intelligence and enrichment feeds such as APIs and datastores.",
+ "extends": "discovery",
+ "name": "osint_inventory_info",
+ "uid": 21,
+ "attributes": {
+ "actor": {
+ "description": "The actor describes the process that was the source of the inventory activity. In the case of OSINT inventory data, that could be a particular process or script that is run to scrape the OSINT or threat intelligence data. For example, it could be a Python process that runs to pull data from a MISP or Shodan API.",
+ "group": "context",
+ "requirement": "optional"
+ },
+ "osint": {
+ "group": "primary",
+ "requirement": "required",
+ "description": "The OSINT that is being discovered by an inventory process."
+ }
+ }
+}
\ No newline at end of file
diff --git a/events/discovery/patch_state.json b/events/discovery/patch_state.json
index 4a7c64ccb..25afd9cb9 100644
--- a/events/discovery/patch_state.json
+++ b/events/discovery/patch_state.json
@@ -8,7 +8,11 @@
"host"
],
"attributes": {
+ "$include": [
+ "profiles/host.json"
+ ],
"device": {
+ "profile": null,
"group": "primary",
"requirement": "required"
},
diff --git a/events/discovery/software_inventory_info.json b/events/discovery/software_inventory_info.json
new file mode 100644
index 000000000..86e3f7aa2
--- /dev/null
+++ b/events/discovery/software_inventory_info.json
@@ -0,0 +1,31 @@
+{
+ "caption": "Software Inventory Info",
+ "description": "Software Inventory Info events report device software inventory data that is either logged or proactively collected. For example, when collecting device information from a CMDB or running a network sweep of connected devices.",
+ "extends": "discovery",
+ "name": "software_info",
+ "uid": 20,
+ "profiles": [
+ "host"
+ ],
+ "attributes": {
+ "actor": {
+ "group": "context",
+ "requirement": "optional"
+ },
+ "device": {
+ "group": "primary",
+ "requirement": "required",
+ "description": "The device that is being discovered by an inventory process."
+ },
+ "package": {
+ "group": "primary",
+ "requirement": "required",
+ "description": "The device software that is being discovered by an inventory process."
+ },
+ "product": {
+ "group": "context",
+ "requirement": "optional",
+ "description": "Additional product attributes that have been discovered or enriched from a catalog or other external source."
+ }
+ }
+}
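Review bot: The class `name` is `software_info`, while the file name, the caption and the sibling class added in this commit (`osint_inventory_info`) all use the `*_inventory_info` form. If the shorter name is not deliberate, `"name": "software_inventory_info"` would keep the identifier that consumers key on predictable. The example in `description` also still describes collecting device information from a CMDB or a network sweep, which looks carried over from a device inventory class. An example about collecting installed package data would describe this class better.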
diff --git a/events/findings/compliance_finding.json b/events/findings/compliance_finding.json
index bf8b6f95f..e46e7602c 100644
--- a/events/findings/compliance_finding.json
+++ b/events/findings/compliance_finding.json
@@ -15,9 +15,18 @@
"requirement": "recommended"
},
"resource": {
+ "@deprecated": {
+ "message": "Use the resources
attribute instead.",
+ "since": "1.3.0"
+ },
"description": "Describes details about the resource that is the subject of the compliance check.",
"group": "primary",
"requirement": "recommended"
+ },
+ "resources": {
+ "description": "Describes details about the resource/resouces that are the subject of the compliance check.",
+ "group": "primary",
+ "requirement": "recommended"
}
}
}
\ No newline at end of file
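Review bot: The new `resources` description misspells the word as `resouces`, and the same string is repeated in the compliance_finding hunk of `export/schema.json`. It should read `"description": "Describes details about the resource/resources that are the subject of the compliance check."`. Separately, `resource` is deprecated but stays at `recommended` next to `resources`, so a producer may populate either one. The description could say that consumers should read both until `resource` is removed, and the same applies to the `vulnerability_finding.json` hunk.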
diff --git a/events/findings/data_security_finding.json b/events/findings/data_security_finding.json
index e97056758..674a4ea67 100644
--- a/events/findings/data_security_finding.json
+++ b/events/findings/data_security_finding.json
@@ -52,7 +52,7 @@
},
"resources": {
"caption": "Affected Resources",
- "description": "Describes details about resources twhere classified or sensitive data is stored in, or was accessed from.",
+ "description": "Describes details about resources where classified or sensitive data is stored in, or was accessed from.",
"group": "context",
"requirement": "recommended"
},
diff --git a/events/findings/incident_finding.json b/events/findings/incident_finding.json
index aedd77d8e..63715ade4 100644
--- a/events/findings/incident_finding.json
+++ b/events/findings/incident_finding.json
@@ -132,6 +132,10 @@
"group": "primary",
"requirement": "required"
},
+ "ticket": {
+ "group": "context",
+ "requirement": "optional"
+ },
"is_suspected_breach": {
"group": "context",
"requirement": "optional"
diff --git a/events/findings/vulnerability_finding.json b/events/findings/vulnerability_finding.json
index f4a9c4cb8..cf0af64ae 100644
--- a/events/findings/vulnerability_finding.json
+++ b/events/findings/vulnerability_finding.json
@@ -6,10 +6,20 @@
"uid": 2,
"attributes": {
"resource": {
+ "@deprecated": {
+ "message": "Use the resources
attribute instead.",
+ "since": "1.3.0"
+ },
"description": "Describes details about the resource that is affected by the vulnerability/vulnerabilities.",
"group": "primary",
"requirement": "recommended"
},
+ "resources": {
+ "caption": "Affected Resources",
+ "description": "Describes details about the resource/resources that are affected by the vulnerability/vulnerabilities.",
+ "group": "primary",
+ "requirement": "recommended"
+ },
"vulnerabilities": {
"group": "primary",
"requirement": "required"
diff --git a/events/iam/authentication.json b/events/iam/authentication.json
index c686b533f..d02864ae5 100644
--- a/events/iam/authentication.json
+++ b/events/iam/authentication.json
@@ -78,7 +78,8 @@
"description": "The attempted authentication is over a remote connection."
},
"logon_process": {
- "group": "context"
+ "group": "context",
+ "requirement": "optional"
},
"logon_type": {
"group": "primary",
diff --git a/events/iam/entity_management.json b/events/iam/entity_management.json
index 529d479d4..c33d0cfff 100644
--- a/events/iam/entity_management.json
+++ b/events/iam/entity_management.json
@@ -8,21 +8,61 @@
"activity_id": {
"enum": {
"1": {
- "caption": "Create"
+ "caption": "Create",
+ "description": "Create a new managed entity."
},
"2": {
- "caption": "Read"
+ "caption": "Read",
+ "description": "Read an existing managed entity."
},
"3": {
- "caption": "Update"
+ "caption": "Update",
+ "description": "Update an existing managed entity."
},
"4": {
- "caption": "Delete"
+ "caption": "Delete",
+ "description": "Delete a managed entity."
+ },
+ "5": {
+ "caption": "Move",
+ "description": "Move or rename an existing managed entity."
+ },
+ "6": {
+ "caption": "Enroll",
+ "description": "Enroll an existing managed entity."
+ },
+ "7": {
+ "caption": "Unenroll",
+ "description": "Unenroll an existing managed entity."
+ },
+ "8": {
+ "caption": "Enable",
+ "description": "Enable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change."
+ },
+ "9": {
+ "caption": "Disable",
+ "description": "Disable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change."
+ },
+ "10": {
+ "caption": "Activate",
+ "description": "Activate an existing managed entity. Note: This is a typically regarded as a transient change, a change of state of the engine."
+ },
+ "11": {
+ "caption": "Deactivate",
+ "description": "Deactivate an existing managed entity. Note: This is a typically regarded as a transient change, a change of state of the engine."
+ },
+ "12": {
+ "caption": "Suspend",
+ "description": "Suspend an existing managed entity."
+ },
+ "13": {
+ "caption": "Resume",
+ "description": "Resume (unsuspend) an existing managed entity."
}
}
},
"actor": {
- "description": "Use for when the entity acting upon another entity is a process or user.",
+ "description": "Used for when the entity acting upon another entity is a process or user.",
"group": "context"
},
"comment": {
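Review bot: The descriptions for `10` (Activate) and `11` (Deactivate) contain a stray article, "This is a typically regarded as a transient change". Both should read `Note: This is typically regarded as a transient change, a change of state of the engine.`. The split between Enable/Disable and Activate/Deactivate rests on "editor visible, syncable" and "state of the engine", neither of which is defined in this file. One concrete example in each description would help anyone mapping account or policy state changes pick the same value consistently.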
@@ -37,6 +77,14 @@
"entity_result": {
"group": "primary",
"requirement": "recommended"
+ },
+ "access_mask": {
+ "group": "context",
+ "requirement": "optional"
+ },
+ "access_list": {
+ "group": "context",
+ "requirement": "optional"
}
}
}
diff --git a/events/network/http.json b/events/network/http.json
index c951ba208..f3c2a32e6 100644
--- a/events/network/http.json
+++ b/events/network/http.json
@@ -55,7 +55,8 @@
"requirement": "required"
},
"http_status": {
- "group": "primary"
+ "group": "primary",
+ "requirement": "recommended"
},
"file": {
"description": "The file that is the target of the HTTP activity.",
diff --git a/events/network/network.json b/events/network/network.json
index dd16ceb8c..b49ee9b37 100644
--- a/events/network/network.json
+++ b/events/network/network.json
@@ -30,6 +30,10 @@
"group": "primary",
"requirement": "required"
},
+ "ja4_fingerprint_list": {
+ "group": "context",
+ "requirement": "optional"
+ },
"proxy": {
"group": "primary",
"requirement": "recommended"
@@ -37,10 +41,11 @@
"src_endpoint": {
"description": "The initiator (client) of the network connection.",
"group": "primary",
- "requirement": "required"
+ "requirement": "recommended"
},
"tls": {
- "group": "primary"
+ "group": "context",
+ "requirement": "optional"
},
"traffic": {
"group": "primary",
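Review bot: `src_endpoint` is relaxed from `required` to `recommended` with no constraint visible in this hunk taking its place, so a network event that names no initiator would presumably now validate. If the intent is to allow records where only one side is known, an `at_least_one` constraint over `src_endpoint` and `dst_endpoint`, in the form `tunnel_activity.json` already uses, would keep attribution from disappearing entirely. Whether `dst_endpoint` remains required is outside this hunk, as is the rest of the `attributes` object. Correlation and detection logic that assumes `src_endpoint` is always present on network classes will need to handle its absence after this change.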
diff --git a/events/network/tunnel_activity.json b/events/network/tunnel_activity.json
index 314471656..9cff7500e 100644
--- a/events/network/tunnel_activity.json
+++ b/events/network/tunnel_activity.json
@@ -113,9 +113,9 @@
"user"
]
},
- "constraints": {
- "at_least_one": [
- "connection_info",
+ "constraints": {
+ "at_least_one": [
+ "connection_info",
"session",
"src_endpoint",
"traffic",
diff --git a/events/remediation/file_remediation_activity.json b/events/remediation/file_remediation_activity.json
new file mode 100644
index 000000000..e6c63fa2c
--- /dev/null
+++ b/events/remediation/file_remediation_activity.json
@@ -0,0 +1,14 @@
+{
+ "caption": "File Remediation Activity",
+ "description": "File Remediation Activity events report on attempts at remediating files. It follows the MITRE countermeasures defined by the D3FEND™ Matrix. Sub-techniques will include File, such as File Removal or Restore File.",
+ "extends": "remediation_activity",
+ "name": "file_remediation_activity",
+ "uid": 2,
+ "attributes": {
+ "file": {
+ "description": "The file that pertains to the remediation event.",
+ "group": "primary",
+ "requirement": "required"
+ }
+ }
+ }
\ No newline at end of file
diff --git a/events/remediation/network_remediation_activity.json b/events/remediation/network_remediation_activity.json
new file mode 100644
index 000000000..f5455ff92
--- /dev/null
+++ b/events/remediation/network_remediation_activity.json
@@ -0,0 +1,14 @@
+{
+ "caption": "Network Remediation Activity",
+ "description": "Network Remediation Activity events report on attempts at remediating computer networks. It follows the MITRE countermeasures defined by the D3FEND™ Matrix. Techniques and Sub-techniques will include Network, such as Network Isolation or Network Traffic Filtering.",
+ "extends": "remediation_activity",
+ "name": "network_remediation_activity",
+ "uid": 4,
+ "attributes": {
+ "connection_info": {
+ "description": "The network connection that pertains to the remediation event.",
+ "requirement": "required",
+ "group": "primary"
+ }
+ }
+ }
\ No newline at end of file
diff --git a/events/remediation/process_remediation_activity.json b/events/remediation/process_remediation_activity.json
new file mode 100644
index 000000000..feb15b938
--- /dev/null
+++ b/events/remediation/process_remediation_activity.json
@@ -0,0 +1,14 @@
+{
+ "caption": "Process Remediation Activity",
+ "description": "Process Remediation Activity events report on attempts at remediating processes. It follows the MITRE countermeasures defined by the D3FEND™ Matrix. Sub-techniques will include Process, such as Process Termination or Kernel-based Process Isolation.",
+ "extends": "remediation_activity",
+ "name": "process_remediation_activity",
+ "uid": 3,
+ "attributes": {
+ "process": {
+ "description": "The process that pertains to the remediation event.",
+ "group": "primary",
+ "requirement": "required"
+ }
+ }
+ }
\ No newline at end of file
diff --git a/events/remediation/remediation_activity.json b/events/remediation/remediation_activity.json
new file mode 100644
index 000000000..6c9384560
--- /dev/null
+++ b/events/remediation/remediation_activity.json
@@ -0,0 +1,75 @@
+{
+ "caption": "Remediation Activity",
+ "description": "Remediation Activity events report on attempts at remediating a compromised device or computer network. It follows the MITRE countermeasures defined by the D3FEND™ Matrix.",
+ "name": "remediation_activity",
+ "category": "remediation",
+ "extends": "base_event",
+ "uid": 1,
+ "profiles": [
+ "host"
+ ],
+ "attributes": {
+ "$include": [
+ "profiles/host.json"
+ ],
+ "activity_id": {
+ "enum": {
+ "1": {
+ "caption": "Isolate",
+ "description": "Creates logical or physical barriers in a system which reduces opportunities for adversaries to create further accesses. Defined by D3FEND™ d3f:Isolate."
+ },
+ "2": {
+ "caption": "Evict",
+ "description": "Removes an adversary or malicious resource from a device or computer network. Defined by D3FEND™ d3f:Evict."
+ },
+ "3": {
+ "caption": "Restore",
+ "description": "Returns the system to a better state. Defined by D3FEND™ d3f:Restore."
+ },
+ "4": {
+ "caption": "Harden",
+ "description": " Increases the opportunity cost of computer network exploitation. Defined by D3FEND™ d3f:Harden."
+ }
+ },
+ "description": "Matches the MITRE D3FEND™ Tactic. Note: the Model and Detect Tactics are not supported as remediations by the OCSF Remediation event class."
+ },
+ "command_uid": {
+ "description": "The unique identifier of the remediation command that pertains to this event.",
+ "group": "primary",
+ "requirement": "required"
+ },
+ "countermeasures": {
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "remediation": {
+ "group": "context",
+ "requirement": "optional"
+ },
+ "scan": {
+ "group": "context",
+ "description": "The remediation scan that pertains to this event.",
+ "requirement": "optional"
+ },
+ "status_id": {
+ "enum": {
+ "3": {
+ "caption": "Does Not Exist",
+ "description": "The target of the remediation does not exist."
+ },
+ "4": {
+ "caption": "Partial",
+ "description": "The remediation was partially completed."
+ },
+ "5": {
+ "caption": "Unsupported",
+ "description": "The remediation was not supported."
+ },
+ "6": {
+ "caption": "Error",
+ "description": "There was an error during the remediation process."
+ }
+ }
+ }
+ }
+ }
\ No newline at end of file
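Review bot: The `Harden` description under `activity_id` `4` begins with a stray space inside the string. It should read `"description": "Increases the opportunity cost of computer network exploitation. Defined by D3FEND™ d3f:Harden."`. The `status_id` enum defines only `3` to `6`, which presumably extends values inherited from `base_event`. A `description` on `status_id` saying so would make it clear which value a failed or partially applied remediation should carry. The file also ends without a trailing newline, as do the three sibling remediation class files.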
diff --git a/events/system/event_log.json b/events/system/event_log.json
new file mode 100644
index 000000000..993d7e793
--- /dev/null
+++ b/events/system/event_log.json
@@ -0,0 +1,117 @@
+{
+ "caption": "Event Log Activity",
+ "description": "Event Log Activity events report actions pertaining to the system's event logging service(s), such as disabling logging or clearing the log data.",
+ "extends": "system",
+ "name": "event_log",
+ "uid": 8,
+ "attributes": {
+ "activity_id": {
+ "enum": {
+ "1": {
+ "caption": "Clear",
+ "description": "Clear the event log database, file, or cache."
+ },
+ "2": {
+ "caption": "Delete",
+ "description": "Delete the event log database, file, or cache."
+ },
+ "3": {
+ "caption": "Export",
+ "description": "Export the event log database, file, or cache."
+ },
+ "4": {
+ "caption": "Archive",
+ "description": "Archive the event log database, file, or cache."
+ },
+ "5": {
+ "caption": "Rotate",
+ "description": "Rotate the event log database, file, or cache."
+ },
+ "6": {
+ "caption": "Start",
+ "description": "Start the event logging service."
+ },
+ "7": {
+ "caption": "Stop",
+ "description": "Stop the event logging service."
+ },
+ "8": {
+ "caption": "Restart",
+ "description": "Restart the event logging service."
+ },
+ "9": {
+ "caption": "Enable",
+ "description": "Enable the event logging service."
+ },
+ "10": {
+ "caption": "Disable",
+ "description": "Disable the event logging service."
+ }
+ }
+ },
+ "actor": {
+ "description": "The actor that performed the activity.",
+ "group": "primary",
+ "profile": null,
+ "requirement": "recommended"
+ },
+ "device": {
+ "description": "The device that reported the event.",
+ "group": "primary",
+ "profile": null,
+ "requirement": "recommended"
+ },
+ "dst_endpoint": {
+ "description": "The targeted
endpoint for the event log activity.",
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "file": {
+ "description": "The filetargeted by
the activity. Example:/var/log/audit.log
",
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "log_name": {
+ "description": "The name of the event log targeted by
the activity. Example: WindowsSecurity
.",
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "log_provider": {
+ "description": "The logging provider or logging service targeted by
the activity.Microsoft-Windows-Security-Auditing
, Auditd
, or Syslog
.",
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "log_type": {
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "log_type_id": {
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "src_endpoint": {
+ "description": "The source endpoint for the event log activity.",
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "status_code": {
+ "description": "The event status code, as reported by the event source.0
, 8
, or 21
for Windows ClearEventLog.",
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "status_detail": {
+ "description": "The status detail contains additional information about the event outcome.Success
, Privilege Missing
, or Invalid Parameter
for Windows ClearEventLog.",
+ "group": "primary",
+ "requirement": "recommended"
+ }
+ },
+ "constraints": {
+ "at_least_one": [
+ "log_file",
+ "log_name",
+ "log_provider",
+ "log_type",
+ "log_type_id"
+ ]
+ }
+}
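Review bot: The `at_least_one` constraint lists `log_file`, but the attribute declared in this class is `file`, and no `log_file` appears among the attributes above. Unless `log_file` is inherited from `system`, which is not visible here, the constraint names an attribute the class never defines. Either rename the attribute to `log_file` or change the constraint entry to `"file",`. As written, an event that identifies a cleared or deleted log only by `file` would presumably fail validation, and that is the log-tampering case this class exists to record.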
diff --git a/events/system/filesystem.json b/events/system/filesystem.json
index 22da83ae1..2d5486667 100644
--- a/events/system/filesystem.json
+++ b/events/system/filesystem.json
@@ -74,6 +74,7 @@
"requirement": "required"
},
"component": {
+ "description": "The name or relative pathname of a sub-component of the data object, if applicable.
For example:attachment.doc
, attachment.zip/bad.doc
, or part.mime/part.cab/part.uue/part.doc
.",
"group": "primary",
"requirement": "recommended"
},
diff --git a/events/system/memory.json b/events/system/memory.json
index f3dcc24e2..56592a624 100644
--- a/events/system/memory.json
+++ b/events/system/memory.json
@@ -34,6 +34,10 @@
"8": {
"description": "Write (Example: WriteProcessMemory
)",
"caption": "Write"
+ },
+ "9": {
+ "description": "Map View (Example: MapViewOfFile2
)",
+ "caption": "Map View"
}
}
},
@@ -52,7 +56,8 @@
},
"size": {
"description": "The memory size that was access or requested.",
- "group": "primary"
+ "group": "primary",
+ "requirement": "recommended"
},
"process": {
"description": "The process that had memory allocated, read/written, or had other manipulation activities performed on it.",
diff --git a/export/schema.json b/export/schema.json
index 2c05008ef..ac3bc5762 100644
--- a/export/schema.json
+++ b/export/schema.json
@@ -106,7 +106,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -144,6 +144,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"raw_data": {
"caption": "Raw Data",
"description": "The event data as received from the event source.",
@@ -229,7 +237,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -299,7 +307,8 @@
"name": "base_event",
"profiles": [
"cloud",
- "datetime"
+ "datetime",
+ "osint"
]
},
"categories": {
@@ -330,6 +339,12 @@
"description": "Network Activity events.",
"uid": 4
},
+ "remediation": {
+ "caption": "Remediation",
+ "description": "Remediation events report the results of remediation commands targeting files, processes, and other objects.",
+ "type": "remediation",
+ "uid": 7
+ },
"system": {
"caption": "System Activity",
"description": "System Activity events.",
@@ -504,7 +519,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -549,6 +564,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"policy": {
"caption": "Policy",
"description": "Details about the IAM policy associated to the Attach/Detach Policy activities.",
@@ -648,7 +671,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -932,7 +955,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -977,6 +1000,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"raw_data": {
"caption": "Raw Data",
"description": "The event data as received from the event source.",
@@ -1077,7 +1108,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -1167,7 +1198,8 @@
"name": "api_activity",
"profiles": [
"cloud",
- "datetime"
+ "datetime",
+ "osint"
],
"uid": 3
},
@@ -1299,7 +1331,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -1337,6 +1369,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"raw_data": {
"caption": "Raw Data",
"description": "The event data as received from the event source.",
@@ -1422,7 +1462,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -1492,7 +1532,8 @@
"name": "application",
"profiles": [
"cloud",
- "datetime"
+ "datetime",
+ "osint"
]
},
"application_lifecycle": {
@@ -1506,16 +1547,36 @@
"description": "The event activity is unknown."
},
"1": {
- "caption": "Install"
+ "caption": "Install",
+ "description": "Install the application."
},
"2": {
- "caption": "Remove"
+ "caption": "Remove",
+ "description": "Remove the application."
},
"3": {
- "caption": "Start"
+ "caption": "Start",
+ "description": "Start the application."
},
"4": {
- "caption": "Stop"
+ "caption": "Stop",
+ "description": "Stop the application."
+ },
+ "5": {
+ "caption": "Restart",
+ "description": "Restart the application."
+ },
+ "6": {
+ "caption": "Enable",
+ "description": "Enable the application."
+ },
+ "7": {
+ "caption": "Disable",
+ "description": "Disable the application."
+ },
+ "8": {
+ "caption": "Update",
+ "description": "Update the application."
},
"99": {
"caption": "Other",
@@ -1643,7 +1704,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -1681,6 +1742,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"raw_data": {
"caption": "Raw Data",
"description": "The event data as received from the event source.",
@@ -1766,7 +1835,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -1832,6 +1901,18 @@
"600204": {
"caption": "Application Lifecycle: Stop"
},
+ "600205": {
+ "caption": "Application Lifecycle: Restart"
+ },
+ "600206": {
+ "caption": "Application Lifecycle: Enable"
+ },
+ "600207": {
+ "caption": "Application Lifecycle: Disable"
+ },
+ "600208": {
+ "caption": "Application Lifecycle: Update"
+ },
"600299": {
"caption": "Application Lifecycle: Other"
}
@@ -2097,7 +2178,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -2251,6 +2332,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"raw_data": {
"caption": "Raw Data",
"description": "The event data as received from the event source.",
@@ -2614,7 +2703,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -2666,6 +2755,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"privileges": {
"caption": "Privileges",
"description": "The list of sensitive privileges, assigned to the new user session.",
@@ -2773,7 +2870,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -2981,7 +3078,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -3019,6 +3116,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"raw_data": {
"caption": "Raw Data",
"description": "The event data as received from the event source.",
@@ -3104,7 +3209,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -3174,7 +3279,8 @@
"name": "base_event",
"profiles": [
"cloud",
- "datetime"
+ "datetime",
+ "osint"
]
},
"compliance_finding": {
@@ -3358,7 +3464,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -3403,6 +3509,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"raw_data": {
"caption": "Raw Data",
"description": "The event data as received from the event source.",
@@ -3425,12 +3539,24 @@
"type": "remediation"
},
"resource": {
+ "@deprecated": {
+ "message": "Use the resources
attribute instead.",
+ "since": "1.3.0"
+ },
"caption": "Resource",
"description": "Describes details about the resource that is the subject of the compliance check.",
"group": "primary",
"requirement": "recommended",
"type": "resource_details"
},
+ "resources": {
+ "caption": "Resources Array",
+ "description": "Describes details about the resource/resouces that are the subject of the compliance check.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "resource_details"
+ },
"severity": {
"caption": "Severity",
"description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
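Review bot: The new `resources` description misspells "resources" as `resouces`; suggested line: `"description": "Describes details about the resources that are the subject of the compliance check.",`. The deprecated `resource` and the new `resources` are both `recommended`, so producers may fill either one during the transition. A sentence in the description saying which attribute a consumer should prefer when both are present would keep compliance results from being counted twice or missed.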
@@ -3502,7 +3628,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -3751,7 +3877,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -3789,6 +3915,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"raw_data": {
"caption": "Raw Data",
"description": "The event data as received from the event source.",
@@ -3885,7 +4019,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -4355,7 +4489,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -4465,6 +4599,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"raw_data": {
"caption": "Raw Data",
"description": "The event data as received from the event source.",
@@ -4481,7 +4623,7 @@
},
"resources": {
"caption": "Affected Resources",
- "description": "Describes details about resources twhere classified or sensitive data is stored in, or was accessed from.",
+ "description": "Describes details about resources where classified or sensitive data is stored in, or was accessed from.",
"group": "context",
"is_array": true,
"requirement": "recommended",
@@ -4489,7 +4631,7 @@
},
"risk_level": {
"caption": "Risk Level",
- "description": "The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source.",
+ "description": "The risk level, normalized to the caption of the risk_level_id value.",
"group": "context",
"requirement": "optional",
"type": "string_t"
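Review bot: The `risk_level` description loses its "In the case of 'Other'" sentence in the same change that adds `99` "Other" to `risk_level_id` (next hunk), and that new description sends the reader back to `risk_level` for the source-specific value. The sibling pairs in this file (`severity`, `status`) keep the sentence, so I would keep it here too: `"description": "The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source.",`. The same pair of hunks appears again further down for another class.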
@@ -4512,6 +4654,10 @@
},
"4": {
"caption": "Critical"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The risk level is not mapped. See the risk_level
attribute, which contains a data source specific value."
}
},
"group": "context",
@@ -4604,7 +4750,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -5081,7 +5227,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -5139,6 +5285,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"query_info": {
"caption": "Query Info",
"description": "The query info object holds information related to data access within a datastore. To access, manipulate, delete, or retrieve data from a datastore, a database query must be written using a specific syntax.",
@@ -5238,7 +5392,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -5745,7 +5899,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -5855,6 +6009,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"raw_data": {
"caption": "Raw Data",
"description": "The event data as received from the event source.",
@@ -5893,7 +6055,7 @@
},
"risk_level": {
"caption": "Risk Level",
- "description": "The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source.",
+ "description": "The risk level, normalized to the caption of the risk_level_id value.",
"group": "context",
"requirement": "optional",
"type": "string_t"
@@ -5916,6 +6078,10 @@
},
"4": {
"caption": "Critical"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The risk level is not mapped. See the risk_level
attribute, which contains a data source specific value."
}
},
"group": "context",
@@ -6001,7 +6167,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -6251,7 +6417,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -6289,11 +6455,19 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"prev_security_level": {
"caption": "Previous Security Level",
"description": "The previous security level of the entity",
"group": "primary",
- "requirement": "optional",
+ "requirement": "recommended",
"type": "string_t"
},
"prev_security_level_id": {
@@ -6318,7 +6492,7 @@
}
},
"group": "primary",
- "requirement": "optional",
+ "requirement": "recommended",
"sibling": "prev_security_level",
"type": "integer_t"
},
@@ -6327,7 +6501,7 @@
"description": "The previous security states of the device.",
"group": "primary",
"is_array": true,
- "requirement": "optional",
+ "requirement": "recommended",
"type": "security_state"
},
"raw_data": {
@@ -6359,7 +6533,7 @@
"caption": "Security Level",
"description": "The current security level of the entity",
"group": "primary",
- "requirement": "optional",
+ "requirement": "recommended",
"type": "string_t"
},
"security_level_id": {
@@ -6384,7 +6558,7 @@
}
},
"group": "primary",
- "requirement": "optional",
+ "requirement": "recommended",
"sibling": "security_level",
"type": "integer_t"
},
@@ -6393,7 +6567,7 @@
"description": "The current security states of the device.",
"group": "primary",
"is_array": true,
- "requirement": "optional",
+ "requirement": "recommended",
"type": "security_state"
},
"severity": {
@@ -6451,6 +6625,37 @@
"requirement": "optional",
"type": "timestamp_t"
},
+ "state": {
+ "caption": "Config Change State",
+ "description": "The Config Change Stat, normalized to the caption of the state_id value. In the case of 'Other', it is defined by the source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "state_id": {
+ "caption": "Config Change State ID",
+ "description": "The Config Change State of the managed entity.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The Config Change state is unknown."
+ },
+ "1": {
+ "caption": "Disabled",
+ "description": "Config State Changed to Disabled."
+ },
+ "2": {
+ "caption": "Enabled",
+ "description": "Config State Changed to Enabled."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The Config Change is not mapped. See the state
attribute, which contains data source specific values."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "state",
+ "type": "integer_t"
+ },
"status": {
"caption": "Status",
"description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
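Review bot: The new `state` description reads "The Config Change Stat"; it should be `"description": "The Config Change State, normalized to the caption of the state_id value. In the case of 'Other', it is defined by the source.",`. Both `state` and `state_id` are also added without a `group` key, while the neighbouring security-level attributes in this class all carry `"group": "primary"`. If the omission is not intentional, add the group so the enabled/disabled state is presented alongside the security level it qualifies.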
@@ -6467,7 +6672,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -6908,7 +7113,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -6937,6 +7142,14 @@
"requirement": "recommended",
"type": "boolean_t"
},
+ "ja4_fingerprint_list": {
+ "caption": "JA4+ Fingerprints",
+ "description": "A list of the JA4+ network fingerprints.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "ja4_fingerprint"
+ },
"lease_dur": {
"caption": "Lease Duration",
"description": "This represents the length of the DHCP lease in seconds. This is present in DHCP Ack events.",
@@ -6990,6 +7203,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"proxy": {
"@deprecated": {
"message": "Use the proxy_endpoint
attribute instead.",
@@ -7136,7 +7357,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -7180,7 +7401,7 @@
"tls": {
"caption": "TLS",
"description": "The Transport Layer Security (TLS) attributes.",
- "group": "primary",
+ "group": "context",
"requirement": "optional",
"type": "tls"
},
@@ -7392,7 +7613,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -7430,6 +7651,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"raw_data": {
"caption": "Raw Data",
"description": "The event data as received from the event source.",
@@ -7526,7 +7755,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -7596,7 +7825,8 @@
"name": "discovery",
"profiles": [
"cloud",
- "datetime"
+ "datetime",
+ "osint"
]
},
"discovery_result": {
@@ -7750,7 +7980,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -7788,6 +8018,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"query_info": {
"caption": "Query Info",
"description": "The search details associated with the query request.",
@@ -7936,7 +8174,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -8346,7 +8584,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -8368,6 +8606,14 @@
"requirement": "optional",
"type": "firewall_rule"
},
+ "ja4_fingerprint_list": {
+ "caption": "JA4+ Fingerprints",
+ "description": "A list of the JA4+ network fingerprints.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "ja4_fingerprint"
+ },
"load_balancer": {
"caption": "Load Balancer",
"description": "The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.",
@@ -8403,6 +8649,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"proxy": {
"@deprecated": {
"message": "Use the proxy_endpoint
attribute instead.",
@@ -8647,7 +8901,7 @@
"caption": "Source Endpoint",
"description": "The initiator (client) of the network connection.",
"group": "primary",
- "requirement": "required",
+ "requirement": "recommended",
"type": "network_endpoint"
},
"start_time": {
@@ -8672,7 +8926,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -8716,7 +8970,7 @@
"tls": {
"caption": "TLS",
"description": "The Transport Layer Security (TLS) attributes.",
- "group": "primary",
+ "group": "context",
"requirement": "optional",
"type": "tls"
},
@@ -9165,7 +9419,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"email": {
"caption": "Email",
@@ -9242,6 +9496,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"raw_data": {
"caption": "Raw Data",
"description": "The event data as received from the event source.",
@@ -9341,7 +9603,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -9635,20 +9897,24 @@
"description": "The disposition is unknown."
},
"1": {
- "caption": "Blocked"
+ "caption": "Blocked",
+ "description": "Granted access or allowed the action to the protected resource."
},
"10": {
"caption": "Delayed",
"description": "Requires reboot to finish the operation."
},
"11": {
- "caption": "Detected"
+ "caption": "Detected",
+ "description": "A corrupt file or configuration was corrected."
},
"12": {
- "caption": "Quarantined"
+ "caption": "Quarantined",
+ "description": "A corrupt file or configuration was partially corrected."
},
"13": {
- "caption": "Restored"
+ "caption": "Restored",
+ "description": "A corrupt file or configuration was not corrected."
},
"14": {
"caption": "Exonerated",
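Review bot: The descriptions added to this enum do not match the captions they sit under: `1` is captioned `Blocked` but described as "Granted access or allowed the action", and in the following hunk `2` is captioned `Allowed` but described as "Denied access or blocked the action". The new entries `25` and `26` refer to "2 'Blocked'" and `8` refers to "1 'Allowed'", so the captions look stale rather than the descriptions. As a first step `1` should read `"caption": "Allowed",` and `2` `"caption": "Blocked",`, and `3`–`8` and `11`–`13` need the same realignment. The result also repeats captions (`No Action` at 3 and 16, `Logged` at 4 and 17, `Tagged` at 15 and 18, `Restored` at 9 and 13). A consumer that maps this field by caption would read a blocked action as allowed, which inverts alerting and triage decisions based on the disposition.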
@@ -9658,26 +9924,85 @@
"caption": "Tagged",
"description": "Marked with extended attributes."
},
+ "16": {
+ "caption": "No Action",
+ "description": "The outcome of an operation had no action taken."
+ },
+ "17": {
+ "caption": "Logged",
+ "description": "The operation or action was logged without further action."
+ },
+ "18": {
+ "caption": "Tagged",
+ "description": "A file or other entity was marked with extended attributes."
+ },
+ "19": {
+ "caption": "Alert",
+ "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
+ },
"2": {
- "caption": "Allowed"
+ "caption": "Allowed",
+ "description": "Denied access or blocked the action to the protected resource."
+ },
+ "20": {
+ "caption": "Count",
+ "description": "Counted the request or activity but did not determine whether to allow it or block it."
+ },
+ "21": {
+ "caption": "Reset",
+ "description": "The request was detected as a threat and resulted in the connection being reset."
+ },
+ "22": {
+ "caption": "Captcha",
+ "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
+ },
+ "23": {
+ "caption": "Challenge",
+ "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
+ },
+ "24": {
+ "caption": "Access Revoked",
+ "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the Host
profile if the User
or Actor
requestor is not present in the event class."
+ },
+ "25": {
+ "caption": "Rejected",
+ "description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2
'Blocked'."
+ },
+ "26": {
+ "caption": "Unauthorized",
+ "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2
'Blocked' and can be complemented with the authorizations
attribute for more detail."
+ },
+ "27": {
+ "caption": "Error",
+ "description": "An error occurred during the processing of the activity or request. Use the message
attribute of the base class for details."
},
"3": {
- "caption": "No Action"
+ "caption": "No Action",
+ "description": "A suspicious file or other content was moved to a benign location."
},
"4": {
- "caption": "Logged"
+ "caption": "Logged",
+ "description": "A session was isolated on the network or within a browser."
},
"5": {
- "caption": "Command Script Run"
+ "caption": "Command Script Run",
+ "description": "A file or other content was deleted."
},
"6": {
- "caption": "Corrected"
+ "caption": "Corrected",
+ "description": "The request was detected as a threat and resulted in the connection being dropped."
},
"7": {
- "caption": "Partially Corrected"
+ "caption": "Partially Corrected",
+ "description": "A custom action was executed such as running of a command script. Use the message
attribute of the base class for details."
},
"8": {
- "caption": "Uncorrected"
+ "caption": "Uncorrected",
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "9": {
+ "caption": "Restored",
+ "description": "A quarantined file or other content was restored to its original location."
},
"99": {
"caption": "Other",
@@ -9790,6 +10115,14 @@
"requirement": "optional",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"raw_data": {
"caption": "Raw Data",
"description": "The event data as received from the event source.",
@@ -10351,7 +10684,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"email_uid": {
"caption": "Email UID",
@@ -10417,6 +10750,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"raw_data": {
"caption": "Raw Data",
"description": "The event data as received from the event source.",
@@ -10502,7 +10843,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -10921,7 +11262,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"email_uid": {
"caption": "Email UID",
@@ -10979,389 +11320,460 @@
"requirement": "recommended",
"type": "observable"
},
- "raw_data": {
- "caption": "Raw Data",
- "description": "The event data as received from the event source.",
- "group": "context",
- "requirement": "optional",
- "type": "json_t"
- },
- "record_id": {
- "caption": "Record ID",
- "description": "Unique idenifier for the event",
- "group": "primary",
- "requirement": "required",
- "type": "string_t"
- },
- "severity": {
- "caption": "Severity",
- "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
- "group": "classification",
- "requirement": "optional",
- "type": "string_t"
- },
- "severity_id": {
- "caption": "Severity ID",
- "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
- "enum": {
- "0": {
- "caption": "Unknown",
- "description": "The event severity is not known."
- },
- "1": {
- "caption": "Informational",
- "description": "Informational message. No action required."
- },
- "2": {
- "caption": "Low",
- "description": "The user decides if action is needed."
- },
- "3": {
- "caption": "Medium",
- "description": "Action is required but the situation is not serious at this time."
- },
- "4": {
- "caption": "High",
- "description": "Action is required immediately."
- },
- "5": {
- "caption": "Critical",
- "description": "Action is required immediately and the scope is broad."
- },
- "6": {
- "caption": "Fatal",
- "description": "An error occurred but it is too late to take remedial action."
- },
- "99": {
- "caption": "Other",
- "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
- }
- },
- "group": "classification",
- "requirement": "required",
- "sibling": "severity",
- "type": "integer_t"
- },
- "start_time": {
- "caption": "Start Time",
- "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
- "requirement": "optional",
- "type": "timestamp_t"
- },
- "status": {
- "caption": "Status",
- "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
- "group": "primary",
- "requirement": "recommended",
- "type": "string_t"
- },
- "status_code": {
- "caption": "Status Code",
- "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
- }
- },
- "group": "primary",
- "requirement": "recommended",
- "sibling": "status",
- "type": "integer_t"
- },
- "time": {
- "caption": "Event Time",
- "description": "The normalized event occurrence time or the finding creation time.",
- "requirement": "required",
- "type": "timestamp_t"
- },
- "timezone_offset": {
- "caption": "Timezone Offset",
- "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
- "requirement": "recommended",
- "type": "integer_t"
- },
- "type_name": {
- "caption": "Type Name",
- "description": "The event/finding type name, as defined by the type_uid.",
- "requirement": "optional",
- "type": "string_t"
- },
- "type_uid": {
- "caption": "Type ID",
- "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
- "enum": {
- "401200": {
- "caption": "Email URL Activity: Unknown"
- },
- "401201": {
- "caption": "Email URL Activity: Send"
- },
- "401202": {
- "caption": "Email URL Activity: Receive"
- },
- "401203": {
- "caption": "Email URL Activity: Scan"
- },
- "401299": {
- "caption": "Email URL Activity: Other"
- }
- },
- "requirement": "required",
- "sibling": "type_name",
- "type": "long_t"
- },
- "unmapped": {
- "caption": "Unmapped Data",
- "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
- "group": "context",
- "is_array": true,
- "requirement": "optional",
- "type": "unmapped"
- },
- "url": {
- "caption": "URL",
- "description": "The URL included in the email content.",
- "group": "primary",
- "observable": 23,
- "requirement": "required",
- "type": "url"
- }
- },
- "caption": "Email URL Activity",
- "category": "network",
- "description": "Email URL Activity events report URLs within an email.",
- "extends": "base_event",
- "name": "email_url_activity",
- "profiles": [
- "host",
- "security_control"
- ],
- "uid": 12
- },
- "entity_management": {
- "attributes": {
- "activity_id": {
- "caption": "Activity ID",
- "description": "The normalized identifier of the activity that triggered the event.",
- "enum": {
- "0": {
- "caption": "Unknown",
- "description": "The event activity is unknown."
- },
- "1": {
- "caption": "Create"
- },
- "2": {
- "caption": "Read"
- },
- "3": {
- "caption": "Update"
- },
- "4": {
- "caption": "Delete"
- },
- "99": {
- "caption": "Other",
- "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
- }
- },
- "requirement": "required",
- "sibling": "activity_name",
- "type": "integer_t"
- },
- "activity_name": {
- "caption": "Activity",
- "description": "The event activity name, as defined by the activity_id.",
- "requirement": "optional",
- "type": "string_t"
- },
- "actor": {
- "caption": "Actor",
- "description": "Use for when the entity acting upon another entity is a process or user.",
- "group": "context",
- "requirement": "optional",
- "type": "actor"
- },
- "api": {
- "caption": "API Details",
- "description": "Describes details about a typical API (Application Programming Interface) call.",
- "group": "context",
- "requirement": "optional",
- "type": "api"
- },
- "category_name": {
- "caption": "Category",
- "description": "The event category name, as defined by category_uid value.",
- "requirement": "optional",
- "type": "string_t"
- },
- "category_uid": {
- "caption": "Category ID",
- "description": "The category unique identifier of the event.",
- "enum": {
- "3": {
- "caption": "Identity & Access Management",
- "description": "Identity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc."
- }
- },
- "requirement": "required",
- "sibling": "category_name",
- "type": "integer_t"
- },
- "class_name": {
- "caption": "Class",
- "description": "The event class name, as defined by class_uid value.",
- "requirement": "optional",
- "type": "string_t"
- },
- "class_uid": {
- "caption": "Class ID",
- "description": "The unique identifier of a class. A class describes the attributes available in an event.",
- "enum": {
- "3004": {
- "caption": "Entity Management",
- "description": "Entity Management events report activity by a managed client, a micro service, or a user at a management console. The activity can be a create, read, update, and delete operation on a managed entity."
- }
- },
- "requirement": "required",
- "sibling": "class_name",
- "type": "integer_t"
- },
- "cloud": {
- "caption": "Cloud",
- "description": "Describes details about the Cloud environment where the event was originally created or logged.",
- "group": "primary",
- "requirement": "required",
- "type": "cloud"
- },
- "comment": {
- "caption": "Comment",
- "description": "The user provided comment about why the entity was changed.",
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
"group": "primary",
- "requirement": "recommended",
- "type": "string_t"
- },
- "confidence": {
- "@deprecated": {
- "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
- "since": "1.1.0"
- },
- "caption": "Confidence",
- "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
- "group": "classification",
- "requirement": "optional",
- "type": "integer_t"
- },
- "count": {
- "caption": "Count",
- "default": 1,
- "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
- "requirement": "optional",
- "type": "integer_t"
- },
- "data": {
- "@deprecated": {
- "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
- "since": "1.1.0"
- },
- "caption": "Data",
- "description": "Additional data that is associated with the event.",
- "requirement": "optional",
- "type": "json_t"
- },
- "device": {
- "caption": "Device",
- "description": "An addressable device, computer system or host.",
- "requirement": "recommended",
- "type": "device"
- },
- "duration": {
- "caption": "Duration",
- "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
- "requirement": "optional",
- "type": "integer_t"
- },
- "end_time": {
- "caption": "End Time",
- "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
- "requirement": "optional",
- "type": "timestamp_t"
- },
- "enrichments": {
- "caption": "Enrichments",
- "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
- "group": "context",
"is_array": true,
- "requirement": "optional",
- "type": "enrichment"
- },
- "entity": {
- "caption": "Entity",
- "description": "The managed entity that is being acted upon.",
- "group": "primary",
- "requirement": "required",
- "type": "managed_entity"
- },
- "entity_result": {
- "caption": "Entity Result",
- "description": "The updated managed entity.",
- "group": "primary",
- "requirement": "recommended",
- "type": "managed_entity"
- },
- "http_request": {
- "caption": "HTTP Request",
- "description": "Details about the underlying HTTP request.",
- "group": "context",
- "requirement": "optional",
- "type": "http_request"
- },
- "message": {
- "caption": "Message",
- "description": "The description of the event/finding, as defined by the source.",
- "group": "primary",
- "requirement": "recommended",
- "type": "string_t"
- },
- "metadata": {
- "caption": "Metadata",
- "description": "The metadata associated with the event or a finding.",
- "group": "context",
"requirement": "required",
- "type": "metadata"
- },
- "observables": {
- "caption": "Observables",
- "description": "The observables associated with the event or a finding.",
- "group": "primary",
- "is_array": true,
- "requirement": "recommended",
- "type": "observable"
+ "type": "osint"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "401200": {
+ "caption": "Email URL Activity: Unknown"
+ },
+ "401201": {
+ "caption": "Email URL Activity: Send"
+ },
+ "401202": {
+ "caption": "Email URL Activity: Receive"
+ },
+ "401203": {
+ "caption": "Email URL Activity: Scan"
+ },
+ "401299": {
+ "caption": "Email URL Activity: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "url": {
+ "caption": "URL",
+ "description": "The URL included in the email content.",
+ "group": "primary",
+ "observable": 23,
+ "requirement": "required",
+ "type": "url"
+ }
+ },
+ "caption": "Email URL Activity",
+ "category": "network",
+ "description": "Email URL Activity events report URLs within an email.",
+ "extends": "base_event",
+ "name": "email_url_activity",
+ "profiles": [
+ "host",
+ "security_control"
+ ],
+ "uid": 12
+ },
+ "entity_management": {
+ "attributes": {
+ "access_list": {
+ "caption": "Access List",
+ "description": "The list of requested access rights.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "access_mask": {
+ "caption": "Access Mask",
+ "description": "The access mask in a platform-native format.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Create",
+ "description": "Create a new managed entity."
+ },
+ "10": {
+ "caption": "Activate",
+ "description": "Activate an existing managed entity. Note: This is a typically regarded as a transient change, a change of state of the engine."
+ },
+ "11": {
+ "caption": "Deactivate",
+ "description": "Deactivate an existing managed entity. Note: This is a typically regarded as a transient change, a change of state of the engine."
+ },
+ "12": {
+ "caption": "Suspend",
+ "description": "Suspend an existing managed entity."
+ },
+ "13": {
+ "caption": "Resume",
+ "description": "Resume (unsuspend) an existing managed entity."
+ },
+ "2": {
+ "caption": "Read",
+ "description": "Read an existing managed entity."
+ },
+ "3": {
+ "caption": "Update",
+ "description": "Update an existing managed entity."
+ },
+ "4": {
+ "caption": "Delete",
+ "description": "Delete a managed entity."
+ },
+ "5": {
+ "caption": "Move",
+ "description": "Move or rename an existing managed entity."
+ },
+ "6": {
+ "caption": "Enroll",
+ "description": "Enroll an existing managed entity."
+ },
+ "7": {
+ "caption": "Unenroll",
+ "description": "Unenroll an existing managed entity."
+ },
+ "8": {
+ "caption": "Enable",
+ "description": "Enable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change."
+ },
+ "9": {
+ "caption": "Disable",
+ "description": "Disable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "Used for when the entity acting upon another entity is a process or user.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "3": {
+ "caption": "Identity & Access Management",
+ "description": "Identity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "3004": {
+ "caption": "Entity Management",
+ "description": "Entity Management events report activity by a managed client, a micro service, or a user at a management console. The activity can be a create, read, update, and delete operation on a managed entity."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "comment": {
+ "caption": "Comment",
+ "description": "The user provided comment about why the entity was changed.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "long_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "entity": {
+ "caption": "Entity",
+ "description": "The managed entity that is being acted upon.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "managed_entity"
+ },
+ "entity_result": {
+ "caption": "Entity Result",
+ "description": "The updated managed entity.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "managed_entity"
+ },
+ "http_request": {
+ "caption": "HTTP Request",
+ "description": "Details about the underlying HTTP request.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "http_request"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
},
"raw_data": {
"caption": "Raw Data",
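Review bot: The new `entity_management` activity descriptions do not give a mapper enough to choose between `8`/`9` (Enable/Disable) and `10`/`11` (Activate/Deactivate), because "editor visible, syncable change" and "change of state of the engine" are not defined anywhere in this hunk. Disabling an account or a control is a common detection target, so two producers picking different IDs for the same action split the events a rule has to match. Each description should state the distinguishing criterion plainly, for example `Disable an existing managed entity; the change is persisted in its configuration.` against `Deactivate an existing managed entity; a runtime state change that is not persisted.` (wording to be confirmed against the intended semantics). The `class_uid` description in the same class still lists only create, read, update and delete, and the added text has small slips (`This is a typically regarded`, `Unique idenifier`). The `entity_management` object continues past the end of this hunk.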
@@ -11455,7 +11867,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -11521,8 +11933,708 @@
"300404": {
"caption": "Entity Management: Delete"
},
- "300499": {
- "caption": "Entity Management: Other"
+ "300405": {
+ "caption": "Entity Management: Move"
+ },
+ "300406": {
+ "caption": "Entity Management: Enroll"
+ },
+ "300407": {
+ "caption": "Entity Management: Unenroll"
+ },
+ "300408": {
+ "caption": "Entity Management: Enable"
+ },
+ "300409": {
+ "caption": "Entity Management: Disable"
+ },
+ "300410": {
+ "caption": "Entity Management: Activate"
+ },
+ "300411": {
+ "caption": "Entity Management: Deactivate"
+ },
+ "300412": {
+ "caption": "Entity Management: Suspend"
+ },
+ "300413": {
+ "caption": "Entity Management: Resume"
+ },
+ "300499": {
+ "caption": "Entity Management: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Entity Management",
+ "category": "iam",
+ "description": "Entity Management events report activity by a managed client, a micro service, or a user at a management console. The activity can be a create, read, update, and delete operation on a managed entity.",
+ "extends": "iam",
+ "name": "entity_management",
+ "profiles": [
+ "host"
+ ],
+ "uid": 4
+ },
+ "event_log": {
+ "associations": {
+ "actor.user": [
+ "device"
+ ],
+ "device": [
+ "actor.user"
+ ]
+ },
+ "attributes": {
+ "action": {
+ "caption": "Action",
+ "description": "The normalized caption of action_id
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "action_id": {
+ "caption": "Action ID",
+ "description": "The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1
'Allowed' or 2
'Denied' in most cases. Note that 99
'Other' is not an option. No action would equate to 1
'Allowed'. An unknown action may still correspond to a known disposition. Refer to disposition_id
for the outcome of the action.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The action was unknown. The disposition_id
attribute may still be set to a non-unknown value, for example 'Count', 'Uncorrected', 'Isolated', 'Quarantined' or 'Exonerated'."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "The activity was allowed. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc."
+ },
+ "2": {
+ "caption": "Denied",
+ "description": "The attempted activity was denied. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The action was not mapped. See the action
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "action",
+ "type": "integer_t"
+ },
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Clear",
+ "description": "Clear the event log database, file, or cache."
+ },
+ "10": {
+ "caption": "Disable",
+ "description": "Disable the event logging service."
+ },
+ "2": {
+ "caption": "Delete",
+ "description": "Delete the event log database, file, or cache."
+ },
+ "3": {
+ "caption": "Export",
+ "description": "Export the event log database, file, or cache."
+ },
+ "4": {
+ "caption": "Archive",
+ "description": "Archive the event log database, file, or cache."
+ },
+ "5": {
+ "caption": "Rotate",
+ "description": "Rotate the event log database, file, or cache."
+ },
+ "6": {
+ "caption": "Start",
+ "description": "Start the event logging service."
+ },
+ "7": {
+ "caption": "Stop",
+ "description": "Stop the event logging service."
+ },
+ "8": {
+ "caption": "Restart",
+ "description": "Restart the event logging service."
+ },
+ "9": {
+ "caption": "Enable",
+ "description": "Enable the event logging service."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor that performed the activity.",
+ "group": "primary",
+ "profile": null,
+ "requirement": "recommended",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "attacks": {
+ "caption": "MITRE ATT&CK\u00ae Details",
+ "description": "An array of MITRE ATT&CK\u00ae objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "attack"
+ },
+ "authorizations": {
+ "caption": "Authorization Information",
+ "description": "Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "authorization"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "1": {
+ "caption": "System Activity",
+ "description": "System Activity events."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "1008": {
+ "caption": "Event Log Activity",
+ "description": "Event Log Activity events report actions pertaining to the system's event logging service(s), such as disabling logging or clearing the log data."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "The device that reported the event.",
+ "group": "primary",
+ "profile": null,
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "disposition": {
+ "caption": "Disposition",
+ "description": "The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "disposition_id": {
+ "caption": "Disposition ID",
+ "description": "Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The disposition was not known."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "Granted access or allowed the action to the protected resource."
+ },
+ "10": {
+ "caption": "Exonerated",
+ "description": "Requires reboot to finish the operation."
+ },
+ "11": {
+ "caption": "Corrected",
+ "description": "A corrupt file or configuration was corrected."
+ },
+ "12": {
+ "caption": "Partially Corrected",
+ "description": "A corrupt file or configuration was partially corrected."
+ },
+ "13": {
+ "caption": "Uncorrected",
+ "description": "A corrupt file or configuration was not corrected."
+ },
+ "14": {
+ "caption": "Delayed",
+ "description": "No longer suspicious (re-scored)."
+ },
+ "15": {
+ "caption": "Detected",
+ "description": "Marked with extended attributes."
+ },
+ "16": {
+ "caption": "No Action",
+ "description": "The outcome of an operation had no action taken."
+ },
+ "17": {
+ "caption": "Logged",
+ "description": "The operation or action was logged without further action."
+ },
+ "18": {
+ "caption": "Tagged",
+ "description": "A file or other entity was marked with extended attributes."
+ },
+ "19": {
+ "caption": "Alert",
+ "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
+ },
+ "2": {
+ "caption": "Blocked",
+ "description": "Denied access or blocked the action to the protected resource."
+ },
+ "20": {
+ "caption": "Count",
+ "description": "Counted the request or activity but did not determine whether to allow it or block it."
+ },
+ "21": {
+ "caption": "Reset",
+ "description": "The request was detected as a threat and resulted in the connection being reset."
+ },
+ "22": {
+ "caption": "Captcha",
+ "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
+ },
+ "23": {
+ "caption": "Challenge",
+ "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
+ },
+ "24": {
+ "caption": "Access Revoked",
+ "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the Host
profile if the User
or Actor
requestor is not present in the event class."
+ },
+ "25": {
+ "caption": "Rejected",
+ "description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2
'Blocked'."
+ },
+ "26": {
+ "caption": "Unauthorized",
+ "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2
'Blocked' and can be complemented with the authorizations
attribute for more detail."
+ },
+ "27": {
+ "caption": "Error",
+ "description": "An error occurred during the processing of the activity or request. Use the message
attribute of the base class for details."
+ },
+ "3": {
+ "caption": "Quarantined",
+ "description": "A suspicious file or other content was moved to a benign location."
+ },
+ "4": {
+ "caption": "Isolated",
+ "description": "A session was isolated on the network or within a browser."
+ },
+ "5": {
+ "caption": "Deleted",
+ "description": "A file or other content was deleted."
+ },
+ "6": {
+ "caption": "Dropped",
+ "description": "The request was detected as a threat and resulted in the connection being dropped."
+ },
+ "7": {
+ "caption": "Custom Action",
+ "description": "A custom action was executed such as running of a command script. Use the message
attribute of the base class for details."
+ },
+ "8": {
+ "caption": "Approved",
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "9": {
+ "caption": "Restored",
+ "description": "A quarantined file or other content was restored to its original location."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "disposition",
+ "type": "integer_t"
+ },
+ "dst_endpoint": {
+ "caption": "Destination Endpoint",
+ "description": "The targeted
endpoint for the event log activity.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_endpoint"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers fromstart_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "long_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "file": {
+ "caption": "File",
+ "description": "The file targeted by
the activity. Example:/var/log/audit.log
",
+ "group": "primary",
+ "observable": 24,
+ "requirement": "recommended",
+ "type": "file"
+ },
+ "firewall_rule": {
+ "caption": "Firewall Rule",
+ "description": "The firewall rule that triggered the event.",
+ "requirement": "optional",
+ "type": "firewall_rule"
+ },
+ "log_name": {
+ "caption": "Log Name",
+ "description": "The name of the event log targeted by
the activity. Example: WindowsSecurity
.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "log_provider": {
+ "caption": "Log Provider",
+ "description": "The logging provider or logging service targeted by
the activity.Microsoft-Windows-Security-Auditing
, Auditd
, or Syslog
.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "log_type": {
+ "caption": "Log Type",
+ "description": "The log type, normalized to the caption of the log_type_id
value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "log_type_id": {
+ "caption": "Log Type ID",
+ "description": "The normalized log type identifier.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The log type is unknown."
+ },
+ "1": {
+ "caption": "OS",
+ "description": "The log type is an Operating System log."
+ },
+ "2": {
+ "caption": "Application",
+ "description": "The log type is an Application log."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The log type is not mapped. See the log_type
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "log_type",
+ "type": "integer_t"
+ },
+ "malware": {
+ "caption": "Malware",
+ "description": "A list of Malware objects, describing details about the identified malware.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "malware"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "src_endpoint": {
+ "caption": "Source Endpoint",
+ "description": "The source endpoint for the event log activity.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_endpoint"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.0
, 8
, or 21
for Windows ClearEventLog.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_detail": {
+ "caption": "Status Details",
+ "description": "The status detail contains additional information about the event outcome.Success
, Privilege Missing
, or Invalid Parameter
for Windows ClearEventLog.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_id": {
+ "caption": "Status ID",
+ "description": "The normalized identifier of the event status.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The status is unknown."
+ },
+ "1": {
+ "caption": "Success"
+ },
+ "2": {
+ "caption": "Failure"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event status is not mapped. See the status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "100800": {
+ "caption": "Event Log Activity: Unknown"
+ },
+ "100801": {
+ "caption": "Event Log Activity: Clear"
+ },
+ "100802": {
+ "caption": "Event Log Activity: Delete"
+ },
+ "100803": {
+ "caption": "Event Log Activity: Export"
+ },
+ "100804": {
+ "caption": "Event Log Activity: Archive"
+ },
+ "100805": {
+ "caption": "Event Log Activity: Rotate"
+ },
+ "100806": {
+ "caption": "Event Log Activity: Start"
+ },
+ "100807": {
+ "caption": "Event Log Activity: Stop"
+ },
+ "100808": {
+ "caption": "Event Log Activity: Restart"
+ },
+ "100809": {
+ "caption": "Event Log Activity: Enable"
+ },
+ "100810": {
+ "caption": "Event Log Activity: Disable"
+ },
+ "100899": {
+ "caption": "Event Log Activity: Other"
}
},
"requirement": "required",
@@ -11538,15 +12650,25 @@
"type": "unmapped"
}
},
- "caption": "Entity Management",
- "category": "iam",
- "description": "Entity Management events report activity by a managed client, a micro service, or a user at a management console. The activity can be a create, read, update, and delete operation on a managed entity.",
- "extends": "iam",
- "name": "entity_management",
+ "caption": "Event Log Activity",
+ "category": "system",
+ "constraints": {
+ "at_least_one": [
+ "log_file",
+ "log_name",
+ "log_provider",
+ "log_type",
+ "log_type_id"
+ ]
+ },
+ "description": "Event Log Activity events report actions pertaining to the system's event logging service(s), such as disabling logging or clearing the log data.",
+ "extends": "system",
+ "name": "event_log",
"profiles": [
- "host"
+ "host",
+ "security_control"
],
- "uid": 4
+ "uid": 8
},
"file_activity": {
"associations": {
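Review bot: The `at_least_one` constraint added for `event_log` names `log_file`, but the attribute list for this class shown earlier on the page defines the targeted log file under the key `file`, and no `log_file` entry appears between `firewall_rule` and `log_name`. A validator that matches constraint members by attribute name would not count `file`, so an event that identifies a cleared or deleted log only by its path would fail the check even though it carries the identifying detail. Either list `"file"` in the constraint or rename the attribute so the two agree; if this JSON is compiled from per-class definitions, the correction belongs in the source definition. The class object opens in the preceding hunk, which starts outside this view, so the attribute list is read from there.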
@@ -11939,7 +13061,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -12013,6 +13135,499 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "100100": {
+ "caption": "File System Activity: Unknown"
+ },
+ "100101": {
+ "caption": "File System Activity: Create"
+ },
+ "100102": {
+ "caption": "File System Activity: Read"
+ },
+ "100103": {
+ "caption": "File System Activity: Update"
+ },
+ "100104": {
+ "caption": "File System Activity: Delete"
+ },
+ "100105": {
+ "caption": "File System Activity: Rename"
+ },
+ "100106": {
+ "caption": "File System Activity: Set Attributes"
+ },
+ "100107": {
+ "caption": "File System Activity: Set Security"
+ },
+ "100108": {
+ "caption": "File System Activity: Get Attributes"
+ },
+ "100109": {
+ "caption": "File System Activity: Get Security"
+ },
+ "100110": {
+ "caption": "File System Activity: Encrypt"
+ },
+ "100111": {
+ "caption": "File System Activity: Decrypt"
+ },
+ "100112": {
+ "caption": "File System Activity: Mount"
+ },
+ "100113": {
+ "caption": "File System Activity: Unmount"
+ },
+ "100114": {
+ "caption": "File System Activity: Open"
+ },
+ "100199": {
+ "caption": "File System Activity: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "File System Activity",
+ "category": "system",
+ "description": "File System Activity events report when a process performs an action on a file or folder.",
+ "extends": "system",
+ "name": "file_activity",
+ "profiles": [
+ "host",
+ "security_control"
+ ],
+ "uid": 1
+ },
+ "file_hosting": {
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Upload",
+ "description": "Upload a file."
+ },
+ "10": {
+ "caption": "Lock",
+ "description": "Lock a file."
+ },
+ "11": {
+ "caption": "Unlock",
+ "description": "Unlock a file."
+ },
+ "12": {
+ "caption": "Share",
+ "description": "Share a file."
+ },
+ "13": {
+ "caption": "Unshare",
+ "description": "Unshare a file."
+ },
+ "14": {
+ "caption": "Open",
+ "description": "Open a file."
+ },
+ "15": {
+ "caption": "Sync",
+ "description": "Mark a file or folder to sync with a computer."
+ },
+ "16": {
+ "caption": "Unsync",
+ "description": "Mark a file or folder to not sync with a computer."
+ },
+ "2": {
+ "caption": "Download",
+ "description": "Download a file."
+ },
+ "3": {
+ "caption": "Update",
+ "description": "Update a file."
+ },
+ "4": {
+ "caption": "Delete",
+ "description": "Delete a file."
+ },
+ "5": {
+ "caption": "Rename",
+ "description": "Rename a file."
+ },
+ "6": {
+ "caption": "Copy",
+ "description": "Copy a file."
+ },
+ "7": {
+ "caption": "Move",
+ "description": "Move a file."
+ },
+ "8": {
+ "caption": "Restore",
+ "description": "Restore a file."
+ },
+ "9": {
+ "caption": "Preview",
+ "description": "Preview a file."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Actor",
+ "description": "The actor that performed the activity on the target file.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "6": {
+ "caption": "Application Activity",
+ "description": "Application Activity events report detailed information about the behavior of applications and services."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "6006": {
+ "caption": "File Hosting Activity",
+ "description": "File Hosting Activity events report the actions taken by file management applications, including file sharing servers like Sharepoint and services such as Box, MS OneDrive, or Google Drive."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "connection_info": {
+ "caption": "Connection Info",
+ "description": "The network connection information.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "network_connection_info"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Device",
+ "description": "The device that reported the event.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "dst_endpoint": {
+ "caption": "Destination Endpoint",
+ "description": "The endpoint that received the activity on the target file.",
+ "requirement": "recommended",
+ "type": "network_endpoint"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "long_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "expiration_time": {
+ "caption": "Expiration Time",
+ "description": "The share expiration time.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "file": {
+ "caption": "File",
+ "description": "The file that is the target of the activity.",
+ "group": "primary",
+ "observable": 24,
+ "requirement": "required",
+ "type": "file"
+ },
+ "file_result": {
+ "caption": "File Result",
+ "description": "The resulting file object when the activity was allowed and successful.",
+ "group": "context",
+ "observable": 24,
+ "requirement": "optional",
+ "type": "file"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"raw_data": {
"caption": "Raw Data",
"description": "The event data as received from the event source.",
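Review bot: In the new `file_hosting` class, `actor` carries an `@deprecated` block and `"requirement": "required"` at the same time, and `device` is likewise deprecated while still `recommended`. For a file-sharing audit class the actor is the attribution field, so producers get contradictory guidance: emit it to pass validation, yet avoid it because it is deprecated, with no successor named in `message`. If the deprecation is intended, relax the attribute to `"requirement": "optional"` and name the replacement in the deprecation message; otherwise drop the `@deprecated` block from `actor`. Separately, the `record_id` description added for `file_activity` reads `Unique idenifier for the event` and should say `identifier`.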
@@ -12076,6 +13691,13 @@
"sibling": "severity",
"type": "integer_t"
},
+ "src_endpoint": {
+ "caption": "Source Endpoint",
+ "description": "The endpoint that performed the activity on the target file.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "network_endpoint"
+ },
"start_time": {
"caption": "Start Time",
"description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
@@ -12098,7 +13720,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -12149,53 +13771,59 @@
"caption": "Type ID",
"description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
"enum": {
- "100100": {
- "caption": "File System Activity: Unknown"
+ "600600": {
+ "caption": "File Hosting Activity: Unknown"
},
- "100101": {
- "caption": "File System Activity: Create"
+ "600601": {
+ "caption": "File Hosting Activity: Upload"
},
- "100102": {
- "caption": "File System Activity: Read"
+ "600602": {
+ "caption": "File Hosting Activity: Download"
},
- "100103": {
- "caption": "File System Activity: Update"
+ "600603": {
+ "caption": "File Hosting Activity: Update"
},
- "100104": {
- "caption": "File System Activity: Delete"
+ "600604": {
+ "caption": "File Hosting Activity: Delete"
},
- "100105": {
- "caption": "File System Activity: Rename"
+ "600605": {
+ "caption": "File Hosting Activity: Rename"
},
- "100106": {
- "caption": "File System Activity: Set Attributes"
+ "600606": {
+ "caption": "File Hosting Activity: Copy"
},
- "100107": {
- "caption": "File System Activity: Set Security"
+ "600607": {
+ "caption": "File Hosting Activity: Move"
},
- "100108": {
- "caption": "File System Activity: Get Attributes"
+ "600608": {
+ "caption": "File Hosting Activity: Restore"
},
- "100109": {
- "caption": "File System Activity: Get Security"
+ "600609": {
+ "caption": "File Hosting Activity: Preview"
},
- "100110": {
- "caption": "File System Activity: Encrypt"
+ "600610": {
+ "caption": "File Hosting Activity: Lock"
},
- "100111": {
- "caption": "File System Activity: Decrypt"
+ "600611": {
+ "caption": "File Hosting Activity: Unlock"
},
- "100112": {
- "caption": "File System Activity: Mount"
+ "600612": {
+ "caption": "File Hosting Activity: Share"
},
- "100113": {
- "caption": "File System Activity: Unmount"
+ "600613": {
+ "caption": "File Hosting Activity: Unshare"
},
- "100114": {
- "caption": "File System Activity: Open"
+ "600614": {
+ "caption": "File Hosting Activity: Open"
},
- "100199": {
- "caption": "File System Activity: Other"
+ "600615": {
+ "caption": "File Hosting Activity: Sync"
+ },
+ "600616": {
+ "caption": "File Hosting Activity: Unsync"
+ },
+ "600699": {
+ "caption": "File Hosting Activity: Other"
}
},
"requirement": "required",
@@ -12211,90 +13839,43 @@
"type": "unmapped"
}
},
- "caption": "File System Activity",
- "category": "system",
- "description": "File System Activity events report when a process performs an action on a file or folder.",
- "extends": "system",
- "name": "file_activity",
+ "caption": "File Hosting Activity",
+ "category": "application",
+ "description": "File Hosting Activity events report the actions taken by file management applications, including file sharing servers like Sharepoint and services such as Box, MS OneDrive, or Google Drive.",
+ "extends": "application",
+ "name": "file_hosting",
"profiles": [
- "host",
- "security_control"
+ "cloud",
+ "datetime",
+ "osint"
],
- "uid": 1
+ "uid": 6
},
- "file_hosting": {
+ "file_remediation_activity": {
"attributes": {
"activity_id": {
"caption": "Activity ID",
- "description": "The normalized identifier of the activity that triggered the event.",
+ "description": "Matches the MITRE D3FEND\u2122 Tactic. Note: the Model and Detect Tactics are not supported as remediations by the OCSF Remediation event class.",
"enum": {
"0": {
"caption": "Unknown",
"description": "The event activity is unknown."
},
"1": {
- "caption": "Upload",
- "description": "Upload a file."
- },
- "10": {
- "caption": "Lock",
- "description": "Lock a file."
- },
- "11": {
- "caption": "Unlock",
- "description": "Unlock a file."
- },
- "12": {
- "caption": "Share",
- "description": "Share a file."
- },
- "13": {
- "caption": "Unshare",
- "description": "Unshare a file."
- },
- "14": {
- "caption": "Open",
- "description": "Open a file."
- },
- "15": {
- "caption": "Sync",
- "description": "Mark a file or folder to sync with a computer."
- },
- "16": {
- "caption": "Unsync",
- "description": "Mark a file or folder to not sync with a computer."
+ "caption": "Isolate",
+ "description": "Creates logical or physical barriers in a system which reduces opportunities for adversaries to create further accesses. Defined by D3FEND\u2122 d3f:Isolate."
},
"2": {
- "caption": "Download",
- "description": "Download a file."
+ "caption": "Evict",
+ "description": "Removes an adversary or malicious resource from a device or computer network. Defined by D3FEND\u2122 d3f:Evict."
},
"3": {
- "caption": "Update",
- "description": "Update a file."
- },
- "4": {
- "caption": "Delete",
- "description": "Delete a file."
- },
- "5": {
- "caption": "Rename",
- "description": "Rename a file."
- },
- "6": {
- "caption": "Copy",
- "description": "Copy a file."
- },
- "7": {
- "caption": "Move",
- "description": "Move a file."
- },
- "8": {
"caption": "Restore",
- "description": "Restore a file."
+ "description": "Returns the system to a better state. Defined by D3FEND\u2122 d3f:Restore."
},
- "9": {
- "caption": "Preview",
- "description": "Preview a file."
+ "4": {
+ "caption": "Harden",
+ "description": " Increases the opportunity cost of computer network exploitation. Defined by D3FEND\u2122 d3f:Harden."
},
"99": {
"caption": "Other",
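Review bot: The added `Harden` description under `activity_id` value `4` begins with a stray space (`" Increases the opportunity cost…`), which will surface in rendered documentation and break any exact-match comparison of description text. It should read `"description": "Increases the opportunity cost of computer network exploitation. Defined by D3FEND\u2122 d3f:Harden."`. The new `activity_id` description also opens with "Matches the MITRE D3FEND™ Tactic" without first saying that the field is the normalized activity identifier, as the replaced text did. If this file is generated, both corrections presumably belong in the source definition; the class body continues past this hunk.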
@@ -12312,14 +13893,9 @@
"type": "string_t"
},
"actor": {
- "@deprecated": {
- "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
- "since": "1.1.0"
- },
"caption": "Actor",
- "description": "The actor that performed the activity on the target file.",
- "group": "primary",
- "requirement": "required",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "requirement": "optional",
"type": "actor"
},
"api": {
@@ -12339,9 +13915,9 @@
"caption": "Category ID",
"description": "The category unique identifier of the event.",
"enum": {
- "6": {
- "caption": "Application Activity",
- "description": "Application Activity events report detailed information about the behavior of applications and services."
+ "7": {
+ "caption": "Remediation",
+ "description": "Remediation events report the results of remediation commands targeting files, processes, and other objects."
}
},
"requirement": "required",
@@ -12358,9 +13934,9 @@
"caption": "Class ID",
"description": "The unique identifier of a class. A class describes the attributes available in an event.",
"enum": {
- "6006": {
- "caption": "File Hosting Activity",
- "description": "File Hosting Activity events report the actions taken by file management applications, including file sharing servers like Sharepoint and services such as Box, MS OneDrive, or Google Drive."
+ "7002": {
+ "caption": "File Remediation Activity",
+ "description": "File Remediation Activity events report on attempts at remediating files. It follows the MITRE countermeasures defined by the D3FEND\u2122 Matrix. Sub-techniques will include File, such as File Removal or Restore File."
}
},
"requirement": "required",
@@ -12374,6 +13950,13 @@
"requirement": "required",
"type": "cloud"
},
+ "command_uid": {
+ "caption": "Command UID",
+ "description": "The unique identifier of the remediation command that pertains to this event.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
"confidence": {
"@deprecated": {
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
@@ -12385,13 +13968,6 @@
"requirement": "optional",
"type": "integer_t"
},
- "connection_info": {
- "caption": "Connection Info",
- "description": "The network connection information.",
- "group": "context",
- "requirement": "optional",
- "type": "network_connection_info"
- },
"count": {
"caption": "Count",
"default": 1,
@@ -12399,6 +13975,14 @@
"requirement": "optional",
"type": "integer_t"
},
+ "countermeasures": {
+ "caption": "Countermeasures",
+ "description": "The MITRE DEFEND\u2122 Matrix Countermeasures associated with a remediation.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "d3fend"
+ },
"data": {
"@deprecated": {
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
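Review bot: The `countermeasures` description spells the framework "MITRE DEFEND™", while the other added strings visible in this class (the `activity_id` and `class_uid` descriptions) use "D3FEND™", so a text search for the framework name will miss this attribute. Suggested wording: `"description": "The MITRE D3FEND\u2122 Matrix Countermeasures associated with a remediation."`. The attribute's `type` is already `d3fend`, which is consistent with the corrected spelling.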
@@ -12410,26 +13994,16 @@
"type": "json_t"
},
"device": {
- "@deprecated": {
- "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
- "since": "1.1.0"
- },
"caption": "Device",
- "description": "The device that reported the event.",
+ "description": "An addressable device, computer system or host.",
"requirement": "recommended",
"type": "device"
},
- "dst_endpoint": {
- "caption": "Destination Endpoint",
- "description": "The endpoint that received the activity on the target file.",
- "requirement": "recommended",
- "type": "network_endpoint"
- },
"duration": {
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -12445,16 +14019,9 @@
"requirement": "optional",
"type": "enrichment"
},
- "expiration_time": {
- "caption": "Expiration Time",
- "description": "The share expiration time.",
- "group": "context",
- "requirement": "optional",
- "type": "timestamp_t"
- },
"file": {
"caption": "File",
- "description": "The file that is the target of the activity.",
+ "description": "The file that pertains to the remediation event.",
"group": "primary",
"observable": 24,
"requirement": "required",
@@ -12482,6 +14049,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"raw_data": {
"caption": "Raw Data",
"description": "The event data as received from the event source.",
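Review bot: `osint` is added to `file_remediation_activity` as `"requirement": "required"`, but the class's `profiles` list in the later hunk `@@ -12693,16 +14255,15 @@` contains only `host`, whereas `file_hosting` and `incident_finding` have `osint` appended to theirs in this same diff. Read literally, a consumer validating against this file would treat every file-remediation event without an OSINT array as invalid, or producers would pad events with empty arrays just to pass validation. If the attribute is meant to apply only when the OSINT profile is enabled, the list should become `"profiles": ["host", "osint"]`, or the attribute should carry whatever profile marker this format uses, which is not visible here. The same required block is added to other classes in later hunks whose `profiles` lists lie outside the visible lines, so they are worth the same check.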
@@ -12496,6 +14071,20 @@
"requirement": "required",
"type": "string_t"
},
+ "remediation": {
+ "caption": "Remediation Guidance",
+ "description": "Describes the recommended remediation steps to address identified issue(s).",
+ "group": "context",
+ "requirement": "optional",
+ "type": "remediation"
+ },
+ "scan": {
+ "caption": "Scan",
+ "description": "The remediation scan that pertains to this event.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "scan"
+ },
"severity": {
"caption": "Severity",
"description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
@@ -12545,13 +14134,6 @@
"sibling": "severity",
"type": "integer_t"
},
- "src_endpoint": {
- "caption": "Source Endpoint",
- "description": "The endpoint that performed the activity on the target file.",
- "group": "primary",
- "requirement": "required",
- "type": "network_endpoint"
- },
"start_time": {
"caption": "Start Time",
"description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
@@ -12574,7 +14156,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -12593,6 +14175,22 @@
"2": {
"caption": "Failure"
},
+ "3": {
+ "caption": "Does Not Exist",
+ "description": "The target of the remediation does not exist."
+ },
+ "4": {
+ "caption": "Partial",
+ "description": "The remediation was partially completed."
+ },
+ "5": {
+ "caption": "Unsupported",
+ "description": "The remediation was not supported."
+ },
+ "6": {
+ "caption": "Error",
+ "description": "There was an error during the remediation process."
+ },
"99": {
"caption": "Other",
"description": "The event status is not mapped. See the status
attribute, which contains a data source specific value."
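Review bot: The new `status_id` value `6` (`Error`) overlaps with the existing value `2` (`Failure`), which carries no description at all, so two producers can report the same unsuccessful remediation under different codes and a query for failed remediations has to know to match both. A description on `2` that separates the cases would remove the ambiguity, for example `"description": "The remediation was attempted and did not succeed."`; the exact wording is for the schema owners to confirm. The `status_id` enum begins before this hunk.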
@@ -12625,59 +14223,23 @@
"caption": "Type ID",
"description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
"enum": {
- "600600": {
- "caption": "File Hosting Activity: Unknown"
- },
- "600601": {
- "caption": "File Hosting Activity: Upload"
- },
- "600602": {
- "caption": "File Hosting Activity: Download"
- },
- "600603": {
- "caption": "File Hosting Activity: Update"
- },
- "600604": {
- "caption": "File Hosting Activity: Delete"
- },
- "600605": {
- "caption": "File Hosting Activity: Rename"
- },
- "600606": {
- "caption": "File Hosting Activity: Copy"
- },
- "600607": {
- "caption": "File Hosting Activity: Move"
- },
- "600608": {
- "caption": "File Hosting Activity: Restore"
- },
- "600609": {
- "caption": "File Hosting Activity: Preview"
- },
- "600610": {
- "caption": "File Hosting Activity: Lock"
+ "700200": {
+ "caption": "File Remediation Activity: Unknown"
},
- "600611": {
- "caption": "File Hosting Activity: Unlock"
+ "700201": {
+ "caption": "File Remediation Activity: Isolate"
},
- "600612": {
- "caption": "File Hosting Activity: Share"
- },
- "600613": {
- "caption": "File Hosting Activity: Unshare"
+ "700202": {
+ "caption": "File Remediation Activity: Evict"
},
- "600614": {
- "caption": "File Hosting Activity: Open"
+ "700203": {
+ "caption": "File Remediation Activity: Restore"
},
- "600615": {
- "caption": "File Hosting Activity: Sync"
+ "700204": {
+ "caption": "File Remediation Activity: Harden"
},
- "600616": {
- "caption": "File Hosting Activity: Unsync"
- },
- "600699": {
- "caption": "File Hosting Activity: Other"
+ "700299": {
+ "caption": "File Remediation Activity: Other"
}
},
"requirement": "required",
@@ -12693,16 +14255,15 @@
"type": "unmapped"
}
},
- "caption": "File Hosting Activity",
- "category": "application",
- "description": "File Hosting Activity events report the actions taken by file management applications, including file sharing servers like Sharepoint and services such as Box, MS OneDrive, or Google Drive.",
- "extends": "application",
- "name": "file_hosting",
+ "caption": "File Remediation Activity",
+ "category": "remediation",
+ "description": "File Remediation Activity events report on attempts at remediating files. It follows the MITRE countermeasures defined by the D3FEND\u2122 Matrix. Sub-techniques will include File, such as File Removal or Restore File.",
+ "extends": "remediation_activity",
+ "name": "file_remediation_activity",
"profiles": [
- "cloud",
- "datetime"
+ "host"
],
- "uid": 6
+ "uid": 2
},
"finding": {
"attributes": {
@@ -12877,7 +14438,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -12922,6 +14483,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"raw_data": {
"caption": "Raw Data",
"description": "The event data as received from the event source.",
@@ -13007,7 +14576,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -13454,7 +15023,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -13484,6 +15053,14 @@
"requirement": "optional",
"type": "firewall_rule"
},
+ "ja4_fingerprint_list": {
+ "caption": "JA4+ Fingerprints",
+ "description": "A list of the JA4+ network fingerprints.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "ja4_fingerprint"
+ },
"load_balancer": {
"caption": "Load Balancer",
"description": "The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.",
@@ -13526,6 +15103,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"port": {
"caption": "Port",
"description": "The dynamic port established for impending data transfers.",
@@ -13648,7 +15233,7 @@
"caption": "Source Endpoint",
"description": "The initiator (client) of the network connection.",
"group": "primary",
- "requirement": "required",
+ "requirement": "recommended",
"type": "network_endpoint"
},
"start_time": {
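Review bot: Relaxing `src_endpoint` from `required` to `recommended` here, and again in the hunk `@@ -14775,7 +16384,7 @@`, is not reflected in the description, which still reads as if the client endpoint is always known. Consumers that assumed the field was always present, such as correlation on source address or allow/deny-list lookups, will now receive events without it and need an explicit missing-value path. A sentence in the description saying when the source may be absent, plus a CHANGELOG entry, would make the change discoverable. The enclosing class is not visible from this hunk.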
@@ -13673,7 +15258,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -13717,7 +15302,7 @@
"tls": {
"caption": "TLS",
"description": "The Transport Layer Security (TLS) attributes.",
- "group": "primary",
+ "group": "context",
"requirement": "optional",
"type": "tls"
},
@@ -13941,7 +15526,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -13993,6 +15578,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"privileges": {
"caption": "Privileges",
"description": "A list of privileges assigned to the group.",
@@ -14100,7 +15693,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -14563,7 +16156,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -14623,9 +16216,17 @@
"caption": "HTTP Status",
"description": "The Hypertext Transfer Protocol (HTTP) status code returned to the client.",
"group": "primary",
- "requirement": "optional",
+ "requirement": "recommended",
"type": "integer_t"
},
+ "ja4_fingerprint_list": {
+ "caption": "JA4+ Fingerprints",
+ "description": "A list of the JA4+ network fingerprints.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "ja4_fingerprint"
+ },
"load_balancer": {
"caption": "Load Balancer",
"description": "The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.",
@@ -14661,6 +16262,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"proxy": {
"@deprecated": {
"message": "Use the proxy_endpoint
attribute instead.",
@@ -14775,7 +16384,7 @@
"caption": "Source Endpoint",
"description": "The initiator (client) of the network connection.",
"group": "primary",
- "requirement": "required",
+ "requirement": "recommended",
"type": "network_endpoint"
},
"start_time": {
@@ -14800,7 +16409,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -14844,7 +16453,7 @@
"tls": {
"caption": "TLS",
"description": "The Transport Layer Security (TLS) attributes.",
- "group": "primary",
+ "group": "context",
"requirement": "optional",
"type": "tls"
},
@@ -15042,7 +16651,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -15087,6 +16696,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"raw_data": {
"caption": "Raw Data",
"description": "The event data as received from the event source.",
@@ -15179,7 +16796,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -15442,7 +17059,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -15539,6 +17156,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"priority": {
"caption": "Priority",
"description": "The priority, normalized to the caption of the priority_id value. In the case of 'Other', it is defined by the event source.",
@@ -15673,7 +17298,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -15716,6 +17341,13 @@
"sibling": "status",
"type": "integer_t"
},
+ "ticket": {
+ "caption": "Ticket",
+ "description": "The linked ticket in the ticketing system.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "ticket"
+ },
"time": {
"caption": "Event Time",
"description": "The normalized event occurrence time or the finding creation time.",
@@ -15845,7 +17477,8 @@
"name": "incident_finding",
"profiles": [
"cloud",
- "datetime"
+ "datetime",
+ "osint"
],
"uid": 5
},
@@ -15991,7 +17624,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -16029,6 +17662,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"raw_data": {
"caption": "Raw Data",
"description": "The event data as received from the event source.",
@@ -16125,7 +17766,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -16531,7 +18172,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -16589,6 +18230,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"raw_data": {
"caption": "Raw Data",
"description": "The event data as received from the event source.",
@@ -16674,7 +18323,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -17090,7 +18739,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -17141,6 +18790,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"raw_data": {
"caption": "Raw Data",
"description": "The event data as received from the event source.",
@@ -17226,7 +18883,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -17391,6 +19048,10 @@
"caption": "Write",
"description": "Write (Example: WriteProcessMemory
)"
},
+ "9": {
+ "caption": "Map View",
+ "description": "Map View (Example: MapViewOfFile2
)"
+ },
"99": {
"caption": "Other",
"description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
@@ -17663,7 +19324,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -17714,6 +19375,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"process": {
"caption": "Process",
"description": "The process that had memory allocated, read/written, or had other manipulation activities performed on it.",
@@ -17796,7 +19465,7 @@
"caption": "Size",
"description": "The memory size that was access or requested.",
"group": "primary",
- "requirement": "optional",
+ "requirement": "recommended",
"type": "long_t"
},
"start_time": {
@@ -17821,7 +19490,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -17899,6 +19568,9 @@
"100408": {
"caption": "Memory Activity: Write"
},
+ "100409": {
+ "caption": "Memory Activity: Map View"
+ },
"100499": {
"caption": "Memory Activity: Other"
}
@@ -18240,7 +19912,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -18298,6 +19970,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"raw_data": {
"caption": "Raw Data",
"description": "The event data as received from the event source.",
@@ -18383,7 +20063,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -18788,7 +20468,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -18810,6 +20490,14 @@
"requirement": "optional",
"type": "firewall_rule"
},
+ "ja4_fingerprint_list": {
+ "caption": "JA4+ Fingerprints",
+ "description": "A list of the JA4+ network fingerprints.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "ja4_fingerprint"
+ },
"load_balancer": {
"caption": "Load Balancer",
"description": "The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.",
@@ -18845,6 +20533,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"proxy": {
"@deprecated": {
"message": "Use the proxy_endpoint
attribute instead.",
@@ -18959,7 +20655,7 @@
"caption": "Source Endpoint",
"description": "The initiator (client) of the network connection.",
"group": "primary",
- "requirement": "required",
+ "requirement": "recommended",
"type": "network_endpoint"
},
"start_time": {
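Review bot: Relaxing `src_endpoint` from `required` to `recommended` means consumers can no longer assume the source of a connection is present, yet the description still reads as if there is always an initiator. Detection and correlation rules that join on the source address need to treat the attribute as nullable after this change. The description could say when it may be absent, e.g. `"description": "The initiator (client) of the network connection. May be absent when the event has no initiator, such as Listen."`. That wording assumes the new Listen activity is the motivation, which the hunk does not state. The same change appears in the hunks at old lines 19586 and 21017.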
@@ -18984,7 +20680,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -19028,7 +20724,7 @@
"tls": {
"caption": "TLS",
"description": "The Transport Layer Security (TLS) attributes.",
- "group": "primary",
+ "group": "context",
"requirement": "optional",
"type": "tls"
},
@@ -19138,6 +20834,10 @@
"caption": "Traffic",
"description": "Network traffic report."
},
+ "7": {
+ "caption": "Listen",
+ "description": "A network endpoint began listening for new network connections."
+ },
"99": {
"caption": "Other",
"description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
@@ -19415,7 +21115,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -19437,6 +21137,14 @@
"requirement": "optional",
"type": "firewall_rule"
},
+ "ja4_fingerprint_list": {
+ "caption": "JA4+ Fingerprints",
+ "description": "A list of the JA4+ network fingerprints.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "ja4_fingerprint"
+ },
"load_balancer": {
"caption": "Load Balancer",
"description": "The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.",
@@ -19472,6 +21180,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"proxy": {
"@deprecated": {
"message": "Use the proxy_endpoint
attribute instead.",
@@ -19586,7 +21302,7 @@
"caption": "Source Endpoint",
"description": "The initiator (client) of the network connection.",
"group": "primary",
- "requirement": "required",
+ "requirement": "recommended",
"type": "network_endpoint"
},
"start_time": {
@@ -19611,7 +21327,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -19655,7 +21371,7 @@
"tls": {
"caption": "TLS",
"description": "The Transport Layer Security (TLS) attributes.",
- "group": "primary",
+ "group": "context",
"requirement": "optional",
"type": "tls"
},
@@ -19697,6 +21413,9 @@
"400106": {
"caption": "Network Activity: Traffic"
},
+ "400107": {
+ "caption": "Network Activity: Listen"
+ },
"400199": {
"caption": "Network Activity: Other"
}
@@ -20122,7 +21841,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -20159,6 +21878,14 @@
"requirement": "optional",
"type": "firewall_rule"
},
+ "ja4_fingerprint_list": {
+ "caption": "JA4+ Fingerprints",
+ "description": "A list of the JA4+ network fingerprints.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "ja4_fingerprint"
+ },
"load_balancer": {
"caption": "Load Balancer",
"description": "The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.",
@@ -20194,6 +21921,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"proxy": {
"@deprecated": {
"message": "Use the proxy_endpoint
attribute instead.",
@@ -20333,7 +22068,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -20377,7 +22112,7 @@
"tls": {
"caption": "TLS",
"description": "The Transport Layer Security (TLS) attributes.",
- "group": "primary",
+ "group": "context",
"requirement": "optional",
"type": "tls"
},
@@ -20479,6 +22214,419 @@
],
"uid": 10
},
+ "network_remediation_activity": {
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "Matches the MITRE D3FEND\u2122 Tactic. Note: the Model and Detect Tactics are not supported as remediations by the OCSF Remediation event class.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Isolate",
+ "description": "Creates logical or physical barriers in a system which reduces opportunities for adversaries to create further accesses. Defined by D3FEND\u2122 d3f:Isolate."
+ },
+ "2": {
+ "caption": "Evict",
+ "description": "Removes an adversary or malicious resource from a device or computer network. Defined by D3FEND\u2122 d3f:Evict."
+ },
+ "3": {
+ "caption": "Restore",
+ "description": "Returns the system to a better state. Defined by D3FEND\u2122 d3f:Restore."
+ },
+ "4": {
+ "caption": "Harden",
+ "description": " Increases the opportunity cost of computer network exploitation. Defined by D3FEND\u2122 d3f:Harden."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "7": {
+ "caption": "Remediation",
+ "description": "Remediation events report the results of remediation commands targeting files, processes, and other objects."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "7004": {
+ "caption": "Network Remediation Activity",
+ "description": "Network Remediation Activity events report on attempts at remediating computer networks. It follows the MITRE countermeasures defined by the D3FEND\u2122 Matrix. Techniques and Sub-techniques will include Network, such as Network Isolation or Network Traffic Filtering."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "command_uid": {
+ "caption": "Command UID",
+ "description": "The unique identifier of the remediation command that pertains to this event.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "connection_info": {
+ "caption": "Connection Info",
+ "description": "The network connection that pertains to the remediation event.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "network_connection_info"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "countermeasures": {
+ "caption": "Countermeasures",
+ "description": "The MITRE DEFEND\u2122 Matrix Countermeasures associated with a remediation.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "d3fend"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "long_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "remediation": {
+ "caption": "Remediation Guidance",
+ "description": "Describes the recommended remediation steps to address identified issue(s).",
+ "group": "context",
+ "requirement": "optional",
+ "type": "remediation"
+ },
+ "scan": {
+ "caption": "Scan",
+ "description": "The remediation scan that pertains to this event.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "scan"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "700400": {
+ "caption": "Network Remediation Activity: Unknown"
+ },
+ "700401": {
+ "caption": "Network Remediation Activity: Isolate"
+ },
+ "700402": {
+ "caption": "Network Remediation Activity: Evict"
+ },
+ "700403": {
+ "caption": "Network Remediation Activity: Restore"
+ },
+ "700404": {
+ "caption": "Network Remediation Activity: Harden"
+ },
+ "700499": {
+ "caption": "Network Remediation Activity: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Network Remediation Activity",
+ "category": "remediation",
+ "description": "Network Remediation Activity events report on attempts at remediating computer networks. It follows the MITRE countermeasures defined by the D3FEND\u2122 Matrix. Techniques and Sub-techniques will include Network, such as Network Isolation or Network Traffic Filtering.",
+ "extends": "remediation_activity",
+ "name": "network_remediation_activity",
+ "profiles": [
+ "host"
+ ],
+ "uid": 4
+ },
"ntp_activity": {
"attributes": {
"action": {
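Review bot: The new `network_remediation_activity` class marks `cloud` as `"requirement": "required"` while its `profiles` list contains only `host`, so a remediation event from a non-cloud network device cannot validate without a placeholder cloud object; `osint` is required in the same way. Either list the profiles that contribute these attributes or relax them to `optional`. Separately, the `countermeasures` description spells the framework `DEFEND` where the rest of the class uses `D3FEND`, the `Harden` description starts with a stray space, and `record_id` has `idenifier` for `identifier`. `confidence` and `data` are introduced already carrying `@deprecated`, which deserves a short explanation of why a new class ships them.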
@@ -20839,7 +22987,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -20861,6 +23009,14 @@
"requirement": "optional",
"type": "firewall_rule"
},
+ "ja4_fingerprint_list": {
+ "caption": "JA4+ Fingerprints",
+ "description": "A list of the JA4+ network fingerprints.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "ja4_fingerprint"
+ },
"load_balancer": {
"caption": "Load Balancer",
"description": "The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.",
@@ -20896,6 +23052,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"precision": {
"caption": "Precision",
"description": "The NTP precision quantifies a clock's accuracy and stability in log2 seconds, as defined in RFC-5905.",
@@ -21017,7 +23181,7 @@
"caption": "Source Endpoint",
"description": "The initiator (client) of the network connection.",
"group": "primary",
- "requirement": "required",
+ "requirement": "recommended",
"type": "network_endpoint"
},
"start_time": {
@@ -21042,7 +23206,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -21126,7 +23290,7 @@
"tls": {
"caption": "TLS",
"description": "The Transport Layer Security (TLS) attributes.",
- "group": "primary",
+ "group": "context",
"requirement": "optional",
"type": "tls"
},
@@ -21208,6 +23372,372 @@
],
"uid": 13
},
+ "osint_inventory_info": {
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Log",
+ "description": "The discovered information is via a log."
+ },
+ "2": {
+ "caption": "Collect",
+ "description": "The discovered information is via a collection process."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor describes the process that was the source of the inventory activity. In the case of OSINT inventory data, that could be a particular process or script that is run to scrape the OSINT or threat intelligence data. For example, it could be a Python process that runs to pull data from a MISP or Shodan API.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "5": {
+ "caption": "Discovery",
+ "description": "Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "5021": {
+ "caption": "OSINT Inventory Info",
+ "description": "OSINT Inventory Info events report open source intelligence or threat intelligence inventory data that is either logged or proactively collected. For example, when collecting OSINT information from Threat Intelligence Platforms (TIPs) or Extended Detection and Response (XDR) platforms, or collecting data from OSINT or other generic threat intelligence and enrichment feeds such as APIs and datastores."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "command_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Command UID",
+ "description": "The unique identifier of the discovery command that pertains to this event.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "long_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT that is being discovered by an inventory process.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "scan_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Scan UID",
+ "description": "The unique identifier of the discovery scan request that pertains to this event.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "502100": {
+ "caption": "OSINT Inventory Info: Unknown"
+ },
+ "502101": {
+ "caption": "OSINT Inventory Info: Log"
+ },
+ "502102": {
+ "caption": "OSINT Inventory Info: Collect"
+ },
+ "502199": {
+ "caption": "OSINT Inventory Info: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "OSINT Inventory Info",
+ "category": "discovery",
+ "description": "OSINT Inventory Info events report open source intelligence or threat intelligence inventory data that is either logged or proactively collected. For example, when collecting OSINT information from Threat Intelligence Platforms (TIPs) or Extended Detection and Response (XDR) platforms, or collecting data from OSINT or other generic threat intelligence and enrichment feeds such as APIs and datastores.",
+ "extends": "discovery",
+ "name": "osint_inventory_info",
+ "profiles": [
+ "cloud",
+ "datetime",
+ "osint"
+ ],
+ "uid": 21
+ },
"patch_state": {
"attributes": {
"activity_id": {
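Review bot: `command_uid` in the new `osint_inventory_info` class is both `@deprecated` and `"requirement": "required"`, so producers must populate an attribute the schema tells them to stop using. A deprecated attribute should be `"requirement": "optional"`, or the `@deprecated` block should be dropped if the identifier is still needed. The `@deprecated` message names no replacement attribute, unlike the `proxy` entry elsewhere in this file, which says what to use instead. `record_id` repeats the `idenifier` typo.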
@@ -21342,6 +23872,7 @@
"caption": "Device",
"description": "An addressable device, computer system or host.",
"group": "primary",
+ "profile": null,
"requirement": "recommended",
"type": "device"
},
@@ -21349,7 +23880,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -21395,6 +23926,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"raw_data": {
"caption": "Raw Data",
"description": "The event data as received from the event source.",
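Review bot: The added `osint` attribute is `"requirement": "required"` but carries no `profile` key, so a consumer of this schema cannot distinguish it from an unconditionally required attribute. If it is meant to apply only when the OSINT profile is enabled, I would add `"profile": "osint"` to the entry; the device hunk above already writes a `profile` key, as `null`. Otherwise events from sources with no threat-intelligence data will either fail validation or be padded with empty arrays. The same entry is added in the hunks at -21775, -22230, -22907, -23533, -24221, -24632 and -25255, and inside the new process_remediation_activity class. If this file is compiled output, the change belongs in the source definition rather than here.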
@@ -21491,7 +24030,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -21737,7 +24276,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -21775,6 +24314,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"peripheral_device": {
"caption": "Peripheral Device",
"description": "The peripheral device that triggered the event.",
@@ -21930,7 +24477,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -22176,9 +24723,9 @@
},
"duration": {
"caption": "Duration",
- "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "description": "This represents the duration of the activity in milliseconds. See specific usage.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
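Review bot: The new `duration` description ends in "See specific usage.", which points to nothing in this class, and it drops the statement that the value covers `start_time` to `end_time`. Other classes in this same diff keep the old wording and change only the type, so the text is now inconsistent across classes. I would keep the original sentence here and change only `"type": "long_t"`, or replace the placeholder with the class-specific meaning. The same description change appears in the hunks at -24161, -24592 and -25202.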
@@ -22230,6 +24777,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"query_info": {
"caption": "Query Info",
"description": "The search details associated with the query request.",
@@ -22385,7 +24940,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -22811,7 +25366,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -22861,6 +25416,9 @@
"2": {
"caption": "Load Library"
},
+ "3": {
+ "caption": "Queue APC"
+ },
"99": {
"caption": "Other",
"description": "The injection type is not mapped. See the injection_type
attribute, which contains a data source specific value."
@@ -22907,6 +25465,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"process": {
"caption": "Process",
"description": "The process that was launched, injected into, opened, or terminated.",
@@ -23007,7 +25573,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -23104,6 +25670,420 @@
],
"uid": 7
},
+ "process_remediation_activity": {
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "Matches the MITRE D3FEND\u2122 Tactic. Note: the Model and Detect Tactics are not supported as remediations by the OCSF Remediation event class.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Isolate",
+ "description": "Creates logical or physical barriers in a system which reduces opportunities for adversaries to create further accesses. Defined by D3FEND\u2122 d3f:Isolate."
+ },
+ "2": {
+ "caption": "Evict",
+ "description": "Removes an adversary or malicious resource from a device or computer network. Defined by D3FEND\u2122 d3f:Evict."
+ },
+ "3": {
+ "caption": "Restore",
+ "description": "Returns the system to a better state. Defined by D3FEND\u2122 d3f:Restore."
+ },
+ "4": {
+ "caption": "Harden",
+ "description": " Increases the opportunity cost of computer network exploitation. Defined by D3FEND\u2122 d3f:Harden."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "7": {
+ "caption": "Remediation",
+ "description": "Remediation events report the results of remediation commands targeting files, processes, and other objects."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "7003": {
+ "caption": "Process Remediation Activity",
+ "description": "Process Remediation Activity events report on attempts at remediating processes. It follows the MITRE countermeasures defined by the D3FEND\u2122 Matrix. Sub-techniques will include Process, such as Process Termination or Kernel-based Process Isolation."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "command_uid": {
+ "caption": "Command UID",
+ "description": "The unique identifier of the remediation command that pertains to this event.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "countermeasures": {
+ "caption": "Countermeasures",
+ "description": "The MITRE DEFEND\u2122 Matrix Countermeasures associated with a remediation.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "d3fend"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "long_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
+ "process": {
+ "caption": "Process",
+ "description": "The process that pertains to the remediation event.",
+ "group": "primary",
+ "observable": 25,
+ "requirement": "required",
+ "type": "process"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "remediation": {
+ "caption": "Remediation Guidance",
+ "description": "Describes the recommended remediation steps to address identified issue(s).",
+ "group": "context",
+ "requirement": "optional",
+ "type": "remediation"
+ },
+ "scan": {
+ "caption": "Scan",
+ "description": "The remediation scan that pertains to this event.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "scan"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "700300": {
+ "caption": "Process Remediation Activity: Unknown"
+ },
+ "700301": {
+ "caption": "Process Remediation Activity: Isolate"
+ },
+ "700302": {
+ "caption": "Process Remediation Activity: Evict"
+ },
+ "700303": {
+ "caption": "Process Remediation Activity: Restore"
+ },
+ "700304": {
+ "caption": "Process Remediation Activity: Harden"
+ },
+ "700399": {
+ "caption": "Process Remediation Activity: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Process Remediation Activity",
+ "category": "remediation",
+ "description": "Process Remediation Activity events report on attempts at remediating processes. It follows the MITRE countermeasures defined by the D3FEND\u2122 Matrix. Sub-techniques will include Process, such as Process Termination or Kernel-based Process Isolation.",
+ "extends": "remediation_activity",
+ "name": "process_remediation_activity",
+ "profiles": [
+ "host"
+ ],
+ "uid": 3
+ },
"rdp_activity": {
"attributes": {
"action": {
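Review bot: `cloud` and `osint` are both `"requirement": "required"` in process_remediation_activity although the class lists only `host` under `profiles`. As written, every process remediation event needs cloud and OSINT data to validate, which looks unintended and should be confirmed against the source definition. Separately, three descriptions need fixing: `countermeasures` says "MITRE DEFEND™" where the rest of the class says D3FEND, `record_id` reads "Unique idenifier for the event", and the Harden description starts with a stray space. Proposed text: `"The MITRE D3FEND™ Matrix Countermeasures associated with a remediation."` and `"Unique identifier for the event."`.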
@@ -23461,7 +26441,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -23498,6 +26478,14 @@
"requirement": "optional",
"type": "string_t"
},
+ "ja4_fingerprint_list": {
+ "caption": "JA4+ Fingerprints",
+ "description": "A list of the JA4+ network fingerprints.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "ja4_fingerprint"
+ },
"load_balancer": {
"caption": "Load Balancer",
"description": "The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.",
@@ -23533,6 +26521,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"protocol_ver": {
"caption": "RDP Version",
"description": "The Remote Desktop Protocol version.",
@@ -23674,7 +26670,7 @@
"caption": "Source Endpoint",
"description": "The initiator (client) of the network connection.",
"group": "primary",
- "requirement": "required",
+ "requirement": "recommended",
"type": "network_endpoint"
},
"start_time": {
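Review bot: Relaxing `src_endpoint` from `required` to `recommended` means events of this class can now validate with no initiator recorded. The class appears to be rdp_activity, but its header is outside the hunk. Detections and investigations for remote-access activity usually key on the source address, so consumers must handle a missing `src_endpoint` rather than assume it is present. If the downgrade is intended, I would say so in the description, for example `"The initiator (client) of the network connection. May be absent when the source cannot observe it."`, and list it in the changelog as a compatibility change.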
@@ -23699,7 +26695,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -23743,7 +26739,7 @@
"tls": {
"caption": "TLS",
"description": "The Transport Layer Security (TLS) attributes.",
- "group": "primary",
+ "group": "context",
"requirement": "optional",
"type": "tls"
},
@@ -24161,9 +27157,9 @@
},
"duration": {
"caption": "Duration",
- "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "description": "This represents the duration of the activity in milliseconds. See specific usage.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -24221,6 +27217,14 @@
"requirement": "recommended",
"type": "integer_t"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"prev_reg_key": {
"caption": "Previous Registry Key",
"description": "The registry key before the mutation",
@@ -24332,7 +27336,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -24592,9 +27596,9 @@
},
"duration": {
"caption": "Duration",
- "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "description": "This represents the duration of the activity in milliseconds. See specific usage.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -24632,6 +27636,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"query_info": {
"caption": "Query Info",
"description": "The search details associated with the query request.",
@@ -24788,7 +27800,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -25202,9 +28214,9 @@
},
"duration": {
"caption": "Duration",
- "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "description": "This represents the duration of the activity in milliseconds. See specific usage.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -25255,6 +28267,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"prev_reg_value": {
"caption": "Previous Registry Value",
"description": "The registry value before the mutation",
@@ -25363,7 +28383,456 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_id": {
+ "caption": "Status ID",
+ "description": "The normalized identifier of the event status.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The status is unknown."
+ },
+ "1": {
+ "caption": "Success"
+ },
+ "2": {
+ "caption": "Failure"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event status is not mapped. See the status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "20100200": {
+ "caption": "Registry Value Activity: Unknown"
+ },
+ "20100201": {
+ "caption": "Registry Value Activity: Get"
+ },
+ "20100202": {
+ "caption": "Registry Value Activity: Set"
+ },
+ "20100203": {
+ "caption": "Registry Value Activity: Modify"
+ },
+ "20100204": {
+ "caption": "Registry Value Activity: Delete"
+ },
+ "20100299": {
+ "caption": "Registry Value Activity: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Registry Value Activity",
+ "category": "system",
+ "description": "Registry Value Activity events reports when a process performs an action on a Windows registry value.",
+ "extends": "system",
+ "extension": "windows",
+ "name": "registry_value_activity",
+ "profiles": [
+ "host",
+ "security_control"
+ ],
+ "uid": 2
+ },
+ "registry_value_query": {
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Query",
+ "description": "The target was found."
+ },
+ "2": {
+ "caption": "Partial",
+ "description": "The target was partially found."
+ },
+ "3": {
+ "caption": "Does not exist",
+ "description": "The target was not found."
+ },
+ "4": {
+ "caption": "Error",
+ "description": "The discovery attempt failed."
+ },
+ "5": {
+ "caption": "Unsupported",
+ "description": "Discovery of the target was not supported."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "5": {
+ "caption": "Discovery",
+ "description": "Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "205005": {
+ "caption": "Registry Value Query",
+ "description": "Registry Value Query events report information about discovered Windows registry values."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "command_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Command UID",
+ "description": "The unique identifier of the discovery command that pertains to this event.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "This represents the duration of the activity in milliseconds. See specific usage.",
+ "requirement": "optional",
+ "type": "long_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
+ "query_info": {
+ "caption": "Query Info",
+ "description": "The search details associated with the query request.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "query_info"
+ },
+ "query_result": {
+ "caption": "Query Result",
+ "description": "The result of the query.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "query_result_id": {
+ "caption": "Query Result ID",
+ "description": "The normalized identifier of the query result.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The query result is unknown."
+ },
+ "1": {
+ "caption": "Exists",
+ "description": "The target was found."
+ },
+ "2": {
+ "caption": "Partial",
+ "description": "The target was partially found."
+ },
+ "3": {
+ "caption": "Does not exist",
+ "description": "The target was not found."
+ },
+ "4": {
+ "caption": "Error",
+ "description": "The discovery attempt failed."
+ },
+ "5": {
+ "caption": "Unsupported",
+ "description": "Discovery of the target was not supported."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The query result is not mapped. See the query_result
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "required",
+ "sibling": "query_result",
+ "type": "integer_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "reg_value": {
+ "caption": "Registry Value",
+ "description": "The registry value that pertains to the event.",
+ "group": "primary",
+ "observable": 29,
+ "requirement": "required",
+ "type": "reg_value"
+ },
+ "scan_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Scan UID",
+ "description": "The unique identifier of the discovery scan request that pertains to this event.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.class_uid * 100 + activity_id
.",
"enum": {
- "20100200": {
- "caption": "Registry Value Activity: Unknown"
+ "20500500": {
+ "caption": "Registry Value Query: Unknown"
},
- "20100201": {
- "caption": "Registry Value Activity: Get"
+ "20500501": {
+ "caption": "Registry Value Query: Query"
},
- "20100202": {
- "caption": "Registry Value Activity: Set"
+ "20500502": {
+ "caption": "Registry Value Query: Partial"
},
- "20100203": {
- "caption": "Registry Value Activity: Modify"
+ "20500503": {
+ "caption": "Registry Value Query: Does not exist"
},
- "20100204": {
- "caption": "Registry Value Activity: Delete"
+ "20500504": {
+ "caption": "Registry Value Query: Error"
},
- "20100299": {
- "caption": "Registry Value Activity: Other"
+ "20500505": {
+ "caption": "Registry Value Query: Unsupported"
+ },
+ "20500599": {
+ "caption": "Registry Value Query: Other"
}
},
"requirement": "required",
@@ -25446,47 +28918,42 @@
"type": "unmapped"
}
},
- "caption": "Registry Value Activity",
- "category": "system",
- "description": "Registry Value Activity events reports when a process performs an action on a Windows registry value.",
- "extends": "system",
+ "caption": "Registry Value Query",
+ "category": "discovery",
+ "description": "Registry Value Query events report information about discovered Windows registry values.",
+ "extends": "discovery_result",
"extension": "windows",
- "name": "registry_value_activity",
+ "name": "registry_value_query",
"profiles": [
- "host",
- "security_control"
+ "host"
],
- "uid": 2
+ "uid": 5
},
- "registry_value_query": {
+ "remediation_activity": {
"attributes": {
"activity_id": {
"caption": "Activity ID",
- "description": "The normalized identifier of the activity that triggered the event.",
+ "description": "Matches the MITRE D3FEND\u2122 Tactic. Note: the Model and Detect Tactics are not supported as remediations by the OCSF Remediation event class.",
"enum": {
"0": {
"caption": "Unknown",
"description": "The event activity is unknown."
},
"1": {
- "caption": "Query",
- "description": "The target was found."
+ "caption": "Isolate",
+ "description": "Creates logical or physical barriers in a system which reduces opportunities for adversaries to create further accesses. Defined by D3FEND\u2122 d3f:Isolate."
},
"2": {
- "caption": "Partial",
- "description": "The target was partially found."
+ "caption": "Evict",
+ "description": "Removes an adversary or malicious resource from a device or computer network. Defined by D3FEND\u2122 d3f:Evict."
},
"3": {
- "caption": "Does not exist",
- "description": "The target was not found."
+ "caption": "Restore",
+ "description": "Returns the system to a better state. Defined by D3FEND\u2122 d3f:Restore."
},
"4": {
- "caption": "Error",
- "description": "The discovery attempt failed."
- },
- "5": {
- "caption": "Unsupported",
- "description": "Discovery of the target was not supported."
+ "caption": "Harden",
+ "description": " Increases the opportunity cost of computer network exploitation. Defined by D3FEND\u2122 d3f:Harden."
},
"99": {
"caption": "Other",
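Review bot: The new `activity_id` enum for `remediation_activity` maps Isolate, Evict, Restore and Harden, and its description excludes only the Model and Detect tactics, so the D3FEND Deceive tactic is neither mapped nor documented as unsupported. A producer reporting a deception-based remediation would have to fall back to `99`, which makes those events hard to tell apart from genuinely unmapped ones. Either add an enum entry for it or extend the note to `Note: the Model, Detect and Deceive Tactics are not supported as remediations by the OCSF Remediation event class.` The Harden description also begins with a stray space (`" Increases the opportunity cost…"`). The enum's `99` entry continues outside the hunk.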
@@ -25526,9 +28993,9 @@
"caption": "Category ID",
"description": "The category unique identifier of the event.",
"enum": {
- "5": {
- "caption": "Discovery",
- "description": "Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects."
+ "7": {
+ "caption": "Remediation",
+ "description": "Remediation events report the results of remediation commands targeting files, processes, and other objects."
}
},
"requirement": "required",
@@ -25545,9 +29012,9 @@
"caption": "Class ID",
"description": "The unique identifier of a class. A class describes the attributes available in an event.",
"enum": {
- "205005": {
- "caption": "Registry Value Query",
- "description": "Registry Value Query events report information about discovered Windows registry values."
+ "7001": {
+ "caption": "Remediation Activity",
+ "description": "Remediation Activity events report on attempts at remediating a compromised device or computer network. It follows the MITRE countermeasures defined by the D3FEND\u2122 Matrix."
}
},
"requirement": "required",
@@ -25562,12 +29029,8 @@
"type": "cloud"
},
"command_uid": {
- "@deprecated": {
- "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
- "since": "1.1.0"
- },
"caption": "Command UID",
- "description": "The unique identifier of the discovery command that pertains to this event.",
+ "description": "The unique identifier of the remediation command that pertains to this event.",
"group": "primary",
"requirement": "required",
"type": "string_t"
@@ -25590,6 +29053,14 @@
"requirement": "optional",
"type": "integer_t"
},
+ "countermeasures": {
+ "caption": "Countermeasures",
+ "description": "The MITRE DEFEND\u2122 Matrix Countermeasures associated with a remediation.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "d3fend"
+ },
"data": {
"@deprecated": {
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
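Review bot: The description of the added `countermeasures` attribute spells the framework "MITRE DEFEND\u2122 Matrix", while its `type` is `d3fend` and every other new string in this diff writes "D3FEND\u2122". Readers searching the schema for the framework name will miss this attribute. Suggested text: `"description": "The MITRE D3FEND\u2122 Matrix Countermeasures associated with a remediation."`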
@@ -25610,7 +29081,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -25648,57 +29119,13 @@
"requirement": "recommended",
"type": "observable"
},
- "query_info": {
- "caption": "Query Info",
- "description": "The search details associated with the query request.",
- "group": "primary",
- "requirement": "recommended",
- "type": "query_info"
- },
- "query_result": {
- "caption": "Query Result",
- "description": "The result of the query.",
- "group": "primary",
- "requirement": "recommended",
- "type": "string_t"
- },
- "query_result_id": {
- "caption": "Query Result ID",
- "description": "The normalized identifier of the query result.",
- "enum": {
- "0": {
- "caption": "Unknown",
- "description": "The query result is unknown."
- },
- "1": {
- "caption": "Exists",
- "description": "The target was found."
- },
- "2": {
- "caption": "Partial",
- "description": "The target was partially found."
- },
- "3": {
- "caption": "Does not exist",
- "description": "The target was not found."
- },
- "4": {
- "caption": "Error",
- "description": "The discovery attempt failed."
- },
- "5": {
- "caption": "Unsupported",
- "description": "Discovery of the target was not supported."
- },
- "99": {
- "caption": "Other",
- "description": "The query result is not mapped. See the query_result
attribute, which contains a data source specific value."
- }
- },
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
"group": "primary",
+ "is_array": true,
"requirement": "required",
- "sibling": "query_result",
- "type": "integer_t"
+ "type": "osint"
},
"raw_data": {
"caption": "Raw Data",
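Review bot: The `osint` attribute added here is `"requirement": "required"` in group `primary`, and nothing in the entry marks it as applying only when an OSINT profile is in use. The same block is added in the later hunks at -26262, -26720, -27327, -27918, -28388 and -29082. In this class the `profiles` list visible further down is only `"host"`, and among the hunks shown only `security_finding` gains `"osint"` in its `profiles`. A validator or pipeline that reads this file literally would reject any event without threat-intelligence data, which pushes producers to emit empty or placeholder `osint` arrays and degrades the signal for analysts. If the attribute is meant to be profile-scoped, the entry should say so (or be `"requirement": "optional"` outside the profile); if this file is generated, the fix belongs in the source definition.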
@@ -25714,24 +29141,19 @@
"requirement": "required",
"type": "string_t"
},
- "reg_value": {
- "caption": "Registry Value",
- "description": "The registry value that pertains to the event.",
- "group": "primary",
- "observable": 29,
- "requirement": "required",
- "type": "reg_value"
+ "remediation": {
+ "caption": "Remediation Guidance",
+ "description": "Describes the recommended remediation steps to address identified issue(s).",
+ "group": "context",
+ "requirement": "optional",
+ "type": "remediation"
},
- "scan_uid": {
- "@deprecated": {
- "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
- "since": "1.1.0"
- },
- "caption": "Scan UID",
- "description": "The unique identifier of the discovery scan request that pertains to this event.",
- "group": "primary",
+ "scan": {
+ "caption": "Scan",
+ "description": "The remediation scan that pertains to this event.",
+ "group": "context",
"requirement": "optional",
- "type": "string_t"
+ "type": "scan"
},
"severity": {
"caption": "Severity",
@@ -25804,7 +29226,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -25823,6 +29245,22 @@
"2": {
"caption": "Failure"
},
+ "3": {
+ "caption": "Does Not Exist",
+ "description": "The target of the remediation does not exist."
+ },
+ "4": {
+ "caption": "Partial",
+ "description": "The remediation was partially completed."
+ },
+ "5": {
+ "caption": "Unsupported",
+ "description": "The remediation was not supported."
+ },
+ "6": {
+ "caption": "Error",
+ "description": "There was an error during the remediation process."
+ },
"99": {
"caption": "Other",
"description": "The event status is not mapped. See the status
attribute, which contains a data source specific value."
@@ -25855,26 +29293,23 @@
"caption": "Type ID",
"description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
"enum": {
- "20500500": {
- "caption": "Registry Value Query: Unknown"
+ "700100": {
+ "caption": "Remediation Activity: Unknown"
},
- "20500501": {
- "caption": "Registry Value Query: Query"
+ "700101": {
+ "caption": "Remediation Activity: Isolate"
},
- "20500502": {
- "caption": "Registry Value Query: Partial"
+ "700102": {
+ "caption": "Remediation Activity: Evict"
},
- "20500503": {
- "caption": "Registry Value Query: Does not exist"
+ "700103": {
+ "caption": "Remediation Activity: Restore"
},
- "20500504": {
- "caption": "Registry Value Query: Error"
+ "700104": {
+ "caption": "Remediation Activity: Harden"
},
- "20500505": {
- "caption": "Registry Value Query: Unsupported"
- },
- "20500599": {
- "caption": "Registry Value Query: Other"
+ "700199": {
+ "caption": "Remediation Activity: Other"
}
},
"requirement": "required",
@@ -25890,16 +29325,15 @@
"type": "unmapped"
}
},
- "caption": "Registry Value Query",
- "category": "discovery",
- "description": "Registry Value Query events report information about discovered Windows registry values.",
- "extends": "discovery_result",
- "extension": "windows",
- "name": "registry_value_query",
+ "caption": "Remediation Activity",
+ "category": "remediation",
+ "description": "Remediation Activity events report on attempts at remediating a compromised device or computer network. It follows the MITRE countermeasures defined by the D3FEND\u2122 Matrix.",
+ "extends": "base_event",
+ "name": "remediation_activity",
"profiles": [
"host"
],
- "uid": 5
+ "uid": 1
},
"resource_activity": {
"associations": {
@@ -26209,9 +29643,9 @@
},
"duration": {
"caption": "Duration",
- "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "description": "This represents the duration of the activity in milliseconds. See specific usage.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -26262,6 +29696,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"raw_data": {
"caption": "Raw Data",
"description": "The event data as received from the event source.",
@@ -26358,7 +29800,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -26619,7 +30061,7 @@
"caption": "Duration",
"description": "The duration of the scan",
"requirement": "recommended",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -26720,6 +30162,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"policy": {
"caption": "Policy",
"description": "The policy associated with this Scan event; required if the scan was initiated by a policy.",
@@ -26826,7 +30276,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -27269,7 +30719,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -27327,6 +30777,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"raw_data": {
"caption": "Raw Data",
"description": "The event data as received from the event source.",
@@ -27412,7 +30870,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -27737,20 +31195,24 @@
"description": "The disposition is unknown."
},
"1": {
- "caption": "Blocked"
+ "caption": "Blocked",
+ "description": "Granted access or allowed the action to the protected resource."
},
"10": {
"caption": "Delayed",
"description": "Requires reboot to finish the operation."
},
"11": {
- "caption": "Detected"
+ "caption": "Detected",
+ "description": "A corrupt file or configuration was corrected."
},
"12": {
- "caption": "Quarantined"
+ "caption": "Quarantined",
+ "description": "A corrupt file or configuration was partially corrected."
},
"13": {
- "caption": "Restored"
+ "caption": "Restored",
+ "description": "A corrupt file or configuration was not corrected."
},
"14": {
"caption": "Exonerated",
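Review bot: The descriptions added to this disposition enum do not match the captions they are attached to: `1` is captioned "Blocked" but described as "Granted access or allowed the action", and `2` (next hunk) is captioned "Allowed" but described as "Denied access or blocked the action". Ids 11 to 13 here and 3 to 8 in the following hunk are mismatched the same way, for example "Quarantined" paired with "A corrupt file or configuration was partially corrected." The new entries 25 and 26 refer to `2` as 'Blocked' and entry 8 refers to `1` as 'Allowed', which suggests the descriptions follow a different numbering than the captions. The captions "Tagged", "No Action", "Logged" and "Restored" each now appear under two ids. A detection or report that keys on the caption will reach the opposite allow/block conclusion from one that keys on the id and description, so the captions and descriptions need to be reconciled to one numbering before this ships, e.g. `"1": { "caption": "Allowed", … }` and `"2": { "caption": "Blocked", … }` if the descriptions are authoritative. The enum starts outside this hunk.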
@@ -27760,26 +31222,85 @@
"caption": "Tagged",
"description": "Marked with extended attributes."
},
+ "16": {
+ "caption": "No Action",
+ "description": "The outcome of an operation had no action taken."
+ },
+ "17": {
+ "caption": "Logged",
+ "description": "The operation or action was logged without further action."
+ },
+ "18": {
+ "caption": "Tagged",
+ "description": "A file or other entity was marked with extended attributes."
+ },
+ "19": {
+ "caption": "Alert",
+ "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
+ },
"2": {
- "caption": "Allowed"
+ "caption": "Allowed",
+ "description": "Denied access or blocked the action to the protected resource."
+ },
+ "20": {
+ "caption": "Count",
+ "description": "Counted the request or activity but did not determine whether to allow it or block it."
+ },
+ "21": {
+ "caption": "Reset",
+ "description": "The request was detected as a threat and resulted in the connection being reset."
+ },
+ "22": {
+ "caption": "Captcha",
+ "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
+ },
+ "23": {
+ "caption": "Challenge",
+ "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
+ },
+ "24": {
+ "caption": "Access Revoked",
+ "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the Host
profile if the User
or Actor
requestor is not present in the event class."
+ },
+ "25": {
+ "caption": "Rejected",
+ "description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2
'Blocked'."
+ },
+ "26": {
+ "caption": "Unauthorized",
+ "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2
'Blocked' and can be complemented with the authorizations
attribute for more detail."
+ },
+ "27": {
+ "caption": "Error",
+ "description": "An error occurred during the processing of the activity or request. Use the message
attribute of the base class for details."
},
"3": {
- "caption": "No Action"
+ "caption": "No Action",
+ "description": "A suspicious file or other content was moved to a benign location."
},
"4": {
- "caption": "Logged"
+ "caption": "Logged",
+ "description": "A session was isolated on the network or within a browser."
},
"5": {
- "caption": "Command Script Run"
+ "caption": "Command Script Run",
+ "description": "A file or other content was deleted."
},
"6": {
- "caption": "Corrected"
+ "caption": "Corrected",
+ "description": "The request was detected as a threat and resulted in the connection being dropped."
},
"7": {
- "caption": "Partially Corrected"
+ "caption": "Partially Corrected",
+ "description": "A custom action was executed such as running of a command script. Use the message
attribute of the base class for details."
},
"8": {
- "caption": "Uncorrected"
+ "caption": "Uncorrected",
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "9": {
+ "caption": "Restored",
+ "description": "A quarantined file or other content was restored to its original location."
},
"99": {
"caption": "Other",
@@ -27794,7 +31315,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -27918,6 +31439,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"process": {
"caption": "Process",
"description": "The process object.",
@@ -27950,7 +31479,7 @@
},
"risk_level": {
"caption": "Risk Level",
- "description": "The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source.",
+ "description": "The risk level, normalized to the caption of the risk_level_id value.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
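Review bot: This hunk drops the sentence "In the case of 'Other', it is defined by the event source." from `risk_level`, while the next hunk adds a `99` "Other" entry to the `risk_level_id` enum whose description points readers to `risk_level` for the source-specific value. The two changes pull in opposite directions: the id now has an Other case and the sibling no longer says what it holds in that case. Keeping the original sentence would make the pair consistent: `"description": "The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source."`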
@@ -27973,6 +31502,10 @@
},
"4": {
"caption": "Critical"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The risk level is not mapped. See the risk_level
attribute, which contains a data source specific value."
}
},
"group": "primary",
@@ -28099,7 +31632,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -28194,7 +31727,8 @@
"name": "security_finding",
"profiles": [
"cloud",
- "datetime"
+ "datetime",
+ "osint"
],
"uid": 1
},
@@ -28350,7 +31884,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -28388,6 +31922,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"query_info": {
"caption": "Query Info",
"description": "The search details associated with the query request.",
@@ -28543,7 +32085,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -29010,7 +32552,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -29040,6 +32582,14 @@
"requirement": "optional",
"type": "firewall_rule"
},
+ "ja4_fingerprint_list": {
+ "caption": "JA4+ Fingerprints",
+ "description": "A list of the JA4+ network fingerprints.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "ja4_fingerprint"
+ },
"load_balancer": {
"caption": "Load Balancer",
"description": "The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.",
@@ -29082,6 +32632,14 @@
"requirement": "recommended",
"type": "string_t"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"proxy": {
"@deprecated": {
"message": "Use the proxy_endpoint
attribute instead.",
@@ -29244,7 +32802,7 @@
"caption": "Source Endpoint",
"description": "The initiator (client) of the network connection.",
"group": "primary",
- "requirement": "required",
+ "requirement": "recommended",
"type": "network_endpoint"
},
"start_time": {
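Review bot: Relaxing `src_endpoint` from `required` to `recommended` means events of this class can now arrive without the initiator of the connection, yet the description still reads only "The initiator (client) of the network connection." Correlation and detection logic that assumes the field is always present will silently skip or mis-handle such events. The description should state when omission is expected, for example by appending a sentence such as `May be absent when the source cannot observe the initiating endpoint.`, with wording adjusted to the actual reason for the change. The rest of the attribute block lies outside this hunk.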
@@ -29269,7 +32827,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -29313,7 +32871,7 @@
"tls": {
"caption": "TLS",
"description": "The Transport Layer Security (TLS) attributes.",
- "group": "primary",
+ "group": "context",
"requirement": "optional",
"type": "tls"
},
@@ -29392,6 +32950,391 @@
],
"uid": 6
},
+ "software_info": {
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Log",
+ "description": "The discovered information is via a log."
+ },
+ "2": {
+ "caption": "Collect",
+ "description": "The discovered information is via a collection process."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "5": {
+ "caption": "Discovery",
+ "description": "Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "5020": {
+ "caption": "Software Inventory Info",
+ "description": "Software Inventory Info events report device software inventory data that is either logged or proactively collected. For example, when collecting device information from a CMDB or running a network sweep of connected devices."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "command_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Command UID",
+ "description": "The unique identifier of the discovery command that pertains to this event.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "long_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
+ "package": {
+ "caption": "Software Package",
+ "description": "The device software that is being discovered by an inventory process.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "package"
+ },
+ "product": {
+ "caption": "Product",
+ "description": "Additional product attributes that have been discovered or enriched from a catalog or other external source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "product"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "scan_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Scan UID",
+ "description": "The unique identifier of the discovery scan request that pertains to this event.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "502000": {
+ "caption": "Software Inventory Info: Unknown"
+ },
+ "502001": {
+ "caption": "Software Inventory Info: Log"
+ },
+ "502002": {
+ "caption": "Software Inventory Info: Collect"
+ },
+ "502099": {
+ "caption": "Software Inventory Info: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Software Inventory Info",
+ "category": "discovery",
+ "description": "Software Inventory Info events report device software inventory data that is either logged or proactively collected. For example, when collecting device information from a CMDB or running a network sweep of connected devices.",
+ "extends": "discovery",
+ "name": "software_info",
+ "profiles": [
+ "host"
+ ],
+ "uid": 20
+ },
"ssh_activity": {
"attributes": {
"action": {
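Review bot: `command_uid` enters the new `software_info` class already marked `@deprecated` (since 1.1.0) while also being `"requirement": "required"`, so producers must populate a field that consumers are told not to rely on. The other deprecated attributes in this class (`confidence`, `data`, `scan_uid`) are optional; `command_uid` should match them with `"requirement": "optional"`, or be left out of a class that is new in this change. The deprecation message `Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0` names no replacement attribute, which leaves mappers without a migration target. Separately, the `record_id` description `Unique idenifier for the event` should read `Unique identifier for the event.`.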
@@ -29457,6 +33400,10 @@
"caption": "Traffic",
"description": "Network traffic report."
},
+ "7": {
+ "caption": "Listen",
+ "description": "A network endpoint began listening for new network connections."
+ },
"99": {
"caption": "Other",
"description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
@@ -29790,7 +33737,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -29820,6 +33767,14 @@
"requirement": "optional",
"type": "firewall_rule"
},
+ "ja4_fingerprint_list": {
+ "caption": "JA4+ Fingerprints",
+ "description": "A list of the JA4+ network fingerprints.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "ja4_fingerprint"
+ },
"load_balancer": {
"caption": "Load Balancer",
"description": "The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.",
@@ -29855,6 +33810,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"protocol_ver": {
"caption": "SSH Version",
"description": "The Secure Shell Protocol version.",
@@ -29983,7 +33946,7 @@
"caption": "Source Endpoint",
"description": "The initiator (client) of the network connection.",
"group": "primary",
- "requirement": "required",
+ "requirement": "recommended",
"type": "network_endpoint"
},
"start_time": {
@@ -30008,7 +33971,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -30052,7 +34015,7 @@
"tls": {
"caption": "TLS",
"description": "The Transport Layer Security (TLS) attributes.",
- "group": "primary",
+ "group": "context",
"requirement": "optional",
"type": "tls"
},
@@ -30094,6 +34057,9 @@
"400706": {
"caption": "SSH Activity: Traffic"
},
+ "400707": {
+ "caption": "SSH Activity: Listen"
+ },
"400799": {
"caption": "SSH Activity: Other"
}
@@ -30430,7 +34396,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -30481,6 +34447,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"raw_data": {
"caption": "Raw Data",
"description": "The event data as received from the event source.",
@@ -30566,7 +34540,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -30979,7 +34953,7 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -31001,6 +34975,14 @@
"requirement": "optional",
"type": "firewall_rule"
},
+ "ja4_fingerprint_list": {
+ "caption": "JA4+ Fingerprints",
+ "description": "A list of the JA4+ network fingerprints.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "ja4_fingerprint"
+ },
"load_balancer": {
"caption": "Load Balancer",
"description": "The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.",
@@ -31036,6 +35018,14 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
"protocol_name": {
"caption": "Tunnel Protocol",
"description": "The networking protocol associated with the tunnel. E.g. IPSec
, SSL
, GRE
.",
@@ -31189,7 +35179,457 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_id": {
+ "caption": "Status ID",
+ "description": "The normalized identifier of the event status.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The status is unknown."
+ },
+ "1": {
+ "caption": "Success"
+ },
+ "2": {
+ "caption": "Failure"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event status is not mapped. See the status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "tls": {
+ "caption": "TLS",
+ "description": "The Transport Layer Security (TLS) attributes.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "tls"
+ },
+ "traffic": {
+ "caption": "Traffic",
+ "description": "Traffic refers to the amount of data moving across the tunnel at a given point of time. Ex: bytes_in
and bytes_out
.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "network_traffic"
+ },
+ "tunnel_interface": {
+ "caption": "Tunnel Interface",
+ "description": "The information about the virtual tunnel interface, e.g. utun0
. This is usually associated with the private (rfc-1918) ip of the tunnel.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_interface"
+ },
+ "tunnel_type": {
+ "caption": "Type",
+ "description": "The tunnel type. Example: Split
or Full
.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "tunnel_type_id": {
+ "caption": "Type",
+ "description": "The normalized tunnel type ID.",
+ "enum": {
+ "0": {
+ "caption": "Unknown"
+ },
+ "1": {
+ "caption": "Split Tunnel"
+ },
+ "2": {
+ "caption": "Full Tunnel"
+ },
+ "99": {
+ "caption": "Other"
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "tunnel_type",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "401400": {
+ "caption": "Tunnel Activity: Unknown"
+ },
+ "401401": {
+ "caption": "Tunnel Activity: Open"
+ },
+ "401402": {
+ "caption": "Tunnel Activity: Close"
+ },
+ "401403": {
+ "caption": "Tunnel Activity: Renew"
+ },
+ "401499": {
+ "caption": "Tunnel Activity: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "user": {
+ "caption": "User",
+ "description": "The user associated with the tunnel activity.",
+ "group": "primary",
+ "observable": 21,
+ "requirement": "recommended",
+ "type": "user"
+ }
+ },
+ "caption": "Tunnel Activity",
+ "category": "network",
+ "constraints": {
+ "at_least_one": [
+ "connection_info",
+ "session",
+ "src_endpoint",
+ "traffic",
+ "tunnel_interface",
+ "tunnel_type_id"
+ ]
+ },
+ "description": "Tunnel Activity events report secure tunnel establishment (such as VPN), teardowns, renewals, and other network tunnel specific actions.",
+ "extends": "network",
+ "name": "tunnel_activity",
+ "profiles": [
+ "host",
+ "network_proxy",
+ "security_control",
+ "load_balancer"
+ ],
+ "uid": 14
+ },
+ "user_access": {
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Assign Privileges",
+ "description": "Assign privileges to a user."
+ },
+ "2": {
+ "caption": "Revoke Privileges",
+ "description": "Revoke privileges from a user."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "3": {
+ "caption": "Identity & Access Management",
+ "description": "Identity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "3005": {
+ "caption": "User Access Management",
+ "description": "User Access Management events report management updates to a user's privileges."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "long_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "http_request": {
+ "caption": "HTTP Request",
+ "description": "Details about the underlying HTTP request.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "http_request"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
+ "privileges": {
+ "caption": "Privileges",
+ "description": "List of privileges assigned to a user.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "resource": {
+ "caption": "Resource",
+ "description": "Resource that the privileges give access to.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "resource_details"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "src_endpoint": {
+ "caption": "Source Endpoint",
+ "description": "Details about the source of the IAM activity.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_endpoint"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.bytes_in
and bytes_out
.",
- "group": "context",
- "requirement": "optional",
- "type": "network_traffic"
- },
- "tunnel_interface": {
- "caption": "Tunnel Interface",
- "description": "The information about the virtual tunnel interface, e.g. utun0
. This is usually associated with the private (rfc-1918) ip of the tunnel.",
- "group": "primary",
- "requirement": "recommended",
- "type": "network_interface"
- },
- "tunnel_type": {
- "caption": "Type",
- "description": "The tunnel type. Example: Split
or Full
.",
- "group": "primary",
- "requirement": "recommended",
- "type": "string_t"
- },
- "tunnel_type_id": {
- "caption": "Type",
- "description": "The normalized tunnel type ID.",
- "enum": {
- "0": {
- "caption": "Unknown"
- },
- "1": {
- "caption": "Split Tunnel"
- },
- "2": {
- "caption": "Full Tunnel"
- },
- "99": {
- "caption": "Other"
- }
- },
- "group": "primary",
- "requirement": "recommended",
- "sibling": "tunnel_type",
- "type": "integer_t"
- },
"type_name": {
"caption": "Type Name",
"description": "The event/finding type name, as defined by the type_uid.",
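Review bot: In the added `user_access` class, `actor` is `"requirement": "optional"` and carries no `group`, so a privilege assignment or revocation event can validate without recording who made the change. For IAM change events the acting principal is the first thing an investigation needs; `"requirement": "recommended"` with `"group": "primary"` would at least surface its absence. The `privileges` description `List of privileges assigned to a user.` also leaves out activity 2 (Revoke Privileges); `List of privileges assigned to or revoked from a user.` covers both. Part of this hunk's text around `status_code` appears truncated on the page, so the remainder of the class could not be checked.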
@@ -31290,20 +35680,17 @@
"caption": "Type ID",
"description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
"enum": {
- "401400": {
- "caption": "Tunnel Activity: Unknown"
- },
- "401401": {
- "caption": "Tunnel Activity: Open"
+ "300500": {
+ "caption": "User Access Management: Unknown"
},
- "401402": {
- "caption": "Tunnel Activity: Close"
+ "300501": {
+ "caption": "User Access Management: Assign Privileges"
},
- "401403": {
- "caption": "Tunnel Activity: Renew"
+ "300502": {
+ "caption": "User Access Management: Revoke Privileges"
},
- "401499": {
- "caption": "Tunnel Activity: Other"
+ "300599": {
+ "caption": "User Access Management: Other"
}
},
"requirement": "required",
@@ -31320,37 +35707,24 @@
},
"user": {
"caption": "User",
- "description": "The user associated with the tunnel activity.",
+ "description": "User to which privileges were assigned.",
"group": "primary",
"observable": 21,
- "requirement": "recommended",
+ "requirement": "required",
"type": "user"
}
},
- "caption": "Tunnel Activity",
- "category": "network",
- "constraints": {
- "at_least_one": [
- "connection_info",
- "session",
- "src_endpoint",
- "traffic",
- "tunnel_interface",
- "tunnel_type_id"
- ]
- },
- "description": "Tunnel Activity events report secure tunnel establishment (such as VPN), teardowns, renewals, and other network tunnel specific actions.",
- "extends": "network",
- "name": "tunnel_activity",
+ "caption": "User Access Management",
+ "category": "iam",
+ "description": "User Access Management events report management updates to a user's privileges.",
+ "extends": "iam",
+ "name": "user_access",
"profiles": [
- "host",
- "network_proxy",
- "security_control",
- "load_balancer"
+ "host"
],
- "uid": 14
+ "uid": 5
},
- "user_access": {
+ "user_inventory": {
"attributes": {
"activity_id": {
"caption": "Activity ID",
@@ -31361,12 +35735,12 @@
"description": "The event activity is unknown."
},
"1": {
- "caption": "Assign Privileges",
- "description": "Assign privileges to a user."
+ "caption": "Log",
+ "description": "The discovered information is via a log."
},
"2": {
- "caption": "Revoke Privileges",
- "description": "Revoke privileges from a user."
+ "caption": "Collect",
+ "description": "The discovered information is via a collection process."
},
"99": {
"caption": "Other",
@@ -31385,7 +35759,8 @@
},
"actor": {
"caption": "Actor",
- "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "description": "The actor describes the process that was the source of the inventory activity. In the case of user inventory data, that could be a particular process or script that is run to scrape the user data. For example, it could be a powershell process that runs to pull data from the Azure AD graph API.",
+ "group": "context",
"requirement": "optional",
"type": "actor"
},
@@ -31406,9 +35781,9 @@
"caption": "Category ID",
"description": "The category unique identifier of the event.",
"enum": {
- "3": {
- "caption": "Identity & Access Management",
- "description": "Identity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc."
+ "5": {
+ "caption": "Discovery",
+ "description": "Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects."
}
},
"requirement": "required",
@@ -31425,9 +35800,9 @@
"caption": "Class ID",
"description": "The unique identifier of a class. A class describes the attributes available in an event.",
"enum": {
- "3005": {
- "caption": "User Access Management",
- "description": "User Access Management events report management updates to a user's privileges."
+ "5003": {
+ "caption": "User Inventory Info",
+ "description": "User Inventory Info events report user inventory data that is either logged or proactively collected. For example, when collecting user information from Active Directory entries."
}
},
"requirement": "required",
@@ -31441,6 +35816,17 @@
"requirement": "required",
"type": "cloud"
},
+ "command_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Command UID",
+ "description": "The unique identifier of the discovery command that pertains to this event.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
"confidence": {
"@deprecated": {
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
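Review bot: `command_uid` is added to the user_inventory section as both `@deprecated` and `"requirement": "required"`, so a strict validator will demand a field that producers are being told to stop emitting. The `scan_uid` entry added further down in the same section carries the same deprecation notice but is `"requirement": "optional"`, and `command_uid` should match it: `"requirement": "optional"`. If this file is produced by an export step, the change belongs in the source definition rather than here.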
@@ -31469,17 +35855,11 @@
"requirement": "optional",
"type": "json_t"
},
- "device": {
- "caption": "Device",
- "description": "An addressable device, computer system or host.",
- "requirement": "recommended",
- "type": "device"
- },
"duration": {
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -31495,13 +35875,6 @@
"requirement": "optional",
"type": "enrichment"
},
- "http_request": {
- "caption": "HTTP Request",
- "description": "Details about the underlying HTTP request.",
- "group": "context",
- "requirement": "optional",
- "type": "http_request"
- },
"message": {
"caption": "Message",
"description": "The description of the event/finding, as defined by the source.",
@@ -31524,13 +35897,13 @@
"requirement": "recommended",
"type": "observable"
},
- "privileges": {
- "caption": "Privileges",
- "description": "List of privileges assigned to a user.",
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
"group": "primary",
"is_array": true,
"requirement": "required",
- "type": "string_t"
+ "type": "osint"
},
"raw_data": {
"caption": "Raw Data",
@@ -31546,12 +35919,16 @@
"requirement": "required",
"type": "string_t"
},
- "resource": {
- "caption": "Resource",
- "description": "Resource that the privileges give access to.",
+ "scan_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Scan UID",
+ "description": "The unique identifier of the discovery scan request that pertains to this event.",
"group": "primary",
- "requirement": "recommended",
- "type": "resource_details"
+ "requirement": "optional",
+ "type": "string_t"
},
"severity": {
"caption": "Severity",
@@ -31602,13 +35979,6 @@
"sibling": "severity",
"type": "integer_t"
},
- "src_endpoint": {
- "caption": "Source Endpoint",
- "description": "Details about the source of the IAM activity.",
- "group": "primary",
- "requirement": "recommended",
- "type": "network_endpoint"
- },
"start_time": {
"caption": "Start Time",
"description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
@@ -31631,7 +36001,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -31682,17 +36052,17 @@
"caption": "Type ID",
"description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
"enum": {
- "300500": {
- "caption": "User Access Management: Unknown"
+ "500300": {
+ "caption": "User Inventory Info: Unknown"
},
- "300501": {
- "caption": "User Access Management: Assign Privileges"
+ "500301": {
+ "caption": "User Inventory Info: Log"
},
- "300502": {
- "caption": "User Access Management: Revoke Privileges"
+ "500302": {
+ "caption": "User Inventory Info: Collect"
},
- "300599": {
- "caption": "User Access Management: Other"
+ "500399": {
+ "caption": "User Inventory Info: Other"
}
},
"requirement": "required",
@@ -31709,24 +36079,26 @@
},
"user": {
"caption": "User",
- "description": "User to which privileges were assigned.",
+ "description": "The user that is being discovered by an inventory process.",
"group": "primary",
"observable": 21,
"requirement": "required",
"type": "user"
}
},
- "caption": "User Access Management",
- "category": "iam",
- "description": "User Access Management events report management updates to a user's privileges.",
- "extends": "iam",
- "name": "user_access",
+ "caption": "User Inventory Info",
+ "category": "discovery",
+ "description": "User Inventory Info events report user inventory data that is either logged or proactively collected. For example, when collecting user information from Active Directory entries.",
+ "extends": "discovery",
+ "name": "user_inventory",
"profiles": [
- "host"
+ "cloud",
+ "datetime",
+ "osint"
],
- "uid": 5
+ "uid": 3
},
- "user_inventory": {
+ "user_query": {
"attributes": {
"activity_id": {
"caption": "Activity ID",
@@ -31737,12 +36109,24 @@
"description": "The event activity is unknown."
},
"1": {
- "caption": "Log",
- "description": "The discovered information is via a log."
+ "caption": "Query",
+ "description": "The target was found."
},
"2": {
- "caption": "Collect",
- "description": "The discovered information is via a collection process."
+ "caption": "Partial",
+ "description": "The target was partially found."
+ },
+ "3": {
+ "caption": "Does not exist",
+ "description": "The target was not found."
+ },
+ "4": {
+ "caption": "Error",
+ "description": "The discovery attempt failed."
+ },
+ "5": {
+ "caption": "Unsupported",
+ "description": "Discovery of the target was not supported."
},
"99": {
"caption": "Other",
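Review bot: The `activity_id` values on the new side of this hunk restate the query outcome rather than an activity: `1` is captioned `Query` but described as `The target was found.`, and `2`–`5` (Partial, Does not exist, Error, Unsupported) repeat the `query_result_id` enum that the user_query section defines further down. Because `type_uid` is computed as `class_uid * 100 + activity_id`, the outcome then also appears in `501802`–`501805`, and a parser or detection keyed on `activity_id` can disagree with one keyed on `query_result_id`. I would keep the outcome only in `query_result_id` and describe `1` as the activity itself, e.g. `"description": "The discovered results are via a query request."`. If `2`–`5` have to stay for compatibility, their descriptions should say which attribute is authoritative. The enum object opens above this hunk.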
@@ -31761,8 +36145,7 @@
},
"actor": {
"caption": "Actor",
- "description": "The actor describes the process that was the source of the inventory activity. In the case of user inventory data, that could be a particular process or script that is run to scrape the user data. For example, it could be a powershell process that runs to pull data from the Azure AD graph API.",
- "group": "context",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
"requirement": "optional",
"type": "actor"
},
@@ -31802,9 +36185,9 @@
"caption": "Class ID",
"description": "The unique identifier of a class. A class describes the attributes available in an event.",
"enum": {
- "5003": {
- "caption": "User Inventory Info",
- "description": "User Inventory Info events report user inventory data that is either logged or proactively collected. For example, when collecting user information from Active Directory entries."
+ "5018": {
+ "caption": "User Query",
+ "description": "User Query events report user data that have been discovered, queried, polled or searched. This event differs from User Inventory as it describes the result of a targeted search by filtering a subset of user attributes."
}
},
"requirement": "required",
@@ -31857,11 +36240,17 @@
"requirement": "optional",
"type": "json_t"
},
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "requirement": "recommended",
+ "type": "device"
+ },
"duration": {
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -31899,6 +36288,66 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
+ "query_info": {
+ "caption": "Query Info",
+ "description": "The search details associated with the query request.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "query_info"
+ },
+ "query_result": {
+ "caption": "Query Result",
+ "description": "The result of the query.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "query_result_id": {
+ "caption": "Query Result ID",
+ "description": "The normalized identifier of the query result.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The query result is unknown."
+ },
+ "1": {
+ "caption": "Exists",
+ "description": "The target was found."
+ },
+ "2": {
+ "caption": "Partial",
+ "description": "The target was partially found."
+ },
+ "3": {
+ "caption": "Does not exist",
+ "description": "The target was not found."
+ },
+ "4": {
+ "caption": "Error",
+ "description": "The discovery attempt failed."
+ },
+ "5": {
+ "caption": "Unsupported",
+ "description": "Discovery of the target was not supported."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The query result is not mapped. See the query_result
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "required",
+ "sibling": "query_result",
+ "type": "integer_t"
+ },
"raw_data": {
"caption": "Raw Data",
"description": "The event data as received from the event source.",
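Review bot: `osint` is added here as `"requirement": "required"` with `"is_array": true`, and nothing on the attribute ties it to the OSINT profile, so a strict validator would reject any User Query event that carries no threat-intelligence enrichment, or push producers to emit empty arrays. The same required entry is added in the user_inventory and vulnerability_finding sections, yet only user_inventory's `profiles` list gains `"osint"`; this class's list stays at `"host"`. If the attribute is meant to be mandatory only when the profile is applied, the description should say so, e.g. by appending `Required only when the OSINT profile is applied.`, and the `profiles` lists should be made consistent across the three classes.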
@@ -31995,7 +36444,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -32046,17 +36495,26 @@
"caption": "Type ID",
"description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
"enum": {
- "500300": {
- "caption": "User Inventory Info: Unknown"
+ "501800": {
+ "caption": "User Query: Unknown"
},
- "500301": {
- "caption": "User Inventory Info: Log"
+ "501801": {
+ "caption": "User Query: Query"
},
- "500302": {
- "caption": "User Inventory Info: Collect"
+ "501802": {
+ "caption": "User Query: Partial"
},
- "500399": {
- "caption": "User Inventory Info: Other"
+ "501803": {
+ "caption": "User Query: Does not exist"
+ },
+ "501804": {
+ "caption": "User Query: Error"
+ },
+ "501805": {
+ "caption": "User Query: Unsupported"
+ },
+ "501899": {
+ "caption": "User Query: Other"
}
},
"requirement": "required",
@@ -32073,53 +36531,44 @@
},
"user": {
"caption": "User",
- "description": "The user that is being discovered by an inventory process.",
+ "description": "The user that pertains to the event or object.",
"group": "primary",
"observable": 21,
"requirement": "required",
"type": "user"
}
},
- "caption": "User Inventory Info",
+ "caption": "User Query",
"category": "discovery",
- "description": "User Inventory Info events report user inventory data that is either logged or proactively collected. For example, when collecting user information from Active Directory entries.",
- "extends": "discovery",
- "name": "user_inventory",
+ "description": "User Query events report user data that have been discovered, queried, polled or searched. This event differs from User Inventory as it describes the result of a targeted search by filtering a subset of user attributes.",
+ "extends": "discovery_result",
+ "name": "user_query",
"profiles": [
- "cloud",
- "datetime"
+ "host"
],
- "uid": 3
+ "uid": 18
},
- "user_query": {
+ "vulnerability_finding": {
"attributes": {
"activity_id": {
"caption": "Activity ID",
- "description": "The normalized identifier of the activity that triggered the event.",
+ "description": "The normalized identifier of the finding activity.",
"enum": {
"0": {
"caption": "Unknown",
"description": "The event activity is unknown."
},
"1": {
- "caption": "Query",
- "description": "The target was found."
+ "caption": "Create",
+ "description": "A finding was created."
},
"2": {
- "caption": "Partial",
- "description": "The target was partially found."
+ "caption": "Update",
+ "description": "A finding was updated."
},
"3": {
- "caption": "Does not exist",
- "description": "The target was not found."
- },
- "4": {
- "caption": "Error",
- "description": "The discovery attempt failed."
- },
- "5": {
- "caption": "Unsupported",
- "description": "Discovery of the target was not supported."
+ "caption": "Close",
+ "description": "A finding was closed."
},
"99": {
"caption": "Other",
@@ -32132,7 +36581,7 @@
},
"activity_name": {
"caption": "Activity",
- "description": "The event activity name, as defined by the activity_id.",
+ "description": "The finding activity name, as defined by the activity_id
.",
"requirement": "optional",
"type": "string_t"
},
@@ -32159,9 +36608,9 @@
"caption": "Category ID",
"description": "The category unique identifier of the event.",
"enum": {
- "5": {
- "caption": "Discovery",
- "description": "Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects."
+ "2": {
+ "caption": "Findings",
+ "description": "Findings events report findings, detections, and possible resolutions of malware, anomalies, or other actions performed by security products."
}
},
"requirement": "required",
@@ -32178,9 +36627,9 @@
"caption": "Class ID",
"description": "The unique identifier of a class. A class describes the attributes available in an event.",
"enum": {
- "5018": {
- "caption": "User Query",
- "description": "User Query events report user data that have been discovered, queried, polled or searched. This event differs from User Inventory as it describes the result of a targeted search by filtering a subset of user attributes."
+ "2002": {
+ "caption": "Vulnerability Finding",
+ "description": "The Vulnerability Finding event is a notification about weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source."
}
},
"requirement": "required",
@@ -32194,15 +36643,11 @@
"requirement": "required",
"type": "cloud"
},
- "command_uid": {
- "@deprecated": {
- "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
- "since": "1.1.0"
- },
- "caption": "Command UID",
- "description": "The unique identifier of the discovery command that pertains to this event.",
- "group": "primary",
- "requirement": "required",
+ "comment": {
+ "caption": "Comment",
+ "description": "A user provided comment about the finding.",
+ "group": "context",
+ "requirement": "optional",
"type": "string_t"
},
"confidence": {
@@ -32212,7 +36657,40 @@
},
"caption": "Confidence",
"description": "The confidence of the reported event severity as a percentage: 0%-100%.",
- "group": "classification",
+ "group": "context",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "confidence_id": {
+ "caption": "Confidence Id",
+ "description": "The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The normalized confidence is unknown."
+ },
+ "1": {
+ "caption": "Low"
+ },
+ "2": {
+ "caption": "Medium"
+ },
+ "3": {
+ "caption": "High"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The confidence is not mapped to the defined enum values. See the confidence
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "context",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "confidence_score": {
+ "caption": "Confidence Score",
+ "description": "The confidence score as reported by the event source.",
+ "group": "context",
"requirement": "optional",
"type": "integer_t"
},
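Review bot: `confidence_id` is added without a `sibling`, and its `99`/Other description sends readers to `confidence`, which in this section is an integer percentage (`"type": "integer_t"`, described as `0%-100%`) and appears to be deprecated. That leaves no attribute that can hold a source-specific confidence label when the value is not Low/Medium/High. Other ID attributes in this file name their text counterpart, for example `query_result_id` has `"sibling": "query_result"`. Either point the Other description at `confidence_score`, or add a string attribute for the label and reference it with `"sibling"`.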
@@ -32236,6 +36714,7 @@
"device": {
"caption": "Device",
"description": "An addressable device, computer system or host.",
+ "group": "primary",
"requirement": "recommended",
"type": "device"
},
@@ -32243,11 +36722,11 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
- "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "description": "The time of the most recent event included in the finding.",
"requirement": "optional",
"type": "timestamp_t"
},
@@ -32259,6 +36738,13 @@
"requirement": "optional",
"type": "enrichment"
},
+ "finding_info": {
+ "caption": "Finding Information",
+ "description": "Describes the supporting information about a generated finding.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "finding_info"
+ },
"message": {
"caption": "Message",
"description": "The description of the event/finding, as defined by the source.",
@@ -32281,57 +36767,13 @@
"requirement": "recommended",
"type": "observable"
},
- "query_info": {
- "caption": "Query Info",
- "description": "The search details associated with the query request.",
- "group": "primary",
- "requirement": "recommended",
- "type": "query_info"
- },
- "query_result": {
- "caption": "Query Result",
- "description": "The result of the query.",
- "group": "primary",
- "requirement": "recommended",
- "type": "string_t"
- },
- "query_result_id": {
- "caption": "Query Result ID",
- "description": "The normalized identifier of the query result.",
- "enum": {
- "0": {
- "caption": "Unknown",
- "description": "The query result is unknown."
- },
- "1": {
- "caption": "Exists",
- "description": "The target was found."
- },
- "2": {
- "caption": "Partial",
- "description": "The target was partially found."
- },
- "3": {
- "caption": "Does not exist",
- "description": "The target was not found."
- },
- "4": {
- "caption": "Error",
- "description": "The discovery attempt failed."
- },
- "5": {
- "caption": "Unsupported",
- "description": "Discovery of the target was not supported."
- },
- "99": {
- "caption": "Other",
- "description": "The query result is not mapped. See the query_result
attribute, which contains a data source specific value."
- }
- },
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
"group": "primary",
+ "is_array": true,
"requirement": "required",
- "sibling": "query_result",
- "type": "integer_t"
+ "type": "osint"
},
"raw_data": {
"caption": "Raw Data",
@@ -32347,16 +36789,24 @@
"requirement": "required",
"type": "string_t"
},
- "scan_uid": {
+ "resource": {
"@deprecated": {
- "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
- "since": "1.1.0"
+ "message": "Use the resources
attribute instead.",
+ "since": "1.3.0"
},
- "caption": "Scan UID",
- "description": "The unique identifier of the discovery scan request that pertains to this event.",
+ "caption": "Resource",
+ "description": "Describes details about the resource that is affected by the vulnerability/vulnerabilities.",
"group": "primary",
- "requirement": "optional",
- "type": "string_t"
+ "requirement": "recommended",
+ "type": "resource_details"
+ },
+ "resources": {
+ "caption": "Affected Resources",
+ "description": "Describes details about the resource/resources that are affected by the vulnerability/vulnerabilities.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "resource_details"
},
"severity": {
"caption": "Severity",
@@ -32409,15 +36859,15 @@
},
"start_time": {
"caption": "Start Time",
- "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "description": "The time of the least recent event included in the finding.",
"requirement": "optional",
"type": "timestamp_t"
},
"status": {
"caption": "Status",
- "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
- "group": "primary",
- "requirement": "recommended",
+ "description": "The normalized status of the Finding set by the consumer normalized to the caption of the status_id value. In the case of 'Other', it is defined by the source.",
+ "group": "context",
+ "requirement": "optional",
"type": "string_t"
},
"status_code": {
@@ -32429,31 +36879,41 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
},
"status_id": {
"caption": "Status ID",
- "description": "The normalized identifier of the event status.",
+ "description": "The normalized status identifier of the Finding, set by the consumer.",
"enum": {
"0": {
"caption": "Unknown",
"description": "The status is unknown."
},
"1": {
- "caption": "Success"
+ "caption": "New",
+ "description": "The Finding is new and yet to be reviewed."
},
"2": {
- "caption": "Failure"
+ "caption": "In Progress",
+ "description": "The Finding is under review."
+ },
+ "3": {
+ "caption": "Suppressed",
+ "description": "The Finding was reviewed, determined to be benign or a false positive and is now suppressed."
+ },
+ "4": {
+ "caption": "Resolved",
+ "description": "The Finding was reviewed, remediated and is now considered resolved."
},
"99": {
"caption": "Other",
"description": "The event status is not mapped. See the status
attribute, which contains a data source specific value."
}
},
- "group": "primary",
+ "group": "context",
"requirement": "recommended",
"sibling": "status",
"type": "integer_t"
@@ -32480,26 +36940,20 @@
"caption": "Type ID",
"description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
"enum": {
- "501800": {
- "caption": "User Query: Unknown"
- },
- "501801": {
- "caption": "User Query: Query"
- },
- "501802": {
- "caption": "User Query: Partial"
+ "200200": {
+ "caption": "Vulnerability Finding: Unknown"
},
- "501803": {
- "caption": "User Query: Does not exist"
+ "200201": {
+ "caption": "Vulnerability Finding: Create"
},
- "501804": {
- "caption": "User Query: Error"
+ "200202": {
+ "caption": "Vulnerability Finding: Update"
},
- "501805": {
- "caption": "User Query: Unsupported"
+ "200203": {
+ "caption": "Vulnerability Finding: Close"
},
- "501899": {
- "caption": "User Query: Other"
+ "200299": {
+ "caption": "Vulnerability Finding: Other"
}
},
"requirement": "required",
@@ -32514,46 +36968,54 @@
"requirement": "optional",
"type": "unmapped"
},
- "user": {
- "caption": "User",
- "description": "The user that pertains to the event or object.",
+ "vulnerabilities": {
+ "caption": "Vulnerabilities",
+ "description": "This object describes vulnerabilities reported in a security finding.",
"group": "primary",
- "observable": 21,
+ "is_array": true,
"requirement": "required",
- "type": "user"
+ "type": "vulnerability"
}
},
- "caption": "User Query",
- "category": "discovery",
- "description": "User Query events report user data that have been discovered, queried, polled or searched. This event differs from User Inventory as it describes the result of a targeted search by filtering a subset of user attributes.",
- "extends": "discovery_result",
- "name": "user_query",
+ "caption": "Vulnerability Finding",
+ "category": "findings",
+ "description": "The Vulnerability Finding event is a notification about weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.",
+ "extends": "finding",
+ "name": "vulnerability_finding",
"profiles": [
"host"
],
- "uid": 18
+ "uid": 2
},
- "vulnerability_finding": {
+ "web_resource_access_activity": {
+ "@deprecated": {
+ "message": "Use the Web Resources Activity
class with the Security Control
and/or Network Proxy
profile instead.",
+ "since": "1.0.0"
+ },
"attributes": {
"activity_id": {
"caption": "Activity ID",
- "description": "The normalized identifier of the finding activity.",
+ "description": "The normalized identifier of the activity that triggered the event.",
"enum": {
"0": {
"caption": "Unknown",
"description": "The event activity is unknown."
},
- "1": {
- "caption": "Create",
- "description": "A finding was created."
+ "1": {
+ "caption": "Access Grant",
+ "description": "The incoming request has permission to the web resource."
},
"2": {
- "caption": "Update",
- "description": "A finding was updated."
+ "caption": "Access Deny",
+ "description": "The incoming request does not have permission to the web resource."
},
"3": {
- "caption": "Close",
- "description": "A finding was closed."
+ "caption": "Access Revoke",
+ "description": "The incoming request's access has been revoked due to security policy enforcements."
+ },
+ "4": {
+ "caption": "Access Error",
+ "description": "An error occurred during processing the request."
},
"99": {
"caption": "Other",
@@ -32566,11 +37028,15 @@
},
"activity_name": {
"caption": "Activity",
- "description": "The finding activity name, as defined by the activity_id
.",
+ "description": "The event activity name, as defined by the activity_id.",
"requirement": "optional",
"type": "string_t"
},
"actor": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
"caption": "Actor",
"description": "The actor object describes details about the user/role/process that was the source of the activity.",
"requirement": "optional",
@@ -32593,9 +37059,9 @@
"caption": "Category ID",
"description": "The category unique identifier of the event.",
"enum": {
- "2": {
- "caption": "Findings",
- "description": "Findings events report findings, detections, and possible resolutions of malware, anomalies, or other actions performed by security products."
+ "6": {
+ "caption": "Application Activity",
+ "description": "Application Activity events report detailed information about the behavior of applications and services."
}
},
"requirement": "required",
@@ -32612,9 +37078,9 @@
"caption": "Class ID",
"description": "The unique identifier of a class. A class describes the attributes available in an event.",
"enum": {
- "2002": {
- "caption": "Vulnerability Finding",
- "description": "The Vulnerability Finding event is a notification about weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source."
+ "6004": {
+ "caption": "Web Resource Access Activity",
+ "description": "Web Resource Access Activity events describe successful/failed attempts to access a web resource over HTTP."
}
},
"requirement": "required",
@@ -32628,13 +37094,6 @@
"requirement": "required",
"type": "cloud"
},
- "comment": {
- "caption": "Comment",
- "description": "A user provided comment about the finding.",
- "group": "context",
- "requirement": "optional",
- "type": "string_t"
- },
"confidence": {
"@deprecated": {
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
@@ -32642,40 +37101,7 @@
},
"caption": "Confidence",
"description": "The confidence of the reported event severity as a percentage: 0%-100%.",
- "group": "context",
- "requirement": "optional",
- "type": "integer_t"
- },
- "confidence_id": {
- "caption": "Confidence Id",
- "description": "The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.",
- "enum": {
- "0": {
- "caption": "Unknown",
- "description": "The normalized confidence is unknown."
- },
- "1": {
- "caption": "Low"
- },
- "2": {
- "caption": "Medium"
- },
- "3": {
- "caption": "High"
- },
- "99": {
- "caption": "Other",
- "description": "The confidence is not mapped to the defined enum values. See the confidence
attribute, which contains a data source specific value."
- }
- },
- "group": "context",
- "requirement": "recommended",
- "type": "integer_t"
- },
- "confidence_score": {
- "caption": "Confidence Score",
- "description": "The confidence score as reported by the event source.",
- "group": "context",
+ "group": "classification",
"requirement": "optional",
"type": "integer_t"
},
@@ -32697,9 +37123,12 @@
"type": "json_t"
},
"device": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
"caption": "Device",
"description": "An addressable device, computer system or host.",
- "group": "primary",
"requirement": "recommended",
"type": "device"
},
@@ -32707,11 +37136,11 @@
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
- "description": "The time of the most recent event included in the finding.",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
"requirement": "optional",
"type": "timestamp_t"
},
@@ -32723,12 +37152,19 @@
"requirement": "optional",
"type": "enrichment"
},
- "finding_info": {
- "caption": "Finding Information",
- "description": "Describes the supporting information about a generated finding.",
- "group": "primary",
+ "http_request": {
+ "caption": "HTTP Request",
+ "description": "Details about the underlying HTTP request.",
+ "group": "context",
"requirement": "required",
- "type": "finding_info"
+ "type": "http_request"
+ },
+ "http_response": {
+ "caption": "HTTP Response",
+ "description": "Details about the HTTP response, if available.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "http_response"
},
"message": {
"caption": "Message",
@@ -32752,6 +37188,61 @@
"requirement": "recommended",
"type": "observable"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
+ },
+ "proxy": {
+ "@deprecated": {
+ "message": "Use the proxy_endpoint
attribute instead.",
+ "since": "1.1.0"
+ },
+ "caption": "Proxy",
+ "description": "Details about the proxy service, if available.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "network_proxy"
+ },
+ "proxy_connection_info": {
+ "caption": "Proxy Connection Info",
+ "description": "The connection information from the proxy server to the remote server.",
+ "requirement": "recommended",
+ "type": "network_connection_info"
+ },
+ "proxy_endpoint": {
+ "caption": "Proxy Endpoint",
+ "description": "The proxy (server) in a network connection.",
+ "requirement": "optional",
+ "type": "network_proxy"
+ },
+ "proxy_http_request": {
+ "caption": "Proxy HTTP Request",
+ "description": "The HTTP Request from the proxy server to the remote server.",
+ "requirement": "optional",
+ "type": "http_request"
+ },
+ "proxy_http_response": {
+ "caption": "Proxy HTTP Response",
+ "description": "The HTTP Response from the remote server to the proxy server.",
+ "requirement": "optional",
+ "type": "http_response"
+ },
+ "proxy_tls": {
+ "caption": "Proxy TLS",
+ "description": "The TLS protocol negotiated between the proxy server and the remote server.",
+ "requirement": "recommended",
+ "type": "tls"
+ },
+ "proxy_traffic": {
+ "caption": "Proxy Traffic",
+ "description": "The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.",
+ "requirement": "recommended",
+ "type": "network_traffic"
+ },
"raw_data": {
"caption": "Raw Data",
"description": "The event data as received from the event source.",
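Review bot: `osint` is added here with `"requirement": "required"`, and nothing on the attribute marks it as profile-scoped, while the class's `profiles` list later in the diff names only `host` and `network_proxy`. The same block is added in the @@ -33153 and @@ -33802 hunks. A validator or ingestion pipeline that reads this file literally would reject every event of these classes that carries no OSINT enrichment, which looks unintended for ordinary activity events. If the attribute is meant to apply only under an OSINT profile, the entry should carry that association or be `optional`; if this file is generated, the fix belongs in the source schema rather than here.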
@@ -32766,13 +37257,6 @@
"requirement": "required",
"type": "string_t"
},
- "resource": {
- "caption": "Resource",
- "description": "Describes details about the resource that is affected by the vulnerability/vulnerabilities.",
- "group": "primary",
- "requirement": "recommended",
- "type": "resource_details"
- },
"severity": {
"caption": "Severity",
"description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
@@ -32822,17 +37306,24 @@
"sibling": "severity",
"type": "integer_t"
},
+ "src_endpoint": {
+ "caption": "Source Endpoint",
+ "description": "Details about the source endpoint of the request.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_endpoint"
+ },
"start_time": {
"caption": "Start Time",
- "description": "The time of the least recent event included in the finding.",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
"requirement": "optional",
"type": "timestamp_t"
},
"status": {
"caption": "Status",
- "description": "The normalized status of the Finding set by the consumer normalized to the caption of the status_id value. In the case of 'Other', it is defined by the source.",
- "group": "context",
- "requirement": "optional",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
"type": "string_t"
},
"status_code": {
@@ -32844,41 +37335,31 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
},
"status_id": {
"caption": "Status ID",
- "description": "The normalized status identifier of the Finding, set by the consumer.",
+ "description": "The normalized identifier of the event status.",
"enum": {
"0": {
"caption": "Unknown",
"description": "The status is unknown."
},
"1": {
- "caption": "New",
- "description": "The Finding is new and yet to be reviewed."
+ "caption": "Success"
},
"2": {
- "caption": "In Progress",
- "description": "The Finding is under review."
- },
- "3": {
- "caption": "Suppressed",
- "description": "The Finding was reviewed, determined to be benign or a false positive and is now suppressed."
- },
- "4": {
- "caption": "Resolved",
- "description": "The Finding was reviewed, remediated and is now considered resolved."
+ "caption": "Failure"
},
"99": {
"caption": "Other",
"description": "The event status is not mapped. See the status
attribute, which contains a data source specific value."
}
},
- "group": "context",
+ "group": "primary",
"requirement": "recommended",
"sibling": "status",
"type": "integer_t"
@@ -32895,6 +37376,13 @@
"requirement": "recommended",
"type": "integer_t"
},
+ "tls": {
+ "caption": "TLS",
+ "description": "The Transport Layer Security (TLS) attributes, if available.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "tls"
+ },
"type_name": {
"caption": "Type Name",
"description": "The event/finding type name, as defined by the type_uid.",
@@ -32905,20 +37393,23 @@
"caption": "Type ID",
"description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
"enum": {
- "200200": {
- "caption": "Vulnerability Finding: Unknown"
+ "600400": {
+ "caption": "Web Resource Access Activity: Unknown"
},
- "200201": {
- "caption": "Vulnerability Finding: Create"
+ "600401": {
+ "caption": "Web Resource Access Activity: Access Grant"
},
- "200202": {
- "caption": "Vulnerability Finding: Update"
+ "600402": {
+ "caption": "Web Resource Access Activity: Access Deny"
},
- "200203": {
- "caption": "Vulnerability Finding: Close"
+ "600403": {
+ "caption": "Web Resource Access Activity: Access Revoke"
},
- "200299": {
- "caption": "Vulnerability Finding: Other"
+ "600404": {
+ "caption": "Web Resource Access Activity: Access Error"
+ },
+ "600499": {
+ "caption": "Web Resource Access Activity: Other"
}
},
"requirement": "required",
@@ -32933,31 +37424,59 @@
"requirement": "optional",
"type": "unmapped"
},
- "vulnerabilities": {
- "caption": "Vulnerabilities",
- "description": "This object describes vulnerabilities reported in a security finding.",
+ "web_resources": {
+ "caption": "Web Resources",
+ "description": "Details about the resource that is the target of the activity.",
"group": "primary",
"is_array": true,
"requirement": "required",
- "type": "vulnerability"
+ "type": "web_resource"
}
},
- "caption": "Vulnerability Finding",
- "category": "findings",
- "description": "The Vulnerability Finding event is a notification about weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.",
- "extends": "finding",
- "name": "vulnerability_finding",
+ "caption": "Web Resource Access Activity",
+ "category": "application",
+ "description": "Web Resource Access Activity events describe successful/failed attempts to access a web resource over HTTP.",
+ "extends": "application",
+ "name": "web_resource_access_activity",
"profiles": [
- "host"
+ "host",
+ "network_proxy"
],
- "uid": 2
+ "uid": 4
},
- "web_resource_access_activity": {
- "@deprecated": {
- "message": "Use the Web Resources Activity
class with the Security Control
and/or Network Proxy
profile instead.",
- "since": "1.0.0"
- },
+ "web_resources_activity": {
"attributes": {
+ "action": {
+ "caption": "Action",
+ "description": "The normalized caption of action_id
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "action_id": {
+ "caption": "Action ID",
+ "description": "The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1
'Allowed' or 2
'Denied' in most cases. Note that 99
'Other' is not an option. No action would equate to 1
'Allowed'. An unknown action may still correspond to a known disposition. Refer to disposition_id
for the outcome of the action.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The action was unknown. The disposition_id
attribute may still be set to a non-unknown value, for example 'Count', 'Uncorrected', 'Isolated', 'Quarantined' or 'Exonerated'."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "The activity was allowed. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc."
+ },
+ "2": {
+ "caption": "Denied",
+ "description": "The attempted activity was denied. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The action was not mapped. See the action
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "action",
+ "type": "integer_t"
+ },
"activity_id": {
"caption": "Activity ID",
"description": "The normalized identifier of the activity that triggered the event.",
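Review bot: The `action_id` description added for `web_resources_activity` says `Note that 99 'Other' is not an option`, yet the enum added in the same hunk defines a `"99"` member with caption `Other` that points to the `action` sibling. A producer or validator cannot satisfy both statements, so either the sentence or the enum member should go; otherwise consumers mapping allow/deny outcomes will disagree on whether 99 is valid. The `Denied` description also has an unbalanced quote in `'Access Revoked, etc.`, which should read `'Access Revoked', etc.`.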
@@ -32967,20 +37486,36 @@
"description": "The event activity is unknown."
},
"1": {
- "caption": "Access Grant",
- "description": "The incoming request has permission to the web resource."
+ "caption": "Create",
+ "description": "One or more web resources were created."
},
"2": {
- "caption": "Access Deny",
- "description": "The incoming request does not have permission to the web resource."
+ "caption": "Read",
+ "description": "One or more web resources were read / viewed."
},
"3": {
- "caption": "Access Revoke",
- "description": "The incoming request's access has been revoked due to security policy enforcements."
+ "caption": "Update",
+ "description": "One or more web resources were updated."
},
"4": {
- "caption": "Access Error",
- "description": "An error occurred during processing the request."
+ "caption": "Delete",
+ "description": "One or more web resources were deleted."
+ },
+ "5": {
+ "caption": "Search",
+ "description": "A search was performed on one or more web resources."
+ },
+ "6": {
+ "caption": "Import",
+ "description": "One or more web resources were imported into an Application."
+ },
+ "7": {
+ "caption": "Export",
+ "description": "One or more web resources were exported from an Application."
+ },
+ "8": {
+ "caption": "Share",
+ "description": "One or more web resources were shared."
},
"99": {
"caption": "Other",
@@ -32998,10 +37533,6 @@
"type": "string_t"
},
"actor": {
- "@deprecated": {
- "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
- "since": "1.1.0"
- },
"caption": "Actor",
"description": "The actor object describes details about the user/role/process that was the source of the activity.",
"requirement": "optional",
@@ -33014,6 +37545,20 @@
"requirement": "optional",
"type": "api"
},
+ "attacks": {
+ "caption": "MITRE ATT&CK\u00ae Details",
+ "description": "An array of MITRE ATT&CK\u00ae objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "attack"
+ },
+ "authorizations": {
+ "caption": "Authorization Information",
+ "description": "Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "authorization"
+ },
"category_name": {
"caption": "Category",
"description": "The event category name, as defined by category_uid value.",
@@ -33043,9 +37588,9 @@
"caption": "Class ID",
"description": "The unique identifier of a class. A class describes the attributes available in an event.",
"enum": {
- "6004": {
- "caption": "Web Resource Access Activity",
- "description": "Web Resource Access Activity events describe successful/failed attempts to access a web resource over HTTP."
+ "6001": {
+ "caption": "Web Resources Activity",
+ "description": "Web Resources Activity events describe actions executed on a set of Web Resources."
}
},
"requirement": "required",
@@ -33088,20 +37633,154 @@
"type": "json_t"
},
"device": {
- "@deprecated": {
- "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
- "since": "1.1.0"
- },
"caption": "Device",
"description": "An addressable device, computer system or host.",
"requirement": "recommended",
"type": "device"
},
+ "disposition": {
+ "caption": "Disposition",
+ "description": "The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "disposition_id": {
+ "caption": "Disposition ID",
+ "description": "Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The disposition was not known."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "Granted access or allowed the action to the protected resource."
+ },
+ "10": {
+ "caption": "Exonerated",
+ "description": "A suspicious or risky entity was deemed to no longer be suspicious (re-scored)."
+ },
+ "11": {
+ "caption": "Corrected",
+ "description": "A corrupt file or configuration was corrected."
+ },
+ "12": {
+ "caption": "Partially Corrected",
+ "description": "A corrupt file or configuration was partially corrected."
+ },
+ "13": {
+ "caption": "Uncorrected",
+ "description": "A corrupt file or configuration was not corrected."
+ },
+ "14": {
+ "caption": "Delayed",
+ "description": "An operation was delayed, for example if a restart was required to finish the operation."
+ },
+ "15": {
+ "caption": "Detected",
+ "description": "Suspicious activity or a policy violation was detected without further action."
+ },
+ "16": {
+ "caption": "No Action",
+ "description": "The outcome of an operation had no action taken."
+ },
+ "17": {
+ "caption": "Logged",
+ "description": "The operation or action was logged without further action."
+ },
+ "18": {
+ "caption": "Tagged",
+ "description": "A file or other entity was marked with extended attributes."
+ },
+ "19": {
+ "caption": "Alert",
+ "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
+ },
+ "2": {
+ "caption": "Blocked",
+ "description": "Denied access or blocked the action to the protected resource."
+ },
+ "20": {
+ "caption": "Count",
+ "description": "Counted the request or activity but did not determine whether to allow it or block it."
+ },
+ "21": {
+ "caption": "Reset",
+ "description": "The request was detected as a threat and resulted in the connection being reset."
+ },
+ "22": {
+ "caption": "Captcha",
+ "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
+ },
+ "23": {
+ "caption": "Challenge",
+ "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
+ },
+ "24": {
+ "caption": "Access Revoked",
+ "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the Host
profile if the User
or Actor
requestor is not present in the event class."
+ },
+ "25": {
+ "caption": "Rejected",
+ "description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2
'Blocked'."
+ },
+ "26": {
+ "caption": "Unauthorized",
+ "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2
'Blocked' and can be complemented with the authorizations
attribute for more detail."
+ },
+ "27": {
+ "caption": "Error",
+ "description": "An error occurred during the processing of the activity or request. Use the message
attribute of the base class for details."
+ },
+ "3": {
+ "caption": "Quarantined",
+ "description": "A suspicious file or other content was moved to a benign location."
+ },
+ "4": {
+ "caption": "Isolated",
+ "description": "A session was isolated on the network or within a browser."
+ },
+ "5": {
+ "caption": "Deleted",
+ "description": "A file or other content was deleted."
+ },
+ "6": {
+ "caption": "Dropped",
+ "description": "The request was detected as a threat and resulted in the connection being dropped."
+ },
+ "7": {
+ "caption": "Custom Action",
+ "description": "A custom action was executed such as running of a command script. Use the message
attribute of the base class for details."
+ },
+ "8": {
+ "caption": "Approved",
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "9": {
+ "caption": "Restored",
+ "description": "A quarantined file or other content was restored to its original location."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "disposition",
+ "type": "integer_t"
+ },
+ "dst_endpoint": {
+ "caption": "Destination Endpoint",
+ "description": "Details about server providing the web resources.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_endpoint"
+ },
"duration": {
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -33117,11 +37796,17 @@
"requirement": "optional",
"type": "enrichment"
},
+ "firewall_rule": {
+ "caption": "Firewall Rule",
+ "description": "The firewall rule that triggered the event.",
+ "requirement": "optional",
+ "type": "firewall_rule"
+ },
"http_request": {
"caption": "HTTP Request",
"description": "Details about the underlying HTTP request.",
"group": "context",
- "requirement": "required",
+ "requirement": "recommended",
"type": "http_request"
},
"http_response": {
@@ -33131,6 +37816,13 @@
"requirement": "optional",
"type": "http_response"
},
+ "malware": {
+ "caption": "Malware",
+ "description": "A list of Malware objects, describing details about the identified malware.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "malware"
+ },
"message": {
"caption": "Message",
"description": "The description of the event/finding, as defined by the source.",
@@ -33153,16 +37845,13 @@
"requirement": "recommended",
"type": "observable"
},
- "proxy": {
- "@deprecated": {
- "message": "Use the proxy_endpoint
attribute instead.",
- "since": "1.1.0"
- },
- "caption": "Proxy",
- "description": "Details about the proxy service, if available.",
- "group": "context",
- "requirement": "optional",
- "type": "network_proxy"
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
},
"proxy_connection_info": {
"caption": "Proxy Connection Info",
@@ -33265,7 +37954,7 @@
},
"src_endpoint": {
"caption": "Source Endpoint",
- "description": "Details about the source endpoint of the request.",
+ "description": "Details about the endpoint from which the request originated.",
"group": "primary",
"requirement": "recommended",
"type": "network_endpoint"
@@ -33292,7 +37981,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -33350,23 +38039,35 @@
"caption": "Type ID",
"description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
"enum": {
- "600400": {
- "caption": "Web Resource Access Activity: Unknown"
+ "600100": {
+ "caption": "Web Resources Activity: Unknown"
},
- "600401": {
- "caption": "Web Resource Access Activity: Access Grant"
+ "600101": {
+ "caption": "Web Resources Activity: Create"
},
- "600402": {
- "caption": "Web Resource Access Activity: Access Deny"
+ "600102": {
+ "caption": "Web Resources Activity: Read"
},
- "600403": {
- "caption": "Web Resource Access Activity: Access Revoke"
+ "600103": {
+ "caption": "Web Resources Activity: Update"
},
- "600404": {
- "caption": "Web Resource Access Activity: Access Error"
+ "600104": {
+ "caption": "Web Resources Activity: Delete"
},
- "600499": {
- "caption": "Web Resource Access Activity: Other"
+ "600105": {
+ "caption": "Web Resources Activity: Search"
+ },
+ "600106": {
+ "caption": "Web Resources Activity: Import"
+ },
+ "600107": {
+ "caption": "Web Resources Activity: Export"
+ },
+ "600108": {
+ "caption": "Web Resources Activity: Share"
+ },
+ "600199": {
+ "caption": "Web Resources Activity: Other"
}
},
"requirement": "required",
@@ -33383,25 +38084,42 @@
},
"web_resources": {
"caption": "Web Resources",
- "description": "Details about the resource that is the target of the activity.",
+ "description": "Describes details about web resources that were affected by an activity/event.",
"group": "primary",
"is_array": true,
"requirement": "required",
"type": "web_resource"
+ },
+ "web_resources_result": {
+ "caption": "Web Resources Result",
+ "description": "The results of the activity on web resources. It should contain the new values of the changed attributes of the web resources.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "web_resource"
}
},
- "caption": "Web Resource Access Activity",
+ "caption": "Web Resources Activity",
"category": "application",
- "description": "Web Resource Access Activity events describe successful/failed attempts to access a web resource over HTTP.",
- "extends": "application",
- "name": "web_resource_access_activity",
+ "description": "Web Resources Activity events describe actions executed on a set of Web Resources.",
+ "extends": "base_event",
+ "name": "web_resources_activity",
"profiles": [
"host",
- "network_proxy"
+ "network_proxy",
+ "security_control"
],
- "uid": 4
+ "uid": 1
},
- "web_resources_activity": {
+ "win_service_activity": {
+ "associations": {
+ "actor.user": [
+ "device"
+ ],
+ "device": [
+ "actor.user"
+ ]
+ },
"attributes": {
"action": {
"caption": "Action",
@@ -33444,35 +38162,31 @@
},
"1": {
"caption": "Create",
- "description": "One or more web resources were created."
+ "description": "A service is created, for example by calling CreateService
. Refer to the win_service
attribute for details."
},
"2": {
- "caption": "Read",
- "description": "One or more web resources were read / viewed."
+ "caption": "Reconfigure",
+ "description": "A service is reconfigured, for example by calling ChangeServiceConfig
or ChangeServiceConfig2
. Refer to the win_service
attribute for details."
},
"3": {
- "caption": "Update",
- "description": "One or more web resources were updated."
+ "caption": "Start",
+ "description": "A stopped service is started, for example by calling StartService
. Refer to the service
attribute for details."
},
"4": {
- "caption": "Delete",
- "description": "One or more web resources were deleted."
+ "caption": "Stop",
+ "description": "A running or paused service is stopped, for example by calling ControlService
or ControlServiceEx
. Refer to the win_service
attribute for details."
},
"5": {
- "caption": "Search",
- "description": "A search was performed on one or more web resources."
+ "caption": "Pause",
+ "description": "A running service is paused, for example by calling ControlService
or ControlServiceEx
. Refer to the win_service
attribute for details."
},
"6": {
- "caption": "Import",
- "description": "One or more web resources were imported into an Application."
+ "caption": "Continue",
+ "description": "A paused service is continued, for example by calling ControlService
or ControlServiceEx
. Refer to the win_service
attribute for details."
},
"7": {
- "caption": "Export",
- "description": "One or more web resources were exported from an Application."
- },
- "8": {
- "caption": "Share",
- "description": "One or more web resources were shared."
+ "caption": "Delete",
+ "description": "A service is deleted, for example by calling DeleteService
. Refer to the win_service
attribute for details."
},
"99": {
"caption": "Other",
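Review bot: The `Start` activity description points to the `service` attribute (`Refer to the service attribute for details.`), while every other activity in this enum points to `win_service`. Unless the class really exposes both attributes, this should read `Refer to the win_service attribute for details.` so analysts look for the service details in the right place. The `activity_id` object starts and ends outside this hunk.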
@@ -33492,6 +38206,7 @@
"actor": {
"caption": "Actor",
"description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "group": "primary",
"requirement": "optional",
"type": "actor"
},
@@ -33526,9 +38241,9 @@
"caption": "Category ID",
"description": "The category unique identifier of the event.",
"enum": {
- "6": {
- "caption": "Application Activity",
- "description": "Application Activity events report detailed information about the behavior of applications and services."
+ "1": {
+ "caption": "System Activity",
+ "description": "System Activity events."
}
},
"requirement": "required",
@@ -33545,9 +38260,9 @@
"caption": "Class ID",
"description": "The unique identifier of a class. A class describes the attributes available in an event.",
"enum": {
- "6001": {
- "caption": "Web Resources Activity",
- "description": "Web Resources Activity events describe actions executed on a set of Web Resources."
+ "201004": {
+ "caption": "Windows Service Activity",
+ "description": "Windows Service Activity events report when a process interacts with the Service Control Manager."
}
},
"requirement": "required",
@@ -33592,6 +38307,7 @@
"device": {
"caption": "Device",
"description": "An addressable device, computer system or host.",
+ "group": "primary",
"requirement": "recommended",
"type": "device"
},
@@ -33615,7 +38331,7 @@
},
"10": {
"caption": "Exonerated",
- "description": "A suspicious or risky entity was deemed to no longer be suspicious (re-scored)."
+ "description": "Requires reboot to finish the operation."
},
"11": {
"caption": "Corrected",
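Review bot: Three `disposition_id` descriptions no longer match their captions on the new side: `Exonerated` now reads `Requires reboot to finish the operation.`, and in the following @@ -33631 hunk `Delayed` reads `No longer suspicious (re-scored).` and `Detected` reads `Marked with extended attributes.`. Those texts describe Delayed, Exonerated and Tagged respectively, and the `web_resources_activity` copy of this enum earlier in the diff has them matched correctly. Anyone mapping product outcomes to disposition IDs from the descriptions would pick the wrong value, so the removed wording should be kept, for example `"description": "A suspicious or risky entity was deemed to no longer be suspicious (re-scored)."` for `10`. The enum object starts and ends outside the hunk.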
@@ -33631,11 +38347,11 @@
},
"14": {
"caption": "Delayed",
- "description": "An operation was delayed, for example if a restart was required to finish the operation."
+ "description": "No longer suspicious (re-scored)."
},
"15": {
"caption": "Detected",
- "description": "Suspicious activity or a policy violation was detected without further action."
+ "description": "Marked with extended attributes."
},
"16": {
"caption": "No Action",
@@ -33726,18 +38442,11 @@
"sibling": "disposition",
"type": "integer_t"
},
- "dst_endpoint": {
- "caption": "Destination Endpoint",
- "description": "Details about server providing the web resources.",
- "group": "primary",
- "requirement": "recommended",
- "type": "network_endpoint"
- },
"duration": {
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"end_time": {
"caption": "End Time",
@@ -33759,20 +38468,6 @@
"requirement": "optional",
"type": "firewall_rule"
},
- "http_request": {
- "caption": "HTTP Request",
- "description": "Details about the underlying HTTP request.",
- "group": "context",
- "requirement": "recommended",
- "type": "http_request"
- },
- "http_response": {
- "caption": "HTTP Response",
- "description": "Details about the HTTP response, if available.",
- "group": "context",
- "requirement": "optional",
- "type": "http_response"
- },
"malware": {
"caption": "Malware",
"description": "A list of Malware objects, describing details about the identified malware.",
@@ -33802,41 +38497,13 @@
"requirement": "recommended",
"type": "observable"
},
- "proxy_connection_info": {
- "caption": "Proxy Connection Info",
- "description": "The connection information from the proxy server to the remote server.",
- "requirement": "recommended",
- "type": "network_connection_info"
- },
- "proxy_endpoint": {
- "caption": "Proxy Endpoint",
- "description": "The proxy (server) in a network connection.",
- "requirement": "optional",
- "type": "network_proxy"
- },
- "proxy_http_request": {
- "caption": "Proxy HTTP Request",
- "description": "The HTTP Request from the proxy server to the remote server.",
- "requirement": "optional",
- "type": "http_request"
- },
- "proxy_http_response": {
- "caption": "Proxy HTTP Response",
- "description": "The HTTP Response from the remote server to the proxy server.",
- "requirement": "optional",
- "type": "http_response"
- },
- "proxy_tls": {
- "caption": "Proxy TLS",
- "description": "The TLS protocol negotiated between the proxy server and the remote server.",
- "requirement": "recommended",
- "type": "tls"
- },
- "proxy_traffic": {
- "caption": "Proxy Traffic",
- "description": "The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.",
- "requirement": "recommended",
- "type": "network_traffic"
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "osint"
},
"raw_data": {
"caption": "Raw Data",
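Review bot: `osint` is added here with `"requirement": "required"`, and nothing in the hunk ties that requirement to a profile. The rest of the diff suggests this is the Windows Service Activity class, though the class header is outside the hunk. If the requirement is unconditional, a validator enforcing it would reject service events that carry no threat-intelligence enrichment, or producers would fill the array with placeholder entries that read like real indicators. If the attribute is contributed by a profile, the entry should say so, either with a marker naming the profile or with a sentence in the description.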
@@ -33901,13 +38568,6 @@
"sibling": "severity",
"type": "integer_t"
},
- "src_endpoint": {
- "caption": "Source Endpoint",
- "description": "Details about the endpoint from which the request originated.",
- "group": "primary",
- "requirement": "recommended",
- "type": "network_endpoint"
- },
"start_time": {
"caption": "Start Time",
"description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
@@ -33930,7 +38590,7 @@
},
"status_detail": {
"caption": "Status Details",
- "description": "The status details contains additional information about the event/finding outcome.",
+ "description": "The status detail contains additional information about the event/finding outcome.",
"group": "primary",
"requirement": "recommended",
"type": "string_t"
@@ -33971,13 +38631,6 @@
"requirement": "recommended",
"type": "integer_t"
},
- "tls": {
- "caption": "TLS",
- "description": "The Transport Layer Security (TLS) attributes, if available.",
- "group": "context",
- "requirement": "optional",
- "type": "tls"
- },
"type_name": {
"caption": "Type Name",
"description": "The event/finding type name, as defined by the type_uid.",
@@ -33988,35 +38641,32 @@
"caption": "Type ID",
"description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
"enum": {
- "600100": {
- "caption": "Web Resources Activity: Unknown"
+ "20100400": {
+ "caption": "Windows Service Activity: Unknown"
},
- "600101": {
- "caption": "Web Resources Activity: Create"
- },
- "600102": {
- "caption": "Web Resources Activity: Read"
+ "20100401": {
+ "caption": "Windows Service Activity: Create"
},
- "600103": {
- "caption": "Web Resources Activity: Update"
+ "20100402": {
+ "caption": "Windows Service Activity: Reconfigure"
},
- "600104": {
- "caption": "Web Resources Activity: Delete"
+ "20100403": {
+ "caption": "Windows Service Activity: Start"
},
- "600105": {
- "caption": "Web Resources Activity: Search"
+ "20100404": {
+ "caption": "Windows Service Activity: Stop"
},
- "600106": {
- "caption": "Web Resources Activity: Import"
+ "20100405": {
+ "caption": "Windows Service Activity: Pause"
},
- "600107": {
- "caption": "Web Resources Activity: Export"
+ "20100406": {
+ "caption": "Windows Service Activity: Continue"
},
- "600108": {
- "caption": "Web Resources Activity: Share"
+ "20100407": {
+ "caption": "Windows Service Activity: Delete"
},
- "600199": {
- "caption": "Web Resources Activity: Other"
+ "20100499": {
+ "caption": "Windows Service Activity: Other"
}
},
"requirement": "required",
@@ -34031,34 +38681,24 @@
"requirement": "optional",
"type": "unmapped"
},
- "web_resources": {
- "caption": "Web Resources",
- "description": "Describes details about web resources that were affected by an activity/event.",
- "group": "primary",
- "is_array": true,
+ "win_service": {
+ "caption": "Windows Service",
+ "description": "The Windows service.",
"requirement": "required",
- "type": "web_resource"
- },
- "web_resources_result": {
- "caption": "Web Resources Result",
- "description": "The results of the activity on web resources. It should contain the new values of the changed attributes of the web resources.",
- "group": "primary",
- "is_array": true,
- "requirement": "recommended",
- "type": "web_resource"
+ "type": "win_service"
}
},
- "caption": "Web Resources Activity",
- "category": "application",
- "description": "Web Resources Activity events describe actions executed on a set of Web Resources.",
- "extends": "base_event",
- "name": "web_resources_activity",
+ "caption": "Windows Service Activity",
+ "category": "system",
+ "description": "Windows Service Activity events report when a process interacts with the Service Control Manager.",
+ "extends": "system",
+ "extension": "windows",
+ "name": "win_service_activity",
"profiles": [
"host",
- "network_proxy",
"security_control"
],
- "uid": 1
+ "uid": 4
}
},
"objects": {
@@ -34251,7 +38891,7 @@
"name": {
"caption": "Name",
"description": "The name of the resource.",
- "requirement": "optional",
+ "requirement": "recommended",
"type": "string_t"
},
"raw_data": {
@@ -34277,7 +38917,7 @@
"uid": {
"caption": "Unique ID",
"description": "The unique identifier of the resource.",
- "requirement": "optional",
+ "requirement": "recommended",
"type": "string_t"
},
"unmapped": {
@@ -34313,7 +38953,8 @@
},
"name": {
"caption": "Name",
- "description": "The name of the account (e.g. GCP Account Name).",
+ "description": "The name of the account (e.g. GCP Project name
, Linux Account name
or AWS Account name
).",
+ "observable": 34,
"requirement": "recommended",
"type": "string_t"
},
@@ -34351,6 +38992,27 @@
"10": {
"caption": "AWS Account"
},
+ "11": {
+ "caption": "GCP Project"
+ },
+ "12": {
+ "caption": "OCI Compartment"
+ },
+ "13": {
+ "caption": "Azure Subscription"
+ },
+ "14": {
+ "caption": "Salesforce Account"
+ },
+ "15": {
+ "caption": "Google Workspace"
+ },
+ "16": {
+ "caption": "Servicenow Instance"
+ },
+ "17": {
+ "caption": "M365 Tenant"
+ },
"2": {
"caption": "Windows Account"
},
@@ -34386,7 +39048,8 @@
},
"uid": {
"caption": "Unique ID",
- "description": "The unique identifier of the account (e.g. AWS Account ID).",
+ "description": "The unique identifier of the account (e.g. AWS Account ID
, OCID
, GCP Project ID
, Azure Subscription ID
, Google Workspace Customer ID
, or M365 Tenant UID
).",
+ "observable": 35,
"requirement": "recommended",
"type": "string_t"
},
@@ -34405,7 +39068,7 @@
"uid"
]
},
- "description": "The Account object contains details about the account that initiated or performed a specific activity within a system or application.",
+ "description": "The Account object contains details about the account that initiated or performed a specific activity within a system or application. Additionally, the Account object refers to logical Cloud and Software-as-a-Service (SaaS) based containers such as AWS Accounts, Azure Subscriptions, Oracle Cloud Compartments, Google Cloud Projects, and otherwise.",
"extends": "_entity",
"name": "account"
},
@@ -34572,6 +39235,12 @@
"requirement": "recommended",
"type": "string_t"
},
+ "cpe_name": {
+ "caption": "The product CPE identifier",
+ "description": "The Common Platform Enumeration (CPE) name as described by (NIST) For example: cpe:/a:apple:safari:16.2
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
"epoch": {
"caption": "Epoch",
"description": "The software package epoch. Epoch is a way to define weighted dependencies based on version numbers.",
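Review bot: The `cpe_name` description does not say which CPE binding is expected; the example `cpe:/a:apple:safari:16.2` is the older URI form, while vulnerability feeds commonly use the `cpe:2.3:` formatted string. Without that, two producers can emit different strings for the same product and a join against vulnerability data silently misses. I would name the accepted form(s) in the description and shorten the caption to match its siblings, e.g. `"caption": "CPE Name"`. The `(NIST)` reference also reads as if a link was lost, and a sentence break is missing before `For example`.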
@@ -34584,6 +39253,13 @@
"requirement": "optional",
"type": "string_t"
},
+ "hash": {
+ "caption": "Hash",
+ "description": "Cryptographic hash to identify the binary instance of a software component. This can include any component such file, package, or library.",
+ "observable": 30,
+ "requirement": "optional",
+ "type": "fingerprint"
+ },
"license": {
"caption": "Software License",
"description": "The software license applied to this package.",
@@ -34640,6 +39316,37 @@
"requirement": "optional",
"type": "remediation"
},
+ "type": {
+ "caption": "Type",
+ "description": "The type of software package, normalized to the caption of the type_id value. In the case of 'Other', it is defined by the source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_id": {
+ "caption": "Type ID",
+ "description": "The type of software package.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The type is unknown."
+ },
+ "1": {
+ "caption": "Application",
+ "description": "An application software package."
+ },
+ "2": {
+ "caption": "Operating System",
+ "description": "An operating system software package."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The type is not mapped. See the type
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "type",
+ "type": "integer_t"
+ },
"unmapped": {
"caption": "Unmapped Data",
"description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
@@ -34647,6 +39354,12 @@
"requirement": "optional",
"type": "unmapped"
},
+ "vendor_name": {
+ "caption": "Vendor Name",
+ "description": "The name of the vendor who published the software package.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
"version": {
"caption": "Version",
"description": "The software package version.",
@@ -34869,6 +39582,10 @@
"caption": "Statistical",
"description": "Statistical analytics pertains to analyzing data patterns and anomalies using statistical models to predict, detect, and respond to potential threats, enhancing overall security posture through informed decision-making."
},
+ "4": {
+ "caption": "Learning (ML/DL)",
+ "description": "Learning (ML/DL) encompasses techniques that can \"learn\" from known data to create analytics that generalize to new data. There may be a statistical component to these techniques, but it is not a requirement."
+ },
"5": {
"caption": "Fingerprinting",
"description": "Fingerprinting is the technique of collecting detailed system data, including software versions and configurations, to enhance threat detection, data loss prevention (DLP), and endpoint detection and response (EDR) capabilities."
@@ -35012,13 +39729,13 @@
},
"sub_technique": {
"caption": "Sub Technique",
- "description": "The Sub Technique object describes the sub technique ID and/or name associated to an attack, as defined by ATT&CK MatrixTM.",
+ "description": "The Sub Technique object describes the sub technique ID and/or name associated to an attack, as defined by ATT&CK\u00ae Matrix.",
"requirement": "optional",
"type": "sub_technique"
},
"tactic": {
"caption": "Tactic",
- "description": "The Tactic object describes the tactic ID and/or name that is associated to an attack, as defined by ATT&CK MatrixTM.",
+ "description": "The Tactic object describes the tactic ID and/or name that is associated to an attack, as defined by ATT&CK\u00ae Matrix.",
"requirement": "optional",
"type": "tactic"
},
@@ -35028,14 +39745,14 @@
"since": "1.1.0"
},
"caption": "Tactics",
- "description": "The Tactic object describes the tactic ID and/or tactic name that are associated with the attack technique, as defined by ATT&CK MatrixTM.",
+ "description": "The Tactic object describes the tactic ID and/or tactic name that are associated with the attack technique, as defined by ATT&CK\u00ae Matrix.",
"is_array": true,
"requirement": "optional",
"type": "tactic"
},
"technique": {
"caption": "Technique",
- "description": "The Technique object describes the technique ID and/or name associated to an attack, as defined by ATT&CK MatrixTM.",
+ "description": "The Technique object describes the technique ID and/or name associated to an attack, as defined by ATT&CK\u00ae Matrix.",
"requirement": "optional",
"type": "technique"
},
@@ -35048,7 +39765,7 @@
},
"version": {
"caption": "Version",
- "description": "The ATT&CK MatrixTM version.",
+ "description": "The ATT&CK\u00ae Matrix version.",
"requirement": "recommended",
"type": "string_t"
}
@@ -35061,7 +39778,7 @@
"sub_technique"
]
},
- "description": "The MITRE ATT&CK\u00ae object describes the tactic, technique & sub-technique associated to an attack as defined in ATT&CK MatrixTM.",
+ "description": "The MITRE ATT&CK\u00ae object describes the tactic, technique & sub-technique associated to an attack as defined in ATT&CK\u00ae Matrix.",
"extends": "object",
"name": "attack"
},
@@ -35224,7 +39941,7 @@
"decision": {
"caption": "Authorization Decision/Outcome",
"description": "Authorization Result/outcome, e.g. allowed, denied.",
- "requirement": "optional",
+ "requirement": "recommended",
"type": "string_t"
},
"policy": {
@@ -35342,6 +40059,12 @@
"requirement": "required",
"type": "fingerprint"
},
+ "is_self_signed": {
+ "caption": "Certificate Self-Signed",
+ "description": "Denotes whether a digital certificate is self-signed or signed by a known certificate authority (CA).",
+ "requirement": "recommended",
+ "type": "boolean_t"
+ },
"issuer": {
"caption": "Issuer Distinguished Name",
"description": "The certificate issuer distinguished name.",
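Review bot: The description of `is_self_signed` does not state what `true` means, and it presents the two cases as exhaustive. A certificate issued by a private or unrecognised CA is neither self-signed nor signed by a known CA, so a producer has to guess, and a detection keyed on `false` may assume trust that was never verified. Suggested wording: `"description": "Indicates whether the certificate is self-signed, i.e. signed with its own key rather than by a separate issuer. A value of false does not imply that the issuer is trusted."`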
@@ -35689,6 +40412,10 @@
"type": "string_t"
},
"project_uid": {
+ "@deprecated": {
+ "message": "Use the account.uid
attribute instead.",
+ "since": "1.4.0"
+ },
"caption": "Project ID",
"description": "The unique identifier of a Cloud project.",
"requirement": "optional",
@@ -35746,12 +40473,26 @@
}
},
"caption": "Cloud",
- "description": "The Cloud object contains information about a cloud account such as AWS Account ID, regions, etc.",
+ "description": "The Cloud object contains information about a cloud or Software-as-a-Service account or similar construct, such as AWS Account ID, regions, organizations, folders, compartments, tenants, etc.",
"extends": "object",
"name": "cloud"
},
"compliance": {
"attributes": {
+ "compliance_references": {
+ "caption": "Complaince References Articles",
+ "description": "A list of sources of information or tools that help organizations understand, interpret, and implement compliance standards. They provide guidance, best practices, and examples.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "kb_article"
+ },
+ "compliance_standards": {
+ "caption": "Compliance Standards Articles",
+ "description": "A list of established guidelines or criteria that define specific requirements an organization must follow.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "kb_article"
+ },
"control": {
"caption": "Security Control",
"description": "A Control is prescriptive, prioritized, and simplified set of best practices that one can use to strengthen their cybersecurity posture. e.g. AWS SecurityHub Controls, CIS Controls.",
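Review bot: The caption of `compliance_references` is misspelled as `Complaince References Articles`; captions surface in schema browsers and generated documentation, so it should read `"caption": "Compliance References Articles"`. Both new attributes are arrays of `kb_article`, yet the descriptions speak of sources, tools and guidelines rather than articles. A sentence stating that each entry is a knowledge-base article describing the reference or standard would help producers populate them consistently. The `compliance` object continues outside the hunk.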
@@ -36481,13 +41222,30 @@
"description": "The Integrity Common Vulnerability Scoring System (CVSS) metric. Name: Integrity (I). Group: Base. CVSS version: v3",
"enum": {
"0": {
- "caption": "None (N)"
+ "caption": "None (N)",
+ "description": "The integrity level is unknown."
},
"1": {
"caption": "Low (L)"
},
"2": {
"caption": "High (H)"
+ },
+ "3": {
+ "caption": "Medium"
+ },
+ "4": {
+ "caption": "High"
+ },
+ "5": {
+ "caption": "System"
+ },
+ "6": {
+ "caption": "Protected"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The integrity level is not mapped. See the integrity
attribute, which contains a data source specific value."
}
},
"requirement": "optional",
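Review bot: This enum is documented as the CVSS v3 Integrity (I) base metric, but the new side adds `3` Medium, `4` High, `5` System, `6` Protected and `99` Other, which are not CVSS values and look like process integrity levels merged in from another attribute of the same name. It also describes `0` (`None (N)`) as `The integrity level is unknown.`, whereas in CVSS None means no integrity impact. The result has two different "High" values (`2` and `4`) and lets a vulnerability record carry a value no CVSS vector can produce, so scoring or prioritisation logic reading this field can be misled. I would keep only `0`–`2` here, with `"description": "There is no loss of integrity within the impacted component."` on `0`, and resolve the name clash where the enum is defined. The enclosing attribute starts outside the hunk, so its name is inferred from the `99` description.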
@@ -37032,6 +41790,167 @@
"extends": "object",
"name": "cwe"
},
+ "d3f_tactic": {
+ "attributes": {
+ "name": {
+ "caption": "Name",
+ "description": "The tactic name that is associated with the defensive technique, as defined by D3FENDTM Matrix. For example: Isolate
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "src_url": {
+ "caption": "Source URL",
+ "description": "The versioned permalink of the defensive tactic, as defined by D3FENDTM Matrix. For example: https://d3fend.mitre.org/tactic/d3f:Isolate/
.",
+ "observable": 6,
+ "requirement": "optional",
+ "type": "url_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the entity.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "MITRE D3FEND\u2122 Tactic",
+ "constraints": {
+ "at_least_one": [
+ "name",
+ "uid"
+ ]
+ },
+ "description": "The MITRE D3FEND\u2122 Tactic object describes the tactic ID and/or name that is associated to an attack, as defined by D3FENDTM Matrix.",
+ "extends": "_entity",
+ "name": "d3f_tactic"
+ },
+ "d3f_technique": {
+ "attributes": {
+ "name": {
+ "caption": "Name",
+ "description": "The name of the defensive technique, as defined by D3FENDTM Matrix. For example: IO Port Restriction
.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "src_url": {
+ "caption": "Source URL",
+ "description": "The versioned permalink of the defensive technique, as defined by D3FENDTM Matrix. For example: https://d3fend.mitre.org/technique/d3f:IOPortRestriction/
.",
+ "observable": 6,
+ "requirement": "optional",
+ "type": "url_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the defensive technique, as defined by D3FENDTM Matrix. For example: D3-IOPR
.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "MITRE DEFEND\u2122 Technique",
+ "constraints": {
+ "at_least_one": [
+ "name",
+ "uid"
+ ]
+ },
+ "description": "The MITRE DEFEND\u2122 Technique object describes the leaf defensive technique ID and/or name associated to a countermeasure, as defined by D3FENDTM Matrix.",
+ "extends": "_entity",
+ "name": "d3f_technique"
+ },
+ "d3fend": {
+ "attributes": {
+ "d3f_tactic": {
+ "caption": "MITRE DEFEND\u2122 Tactic",
+ "description": "The Tactic object describes the tactic ID and/or name that is associated with a countermeasure, as defined by D3FEND MatrixTM.",
+ "requirement": "recommended",
+ "type": "d3f_tactic"
+ },
+ "d3f_technique": {
+ "caption": "MITRE DEFEND\u2122 Technique",
+ "description": "The Defend Technique object describes the technique ID and/or name associated with a countermeasure, as defined by D3FEND MatrixTM.",
+ "requirement": "recommended",
+ "type": "d3f_technique"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "version": {
+ "caption": "Version",
+ "description": "The D3FEND MatrixTM version.",
+ "requirement": "recommended",
+ "type": "string_t"
+ }
+ },
+ "caption": "MITRE D3FEND\u2122",
+ "constraints": {
+ "at_least_one": [
+ "d3f_tactic",
+ "d3f_technique"
+ ]
+ },
+ "description": "The MITRE D3FEND\u2122 object describes the tactic, technique & sub-technique associated with a countermeasure as defined in DEFEND MatrixTM.",
+ "extends": "object",
+ "name": "d3fend"
+ },
"data_classification": {
"attributes": {
"category": {
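Review bot: The three new D3FEND objects spell the framework inconsistently: captions and descriptions alternate between `MITRE D3FEND™`, `MITRE DEFEND™`, `D3FENDTM Matrix`, `D3FEND MatrixTM` and `DEFEND MatrixTM`, where `TM` appears to be a trademark sign that lost its encoding. Separately, `d3f_tactic` is described as associated "to an attack" although the sibling objects speak of countermeasures, and the `d3fend` description mentions a sub-technique for which the object has no attribute. I would use `MITRE D3FEND\u2122` throughout, have the `d3f_tactic` description refer to a countermeasure, and drop "& sub-technique" from the `d3fend` description. `d3f_tactic.uid` also keeps the generic entity description with no example, unlike `d3f_technique.uid` (`D3-IOPR`).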
@@ -37276,6 +42195,10 @@
"3": {
"caption": "Data in-Use",
"description": "The data was being processed, accessed, or read by a system, making it active in memory or CPU. E.g., sensitive data in a Business Intelligence tool, ePHI being processed in an EHR application or a user viewing data stored in a spreadsheet or PDF."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The data lifecycle state is not mapped. See the data_lifecycle_state
attribute, which contains a data source specific value."
}
},
"requirement": "recommended",
@@ -37803,6 +42726,12 @@
"requirement": "optional",
"type": "string_t"
},
+ "boot_time": {
+ "caption": "Boot Time",
+ "description": "The time the system was booted.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
"container": {
"caption": "Container",
"description": "The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.",
@@ -37895,7 +42824,7 @@
"caption": "IP Address",
"description": "The device IP address, in either IPv4 or IPv6 format.",
"observable": 2,
- "requirement": "recommended",
+ "requirement": "optional",
"type": "ip_t"
},
"is_compliant": {
@@ -37951,7 +42880,7 @@
"name": {
"caption": "Name",
"description": "The alternate device name, ordinarily as assigned by an administrator. Note: The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234
.
risk_level
attribute, which contains a data source specific value."
}
},
"requirement": "optional",
@@ -38079,7 +43012,7 @@
"type": {
"caption": "Type",
"description": "The device type. For example: unknown
, server
, desktop
, laptop
, tablet
, mobile
, virtual
, browser
, or other
.",
- "requirement": "optional",
+ "requirement": "recommended",
"type": "string_t"
},
"type_id": {
@@ -38103,6 +43036,22 @@
"caption": "Hub",
"description": "A networking hub."
},
+ "12": {
+ "caption": "Router",
+ "description": "A networking router."
+ },
+ "13": {
+ "caption": "IDS",
+ "description": "An intrusion detection system."
+ },
+ "14": {
+ "caption": "IPS",
+ "description": "An intrusion prevention system."
+ },
+ "15": {
+ "caption": "Load Balancer",
+ "description": "A Load Balancer device."
+ },
"2": {
"caption": "Desktop",
"description": "A desktop computer."
@@ -38430,6 +43379,49 @@
"requirement": "optional",
"type": "string_t"
},
+ "state": {
+ "caption": "State",
+ "description": "The digital signature state defines the signature state, normalized to the caption of 'state_id'. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "state_id": {
+ "caption": "State ID",
+ "description": "The normalized identifier of the signature state.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The state is unknown."
+ },
+ "1": {
+ "caption": "Valid",
+ "description": "The digital signature is valid."
+ },
+ "2": {
+ "caption": "Expired",
+ "description": "The digital signature is not valid due to expiration of certificate."
+ },
+ "3": {
+ "caption": "Revoked",
+ "description": "The digital signature is invalid due to certificate revocation."
+ },
+ "4": {
+ "caption": "Suspended",
+ "description": "The digital signature is invalid due to certificate suspension."
+ },
+ "5": {
+ "caption": "Pending",
+ "description": "The digital signature state is pending."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The state is not mapped. See the state
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "optional",
+ "sibling": "state",
+ "type": "integer_t"
+ },
"unmapped": {
"caption": "Unmapped Data",
"description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
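Review bot: Every non-unknown value of the new `state_id` enum describes certificate status (`Valid`, `Expired`, `Revoked`, `Suspended`, `Pending`); there is no value for a signature that fails verification because the signed content no longer matches. That is the case a tamper detection cares about most, and as written it can only be reported as `99` Other with a free-text `state`, which different sources will spell differently. Consider adding a dedicated value, or at least stating in the `Valid` description whether it covers only the certificate or also digest verification. The enclosing object starts outside the hunk.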
@@ -38515,7 +43507,8 @@
"description": "The list of DNS answer header flag IDs.",
"enum": {
"0": {
- "caption": "Unknown"
+ "caption": "Unknown",
+ "description": "The flag is unknown."
},
"1": {
"caption": "Authoritative Answer"
@@ -38541,7 +43534,7 @@
}
},
"is_array": true,
- "requirement": "optional",
+ "requirement": "recommended",
"sibling": "flags",
"type": "integer_t"
},
@@ -38626,7 +43619,7 @@
},
"opcode_id": {
"caption": "DNS Opcode ID",
- "description": "The DNS opcode ID specifies the normalized query message type.",
+ "description": "The DNS opcode ID specifies the normalized query message type as defined in RFC-5395.",
"enum": {
"0": {
"caption": "Query",
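Review bot: The reference added to the `opcode_id` description is out of date for the values the enum carries: RFC 5395 has been obsoleted (its current successor is RFC 6895), and opcode `6`, DSO, which appears as context in the next hunk, was defined later in RFC 8490. The `99` description added in that next hunk says "not defined by the RFC", which inherits the same ambiguity. I would point at the registry instead, e.g. `"description": "The DNS opcode ID specifies the normalized query message type, as listed in the IANA DNS Parameters registry."`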
@@ -38655,6 +43648,10 @@
"6": {
"caption": "DSO Message",
"description": "DNS Stateful Operations (DSO)"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The DNS Opcode is not defined by the RFC. See the opcode
attribute, which contains a data source specific value."
}
},
"requirement": "recommended",
@@ -38699,6 +43696,110 @@
"extends": "_dns",
"name": "dns_query"
},
+ "domain_contact": {
+ "attributes": {
+ "email_addr": {
+ "caption": "Contact Email",
+ "description": "The user's primary email address.",
+ "observable": 5,
+ "requirement": "recommended",
+ "type": "email_t"
+ },
+ "location": {
+ "caption": "Contact Location Information",
+ "description": "Location details for the contract such as the city, state/province, country, etc.",
+ "observable": 26,
+ "requirement": "recommended",
+ "type": "location"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The individual or organization name for the contact.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "phone_number": {
+ "caption": "Phone Number",
+ "description": "The number associated with the phone.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "type": {
+ "caption": "Domain Contact Type",
+ "description": "The Domain Contact type, normalized to the caption of the type_id
value. In the case of 'Other', it is defined by the source",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_id": {
+ "caption": "Domain Contact Type ID",
+ "description": "The normalized domain contact type ID.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The type is unknown."
+ },
+ "1": {
+ "caption": "Registrant",
+ "description": "The contact information provided is for the domain registrant."
+ },
+ "2": {
+ "caption": "Administrative",
+ "description": "The contact information provided is for the domain administrator."
+ },
+ "3": {
+ "caption": "Technical",
+ "description": "The contact information provided is for the domain technical lead."
+ },
+ "4": {
+ "caption": "Billing",
+ "description": "The contact information provided is for the domain billing lead."
+ },
+ "5": {
+ "caption": "Abuse",
+ "description": "The contact information provided is for the domain abuse contact."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The type is not mapped. See the type
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "type",
+ "type": "integer_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the contact information, typically provided in WHOIS information.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Domain Contact",
+ "description": "The contact information related to a domain registration, e.g., registrant, administrator, abuse, billing, or technical contact.",
+ "extends": "object",
+ "name": "domain_contact"
+ },
"domain_info": {
"@deprecated": {
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
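Review bot: Two descriptions in the new `domain_contact` object look copied from elsewhere: `email_addr` is described as `The user's primary email address.` and `location` as details "for the contract". Suggested: `"description": "The email address of the contact."`, and "for the contact" in the `location` text. The `phone_number` description ("The number associated with the phone") could likewise say it is the contact's phone number. WHOIS contact fields are personal data when the registrant is an individual and are often redacted or replaced by a privacy service, so the object description could note that values may be placeholders rather than the real registrant.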
@@ -39283,6 +44384,22 @@
"caption": "Hub",
"description": "A networking hub."
},
+ "12": {
+ "caption": "Router",
+ "description": "A networking router."
+ },
+ "13": {
+ "caption": "IDS",
+ "description": "An intrusion detection system."
+ },
+ "14": {
+ "caption": "IPS",
+ "description": "An intrusion prevention system."
+ },
+ "15": {
+ "caption": "Load Balancer",
+ "description": "A Load Balancer device."
+ },
"2": {
"caption": "Desktop",
"description": "A desktop computer."
@@ -39425,12 +44542,24 @@
},
"enrichment": {
"attributes": {
+ "created_time": {
+ "caption": "Created Time",
+ "description": "The time when the enrichment data was generated.",
+ "requirement": "recommended",
+ "type": "timestamp_t"
+ },
"data": {
"caption": "Data",
"description": "The enrichment data associated with the attribute and value. The meaning of this data depends on the type the enrichment record.",
"requirement": "required",
"type": "json_t"
},
+ "desc": {
+ "caption": "Description",
+ "description": "A long description of the enrichment data.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
"name": {
"caption": "Name",
"description": "The name of the attribute to which the enriched data pertains.",
@@ -39457,6 +44586,25 @@
"requirement": "required",
"type": "string_t"
},
+ "reputation": {
+ "caption": "Reputation Scores",
+ "description": "The reputation of the enrichment data.",
+ "requirement": "optional",
+ "type": "reputation"
+ },
+ "short_desc": {
+ "caption": "Short Description",
+ "description": "A short description of the enrichment data.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "src_url": {
+ "caption": "Source URL",
+ "description": "The URL of the source of the enrichment data.",
+ "observable": 6,
+ "requirement": "recommended",
+ "type": "url_t"
+ },
"type": {
"caption": "Type",
"description": "The enrichment type. For example: location
.",
@@ -39580,12 +44728,25 @@
"requirement": "recommended",
"type": "databucket"
},
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host associated to the activity that triggered the detection.",
+ "requirement": "recommended",
+ "type": "device"
+ },
"dst_endpoint": {
"caption": "Destination Endpoint",
"description": "Describes details about the destination of the network activity that triggered the detection.",
"requirement": "recommended",
"type": "network_endpoint"
},
+ "email": {
+ "caption": "Email",
+ "description": "The email object associated to the activity that triggered the detection.",
+ "observable": 22,
+ "requirement": "recommended",
+ "type": "email"
+ },
"file": {
"caption": "File",
"description": "Describes details about the file associated to the activity that triggered the detection.",
@@ -39593,6 +44754,12 @@
"requirement": "recommended",
"type": "file"
},
+ "job": {
+ "caption": "Job",
+ "description": "Describes details about the scheduled job that was associated with the activity that triggered the detection.",
+ "requirement": "recommended",
+ "type": "job"
+ },
"process": {
"caption": "Process",
"description": "Describes details about the process associated to the activity that triggered the detection.",
@@ -39620,6 +44787,20 @@
"requirement": "required",
"type": "string_t"
},
+ "reg_key": {
+ "caption": "Registry Key",
+ "description": "Describes details about the registry key that triggered the detection.",
+ "observable": 28,
+ "requirement": "recommended",
+ "type": "reg_key"
+ },
+ "reg_value": {
+ "caption": "Registry Value",
+ "description": "Describes details about the registry value that triggered the detection.",
+ "observable": 29,
+ "requirement": "recommended",
+ "type": "reg_value"
+ },
"src_endpoint": {
"caption": "Source Endpoint",
"description": "Describes details about the source of the network activity that triggered the detection.",
@@ -39632,9 +44813,29 @@
"is_array": true,
"requirement": "optional",
"type": "unmapped"
+ },
+ "url": {
+ "caption": "URL",
+ "description": "The URL object that pertains to the event or object associated to the activity that triggered the detection.",
+ "observable": 23,
+ "requirement": "recommended",
+ "type": "url"
+ },
+ "user": {
+ "caption": "User",
+ "description": "Describes details about the user that was the target or somehow else associated with the activity that triggered the detection.",
+ "observable": 21,
+ "requirement": "recommended",
+ "type": "user"
+ },
+ "win_service": {
+ "caption": "Windows Service",
+ "description": "Describes details about the Windows service that triggered the detection.",
+ "requirement": "recommended",
+ "type": "win_service"
}
},
- "caption": "Evidence Artifacts",
+ "caption": "Windows Evidence Artifacts",
"constraints": {
"at_least_one": [
"actor",
@@ -39643,15 +44844,23 @@
"data",
"database",
"databucket",
+ "device",
"dst_endpoint",
+ "email",
"file",
"process",
"query",
- "src_endpoint"
+ "src_endpoint",
+ "url",
+ "user",
+ "job",
+ "reg_key",
+ "reg_value",
+ "win_service"
]
},
- "description": "A collection of evidence artifacts associated to the activity/activities that triggered a security detection.",
- "extends": "object",
+ "description": "Extends the evidences object to add Windows specific fields",
+ "extends": "evidences",
"name": "evidences"
},
"extension": {
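Review bot: The `evidences` object now declares `"extends": "evidences"` while its `"name"` is also `"evidences"`, so the definition refers to itself, and its caption (changed in the previous hunk) and description are those of a Windows-specific extension. It looks as if an extension overlay replaced the base object's metadata instead of being merged into it, though the source definitions are not visible here. Findings from non-Windows sources would then be labelled "Windows Evidence Artifacts", and any consumer that walks the `extends` chain has to guard against the cycle. I would keep `"caption": "Evidence Artifacts"` and `"extends": "object"` on this object, and fix the merge step if this file is a compiled export.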
@@ -39852,6 +45061,12 @@
"requirement": "optional",
"type": "string_t"
},
+ "ext": {
+ "caption": "File Extension",
+ "description": "The extension of the file, excluding the leading dot. For example: exe
from svchost.exe
, or gz
from export.tar.gz
.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
"fingerprints": {
"@deprecated": {
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
@@ -40510,7 +45725,7 @@
"caption": "Duration",
"description": "The rule response time duration, usually used for challenge completion time.",
"requirement": "optional",
- "type": "integer_t"
+ "type": "long_t"
},
"match_details": {
"caption": "Match Details",
@@ -40611,6 +45826,7 @@
"name": {
"caption": "Name",
"description": "The group name.",
+ "observable": 32,
"requirement": "recommended",
"type": "string_t"
},
@@ -40644,6 +45860,7 @@
"uid": {
"caption": "Unique ID",
"description": "The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.",
+ "observable": 33,
"requirement": "recommended",
"type": "string_t"
},
@@ -41279,6 +46496,124 @@
"extension": "query",
"name": "ip_intelligence"
},
+ "ja4_fingerprint": {
+ "attributes": {
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "section_a": {
+ "caption": "JA4 Section A",
+ "description": "The 'a' section of the JA4 fingerprint.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "section_b": {
+ "caption": "JA4 Section B",
+ "description": "The 'b' section of the JA4 fingerprint.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "section_c": {
+ "caption": "JA4 Section C",
+ "description": "The 'c' section of the JA4 fingerprint.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "section_d": {
+ "caption": "JA4 Section D",
+ "description": "The 'd' section of the JA4 fingerprint.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type": {
+ "caption": "Type",
+ "description": "The JA4+ fingerprint type as defined by FoxIO, normalized to the caption of 'type_id'. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_id": {
+ "caption": "Type ID",
+ "description": "The identifier of the JA4+ fingerprint type.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The type is unknown."
+ },
+ "1": {
+ "caption": "JA4",
+ "description": "TLS Client Fingerprint."
+ },
+ "2": {
+ "caption": "JA4Server",
+ "description": "TLS Server Response/Session Fingerprint."
+ },
+ "3": {
+ "caption": "JA4HTTP",
+ "description": "HTTP Client Fingerprint."
+ },
+ "4": {
+ "caption": "JA4Latency",
+ "description": "Latency Measurement/Light Distance Fingerprint."
+ },
+ "5": {
+ "caption": "JA4X509",
+ "description": "X509 TLS Certificate Fingerprint."
+ },
+ "6": {
+ "caption": "JA4SSH",
+ "description": "SSH Traffic Fingerprint."
+ },
+ "7": {
+ "caption": "JA4TCP",
+ "description": "Passive TCP Client Fingerprint."
+ },
+ "8": {
+ "caption": "JA4TCPServer",
+ "description": "Passive TCP Server Fingerprint."
+ },
+ "9": {
+ "caption": "JA4TCPScan",
+ "description": "Active TCP Server Fingerprint."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The type is not mapped. See the type
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "type",
+ "type": "integer_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "value": {
+ "caption": "Value",
+ "description": "The JA4+ fingerprint value.",
+ "requirement": "required",
+ "type": "string_t"
+ }
+ },
+ "caption": "JA4+ Fingerprint",
+ "description": "The JA4+ fingerprint object provides detailed fingerprint information about various aspects of network traffic which is both machine and human readable.",
+ "extends": "object",
+ "name": "ja4_fingerprint"
+ },
"job": {
"attributes": {
"cmd_line": {
@@ -41350,7 +46685,8 @@
"description": "The run state ID of the job.",
"enum": {
"0": {
- "caption": "Unknown"
+ "caption": "Unknown",
+ "description": "The run state is unknown."
},
"1": {
"caption": "Ready"
@@ -41365,7 +46701,8 @@
"caption": "Stopped"
},
"99": {
- "caption": "Other"
+ "caption": "Other",
+ "description": "The run state is not mapped. See the run_state
attribute, which contains a data source specific value."
}
},
"requirement": "recommended",
@@ -41394,6 +46731,12 @@
},
"kb_article": {
"attributes": {
+ "avg_timespan": {
+ "caption": "Average Timespan",
+ "description": "The average time to patch.",
+ "requirement": "optional",
+ "type": "timespan"
+ },
"bulletin": {
"caption": "Patch Bulletin",
"description": "The kb article bulletin identifier.",
@@ -41412,6 +46755,41 @@
"requirement": "optional",
"type": "timestamp_t"
},
+ "install_state": {
+ "caption": "Install State",
+ "description": "The install state of the kb article.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "install_state_id": {
+ "caption": "Install State ID",
+ "description": "The normalized install state ID of the kb article.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The normalized install state is unknown."
+ },
+ "1": {
+ "caption": "Installed",
+ "description": "The item is installed."
+ },
+ "2": {
+ "caption": "Not Installed",
+ "description": "The item is not installed."
+ },
+ "3": {
+ "caption": "Installed Pending Reboot",
+ "description": "The item is installed pending reboot operation."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The install state is not mapped. See the install_state
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "install_state",
+ "type": "integer_t"
+ },
"is_superseded": {
"caption": "The patch is superseded.",
"description": "The kb article has been replaced by another.",
@@ -41859,6 +47237,12 @@
"requirement": "optional",
"type": "string_t"
},
+ "phone_number": {
+ "caption": "Telephone Number",
+ "description": "The telephone number of the user. Corresponds to the LDAP Telephone-Number
CN.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
"raw_data": {
"caption": "Raw Data",
"description": "The event data as received from the event source.",
@@ -41925,6 +47309,13 @@
"requirement": "optional",
"type": "string_t"
},
+ "ip": {
+ "caption": "IP Address",
+ "description": "The IP address of the load balancer node that handled the client request. Note: the load balancer may have other IP addresses, and this is not an IP address of the target/distribution endpoint - see dst_endpoint
.",
+ "observable": 2,
+ "requirement": "optional",
+ "type": "ip_t"
+ },
"message": {
"caption": "Message",
"description": "The load balancer message.",
@@ -42146,7 +47537,7 @@
"logged_time": {
"caption": "Logged Time",
"description": "The time when the logging system collected and logged the event.
This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.",
- "requirement": "optional",
+ "requirement": "recommended",
"type": "timestamp_t"
},
"name": {
@@ -42219,7 +47610,8 @@
"description": "The list of normalized identifiers of the malware classifications. Reference: STIX Malware Types ",
"enum": {
"0": {
- "caption": "Unknown"
+ "caption": "Unknown",
+ "description": "The classification is unknown."
},
"1": {
"caption": "Adware"
@@ -42285,7 +47677,8 @@
"caption": "Keylogger"
},
"99": {
- "caption": "Other"
+ "caption": "Other",
+ "description": "The classification is not mapped. See theclassifications
attribute, which contains a data source specific value."
}
},
"is_array": true,
@@ -42295,7 +47688,7 @@
},
"classifications": {
"caption": "Classifications",
- "description": "The list of malware classifications, normalized to the captions of the classification_id values. In the case of 'Other', they are defined by the event source.",
+ "description": "The list of malware classifications, normalized to the captions of the classification_ids
values. In the case of 'Other', they are defined by the event source.",
"is_array": true,
"requirement": "optional",
"type": "string_t"
@@ -42383,6 +47776,25 @@
"requirement": "optional",
"type": "json_t"
},
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "email": {
+ "caption": "Email",
+ "description": "The email object.",
+ "observable": 22,
+ "requirement": "recommended",
+ "type": "email"
+ },
+ "group": {
+ "caption": "Group",
+ "description": "The group object associated with an entity such as user, policy, or rule.",
+ "requirement": "recommended",
+ "type": "group"
+ },
"name": {
"caption": "Name",
"description": "The name of the managed entity.",
@@ -42390,6 +47802,18 @@
"requirement": "recommended",
"type": "string_t"
},
+ "org": {
+ "caption": "Organization",
+ "description": "Organization and org unit relevant to the event or object.",
+ "requirement": "recommended",
+ "type": "organization"
+ },
+ "policy": {
+ "caption": "Policy",
+ "description": "Describes details of a managed policy.",
+ "requirement": "recommended",
+ "type": "policy"
+ },
"raw_data": {
"caption": "Raw Data",
"description": "The event data as received from the event source.",
@@ -42411,6 +47835,47 @@
"requirement": "recommended",
"type": "string_t"
},
+ "type_id": {
+ "caption": "Type ID",
+ "description": "The type of the Managed Entity. It is recommended to also populate the type
attribute with the associated label, or the source specific name if Other
.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The type is unknown."
+ },
+ "1": {
+ "caption": "Device",
+ "description": "A managed Device entity. This item corresponds to population of the device
attribute."
+ },
+ "2": {
+ "caption": "User",
+ "description": "A managed User entity. This item corresponds to population of the user
attribute."
+ },
+ "3": {
+ "caption": "Group",
+ "description": "A managed Group entity. This item corresponds to population of the group
attribute."
+ },
+ "4": {
+ "caption": "Organization",
+ "description": "A managed Organization entity. This item corresponds to population of the org
attribute."
+ },
+ "5": {
+ "caption": "Policy",
+ "description": "A managed Policy entity. This item corresponds to population of the policy
attribute."
+ },
+ "6": {
+ "caption": "Email",
+ "description": "A managed Email entity. This item corresponds to population of the email
attribute."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The type is not mapped. See the type
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "type",
+ "type": "integer_t"
+ },
"uid": {
"caption": "Unique ID",
"description": "The identifier of the managed entity.",
@@ -42424,6 +47889,13 @@
"requirement": "optional",
"type": "unmapped"
},
+ "user": {
+ "caption": "User",
+ "description": "The user that pertains to the event or object.",
+ "observable": 21,
+ "requirement": "recommended",
+ "type": "user"
+ },
"version": {
"caption": "Version",
"description": "The version of the managed entity. For example: 1.2.3
.",
@@ -42435,10 +47907,15 @@
"constraints": {
"at_least_one": [
"name",
- "uid"
+ "uid",
+ "device",
+ "group",
+ "org",
+ "policy",
+ "user"
]
},
- "description": "The Managed Entity object describes the type and version of an entity, such as a policy or configuration.",
+ "description": "The Managed Entity object describes the type and version of an entity, such as a user, device, or policy. For types in the type_id
enum list, an associated attribute should be populated. If the type of entity is not in the type_id
list, information can be put into the data
attribute and the type
attribute should identify the entity.",
"extends": "_entity",
"name": "managed_entity"
},
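Review bot: `email` is missing from the `at_least_one` list, even though the earlier hunks for this object add an `email` attribute and a `type_id` value `6` (Email) whose description says it corresponds to populating `email`. A managed entity that carries only an email object would fail the constraint, while the other five typed attributes satisfy it. Add `"email"` to the list next to `"device"`, `"group"`, `"org"`, `"policy"` and `"user"`, or remove the Email type if the omission is deliberate.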
@@ -42550,7 +48027,7 @@
},
"profiles": {
"caption": "Profiles",
- "description": "The list of profiles used to create the event.",
+ "description": "The list of profiles used to create the event. Profiles should be referenced by their name
attribute for core profiles, or extension/name
for profiles from extensions.",
"is_array": true,
"requirement": "optional",
"type": "string_t"
@@ -42674,16 +48151,17 @@
},
"load_type": {
"caption": "Load Type",
- "description": "The load type, normalized to the caption of the load_type_id value. In the case of 'Other', it is defined by the event source. It describes how the module was loaded in memory.",
+ "description": "The load type, normalized to the caption of the load_type_id value. In the case of 'Other', it is defined by the event source.",
"requirement": "optional",
"type": "string_t"
},
"load_type_id": {
"caption": "Load Type ID",
- "description": "The normalized identifier of the load type. It identifies how the module was loaded in memory.",
+ "description": "The normalized identifier for how the module was loaded in memory.",
"enum": {
"0": {
- "caption": "Unknown"
+ "caption": "Unknown",
+ "description": "The load type is unknown."
},
"1": {
"caption": "Standard",
@@ -42706,7 +48184,8 @@
"description": "A module loaded in a non standard way. However, GetModuleFileName succeeds on this allocation."
},
"99": {
- "caption": "Other"
+ "caption": "Other",
+ "description": "The load type is not mapped. See the load_type
attribute, which contains a data source specific value."
}
},
"requirement": "required",
@@ -42817,7 +48296,7 @@
"description": "The boundary is not mapped. See the boundary
attribute, which contains a data source specific value."
}
},
- "requirement": "optional",
+ "requirement": "recommended",
"sibling": "boundary",
"type": "integer_t"
},
@@ -42859,7 +48338,7 @@
"protocol_name": {
"caption": "Protocol Name",
"description": "The TCP/IP protocol name in lowercase, as defined by the Internet Assigned Numbers Authority (IANA). See Protocol Numbers. For example: tcp
or udp
.",
- "requirement": "optional",
+ "requirement": "recommended",
"type": "string_t"
},
"protocol_num": {
@@ -42879,7 +48358,8 @@
"description": "The Internet Protocol version identifier.",
"enum": {
"0": {
- "caption": "Unknown"
+ "caption": "Unknown",
+ "description": "The protocol version is unknown."
},
"4": {
"caption": "Internet Protocol version 4 (IPv4)"
@@ -42888,10 +48368,11 @@
"caption": "Internet Protocol version 6 (IPv6)"
},
"99": {
- "caption": "Other"
+ "caption": "Other",
+ "description": "The protocol version is not mapped. See the protocol_ver
attribute, which contains a data source specific value."
}
},
- "requirement": "optional",
+ "requirement": "recommended",
"sibling": "protocol_ver",
"type": "integer_t"
},
@@ -42924,7 +48405,7 @@
"uid": {
"caption": "Connection UID",
"description": "The unique identifier of the connection.",
- "requirement": "optional",
+ "requirement": "recommended",
"type": "string_t"
},
"unmapped": {
@@ -43136,6 +48617,22 @@
"caption": "Hub",
"description": "A networking hub."
},
+ "12": {
+ "caption": "Router",
+ "description": "A networking router."
+ },
+ "13": {
+ "caption": "IDS",
+ "description": "An intrusion detection system."
+ },
+ "14": {
+ "caption": "IPS",
+ "description": "An intrusion prevention system."
+ },
+ "15": {
+ "caption": "Load Balancer",
+ "description": "A Load Balancer device."
+ },
"2": {
"caption": "Desktop",
"description": "A desktop computer."
@@ -43553,6 +49050,22 @@
"caption": "Hub",
"description": "A networking hub."
},
+ "12": {
+ "caption": "Router",
+ "description": "A networking router."
+ },
+ "13": {
+ "caption": "IDS",
+ "description": "An intrusion detection system."
+ },
+ "14": {
+ "caption": "IPS",
+ "description": "An intrusion prevention system."
+ },
+ "15": {
+ "caption": "Load Balancer",
+ "description": "A Load Balancer device."
+ },
"2": {
"caption": "Desktop",
"description": "A desktop computer."
@@ -43846,6 +49359,10 @@
"caption": "CVE ID",
"description": "The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: CVE-2021-12345
."
},
+ "19": {
+ "caption": "User Credential ID",
+ "description": "The unique identifier of the user's credential. For example, AWS Access Key ID."
+ },
"2": {
"caption": "IP Address",
"description": "Internet Protocol address (IP address), in either IPv4 or IPv6 format. For example, 192.168.200.24
or 2001:0db8:85a3:0000:0000:8a2e:0370:7334
."
@@ -43898,6 +49415,26 @@
"caption": "Fingerprint",
"description": "The Fingerprint object provides detailed information about a digital fingerprint, which is a compact representation of data used to identify a longer piece of information, such as a public key or file content. It contains the algorithm and value of the fingerprint, enabling efficient and reliable identification of the associated data."
},
+ "31": {
+ "caption": "",
+ "description": "The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN."
+ },
+ "32": {
+ "caption": "",
+ "description": "The group name."
+ },
+ "33": {
+ "caption": "",
+ "description": "The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group."
+ },
+ "34": {
+ "caption": "",
+ "description": "The name of the account (e.g. GCP Project name
, Linux Account name
or AWS Account name
)."
+ },
+ "35": {
+ "caption": "",
+ "description": "The unique identifier of the account (e.g. AWS Account ID
, OCID
, GCP Project ID
, Azure Subscription ID
, Google Workspace Customer ID
, or M365 Tenant UID
)."
+ },
"4": {
"caption": "User Name",
"description": "User name. For example: john_doe
."
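Review bot: Observable type entries `31` through `35` are added with `"caption": ""`, so each has a description but no label. Other `_id` enums in this schema describe the string sibling as normalized to the enum caption, so an observable of one of these types would presumably carry an empty type name, which makes pivoting and rule matching on the label unreliable; the group name and group uid attributes in this diff already point at `32` and `33`. Give each entry a caption that matches its description, for example `"caption": "Group Name"` for `32` and `"caption": "Group UID"` for `33`.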
@@ -43954,19 +49491,19 @@
"attributes": {
"name": {
"caption": "Name",
- "description": "The name of the organization. For example, Widget, Inc.",
+ "description": "The name of the organization, Oracle Cloud Tenancy, Google Cloud Organization, or AWS Organization. For example, Widget, Inc.
or the AWS Organization name
.",
"requirement": "recommended",
"type": "string_t"
},
"ou_name": {
"caption": "Org Unit Name",
- "description": "The name of the organizational unit, within an organization. For example, Finance, IT, R&D",
+ "description": "The name of an organizational unit, Google Cloud Folder, or AWS Org Unit. For example, the GCP Project Name
, or Dev_Prod_OU
.",
"requirement": "recommended",
"type": "string_t"
},
"ou_uid": {
"caption": "Org Unit ID",
- "description": "The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.",
+ "description": "The unique identifier of an organizational unit, Google Cloud Folder, or AWS Org Unit. For example, an Oracle Cloud Tenancy ID
, AWS OU ID
, or GCP Folder ID
.",
"requirement": "optional",
"type": "string_t"
},
@@ -43986,7 +49523,7 @@
},
"uid": {
"caption": "Unique ID",
- "description": "The unique identifier of the organization. For example, its Active Directory or AWS Org ID.",
+ "description": "The unique identifier of the organization, Oracle Cloud Tenancy, Google Cloud Organization, or AWS Organization. For example, an AWS Org ID
or Oracle Cloud Domain ID
.",
"requirement": "recommended",
"type": "string_t"
},
@@ -44005,7 +49542,7 @@
"uid"
]
},
- "description": "The Organization object describes characteristics of an organization or company and its division if any.",
+ "description": "The Organization object describes characteristics of an organization or company and its division if any. Additionally, it also describes cloud and Software-as-a-Service (SaaS) logical hierarchies such as AWS Organizations, Google Cloud Organizations, Oracle Cloud Tenancies, and similar constructs.",
"extends": "_entity",
"name": "organization"
},
@@ -44153,6 +49690,274 @@
"extends": "object",
"name": "os"
},
+ "osint": {
+ "attributes": {
+ "answers": {
+ "caption": "Related DNS Answers",
+ "description": "Any pertinent DNS answers information related to an indicator or OSINT analysis.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "dns_answer"
+ },
+ "attacks": {
+ "caption": "MITRE ATT&CK\u00ae Details",
+ "description": "MITRE ATT&CK Tactics, Techniques, and/or Procedures (TTPs) pertinent to an indicator or OSINT analysis.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "attack"
+ },
+ "autonomous_system": {
+ "caption": "Autonomous System",
+ "description": "Any pertinent autonomous system information related to an indicator or OSINT analysis.",
+ "requirement": "optional",
+ "type": "autonomous_system"
+ },
+ "comment": {
+ "caption": "Analyst Comments",
+ "description": "Analyst commentary or source commentary about an indicator or OSINT analysis.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "confidence": {
+ "caption": "Confidence",
+ "description": "The confidence of an indicator being malicious and/or pertinent, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source or analyst.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "confidence_id": {
+ "caption": "Confidence Id",
+ "description": "The normalized confidence refers to the accuracy of collected information related to the OSINT or how pertinent an indicator or analysis is to a specific event or finding. A low confidence means that the information collected or analysis conducted lacked detail or is not accurate enough to qualify an indicator as fully malicious.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The normalized confidence is unknown."
+ },
+ "1": {
+ "caption": "Low"
+ },
+ "2": {
+ "caption": "Medium"
+ },
+ "3": {
+ "caption": "High"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The confidence is not mapped to the defined enum values. See the confidence
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "email": {
+ "caption": "Related Email",
+ "description": "Any email information pertinent to an indicator or OSINT analysis.",
+ "observable": 22,
+ "requirement": "optional",
+ "type": "email"
+ },
+ "email_auth": {
+ "caption": "Related Email Authentication",
+ "description": "Any email authentication information pertinent to an indicator or OSINT analysis.",
+ "requirement": "optional",
+ "type": "email_auth"
+ },
+ "kill_chain": {
+ "caption": "Kill Chain",
+ "description": "Lockheed Martin Kill Chain Phases pertinent to an indicator or OSINT analysis.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "kill_chain_phase"
+ },
+ "location": {
+ "caption": "Geo Location",
+ "description": "Any pertinent geolocation information related to an indicator or OSINT analysis.",
+ "observable": 26,
+ "requirement": "optional",
+ "type": "location"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The name of the entity.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "signatures": {
+ "caption": "Related Digital Signatures",
+ "description": "Any digital signatures or hashes related to an indicator or OSINT analysis.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "digital_signature"
+ },
+ "src_url": {
+ "caption": "Source URL",
+ "description": "The source URL of an indicator or OSINT analysis, e.g., a URL back to a TIP, report, or otherwise.",
+ "observable": 6,
+ "requirement": "optional",
+ "type": "url_t"
+ },
+ "subdomains": {
+ "caption": "Related Subdomains",
+ "description": "Any pertinent subdomain information - such as those generated by a Domain Generation Algorithm - related to an indicator or OSINT analysis.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "tlp": {
+ "caption": "Traffic Light Protocol",
+ "description": "The Traffic Light Protocol was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. TLP provides a simple and intuitive schema for indicating with whom potentially sensitive information can be shared.",
+ "enum": {
+ "AMBER": {
+ "caption": "TLP:AMBER",
+ "description": "TLP:AMBER is for limited disclosure, recipients can only spread this on a need-to-know basis within their organization and its clients. Note that TLP:AMBER+STRICT restricts sharing to the organization only. Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risk to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may share TLP:AMBER information with members of their own organization and its clients, but only on a need-to-know basis to protect their organization and its clients and prevent further harm. Note: if the source wants to restrict sharing to the organization only, they must specify TLP:AMBER+STRICT."
+ },
+ "AMBER STRICT": {
+ "caption": "TLP:AMBER+STRICT",
+ "description": "TLP:AMBER is for limited disclosure, recipients can only spread this on a need-to-know basis within their organization and its clients. Note that TLP:AMBER+STRICT restricts sharing to the organization only. Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risk to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may share TLP:AMBER information with members of their own organization and its clients, but only on a need-to-know basis to protect their organization and its clients and prevent further harm. Note: if the source wants to restrict sharing to the organization only, they must specify TLP:AMBER+STRICT."
+ },
+ "CLEAR": {
+ "caption": "TLP:CLEAR",
+ "description": "TLP:CLEAR denotes that recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction."
+ },
+ "GREEN": {
+ "caption": "TLP:GREEN",
+ "description": "TLP:GREEN is for limited disclosure, recipients can spread this within their community. Sources may use TLP:GREEN when information is useful to increase awareness within their wider community. Recipients may share TLP:GREEN information with peers and partner organizations within their community, but not via publicly accessible channels. TLP:GREEN information may not be shared outside of the community. Note: when \u201ccommunity\u201d is not defined, assume the cybersecurity/defense community."
+ },
+ "RED": {
+ "caption": "TLP:RED",
+ "description": "TLP:RED is for the eyes and ears of individual recipients only, no further disclosure. Sources may use TLP:RED when information cannot be effectively acted upon without significant risk for the privacy, reputation, or operations of the organizations involved. Recipients may therefore not share TLP:RED information with anyone else. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting."
+ }
+ },
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "type": {
+ "caption": "Type",
+ "description": "The OSINT indicator type.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_id": {
+ "caption": "Indicator Type ID",
+ "description": "The OSINT indicator type ID.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The indicator type is ambiguous or there is not a related indicator for the OSINT object."
+ },
+ "1": {
+ "caption": "IP Address",
+ "description": "An IPv4 or IPv6 address."
+ },
+ "10": {
+ "caption": "Vulnerability",
+ "description": "A CVE ID, CWE ID, or other identifier for a weakness, exploit, bug, or misconfiguration."
+ },
+ "2": {
+ "caption": "Domain",
+ "description": "A full-qualified domain name (FQDN), subdomain, or partial domain."
+ },
+ "3": {
+ "caption": "Hostname",
+ "description": "A hostname or computer name."
+ },
+ "4": {
+ "caption": "Hash",
+ "description": "Any type of hash e.g., MD5, SHA1, SHA2, BLAKE, BLAKE2, etc. generated from a file, malware sample, request header, or otherwise."
+ },
+ "5": {
+ "caption": "URL",
+ "description": "A Uniform Resource Locator (URL) or Uniform Resource Indicator (URI)."
+ },
+ "6": {
+ "caption": "User Agent",
+ "description": "A User Agent typically seen in HTTP request headers."
+ },
+ "7": {
+ "caption": "Digital Certificate",
+ "description": "The serial number, fingerprint, or full content of an X.509 digital certificate."
+ },
+ "8": {
+ "caption": "Email",
+ "description": "The contents of an email or any related information to an email object."
+ },
+ "9": {
+ "caption": "Email Address",
+ "description": "An email address."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The indicator type is not directly listed."
+ }
+ },
+ "requirement": "required",
+ "sibling": "type",
+ "type": "integer_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the entity.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "value": {
+ "caption": "Indicator",
+ "description": "The actual indicator value in scope, e.g., a SHA-256 hash hexdigest or a domain name.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "vendor_name": {
+ "caption": "Vendor Name",
+ "description": "The vendor name of a tool which generates intelligence or provides indicators.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "vulnerabilities": {
+ "caption": "Related Vulnerabilities",
+ "description": "Any vulnerabilities related to an indicator or OSINT analysis.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "vulnerability"
+ },
+ "whois": {
+ "caption": "WHOIS",
+ "description": "Any pertinent WHOIS information related to an indicator or OSINT analysis.",
+ "requirement": "optional",
+ "type": "whois"
+ }
+ },
+ "caption": "OSINT",
+ "constraints": {
+ "at_least_one": [
+ "name",
+ "uid"
+ ]
+ },
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "extends": "_entity",
+ "name": "osint"
+ },
"package": {
"attributes": {
"architecture": {
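Review bot: The `AMBER STRICT` entry of the `tlp` enum repeats the `AMBER` description word for word, including the sentence that allows sharing with the organization's clients, which is the one thing TLP:AMBER+STRICT rules out. Sharing markings decide how threat intelligence is redistributed, so the entry should state the restriction directly, for example `"description": "TLP:AMBER+STRICT is for limited disclosure, recipients can only spread this on a need-to-know basis within their organization."`. In the same object `confidence_id` has no `"sibling": "confidence"`, although `confidence` is described as normalized to its caption and `type_id` does declare its sibling.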
@@ -44161,12 +49966,25 @@
"requirement": "recommended",
"type": "string_t"
},
+ "cpe_name": {
+ "caption": "The product CPE identifier",
+ "description": "The Common Platform Enumeration (CPE) name as described by (NIST) For example: cpe:/a:apple:safari:16.2
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
"epoch": {
"caption": "Epoch",
"description": "The software package epoch. Epoch is a way to define weighted dependencies based on version numbers.",
"requirement": "optional",
"type": "integer_t"
},
+ "hash": {
+ "caption": "Hash",
+ "description": "Cryptographic hash to identify the binary instance of a software component. This can include any component such file, package, or library.",
+ "observable": 30,
+ "requirement": "optional",
+ "type": "fingerprint"
+ },
"license": {
"caption": "Software License",
"description": "The software license applied to this package.",
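Review bot: The new `cpe_name` description in the package object gives its example in the older CPE 2.2 URI form (`cpe:/a:apple:safari:16.2`) and never says which binding producers must emit, so the same package can arrive in two spellings and may fail to join against vulnerability data keyed on the other one. State the expected binding in the description, for example `in CPE 2.3 formatted-string form, e.g. cpe:2.3:a:apple:safari:16.2:*:*:*:*:*:*:*` if 2.3 is what is intended. The caption is written as a sentence where the sibling attributes use a short label, so `"caption": "CPE Name"` would fit better. In the new `hash` description, `such file` should read `such as a file`.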
@@ -44205,6 +50023,37 @@
"requirement": "optional",
"type": "string_t"
},
+ "type": {
+ "caption": "Type",
+ "description": "The type of software package, normalized to the caption of the type_id value. In the case of 'Other', it is defined by the source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_id": {
+ "caption": "Type ID",
+ "description": "The type of software package.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The type is unknown."
+ },
+ "1": {
+ "caption": "Application",
+ "description": "An application software package."
+ },
+ "2": {
+ "caption": "Operating System",
+ "description": "An operating system software package."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The type is not mapped. See the type
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "type",
+ "type": "integer_t"
+ },
"unmapped": {
"caption": "Unmapped Data",
"description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
@@ -44212,6 +50061,12 @@
"requirement": "optional",
"type": "unmapped"
},
+ "vendor_name": {
+ "caption": "Vendor Name",
+ "description": "The name of the vendor who published the software package.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
"version": {
"caption": "Version",
"description": "The software package version.",
@@ -44322,7 +50177,7 @@
"is_applied": {
"caption": "Applied",
"description": "A determination if the content of a policy was applied to a target or request, or not.",
- "requirement": "optional",
+ "requirement": "recommended",
"type": "boolean_t"
},
"label": {
@@ -44567,7 +50422,7 @@
},
"integrity": {
"caption": "Integrity",
- "description": "The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only).",
+ "description": "The process integrity level, normalized to the caption of the integrity_id value. In the case of 'Other', it is defined by the event source (Windows only).",
"requirement": "optional",
"sibling": "integrity",
"type": "string_t"
@@ -44577,7 +50432,8 @@
"description": "The normalized identifier of the process integrity level (Windows only).",
"enum": {
"0": {
- "caption": "Unknown"
+ "caption": "Unknown",
+ "description": "The integrity level is unknown."
},
"1": {
"caption": "Untrusted"
@@ -44598,7 +50454,8 @@
"caption": "Protected"
},
"99": {
- "caption": "Other"
+ "caption": "Other",
+ "description": "The integrity level is not mapped. See the integrity
attribute, which contains a data source specific value."
}
},
"requirement": "optional",
@@ -44899,10 +50756,6 @@
"name": "query_info"
},
"reg_key": {
- "@deprecated": {
- "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
- "since": "1.1.0"
- },
"attributes": {
"is_system": {
"caption": "System",
@@ -44920,7 +50773,7 @@
"caption": "Path",
"description": "The full path to the registry key.",
"requirement": "required",
- "type": "path_t"
+ "type": "string_t"
},
"raw_data": {
"caption": "Raw Data",
@@ -44951,17 +50804,13 @@
}
},
"caption": "Registry Key",
- "description": "The registry key object describes a Windows registry key.",
+ "description": "The registry key object describes a Windows registry key. Defined by D3FEND d3f:WindowsRegistryKey.",
"extends": "object",
"extension": "windows",
- "name": "registry_key",
+ "name": "reg_key",
"observable": 28
},
"reg_value": {
- "@deprecated": {
- "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
- "since": "1.1.0"
- },
"attributes": {
"data": {
"caption": "Data",
@@ -44997,7 +50846,7 @@
"caption": "Path",
"description": "The full path to the registry key, where the value is located.",
"requirement": "required",
- "type": "path_t"
+ "type": "string_t"
},
"raw_data": {
"caption": "Raw Data",
@@ -45021,13 +50870,8 @@
},
"type_id": {
"caption": "Type ID",
- "default": 0,
"description": "The value type ID.",
"enum": {
- "-1": {
- "caption": "Other",
- "description": "The type is not mapped. See the type
attribute, which may contain a data source specific value."
- },
"0": {
"caption": "Unknown",
"description": "The type is unknown."
@@ -45083,177 +50927,9 @@
"description": "The registry value object describes a Windows registry value.",
"extends": "object",
"extension": "windows",
- "name": "registry_value",
+ "name": "reg_value",
"observable": 29
},
- "registry_key": {
- "@deprecated": {
- "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
- "since": "1.1.0"
- },
- "attributes": {
- "is_system": {
- "caption": "System",
- "description": "The indication of whether the object is part of the operating system.",
- "requirement": "optional",
- "type": "boolean_t"
- },
- "modified_time": {
- "caption": "Modified Time",
- "description": "The time when the registry key was last modified.",
- "requirement": "optional",
- "type": "timestamp_t"
- },
- "path": {
- "caption": "Path",
- "description": "The full path to the registry key.",
- "requirement": "required",
- "type": "path_t"
- },
- "raw_data": {
- "caption": "Raw Data",
- "description": "The event data as received from the event source.",
- "group": "context",
- "requirement": "optional",
- "type": "json_t"
- },
- "record_id": {
- "caption": "Record ID",
- "description": "Unique identifier for the object",
- "group": "primary",
- "requirement": "required",
- "type": "string_t"
- },
- "security_descriptor": {
- "caption": "Security Descriptor",
- "description": "The security descriptor of the registry key.",
- "requirement": "optional",
- "type": "string_t"
- }
- },
- "caption": "Registry Key",
- "description": "The registry key object describes a Windows registry key.",
- "name": "registry_key"
- },
- "registry_value": {
- "@deprecated": {
- "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
- "since": "1.1.0"
- },
- "attributes": {
- "data": {
- "caption": "Data",
- "description": "The data of the registry value.",
- "requirement": "optional",
- "type": "json_t"
- },
- "is_default": {
- "caption": "Default Value",
- "description": "The indication of whether the value is from a default value name. For example, the value name could be missing.",
- "requirement": "optional",
- "type": "boolean_t"
- },
- "is_system": {
- "caption": "System",
- "description": "The indication of whether the object is part of the operating system.",
- "requirement": "optional",
- "type": "boolean_t"
- },
- "modified_time": {
- "caption": "Modified Time",
- "description": "The time when the registry value was last modified.",
- "requirement": "optional",
- "type": "timestamp_t"
- },
- "name": {
- "caption": "Name",
- "description": "The name of the registry value.",
- "requirement": "required",
- "type": "string_t"
- },
- "path": {
- "caption": "Path",
- "description": "The full path to the registry key, where the value is located.",
- "requirement": "required",
- "type": "path_t"
- },
- "raw_data": {
- "caption": "Raw Data",
- "description": "The event data as received from the event source.",
- "group": "context",
- "requirement": "optional",
- "type": "json_t"
- },
- "record_id": {
- "caption": "Record ID",
- "description": "Unique identifier for the object",
- "group": "primary",
- "requirement": "required",
- "type": "string_t"
- },
- "type": {
- "caption": "Type",
- "description": "A string representation of the value type as specified in Registry Value Types.",
- "requirement": "optional",
- "type": "string_t"
- },
- "type_id": {
- "caption": "Type ID",
- "default": 0,
- "description": "The value type ID.",
- "enum": {
- "-1": {
- "caption": "Other",
- "description": "The type is not mapped. See the type
attribute, which may contain a data source specific value."
- },
- "0": {
- "caption": "Unknown",
- "description": "The type is unknown."
- },
- "1": {
- "caption": "REG_BINARY"
- },
- "10": {
- "caption": "REG_SZ"
- },
- "2": {
- "caption": "REG_DWORD"
- },
- "3": {
- "caption": "REG_DWORD_BIG_ENDIAN"
- },
- "4": {
- "caption": "REG_EXPAND_SZ"
- },
- "5": {
- "caption": "REG_LINK"
- },
- "6": {
- "caption": "REG_MULTI_SZ"
- },
- "7": {
- "caption": "REG_NONE"
- },
- "8": {
- "caption": "REG_QWORD"
- },
- "9": {
- "caption": "REG_QWORD_LITTLE_ENDIAN"
- },
- "99": {
- "caption": "Other",
- "description": "The type is not mapped. See the type
attribute, which contains a data source specific value."
- }
- },
- "requirement": "recommended",
- "sibling": "type",
- "type": "integer_t"
- }
- },
- "caption": "Registry Value",
- "description": "The registry value object describes a Windows registry value.",
- "name": "registry_value"
- },
"related_event": {
"attributes": {
"attacks": {
@@ -45769,7 +51445,7 @@
"name": {
"caption": "Name",
"description": "The name of the resource.",
- "requirement": "optional",
+ "requirement": "recommended",
"type": "string_t"
},
"namespace": {
@@ -45815,7 +51491,7 @@
"uid": {
"caption": "Unique ID",
"description": "The unique identifier of the resource.",
- "requirement": "optional",
+ "requirement": "recommended",
"type": "string_t"
},
"unmapped": {
@@ -46310,7 +51986,7 @@
"description": "The security state is not mapped. See the state
attribute, which contains data source specific values."
}
},
- "requirement": "optional",
+ "requirement": "recommended",
"sibling": "state",
"type": "integer_t"
},
@@ -46441,6 +52117,10 @@
"7": {
"caption": "Paused",
"description": "The service is paused."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The run state is not mapped. See the run_state
attribute, which contains a data source specific value."
}
},
"requirement": "required",
@@ -46633,6 +52313,7 @@
"credential_uid": {
"caption": "User Credential ID",
"description": "The unique identifier of the user's credential. For example, AWS Access Key ID.",
+ "observable": 19,
"requirement": "optional",
"type": "string_t"
},
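Review bot: Marking `credential_uid` as `"observable": 19` surfaces the value as an observable, yet the description still only says "For example, AWS Access Key ID" and never states that secret material is out of scope. Observables are typically extracted and indexed more widely than their parent object, so I would add a sentence to the description such as `Only the credential identifier belongs here, never the secret key, token or password.` The same addition applies to the identical `credential_uid` change in the later hunk at `@@ -48222,6 +54128,7 @@`. The enclosing objects start outside both hunks, so which objects carry the attribute is not visible here.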
@@ -46737,7 +52418,7 @@
"attributes": {
"name": {
"caption": "Name",
- "description": "The name of the attack sub technique, as defined by ATT&CK MatrixTM. For example: Scanning IP Blocks
.",
+ "description": "The name of the attack sub technique, as defined by ATT&CK\u00ae Matrix. For example: Scanning IP Blocks
.",
"requirement": "optional",
"type": "string_t"
},
@@ -46757,14 +52438,14 @@
},
"src_url": {
"caption": "Source URL",
- "description": "The versioned permalink of the attack sub technique, as defined by ATT&CK MatrixTM. For example: https://attack.mitre.org/versions/v14/techniques/T1595/001/
.",
+ "description": "The versioned permalink of the attack sub technique, as defined by ATT&CK\u00ae Matrix. For example: https://attack.mitre.org/versions/v14/techniques/T1595/001/
.",
"observable": 6,
"requirement": "optional",
"type": "url_t"
},
"uid": {
"caption": "Unique ID",
- "description": "The unique identifier of the attack sub technique, as defined by ATT&CK MatrixTM. For example: T1595.001
.",
+ "description": "The unique identifier of the attack sub technique, as defined by ATT&CK\u00ae Matrix. For example: T1595.001
.",
"requirement": "recommended",
"type": "string_t"
},
@@ -46776,14 +52457,14 @@
"type": "unmapped"
}
},
- "caption": "Sub Technique",
+ "caption": "MITRE ATT&CK\u00ae Sub Technique",
"constraints": {
"at_least_one": [
"name",
"uid"
]
},
- "description": "The Sub Technique object describes the sub technique ID and/or name associated to an attack, as defined by ATT&CK MatrixTM.",
+ "description": "The MITRE ATT&CK\u00ae Sub Technique object describes the sub technique ID and/or name associated to an attack, as defined by ATT&CK\u00ae Matrix.",
"extends": "_entity",
"name": "sub_technique"
},
@@ -46869,7 +52550,7 @@
"attributes": {
"name": {
"caption": "Name",
- "description": "The tactic name that is associated with the attack technique, as defined by ATT&CK MatrixTM. For example: Reconnaissance
.",
+ "description": "The tactic name that is associated with the attack technique, as defined by ATT&CK\u00ae Matrix. For example: Reconnaissance
.",
"requirement": "optional",
"type": "string_t"
},
@@ -46889,14 +52570,14 @@
},
"src_url": {
"caption": "Source URL",
- "description": "The versioned permalink of the attack tactic, as defined by ATT&CK MatrixTM. For example: https://attack.mitre.org/versions/v14/tactics/TA0043/
.",
+ "description": "The versioned permalink of the attack tactic, as defined by ATT&CK\u00ae Matrix. For example: https://attack.mitre.org/versions/v14/tactics/TA0043/
.",
"observable": 6,
"requirement": "optional",
"type": "url_t"
},
"uid": {
"caption": "Unique ID",
- "description": "The tactic ID that is associated with the attack technique, as defined by ATT&CK MatrixTM. For example: TA0043
.",
+ "description": "The tactic ID that is associated with the attack technique, as defined by ATT&CK\u00ae Matrix. For example: TA0043
.",
"requirement": "recommended",
"type": "string_t"
},
@@ -46908,14 +52589,14 @@
"type": "unmapped"
}
},
- "caption": "Tactic",
+ "caption": "MITRE ATT&CK\u00ae Tactic",
"constraints": {
"at_least_one": [
"name",
"uid"
]
},
- "description": "The Tactic object describes the tactic ID and/or name that is associated to an attack, as defined by ATT&CK MatrixTM.",
+ "description": "The MITRE ATT&CK\u00ae Tactic object describes the tactic ID and/or name that is associated to an attack, as defined by ATT&CK\u00ae Matrix.",
"extends": "_entity",
"name": "tactic"
},
@@ -46923,7 +52604,7 @@
"attributes": {
"name": {
"caption": "Name",
- "description": "The name of the attack technique, as defined by ATT&CK MatrixTM. For example: Active Scanning
.",
+ "description": "The name of the attack technique, as defined by ATT&CK\u00ae Matrix. For example: Active Scanning
.",
"requirement": "recommended",
"type": "string_t"
},
@@ -46943,14 +52624,14 @@
},
"src_url": {
"caption": "Source URL",
- "description": "The versioned permalink of the attack technique, as defined by ATT&CK MatrixTM. For example: https://attack.mitre.org/versions/v14/techniques/T1595/
.",
+ "description": "The versioned permalink of the attack technique, as defined by ATT&CK\u00ae Matrix. For example: https://attack.mitre.org/versions/v14/techniques/T1595/
.",
"observable": 6,
"requirement": "optional",
"type": "url_t"
},
"uid": {
"caption": "Unique ID",
- "description": "The unique identifier of the attack technique, as defined by ATT&CK MatrixTM. For example: T1595
.",
+ "description": "The unique identifier of the attack technique, as defined by ATT&CK\u00ae Matrix. For example: T1595
.",
"requirement": "recommended",
"type": "string_t"
},
@@ -46962,14 +52643,14 @@
"type": "unmapped"
}
},
- "caption": "Technique",
+ "caption": "MITRE ATT&CK\u00ae Technique",
"constraints": {
"at_least_one": [
"name",
"uid"
]
},
- "description": "The Technique object describes the technique ID and/or name associated to an attack, as defined by ATT&CK MatrixTM.",
+ "description": "The MITRE ATT&CK\u00ae Technique object describes the technique ID and/or name associated to an attack, as defined by ATT&CK\u00ae Matrix.",
"extends": "_entity",
"name": "technique"
},
@@ -47051,6 +52732,225 @@
"extension": "query",
"name": "threat_intelligence"
},
+ "ticket": {
+ "attributes": {
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "src_url": {
+ "caption": "Source URL",
+ "description": "The url of a ticket in the ticket system.",
+ "observable": 6,
+ "requirement": "recommended",
+ "type": "url_t"
+ },
+ "title": {
+ "caption": "Title",
+ "description": "The title of the ticket.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type": {
+ "caption": "Ticket Type",
+ "description": "The linked ticket type determines whether the ticket is internal or in an external ticketing system.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_id": {
+ "caption": "Ticket Type ID",
+ "description": "The normalized identifier for the ticket type.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The type is unknown."
+ },
+ "1": {
+ "caption": "Internal"
+ },
+ "2": {
+ "caption": "External"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The type is not mapped. See the type
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "optional",
+ "sibling": "type",
+ "type": "integer_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "Unique ticket identifier like ticket id.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Ticket",
+ "constraints": {
+ "at_least_one": [
+ "src_url",
+ "uid"
+ ]
+ },
+ "description": "The Ticket object represents ticket in the customer's systems like Salesforce, jira etc.",
+ "extends": "object",
+ "name": "ticket"
+ },
+ "timespan": {
+ "attributes": {
+ "duration": {
+ "caption": "Duration Milliseconds",
+ "description": "The duration of the time span in milliseconds.",
+ "requirement": "recommended",
+ "type": "long_t"
+ },
+ "duration_days": {
+ "caption": "Duration Days",
+ "description": "The duration of the time span in days.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "duration_hours": {
+ "caption": "Duration Hours",
+ "description": "The duration of the time span in hours.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "duration_mins": {
+ "caption": "Duration Minutes",
+ "description": "The duration of the time span in minutes.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "duration_months": {
+ "caption": "Duration Months",
+ "description": "The duration of the time span in months.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "duration_secs": {
+ "caption": "Duration Seconds",
+ "description": "The duration of the time span in seconds.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "duration_weeks": {
+ "caption": "Duration Weeks",
+ "description": "The duration of the time span in weeks.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "duration_years": {
+ "caption": "Duration Years",
+ "description": "The duration of the time span in years.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "type": {
+ "caption": "Time Span Type",
+ "description": "The type of time span duration the object represents.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_id": {
+ "caption": "Time Span Type ID",
+ "description": "The normalized identifier for the time span duration type.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The type is unknown."
+ },
+ "1": {
+ "caption": "Milliseconds"
+ },
+ "2": {
+ "caption": "Seconds"
+ },
+ "3": {
+ "caption": "Minutes"
+ },
+ "4": {
+ "caption": "Hours"
+ },
+ "5": {
+ "caption": "Days"
+ },
+ "6": {
+ "caption": "Weeks"
+ },
+ "7": {
+ "caption": "Months"
+ },
+ "8": {
+ "caption": "Years"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The type is not mapped. See the type
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "type",
+ "type": "integer_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Time Span",
+ "constraints": {
+ "at_least_one": [
+ "duration",
+ "duration_days",
+ "duration_hours",
+ "duration_mins",
+ "duration_months",
+ "duration_secs",
+ "duration_weeks",
+ "duration_years"
+ ]
+ },
+ "description": "The Time Span object represents different time period durations. If a timespan is fractional, i.e. crosses one period, e.g. a week and 3 days, more than one may may be populated since each member is of integral type. In that case type_id
if present should be set to Other
.",
+ "extends": "object",
+ "name": "timespan"
+ },
"tls": {
"attributes": {
"alert": {
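Review bot: The new `timespan` object does not say how its `duration*` members combine, and its description contains a doubled word (`may may`). The text implies the integer members are additive for a fractional span ("a week and 3 days"), but `duration` in milliseconds could equally hold the whole span, so a consumer computing a retention or lookback window cannot tell whether to sum the fields or treat them as alternatives. I would state the rule in the description, for example `When more than one duration attribute is populated the values are additive.`, or the opposite if that is the intent, and say how `duration_months` and `duration_years` are to be interpreted given that neither has a fixed length. In the `ticket` object added by the same hunk, the `Internal` and `External` entries of `type_id` have no description.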
@@ -47687,6 +53587,12 @@
"sibling": "categories",
"type": "integer_t"
},
+ "domain": {
+ "caption": "Domain",
+ "description": "The domain portion of the URL. For example: example.com
in https://sub.example.com
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
"hostname": {
"caption": "Hostname",
"description": "The URL host as extracted from the URL. For example: www.example.com
from www.example.com/download/trouble
.",
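Review bot: The added `domain` description leaves "the domain portion of the URL" undefined. Its example (`example.com` in `https://sub.example.com`) suggests the registrable domain, which cannot be derived by simple string splitting for suffixes such as `co.uk`. Producers that derive it differently will emit different values for the same URL, which weakens any detection or enrichment that joins on this field. I would spell the rule out, for example `The registrable domain (public suffix plus one label) of the URL host.` The enclosing object, apparently the URL object, starts outside the hunk.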
@@ -48222,6 +54128,7 @@
"credential_uid": {
"caption": "User Credential ID",
"description": "The unique identifier of the user's credential. For example, AWS Access Key ID.",
+ "observable": 19,
"requirement": "optional",
"type": "string_t"
},
@@ -48258,6 +54165,12 @@
"requirement": "optional",
"type": "group"
},
+ "has_mfa": {
+ "caption": "MFA Assigned",
+ "description": "The user has a multi-factor or secondary-factor device assigned.",
+ "requirement": "recommended",
+ "type": "boolean_t"
+ },
"last_login_time": {
"caption": "Last Login",
"description": "The last time when the user logged in.",
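Review bot: `has_mfa` is described only as "a multi-factor or secondary-factor device assigned", which is weaker than the name suggests, and nothing says what an absent value means. An assigned device does not show that MFA is enforced for the account or was used in a given login, and because the attribute is `recommended` rather than `required` a missing field is easy to read as `false`. I would extend the description, for example `Indicates enrollment only, not that MFA is enforced or was used; omit the attribute when the enrollment state is unknown.`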
@@ -48293,6 +54206,12 @@
"requirement": "optional",
"type": "string_t"
},
+ "phone_number": {
+ "caption": "Telephone Number",
+ "description": "The telephone number of the user.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
"raw_data": {
"caption": "Raw Data",
"description": "The event data as received from the event source.",
@@ -48309,7 +54228,7 @@
},
"risk_level": {
"caption": "Risk Level",
- "description": "The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source.",
+ "description": "The risk level, normalized to the caption of the risk_level_id value.",
"requirement": "optional",
"type": "string_t"
},
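Review bot: The `risk_level` description and the `Other` entry added in the next hunk (`@@ -48331,6 +54250,10 @@`) contradict each other. The new `99` entry sends readers to `risk_level` for "a data source specific value", while this hunk removes the sentence saying exactly that from the `risk_level` description, leaving it as only the normalized caption. Either keep the removed sentence, `In the case of 'Other', it is defined by the event source.`, or drop the cross-reference from the new enum entry. That the enum belongs to the sibling `risk_level_id` is inferred, since its attribute header lies outside the hunk.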
@@ -48331,6 +54250,10 @@
},
"4": {
"caption": "Critical"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The risk level is not mapped. See the risk_level
attribute, which contains a data source specific value."
}
},
"requirement": "optional",
@@ -48403,6 +54326,7 @@
"uid": {
"caption": "Unique ID",
"description": "The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.",
+ "observable": 31,
"requirement": "recommended",
"type": "string_t"
},
@@ -48663,7 +54587,7 @@
"name": {
"caption": "Name",
"description": "The name of the web resource.",
- "requirement": "optional",
+ "requirement": "recommended",
"type": "string_t"
},
"raw_data": {
@@ -48689,7 +54613,7 @@
"uid": {
"caption": "Unique ID",
"description": "The unique identifier of the web resource.",
- "requirement": "optional",
+ "requirement": "recommended",
"type": "string_t"
},
"unmapped": {
@@ -48721,6 +54645,143 @@
"data_classification"
]
},
+ "whois": {
+ "attributes": {
+ "autonomous_system": {
+ "caption": "Autonomous System",
+ "description": "The autonomous system information associated with a domain.",
+ "requirement": "optional",
+ "type": "autonomous_system"
+ },
+ "created_time": {
+ "caption": "Registered At",
+ "description": "When the domain was registered or WHOIS entry was created.",
+ "requirement": "recommended",
+ "type": "timestamp_t"
+ },
+ "dnssec_status": {
+ "caption": "DNSSEC Status",
+ "description": "The normalized value of dnssec_status_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "dnssec_status_id": {
+ "caption": "DNSSEC Status ID",
+ "description": "Describes the normalized status of DNS Security Extensions (DNSSEC) for a domain.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The disposition is unknown."
+ },
+ "1": {
+ "caption": "Signed",
+ "description": "The related domain enables the signing of DNS records using DNSSEC."
+ },
+ "2": {
+ "caption": "Unsigned",
+ "description": "The related domain does not enable the signing of DNS records using DNSSEC."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The DNSSEC status is not mapped. See the dnssec_status
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "dnssec_status",
+ "type": "integer_t"
+ },
+ "domain": {
+ "caption": "Domain",
+ "description": "The name of the domain.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "domain_contacts": {
+ "caption": "Domain Contacts",
+ "description": "An array of Domain Contact
objects.",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "domain_contact"
+ },
+ "email_addr": {
+ "caption": "Registrar Abuse Email Address",
+ "description": "The email address for the registrar's abuse contact",
+ "observable": 5,
+ "requirement": "optional",
+ "type": "email_t"
+ },
+ "last_seen_time": {
+ "caption": "Last Updated At",
+ "description": "When the WHOIS record was last updated or seen at.",
+ "requirement": "recommended",
+ "type": "timestamp_t"
+ },
+ "name_servers": {
+ "caption": "Name Servers",
+ "description": "A collection of name servers related to a domain registration or other record.",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "phone_number": {
+ "caption": "Registrar Abuse Phone Number",
+ "description": "The phone number for the registrar's abuse contact",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "registrar": {
+ "caption": "Domain Registrar",
+ "description": "The domain registrar.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status": {
+ "caption": "Domain Status",
+ "description": "The status of a domain and its ability to be transferred, e.g., clientTransferProhibited
.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "subdomains": {
+ "caption": "Subdomains",
+ "description": "An array of subdomain strings. Can be used to collect several subdomains such as those from Domain Generation Algorithms (DGAs).",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "subnet": {
+ "caption": "Subnet Block",
+ "description": "The IP address block (CIDR) associated with a domain.",
+ "observable": 12,
+ "requirement": "optional",
+ "type": "subnet_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "WHOIS",
+ "description": "The resources of a WHOIS record for a given domain. This can include domain names, IP address blocks, autonomous system information, and/or contact and registration information for a domain.",
+ "extends": "object",
+ "name": "whois"
+ },
"win_resource": {
"attributes": {
"data": {
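Review bot: In the new `whois` object, the `0`/`Unknown` entry of `dnssec_status_id` says `The disposition is unknown.`, which looks copied from another enum; it should read `The DNSSEC status is unknown.` Separately, `domain` and `name_servers` are plain `string_t` with no `observable`, while `email_addr` and `subnet` in the same object are observables, so the values an analyst most often pivots on in a WHOIS record would not be extracted. If that is unintended, give them a host-name type that carries an observable, assuming the schema defines one. The two registrar abuse contact descriptions also lack the closing period that the other descriptions have.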
@@ -48752,7 +54813,7 @@
"name": {
"caption": "Name",
"description": "The name of the resource object.",
- "requirement": "optional",
+ "requirement": "recommended",
"type": "string_t"
},
"raw_data": {
@@ -48912,7 +54973,7 @@
"uid": {
"caption": "Unique ID",
"description": "The Windows provided handle identifier for the resource object",
- "requirement": "optional",
+ "requirement": "recommended",
"type": "string_t"
},
"unmapped": {
@@ -48937,6 +54998,476 @@
"profiles": [
"data_classification"
]
+ },
+ "win_service": {
+ "attributes": {
+ "cmd_line": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Command Line",
+ "description": "The full command line used to launch the service.",
+ "observable": 13,
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "file": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "File",
+ "description": "The service file object.",
+ "observable": 24,
+ "requirement": "required",
+ "type": "file"
+ },
+ "labels": {
+ "caption": "Labels",
+ "description": "The list of labels associated with the service.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "load_order_group": {
+ "caption": "Load Order Group",
+ "description": "The name of the load ordering group of which this service is a member.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "loaded_module_name": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Loaded Module",
+ "description": "The name of the module loaded by the service.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The unique name of the service.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "run_state": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Run State",
+ "description": "The service run state.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "run_state_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Run State ID",
+ "description": "The service run state ID.",
+ "enum": {
+ "-1": {
+ "caption": "Other",
+ "description": "The service run state is other."
+ },
+ "0": {
+ "caption": "Unknown",
+ "description": "The service run state is unknown."
+ },
+ "1": {
+ "caption": "Stopped",
+ "description": "The service is not running."
+ },
+ "2": {
+ "caption": "Start Pending",
+ "description": "The service is starting."
+ },
+ "3": {
+ "caption": "Stop Pending",
+ "description": "The service is stopping."
+ },
+ "4": {
+ "caption": "Running",
+ "description": "The service is running."
+ },
+ "5": {
+ "caption": "Continue Pending",
+ "description": "The service continue is pending."
+ },
+ "6": {
+ "caption": "Pause Pending",
+ "description": "The service pause is pending."
+ },
+ "7": {
+ "caption": "Paused",
+ "description": "The service is paused."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The run state is not mapped. See the run_state
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "run_state",
+ "type": "integer_t"
+ },
+ "service_category": {
+ "caption": "Service Category",
+ "description": "The service category, normalized to the caption of the service_category_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "service_category_id": {
+ "caption": "Service Category ID",
+ "description": "The normalized identifier of the service category.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The service category is unknown."
+ },
+ "1": {
+ "caption": "Kernel Mode",
+ "description": "A kernel mode driver."
+ },
+ "2": {
+ "caption": "User Mode",
+ "description": "A user mode service."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The service category is not mapped. See the service_category
attribute, which contains an event source specific value."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "service_category",
+ "type": "integer_t"
+ },
+ "service_dependencies": {
+ "caption": "Service Dependencies",
+ "description": "The names of other services upon which this service has a dependency.",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "service_error_control": {
+ "caption": "Service Error Control",
+ "description": "The service error control, normalized to the caption of the service_error_control_id
value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "service_error_control_id": {
+ "caption": "Service Error Control ID",
+ "description": "The normalized identifier of the service error control.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The service error control is unknown."
+ },
+ "1": {
+ "caption": "Ignore",
+ "description": "The startup program ignores the error and continues the startup operation."
+ },
+ "2": {
+ "caption": "Normal",
+ "description": "The startup program logs the error in the event log but continues the startup operation."
+ },
+ "3": {
+ "caption": "Severe",
+ "description": "The startup program logs the error in the event log. If the last-known-good configuration is being started, the startup operation continues. Otherwise, the system is restarted with the last-known-good configuration."
+ },
+ "4": {
+ "caption": "Critical",
+ "description": "The startup program logs the error in the event log, if possible. If the last-known-good configuration is being started, the startup operation fails. Otherwise, the system is restarted with the last-known good configuration."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The service error control is not mapped. See the service_error_control
attribute, which contains an event source specific value."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "service_error_control",
+ "type": "integer_t"
+ },
+ "service_start_name": {
+ "caption": "Service Start Name",
+ "description": "For a user mode service, this attribute represents the name of the account under which the service is run. For a kernel mode driver, this attribute represents the object name used to load the driver.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "service_start_type": {
+ "caption": "Service Start Type",
+ "description": "The service start type, normalized to the caption of the service_start_type_id
value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "service_start_type_id": {
+ "caption": "Service Start Type ID",
+ "description": "The normalized identifier of the service start type.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The service start type is unknown."
+ },
+ "1": {
+ "caption": "Boot",
+ "description": "A kernel mode driver loaded at boot."
+ },
+ "2": {
+ "caption": "System",
+ "description": "A kernel mode driver loaded during system startup."
+ },
+ "3": {
+ "caption": "Auto",
+ "description": "A user mode service started automatically during system startup."
+ },
+ "4": {
+ "caption": "Demand",
+ "description": "A user mode service started on demand when a process calls StartService
."
+ },
+ "5": {
+ "caption": "Disabled",
+ "description": "A driver or service that cannot be started."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The service start type is not mapped. See the service_start_type
attribute, which contains an event source specific value."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "service_start_type",
+ "type": "integer_t"
+ },
+ "service_type": {
+ "caption": "Service Type",
+ "description": "The service type, normalized to the caption of the service_type_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "service_type_id": {
+ "caption": "Service Type ID",
+ "description": "The normalized identifier of the service type.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The service type is unknown."
+ },
+ "1": {
+ "caption": "Kernel Driver",
+ "description": "A kernel mode driver."
+ },
+ "2": {
+ "caption": "File System Driver",
+ "description": "A kernel mode file system minifilter."
+ },
+ "3": {
+ "caption": "Own Process",
+ "description": "A user mode service that runs in its own process."
+ },
+ "4": {
+ "caption": "Share Process",
+ "description": "A user mode service that shares a process with other services."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The service type is not mapped. See the service_type
attribute, which contains an event source specific value."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "service_type",
+ "type": "integer_t"
+ },
+ "start_type": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Start Type",
+ "description": "The service start type.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "start_type_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Start Type ID",
+ "description": "The service start type ID.",
+ "enum": {
+ "-1": {
+ "caption": "Other",
+ "description": "The start type is not mapped. See the start_type
attribute, which contains a data source specific value."
+ },
+ "0": {
+ "caption": "Unknown",
+ "description": "The startup type is unknown."
+ },
+ "1": {
+ "caption": "Auto",
+ "description": "Started automatically during system startup."
+ },
+ "10": {
+ "caption": "System Changed",
+ "description": "Started when a system item, such as a file or registry key, changes."
+ },
+ "2": {
+ "caption": "Boot",
+ "description": "Started by the system loader."
+ },
+ "3": {
+ "caption": "Demand",
+ "description": "Started on demand. For example, by the Window service control manager when a process calls the StartService function."
+ },
+ "4": {
+ "caption": "System",
+ "description": "Started by the IoInitSystem function."
+ },
+ "5": {
+ "caption": "Disabled",
+ "description": "Disabled."
+ },
+ "6": {
+ "caption": "All Logins",
+ "description": "Started on any user login."
+ },
+ "7": {
+ "caption": "Specific User Login",
+ "description": "Started when on a specific user login."
+ },
+ "8": {
+ "caption": "Interactive Login",
+ "description": "Started on interactive logins."
+ },
+ "9": {
+ "caption": "Scheduled",
+ "description": "Stared according to a schedule."
+ }
+ },
+ "requirement": "required",
+ "type": "integer_t"
+ },
+ "type_ids": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Type IDs",
+ "description": "The service type identifiers.",
+ "enum": {
+ "-1": {
+ "caption": "Other",
+ "description": "The service type is not mapped. See the types
attribute, which contains a data source specific values."
+ },
+ "0": {
+ "caption": "Unknown",
+ "description": "The type is unknown"
+ },
+ "1": {
+ "caption": "Adapter",
+ "description": "Adapter"
+ },
+ "2": {
+ "caption": "File System Driver",
+ "description": "File system driver"
+ },
+ "3": {
+ "caption": "Kernel Driver",
+ "description": "Device driver"
+ },
+ "4": {
+ "caption": "Recognized Driver",
+ "description": "Recognized Driver"
+ },
+ "5": {
+ "caption": "Own Process",
+ "description": "The application runs in its own process"
+ },
+ "6": {
+ "caption": "Shared Process",
+ "description": "The application shares a process with other services"
+ },
+ "7": {
+ "caption": "Interactive",
+ "description": "The service can interact with the desktop"
+ },
+ "8": {
+ "caption": "Other",
+ "description": "U/X, OS X service"
+ },
+ "9": {
+ "caption": "Autoload",
+ "description": "The Mac OS X Autoload Application"
+ }
+ },
+ "is_array": true,
+ "requirement": "required",
+ "type": "integer_t"
+ },
+ "types": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Types",
+ "description": "The service types.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the service.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "version": {
+ "caption": "Version",
+ "description": "The version of the service.",
+ "requirement": "recommended",
+ "type": "string_t"
+ }
+ },
+ "caption": "Windows Service",
+ "constraints": {
+ "at_least_one": [
+ "cmd_line",
+ "service_category_id",
+ "service_dependencies",
+ "service_error_control_id",
+ "service_start_name",
+ "service_start_type_id",
+ "service_type_id"
+ ]
+ },
+ "description": "The Windows Service object describes a Windows service.",
+ "extends": "service",
+ "extension": "windows",
+ "name": "win_service"
}
},
"types": {
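Review bot: Several attributes of the new `win_service` object are marked `@deprecated` yet still carry `"requirement": "required"` (`file`, `run_state_id`, `start_type_id`, `type_ids`), and the deprecated `cmd_line` is listed in `constraints.at_least_one`. A producer that follows the deprecation and stops emitting them would presumably fail validation, while one that keeps validating must go on emitting deprecated fields; the service binary and command line are also the values that service-installation detections usually key on, so consumers need to know where they moved. I would set the deprecated attributes to `"requirement": "optional"`, drop `"cmd_line"` from `at_least_one` (or un-deprecate it), and have each `@deprecated.message` name the replacement, which the current text "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0" does not. The deprecated `run_state_id` enum also defines both `-1` and `99` as "Other". The file header is outside this view; if this JSON is generated, the change belongs in the source definitions it is built from.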
@@ -49116,5 +55647,5 @@
"type_name": "String"
}
},
- "version": "1.2.0"
+ "version": "1.3.0"
}
diff --git a/extensions.md b/extensions.md
index bbd191446..44d2573cb 100644
--- a/extensions.md
+++ b/extensions.md
@@ -3,6 +3,8 @@ The purpose of this file is to keep track of and avoid collisions in Extension `
| Caption | Name | UID | Notes |
|-------------|----------|-----|-------|
+| US GOV | usg1 | **990** | The USG-1 schema extension |
+| Cisco | cisco | **991** | The Cisco schema extension |
| Sedara | sedara | **992** | The Sedara schema extension |
| Sciber | sciber | **993** | The Sciber schema extension |
| DataBee | databee | **994** | The Comcast DataBee schema extension |
diff --git a/extensions/archive/events/account_change.json b/extensions/archive/events/account_change.json
index e605513bd..9cce8fcd4 100644
--- a/extensions/archive/events/account_change.json
+++ b/extensions/archive/events/account_change.json
@@ -30,6 +30,12 @@
"description": "The event severity is not known."
}
}
+ },
+ "status_detail": {
+ "caption": "Status Details"
+ },
+ "duration": {
+ "caption": "Duration"
}
}
}
\ No newline at end of file
diff --git a/extensions/archive/events/api_activity.json b/extensions/archive/events/api_activity.json
new file mode 100644
index 000000000..570ff93a6
--- /dev/null
+++ b/extensions/archive/events/api_activity.json
@@ -0,0 +1,10 @@
+{
+ "attributes": {
+ "duration": {
+ "caption": "Duration"
+ },
+ "status_detail": {
+ "caption": "Status Details"
+ }
+ }
+}
\ No newline at end of file
diff --git a/extensions/archive/events/application.json b/extensions/archive/events/application.json
index a89f5c57a..eb050e3e0 100644
--- a/extensions/archive/events/application.json
+++ b/extensions/archive/events/application.json
@@ -50,6 +50,12 @@
"description": "The event severity is not known."
}
}
+ },
+ "duration": {
+ "caption": "Duration"
+ },
+ "status_detail": {
+ "caption": "Status Details"
}
}
}
\ No newline at end of file
diff --git a/extensions/archive/events/application_lifecycle.json b/extensions/archive/events/application_lifecycle.json
new file mode 100644
index 000000000..bd44ec6f7
--- /dev/null
+++ b/extensions/archive/events/application_lifecycle.json
@@ -0,0 +1,10 @@
+{
+ "attributes": {
+ "status_detail": {
+ "caption": "Status Details"
+ },
+ "duration": {
+ "caption": "Duration"
+ }
+ }
+}
\ No newline at end of file
diff --git a/extensions/archive/events/authentication.json b/extensions/archive/events/authentication.json
index fe4d07e0f..881474308 100644
--- a/extensions/archive/events/authentication.json
+++ b/extensions/archive/events/authentication.json
@@ -40,6 +40,12 @@
"description": "Used only by the System account, for example at system startup."
}
}
+ },
+ "status_detail": {
+ "caption": "Status Details"
+ },
+ "duration": {
+ "caption": "Duration"
}
}
}
\ No newline at end of file
diff --git a/extensions/archive/events/authorize_session.json b/extensions/archive/events/authorize_session.json
index 0f055597d..bd44ec6f7 100644
--- a/extensions/archive/events/authorize_session.json
+++ b/extensions/archive/events/authorize_session.json
@@ -1,3 +1,10 @@
{
- "attributes": {}
+ "attributes": {
+ "status_detail": {
+ "caption": "Status Details"
+ },
+ "duration": {
+ "caption": "Duration"
+ }
+ }
}
\ No newline at end of file
diff --git a/extensions/archive/events/base_event.json b/extensions/archive/events/base_event.json
index cd3ebac46..56848ed8f 100644
--- a/extensions/archive/events/base_event.json
+++ b/extensions/archive/events/base_event.json
@@ -30,6 +30,12 @@
"description": "The event severity is not known."
}
}
+ },
+ "duration": {
+ "caption": "Duration"
+ },
+ "status_detail": {
+ "caption": "Status Details"
}
}
}
\ No newline at end of file
diff --git a/extensions/archive/events/compliance_finding.json b/extensions/archive/events/compliance_finding.json
index 0f055597d..570ff93a6 100644
--- a/extensions/archive/events/compliance_finding.json
+++ b/extensions/archive/events/compliance_finding.json
@@ -1,3 +1,10 @@
{
- "attributes": {}
+ "attributes": {
+ "duration": {
+ "caption": "Duration"
+ },
+ "status_detail": {
+ "caption": "Status Details"
+ }
+ }
}
\ No newline at end of file
diff --git a/extensions/archive/events/config_state.json b/extensions/archive/events/config_state.json
index cd3ebac46..f6e96fe32 100644
--- a/extensions/archive/events/config_state.json
+++ b/extensions/archive/events/config_state.json
@@ -30,6 +30,12 @@
"description": "The event severity is not known."
}
}
+ },
+ "status_detail": {
+ "caption": "Status Details"
+ },
+ "duration": {
+ "caption": "Duration"
}
}
}
\ No newline at end of file
diff --git a/extensions/archive/events/data_security_finding.json b/extensions/archive/events/data_security_finding.json
index 0f055597d..cd397f2ce 100644
--- a/extensions/archive/events/data_security_finding.json
+++ b/extensions/archive/events/data_security_finding.json
@@ -1,3 +1,23 @@
{
- "attributes": {}
+ "attributes": {
+ "duration": {
+ "caption": "Duration"
+ },
+ "disposition_id": {
+ "enum": {
+ "99": {
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ },
+ "0": {
+ "description": "The disposition was not known."
+ },
+ "8": {
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ }
+ }
+ },
+ "status_detail": {
+ "caption": "Status Details"
+ }
+ }
}
\ No newline at end of file
diff --git a/extensions/archive/events/datastore_activity.json b/extensions/archive/events/datastore_activity.json
index f7f28162b..670e9c58b 100644
--- a/extensions/archive/events/datastore_activity.json
+++ b/extensions/archive/events/datastore_activity.json
@@ -24,6 +24,25 @@
"description": "The datastore activity in the event pertains to a 'Delete' operation."
}
}
+ },
+ "duration": {
+ "caption": "Duration"
+ },
+ "disposition_id": {
+ "enum": {
+ "0": {
+ "description": "The disposition was not known."
+ },
+ "99": {
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ },
+ "8": {
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ }
+ }
+ },
+ "status_detail": {
+ "caption": "Status Details"
}
}
}
\ No newline at end of file
diff --git a/extensions/archive/events/detection_finding.json b/extensions/archive/events/detection_finding.json
index 0f055597d..6daed5649 100644
--- a/extensions/archive/events/detection_finding.json
+++ b/extensions/archive/events/detection_finding.json
@@ -1,3 +1,23 @@
{
- "attributes": {}
+ "attributes": {
+ "status_detail": {
+ "caption": "Status Details"
+ },
+ "disposition_id": {
+ "enum": {
+ "0": {
+ "description": "The disposition was not known."
+ },
+ "8": {
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "99": {
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ }
+ }
+ },
+ "duration": {
+ "caption": "Duration"
+ }
+ }
}
\ No newline at end of file
diff --git a/extensions/archive/events/device_config_state_change.json b/extensions/archive/events/device_config_state_change.json
index 0f055597d..bd44ec6f7 100644
--- a/extensions/archive/events/device_config_state_change.json
+++ b/extensions/archive/events/device_config_state_change.json
@@ -1,3 +1,10 @@
{
- "attributes": {}
+ "attributes": {
+ "status_detail": {
+ "caption": "Status Details"
+ },
+ "duration": {
+ "caption": "Duration"
+ }
+ }
}
\ No newline at end of file
diff --git a/extensions/archive/events/dhcp_activity.json b/extensions/archive/events/dhcp_activity.json
index 08917afb9..1b0476dd2 100644
--- a/extensions/archive/events/dhcp_activity.json
+++ b/extensions/archive/events/dhcp_activity.json
@@ -41,6 +41,25 @@
"description": "The event severity is not known."
}
}
+ },
+ "disposition_id": {
+ "enum": {
+ "99": {
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ },
+ "0": {
+ "description": "The disposition was not known."
+ },
+ "8": {
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ }
+ }
+ },
+ "duration": {
+ "caption": "Duration"
+ },
+ "status_detail": {
+ "caption": "Status Details"
}
}
}
\ No newline at end of file
diff --git a/extensions/archive/events/discovery.json b/extensions/archive/events/discovery.json
index 2a09bf7b6..a84e67074 100644
--- a/extensions/archive/events/discovery.json
+++ b/extensions/archive/events/discovery.json
@@ -52,6 +52,12 @@
"description": "The event severity is not known."
}
}
+ },
+ "duration": {
+ "caption": "Duration"
+ },
+ "status_detail": {
+ "caption": "Status Details"
}
}
}
\ No newline at end of file
diff --git a/extensions/archive/events/discovery_result.json b/extensions/archive/events/discovery_result.json
index 8774e4bd9..69beab732 100644
--- a/extensions/archive/events/discovery_result.json
+++ b/extensions/archive/events/discovery_result.json
@@ -75,6 +75,12 @@
"description": "The target was found."
}
}
+ },
+ "duration": {
+ "caption": "Duration"
+ },
+ "status_detail": {
+ "caption": "Status Details"
}
}
}
\ No newline at end of file
diff --git a/extensions/archive/events/dns_activity.json b/extensions/archive/events/dns_activity.json
index ac632a0b3..d84b2bc3e 100644
--- a/extensions/archive/events/dns_activity.json
+++ b/extensions/archive/events/dns_activity.json
@@ -34,6 +34,15 @@
},
"10": {
"description": "Requires reboot to finish the operation."
+ },
+ "99": {
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ },
+ "0": {
+ "description": "The disposition was not known."
+ },
+ "8": {
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
}
}
},
@@ -43,6 +52,12 @@
"description": "The event severity is not known."
}
}
+ },
+ "status_detail": {
+ "caption": "Status Details"
+ },
+ "duration": {
+ "caption": "Duration"
}
}
}
\ No newline at end of file
diff --git a/extensions/archive/events/email_activity.json b/extensions/archive/events/email_activity.json
index aeb33ba41..831075485 100644
--- a/extensions/archive/events/email_activity.json
+++ b/extensions/archive/events/email_activity.json
@@ -70,6 +70,15 @@
},
"14": {
"description": "No longer suspicious (re-scored)."
+ },
+ "0": {
+ "description": "The disposition was not known."
+ },
+ "8": {
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "99": {
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
}
}
},
@@ -79,6 +88,12 @@
"description": "The event severity is not known."
}
}
+ },
+ "status_detail": {
+ "caption": "Status Details"
+ },
+ "duration": {
+ "caption": "Duration"
}
}
}
\ No newline at end of file
diff --git a/extensions/archive/events/email_delivery_activity.json b/extensions/archive/events/email_delivery_activity.json
index fea8adde0..a2531652e 100644
--- a/extensions/archive/events/email_delivery_activity.json
+++ b/extensions/archive/events/email_delivery_activity.json
@@ -153,4 +153,4 @@
"device"
]
}
-}
+}
\ No newline at end of file
diff --git a/extensions/archive/events/email_file_activity.json b/extensions/archive/events/email_file_activity.json
index b6cc84461..a478ce4dd 100644
--- a/extensions/archive/events/email_file_activity.json
+++ b/extensions/archive/events/email_file_activity.json
@@ -58,8 +58,23 @@
},
"10": {
"description": "Requires reboot to finish the operation."
+ },
+ "8": {
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "0": {
+ "description": "The disposition was not known."
+ },
+ "99": {
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
}
}
+ },
+ "duration": {
+ "caption": "Duration"
+ },
+ "status_detail": {
+ "caption": "Status Details"
}
},
"associations": {
diff --git a/extensions/archive/events/email_url_activity.json b/extensions/archive/events/email_url_activity.json
index 0477fd3d5..303939607 100644
--- a/extensions/archive/events/email_url_activity.json
+++ b/extensions/archive/events/email_url_activity.json
@@ -59,6 +59,15 @@
},
"10": {
"description": "Requires reboot to finish the operation."
+ },
+ "8": {
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "99": {
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ },
+ "0": {
+ "description": "The disposition was not known."
}
}
},
@@ -68,6 +77,12 @@
"description": "The event severity is not known."
}
}
+ },
+ "status_detail": {
+ "caption": "Status Details"
+ },
+ "duration": {
+ "caption": "Duration"
}
}
}
\ No newline at end of file
diff --git a/extensions/archive/events/entity_management.json b/extensions/archive/events/entity_management.json
index 0f055597d..570ff93a6 100644
--- a/extensions/archive/events/entity_management.json
+++ b/extensions/archive/events/entity_management.json
@@ -1,3 +1,10 @@
{
- "attributes": {}
+ "attributes": {
+ "duration": {
+ "caption": "Duration"
+ },
+ "status_detail": {
+ "caption": "Status Details"
+ }
+ }
}
\ No newline at end of file
diff --git a/extensions/archive/events/file_activity.json b/extensions/archive/events/file_activity.json
index 4e1a32470..f98ab530a 100644
--- a/extensions/archive/events/file_activity.json
+++ b/extensions/archive/events/file_activity.json
@@ -34,6 +34,15 @@
},
"10": {
"description": "Requires reboot to finish the operation."
+ },
+ "99": {
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ },
+ "8": {
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "0": {
+ "description": "The disposition was not known."
}
}
},
@@ -43,6 +52,12 @@
"description": "The event severity is not known."
}
}
+ },
+ "status_detail": {
+ "caption": "Status Details"
+ },
+ "duration": {
+ "caption": "Duration"
}
}
}
\ No newline at end of file
diff --git a/extensions/archive/events/file_hosting.json b/extensions/archive/events/file_hosting.json
index 0f055597d..bd44ec6f7 100644
--- a/extensions/archive/events/file_hosting.json
+++ b/extensions/archive/events/file_hosting.json
@@ -1,3 +1,10 @@
{
- "attributes": {}
+ "attributes": {
+ "status_detail": {
+ "caption": "Status Details"
+ },
+ "duration": {
+ "caption": "Duration"
+ }
+ }
}
\ No newline at end of file
diff --git a/extensions/archive/events/finding.json b/extensions/archive/events/finding.json
index 0f055597d..570ff93a6 100644
--- a/extensions/archive/events/finding.json
+++ b/extensions/archive/events/finding.json
@@ -1,3 +1,10 @@
{
- "attributes": {}
+ "attributes": {
+ "duration": {
+ "caption": "Duration"
+ },
+ "status_detail": {
+ "caption": "Status Details"
+ }
+ }
}
\ No newline at end of file
diff --git a/extensions/archive/events/ftp_activity.json b/extensions/archive/events/ftp_activity.json
index 2fce9d1bb..50672e21f 100644
--- a/extensions/archive/events/ftp_activity.json
+++ b/extensions/archive/events/ftp_activity.json
@@ -34,6 +34,15 @@
},
"10": {
"description": "Requires reboot to finish the operation."
+ },
+ "99": {
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ },
+ "0": {
+ "description": "The disposition was not known."
+ },
+ "8": {
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
}
}
},
@@ -43,6 +52,12 @@
"description": "The event severity is not known."
}
}
+ },
+ "duration": {
+ "caption": "Duration"
+ },
+ "status_detail": {
+ "caption": "Status Details"
}
}
}
\ No newline at end of file
diff --git a/extensions/archive/events/group_management.json b/extensions/archive/events/group_management.json
index 0f055597d..bd44ec6f7 100644
--- a/extensions/archive/events/group_management.json
+++ b/extensions/archive/events/group_management.json
@@ -1,3 +1,10 @@
{
- "attributes": {}
+ "attributes": {
+ "status_detail": {
+ "caption": "Status Details"
+ },
+ "duration": {
+ "caption": "Duration"
+ }
+ }
}
\ No newline at end of file
diff --git a/extensions/archive/events/http_activity.json b/extensions/archive/events/http_activity.json
index 1d0869f99..1a6de552e 100644
--- a/extensions/archive/events/http_activity.json
+++ b/extensions/archive/events/http_activity.json
@@ -34,6 +34,15 @@
},
"14": {
"description": "No longer suspicious (re-scored)."
+ },
+ "99": {
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ },
+ "8": {
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "0": {
+ "description": "The disposition was not known."
}
}
},
@@ -43,6 +52,12 @@
"description": "The event severity is not known."
}
}
+ },
+ "status_detail": {
+ "caption": "Status Details"
+ },
+ "duration": {
+ "caption": "Duration"
}
}
}
\ No newline at end of file
diff --git a/extensions/archive/events/iam.json b/extensions/archive/events/iam.json
index 0f055597d..570ff93a6 100644
--- a/extensions/archive/events/iam.json
+++ b/extensions/archive/events/iam.json
@@ -1,3 +1,10 @@
{
- "attributes": {}
+ "attributes": {
+ "duration": {
+ "caption": "Duration"
+ },
+ "status_detail": {
+ "caption": "Status Details"
+ }
+ }
}
\ No newline at end of file
diff --git a/extensions/archive/events/incident_finding.json b/extensions/archive/events/incident_finding.json
index e047cd981..ef268afd6 100644
--- a/extensions/archive/events/incident_finding.json
+++ b/extensions/archive/events/incident_finding.json
@@ -2,6 +2,12 @@
"attributes": {
"priority": {
"type": "integer_t"
+ },
+ "status_detail": {
+ "caption": "Status Details"
+ },
+ "duration": {
+ "caption": "Duration"
}
}
}
\ No newline at end of file
diff --git a/extensions/archive/events/inventory_info.json b/extensions/archive/events/inventory_info.json
index cd3ebac46..56848ed8f 100644
--- a/extensions/archive/events/inventory_info.json
+++ b/extensions/archive/events/inventory_info.json
@@ -30,6 +30,12 @@
"description": "The event severity is not known."
}
}
+ },
+ "duration": {
+ "caption": "Duration"
+ },
+ "status_detail": {
+ "caption": "Status Details"
}
}
}
\ No newline at end of file
diff --git a/extensions/archive/events/kernel_activity.json b/extensions/archive/events/kernel_activity.json
index 978e54146..97ffd034a 100644
--- a/extensions/archive/events/kernel_activity.json
+++ b/extensions/archive/events/kernel_activity.json
@@ -34,6 +34,15 @@
},
"15": {
"description": "Marked with extended attributes."
+ },
+ "99": {
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ },
+ "8": {
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "0": {
+ "description": "The disposition was not known."
}
}
},
@@ -43,6 +52,12 @@
"description": "The event severity is not known."
}
}
+ },
+ "duration": {
+ "caption": "Duration"
+ },
+ "status_detail": {
+ "caption": "Status Details"
}
}
}
\ No newline at end of file
diff --git a/extensions/archive/events/kernel_extension.json b/extensions/archive/events/kernel_extension.json
index 8f93846d1..f96eaca9e 100644
--- a/extensions/archive/events/kernel_extension.json
+++ b/extensions/archive/events/kernel_extension.json
@@ -34,6 +34,15 @@
},
"14": {
"description": "No longer suspicious (re-scored)."
+ },
+ "8": {
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "99": {
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ },
+ "0": {
+ "description": "The disposition was not known."
}
}
},
@@ -43,6 +52,12 @@
"description": "The event severity is not known."
}
}
+ },
+ "duration": {
+ "caption": "Duration"
+ },
+ "status_detail": {
+ "caption": "Status Details"
}
}
}
\ No newline at end of file
diff --git a/extensions/archive/events/memory_activity.json b/extensions/archive/events/memory_activity.json
index e351b9385..2c507488c 100644
--- a/extensions/archive/events/memory_activity.json
+++ b/extensions/archive/events/memory_activity.json
@@ -34,6 +34,15 @@
},
"15": {
"description": "Marked with extended attributes."
+ },
+ "99": {
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ },
+ "8": {
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "0": {
+ "description": "The disposition was not known."
}
}
},
@@ -43,6 +52,12 @@
"description": "The event severity is not known."
}
}
+ },
+ "duration": {
+ "caption": "Duration"
+ },
+ "status_detail": {
+ "caption": "Status Details"
}
}
}
\ No newline at end of file
diff --git a/extensions/archive/events/module_activity.json b/extensions/archive/events/module_activity.json
index 5e38d6568..4bd22421b 100644
--- a/extensions/archive/events/module_activity.json
+++ b/extensions/archive/events/module_activity.json
@@ -34,6 +34,15 @@
},
"10": {
"description": "Requires reboot to finish the operation."
+ },
+ "0": {
+ "description": "The disposition was not known."
+ },
+ "8": {
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "99": {
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
}
}
},
@@ -43,6 +52,12 @@
"description": "The event severity is not known."
}
}
+ },
+ "duration": {
+ "caption": "Duration"
+ },
+ "status_detail": {
+ "caption": "Status Details"
}
}
}
\ No newline at end of file
diff --git a/extensions/archive/events/network.json b/extensions/archive/events/network.json
index 0f055597d..8682a3d9d 100644
--- a/extensions/archive/events/network.json
+++ b/extensions/archive/events/network.json
@@ -1,3 +1,23 @@
{
- "attributes": {}
+ "attributes": {
+ "disposition_id": {
+ "enum": {
+ "0": {
+ "description": "The disposition was not known."
+ },
+ "99": {
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ },
+ "8": {
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ }
+ }
+ },
+ "status_detail": {
+ "caption": "Status Details"
+ },
+ "duration": {
+ "caption": "Duration"
+ }
+ }
}
\ No newline at end of file
diff --git a/extensions/archive/events/network_activity.json b/extensions/archive/events/network_activity.json
index f9c5656c6..1572580ed 100644
--- a/extensions/archive/events/network_activity.json
+++ b/extensions/archive/events/network_activity.json
@@ -41,8 +41,23 @@
},
"10": {
"description": "Requires reboot to finish the operation."
+ },
+ "8": {
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "0": {
+ "description": "The disposition was not known."
+ },
+ "99": {
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
}
}
+ },
+ "duration": {
+ "caption": "Duration"
+ },
+ "status_detail": {
+ "caption": "Status Details"
}
}
}
\ No newline at end of file
diff --git a/extensions/archive/events/network_file_activity.json b/extensions/archive/events/network_file_activity.json
index 12fd5516a..e8d2b59e0 100644
--- a/extensions/archive/events/network_file_activity.json
+++ b/extensions/archive/events/network_file_activity.json
@@ -2,6 +2,25 @@
"attributes": {
"connection_info": {
"group": "primary"
+ },
+ "disposition_id": {
+ "enum": {
+ "8": {
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "99": {
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ },
+ "0": {
+ "description": "The disposition was not known."
+ }
+ }
+ },
+ "status_detail": {
+ "caption": "Status Details"
+ },
+ "duration": {
+ "caption": "Duration"
}
}
}
\ No newline at end of file
diff --git a/extensions/archive/events/ntp_activity.json b/extensions/archive/events/ntp_activity.json
index 0f055597d..8dcf22fb5 100644
--- a/extensions/archive/events/ntp_activity.json
+++ b/extensions/archive/events/ntp_activity.json
@@ -1,3 +1,23 @@
{
- "attributes": {}
+ "attributes": {
+ "disposition_id": {
+ "enum": {
+ "0": {
+ "description": "The disposition was not known."
+ },
+ "8": {
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "99": {
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ }
+ }
+ },
+ "status_detail": {
+ "caption": "Status Details"
+ },
+ "duration": {
+ "caption": "Duration"
+ }
+ }
}
\ No newline at end of file
diff --git a/extensions/archive/events/patch_state.json b/extensions/archive/events/patch_state.json
index 0f055597d..570ff93a6 100644
--- a/extensions/archive/events/patch_state.json
+++ b/extensions/archive/events/patch_state.json
@@ -1,3 +1,10 @@
{
- "attributes": {}
+ "attributes": {
+ "duration": {
+ "caption": "Duration"
+ },
+ "status_detail": {
+ "caption": "Status Details"
+ }
+ }
}
\ No newline at end of file
diff --git a/extensions/archive/events/peripheral_device_query.json b/extensions/archive/events/peripheral_device_query.json
new file mode 100644
index 000000000..570ff93a6
--- /dev/null
+++ b/extensions/archive/events/peripheral_device_query.json
@@ -0,0 +1,10 @@
+{
+ "attributes": {
+ "duration": {
+ "caption": "Duration"
+ },
+ "status_detail": {
+ "caption": "Status Details"
+ }
+ }
+}
\ No newline at end of file
diff --git a/extensions/archive/events/prefetch_query.json b/extensions/archive/events/prefetch_query.json
new file mode 100644
index 000000000..570ff93a6
--- /dev/null
+++ b/extensions/archive/events/prefetch_query.json
@@ -0,0 +1,10 @@
+{
+ "attributes": {
+ "duration": {
+ "caption": "Duration"
+ },
+ "status_detail": {
+ "caption": "Status Details"
+ }
+ }
+}
\ No newline at end of file
diff --git a/extensions/archive/events/process_activity.json b/extensions/archive/events/process_activity.json
index e9f68f94f..e0cc5acc1 100644
--- a/extensions/archive/events/process_activity.json
+++ b/extensions/archive/events/process_activity.json
@@ -34,6 +34,15 @@
},
"15": {
"description": "Marked with extended attributes."
+ },
+ "0": {
+ "description": "The disposition was not known."
+ },
+ "99": {
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ },
+ "8": {
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
}
}
},
@@ -43,6 +52,12 @@
"description": "The event severity is not known."
}
}
+ },
+ "duration": {
+ "caption": "Duration"
+ },
+ "status_detail": {
+ "caption": "Status Details"
}
}
}
\ No newline at end of file
diff --git a/extensions/archive/events/rdp_activity.json b/extensions/archive/events/rdp_activity.json
index 4cd11c723..43b618949 100644
--- a/extensions/archive/events/rdp_activity.json
+++ b/extensions/archive/events/rdp_activity.json
@@ -34,6 +34,15 @@
},
"10": {
"description": "Requires reboot to finish the operation."
+ },
+ "99": {
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ },
+ "8": {
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "0": {
+ "description": "The disposition was not known."
}
}
},
@@ -43,6 +52,12 @@
"description": "The event severity is not known."
}
}
+ },
+ "status_detail": {
+ "caption": "Status Details"
+ },
+ "duration": {
+ "caption": "Duration"
}
}
}
\ No newline at end of file
diff --git a/extensions/archive/events/registry_key_activity.json b/extensions/archive/events/registry_key_activity.json
index 064eb6e0b..92933c434 100644
--- a/extensions/archive/events/registry_key_activity.json
+++ b/extensions/archive/events/registry_key_activity.json
@@ -45,6 +45,9 @@
},
"14": {
"description": "No longer suspicious (re-scored)."
+ },
+ "8": {
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
}
}
},
@@ -57,6 +60,12 @@
"description": "The event severity is not known."
}
}
+ },
+ "status_detail": {
+ "caption": "Status Details"
+ },
+ "duration": {
+ "caption": "Duration"
}
}
}
\ No newline at end of file
diff --git a/extensions/archive/events/registry_key_query.json b/extensions/archive/events/registry_key_query.json
new file mode 100644
index 000000000..bd44ec6f7
--- /dev/null
+++ b/extensions/archive/events/registry_key_query.json
@@ -0,0 +1,10 @@
+{
+ "attributes": {
+ "status_detail": {
+ "caption": "Status Details"
+ },
+ "duration": {
+ "caption": "Duration"
+ }
+ }
+}
\ No newline at end of file
diff --git a/extensions/archive/events/registry_value_activity.json b/extensions/archive/events/registry_value_activity.json
index 1177d1d6e..e3300aff0 100644
--- a/extensions/archive/events/registry_value_activity.json
+++ b/extensions/archive/events/registry_value_activity.json
@@ -44,6 +44,9 @@
},
"15": {
"description": "Marked with extended attributes."
+ },
+ "8": {
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
}
}
},
@@ -56,6 +59,12 @@
"description": "The event severity is not known."
}
}
+ },
+ "status_detail": {
+ "caption": "Status Details"
+ },
+ "duration": {
+ "caption": "Duration"
}
}
}
\ No newline at end of file
diff --git a/extensions/archive/events/registry_value_query.json b/extensions/archive/events/registry_value_query.json
new file mode 100644
index 000000000..bd44ec6f7
--- /dev/null
+++ b/extensions/archive/events/registry_value_query.json
@@ -0,0 +1,10 @@
+{
+ "attributes": {
+ "status_detail": {
+ "caption": "Status Details"
+ },
+ "duration": {
+ "caption": "Duration"
+ }
+ }
+}
\ No newline at end of file
diff --git a/extensions/archive/events/resource_activity.json b/extensions/archive/events/resource_activity.json
index 7b9350794..be1829ff3 100644
--- a/extensions/archive/events/resource_activity.json
+++ b/extensions/archive/events/resource_activity.json
@@ -45,6 +45,9 @@
},
"15": {
"description": "Marked with extended attributes."
+ },
+ "8": {
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
}
}
},
@@ -54,6 +57,12 @@
"description": "The event severity is not known."
}
}
+ },
+ "duration": {
+ "caption": "Duration"
+ },
+ "status_detail": {
+ "caption": "Status Details"
}
}
}
\ No newline at end of file
diff --git a/extensions/archive/events/scan_activity.json b/extensions/archive/events/scan_activity.json
index 0f055597d..570ff93a6 100644
--- a/extensions/archive/events/scan_activity.json
+++ b/extensions/archive/events/scan_activity.json
@@ -1,3 +1,10 @@
{
- "attributes": {}
+ "attributes": {
+ "duration": {
+ "caption": "Duration"
+ },
+ "status_detail": {
+ "caption": "Status Details"
+ }
+ }
}
\ No newline at end of file
diff --git a/extensions/archive/events/scheduled_job_activity.json b/extensions/archive/events/scheduled_job_activity.json
index 10d3dcf3d..219b5e43e 100644
--- a/extensions/archive/events/scheduled_job_activity.json
+++ b/extensions/archive/events/scheduled_job_activity.json
@@ -41,11 +41,26 @@
},
"15": {
"description": "Marked with extended attributes."
+ },
+ "0": {
+ "description": "The disposition was not known."
+ },
+ "8": {
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "99": {
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
}
}
},
"actor": {
"group": "primary"
+ },
+ "duration": {
+ "caption": "Duration"
+ },
+ "status_detail": {
+ "caption": "Status Details"
}
}
}
\ No newline at end of file
diff --git a/extensions/archive/events/security_finding.json b/extensions/archive/events/security_finding.json
index 4402eba16..651ca44b4 100644
--- a/extensions/archive/events/security_finding.json
+++ b/extensions/archive/events/security_finding.json
@@ -101,6 +101,12 @@
"description": "The event severity is not known."
}
}
+ },
+ "duration": {
+ "caption": "Duration"
+ },
+ "status_detail": {
+ "caption": "Status Details"
}
}
}
\ No newline at end of file
diff --git a/extensions/archive/events/session_query.json b/extensions/archive/events/session_query.json
new file mode 100644
index 000000000..570ff93a6
--- /dev/null
+++ b/extensions/archive/events/session_query.json
@@ -0,0 +1,10 @@
+{
+ "attributes": {
+ "duration": {
+ "caption": "Duration"
+ },
+ "status_detail": {
+ "caption": "Status Details"
+ }
+ }
+}
\ No newline at end of file
diff --git a/extensions/archive/events/smb_activity.json b/extensions/archive/events/smb_activity.json
index 014c27a1b..34fa7763c 100644
--- a/extensions/archive/events/smb_activity.json
+++ b/extensions/archive/events/smb_activity.json
@@ -34,6 +34,15 @@
},
"14": {
"description": "No longer suspicious (re-scored)."
+ },
+ "0": {
+ "description": "The disposition was not known."
+ },
+ "99": {
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ },
+ "8": {
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
}
}
},
@@ -43,6 +52,12 @@
"description": "The event severity is not known."
}
}
+ },
+ "status_detail": {
+ "caption": "Status Details"
+ },
+ "duration": {
+ "caption": "Duration"
}
}
}
\ No newline at end of file
diff --git a/extensions/archive/events/ssh_activity.json b/extensions/archive/events/ssh_activity.json
index 35bf4d64d..b7bc4b8b5 100644
--- a/extensions/archive/events/ssh_activity.json
+++ b/extensions/archive/events/ssh_activity.json
@@ -41,8 +41,23 @@
},
"10": {
"description": "Requires reboot to finish the operation."
+ },
+ "99": {
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ },
+ "0": {
+ "description": "The disposition was not known."
+ },
+ "8": {
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
}
}
+ },
+ "duration": {
+ "caption": "Duration"
+ },
+ "status_detail": {
+ "caption": "Status Details"
}
}
}
\ No newline at end of file
diff --git a/extensions/archive/events/system.json b/extensions/archive/events/system.json
index f0cfacb70..d74762227 100644
--- a/extensions/archive/events/system.json
+++ b/extensions/archive/events/system.json
@@ -34,6 +34,15 @@
},
"14": {
"description": "No longer suspicious (re-scored)."
+ },
+ "8": {
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "99": {
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ },
+ "0": {
+ "description": "The disposition was not known."
}
}
},
@@ -43,6 +52,12 @@
"description": "The event severity is not known."
}
}
+ },
+ "duration": {
+ "caption": "Duration"
+ },
+ "status_detail": {
+ "caption": "Status Details"
}
}
}
\ No newline at end of file
diff --git a/extensions/archive/events/tunnel_activity.json b/extensions/archive/events/tunnel_activity.json
new file mode 100644
index 000000000..e81b68e35
--- /dev/null
+++ b/extensions/archive/events/tunnel_activity.json
@@ -0,0 +1,23 @@
+{
+ "attributes": {
+ "disposition_id": {
+ "enum": {
+ "0": {
+ "description": "The disposition was not known."
+ },
+ "8": {
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "99": {
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ }
+ }
+ },
+ "duration": {
+ "caption": "Duration"
+ },
+ "status_detail": {
+ "caption": "Status Details"
+ }
+ }
+}
\ No newline at end of file
diff --git a/extensions/archive/events/user_access.json b/extensions/archive/events/user_access.json
index 0f055597d..570ff93a6 100644
--- a/extensions/archive/events/user_access.json
+++ b/extensions/archive/events/user_access.json
@@ -1,3 +1,10 @@
{
- "attributes": {}
+ "attributes": {
+ "duration": {
+ "caption": "Duration"
+ },
+ "status_detail": {
+ "caption": "Status Details"
+ }
+ }
}
\ No newline at end of file
diff --git a/extensions/archive/events/user_inventory.json b/extensions/archive/events/user_inventory.json
index 0f055597d..bd44ec6f7 100644
--- a/extensions/archive/events/user_inventory.json
+++ b/extensions/archive/events/user_inventory.json
@@ -1,3 +1,10 @@
{
- "attributes": {}
+ "attributes": {
+ "status_detail": {
+ "caption": "Status Details"
+ },
+ "duration": {
+ "caption": "Duration"
+ }
+ }
}
\ No newline at end of file
diff --git a/extensions/archive/events/user_query.json b/extensions/archive/events/user_query.json
new file mode 100644
index 000000000..bd44ec6f7
--- /dev/null
+++ b/extensions/archive/events/user_query.json
@@ -0,0 +1,10 @@
+{
+ "attributes": {
+ "status_detail": {
+ "caption": "Status Details"
+ },
+ "duration": {
+ "caption": "Duration"
+ }
+ }
+}
\ No newline at end of file
diff --git a/extensions/archive/events/vulnerability_finding.json b/extensions/archive/events/vulnerability_finding.json
index 0f055597d..bd44ec6f7 100644
--- a/extensions/archive/events/vulnerability_finding.json
+++ b/extensions/archive/events/vulnerability_finding.json
@@ -1,3 +1,10 @@
{
- "attributes": {}
+ "attributes": {
+ "status_detail": {
+ "caption": "Status Details"
+ },
+ "duration": {
+ "caption": "Duration"
+ }
+ }
}
\ No newline at end of file
diff --git a/extensions/archive/events/web_resource_access_activity.json b/extensions/archive/events/web_resource_access_activity.json
index 0f055597d..bd44ec6f7 100644
--- a/extensions/archive/events/web_resource_access_activity.json
+++ b/extensions/archive/events/web_resource_access_activity.json
@@ -1,3 +1,10 @@
{
- "attributes": {}
+ "attributes": {
+ "status_detail": {
+ "caption": "Status Details"
+ },
+ "duration": {
+ "caption": "Duration"
+ }
+ }
}
\ No newline at end of file
diff --git a/extensions/archive/events/web_resources_activity.json b/extensions/archive/events/web_resources_activity.json
index 0f055597d..8dc77052d 100644
--- a/extensions/archive/events/web_resources_activity.json
+++ b/extensions/archive/events/web_resources_activity.json
@@ -1,3 +1,23 @@
{
- "attributes": {}
+ "attributes": {
+ "duration": {
+ "caption": "Duration"
+ },
+ "disposition_id": {
+ "enum": {
+ "0": {
+ "description": "The disposition was not known."
+ },
+ "99": {
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ },
+ "8": {
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ }
+ }
+ },
+ "status_detail": {
+ "caption": "Status Details"
+ }
+ }
}
\ No newline at end of file
diff --git a/extensions/archive/extension.json b/extensions/archive/extension.json
index 2d936dc80..c00a510ef 100644
--- a/extensions/archive/extension.json
+++ b/extensions/archive/extension.json
@@ -3,5 +3,5 @@
"name": "archive",
"caption": "QDM Archive",
"description": "Query Data Model Archive of events and objects that changed between versions of OCSF.",
- "version": "1.2.2"
+ "version": "1.3.0"
}
\ No newline at end of file
diff --git a/extensions/archive/objects/compliance.json b/extensions/archive/objects/compliance.json
new file mode 100644
index 000000000..09487ed56
--- /dev/null
+++ b/extensions/archive/objects/compliance.json
@@ -0,0 +1,7 @@
+{
+ "attributes": {
+ "status_detail": {
+ "caption": "Status Details"
+ }
+ }
+}
\ No newline at end of file
diff --git a/extensions/archive/objects/data_security.json b/extensions/archive/objects/data_security.json
index 0fe9f4575..cb017500f 100644
--- a/extensions/archive/objects/data_security.json
+++ b/extensions/archive/objects/data_security.json
@@ -54,6 +54,13 @@
"since": "1.2.0",
"message": "Deprecated in upgrade from qdm-1.1.0 to qdm-1.2.0"
}
+ },
+ "data_lifecycle_state_id": {
+ "enum": {
+ "0": {
+ "description": "The type is not mapped. See the data_lifecycle_state
attribute, which contains a data source specific value."
+ }
+ }
}
}
}
\ No newline at end of file
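Review bot: The added `data_lifecycle_state_id` entry describes `0` as "The type is not mapped", but the `disposition_id` overlays added elsewhere in this commit use `0` for "not known". The unmapped case is carried by `99` in those overlays and in `objects/dns_answer.json`, and by `-1` in `objects/reg_value.json`. A consumer that uses the numeric value to separate "unknown" from "source-specific, see the sibling string" will misclassify this attribute. If the string is a verbatim record of a superseded definition, that is presumably intended for an archive extension, but it is worth confirming. Otherwise align it with the other `0` entries, e.g. `"description": "The data lifecycle state is not known."`.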
diff --git a/extensions/archive/objects/device.json b/extensions/archive/objects/device.json
index e55eae23b..398ab1141 100644
--- a/extensions/archive/objects/device.json
+++ b/extensions/archive/objects/device.json
@@ -11,7 +11,12 @@
}
},
"type_id": {
- "default": 0
+ "default": 0,
+ "enum": {
+ "7": {
+ "description": "A IOT (Internet of Things) device."
+ }
+ }
},
"org_unit": {
"requirement": "optional",
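Review bot: The new `type_id` enum entry `7` reads "A IOT (Internet of Things) device."; the article and the casing are off, and the usual spelling is `"description": "An IoT (Internet of Things) device."`. The same string is added in `objects/endpoint.json`, `objects/network_endpoint.json` and `objects/network_proxy.json`, so fix all four together to keep them identical. The entry also has no `caption`, which may be deliberate for an overlay, since the other added enum entries in this commit also carry only a description. The `attributes` object continues outside the hunk.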
diff --git a/extensions/archive/objects/dns_answer.json b/extensions/archive/objects/dns_answer.json
new file mode 100644
index 000000000..7263b9d99
--- /dev/null
+++ b/extensions/archive/objects/dns_answer.json
@@ -0,0 +1,11 @@
+{
+ "attributes": {
+ "flag_ids": {
+ "enum": {
+ "99": {
+ "description": "The event DNS header flag is not mapped."
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/extensions/archive/objects/endpoint.json b/extensions/archive/objects/endpoint.json
index ddd214e6e..13217d72d 100644
--- a/extensions/archive/objects/endpoint.json
+++ b/extensions/archive/objects/endpoint.json
@@ -9,6 +9,13 @@
"since": "1.1.0",
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
}
+ },
+ "type_id": {
+ "enum": {
+ "7": {
+ "description": "A IOT (Internet of Things) device."
+ }
+ }
}
}
}
\ No newline at end of file
diff --git a/extensions/archive/objects/firewall_rule.json b/extensions/archive/objects/firewall_rule.json
new file mode 100644
index 000000000..b71ca3567
--- /dev/null
+++ b/extensions/archive/objects/firewall_rule.json
@@ -0,0 +1,7 @@
+{
+ "attributes": {
+ "duration": {
+ "caption": "Duration"
+ }
+ }
+}
\ No newline at end of file
diff --git a/extensions/archive/objects/network_endpoint.json b/extensions/archive/objects/network_endpoint.json
index ddd214e6e..13217d72d 100644
--- a/extensions/archive/objects/network_endpoint.json
+++ b/extensions/archive/objects/network_endpoint.json
@@ -9,6 +9,13 @@
"since": "1.1.0",
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
}
+ },
+ "type_id": {
+ "enum": {
+ "7": {
+ "description": "A IOT (Internet of Things) device."
+ }
+ }
}
}
}
\ No newline at end of file
diff --git a/extensions/archive/objects/network_proxy.json b/extensions/archive/objects/network_proxy.json
new file mode 100644
index 000000000..844c22ba0
--- /dev/null
+++ b/extensions/archive/objects/network_proxy.json
@@ -0,0 +1,11 @@
+{
+ "attributes": {
+ "type_id": {
+ "enum": {
+ "7": {
+ "description": "A IOT (Internet of Things) device."
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/extensions/archive/objects/reg_key.json b/extensions/archive/objects/reg_key.json
new file mode 100644
index 000000000..597618627
--- /dev/null
+++ b/extensions/archive/objects/reg_key.json
@@ -0,0 +1,11 @@
+{
+ "@deprecated": {
+ "since": "1.1.0",
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
+ },
+ "attributes": {
+ "path": {
+ "type": "path_t"
+ }
+ }
+}
\ No newline at end of file
diff --git a/extensions/archive/objects/reg_value.json b/extensions/archive/objects/reg_value.json
new file mode 100644
index 000000000..894371506
--- /dev/null
+++ b/extensions/archive/objects/reg_value.json
@@ -0,0 +1,20 @@
+{
+ "attributes": {
+ "type_id": {
+ "enum": {
+ "-1": {
+ "caption": "Other",
+ "description": "The type is not mapped. See the type
attribute, which may contain a data source specific value."
+ }
+ },
+ "default": 0
+ },
+ "path": {
+ "type": "path_t"
+ }
+ },
+ "@deprecated": {
+ "since": "1.1.0",
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
+ }
+}
\ No newline at end of file
diff --git a/extensions/archive/objects/registry_key.json b/extensions/archive/objects/registry_key.json
deleted file mode 100644
index 865b881be..000000000
--- a/extensions/archive/objects/registry_key.json
+++ /dev/null
@@ -1,48 +0,0 @@
-{
- "caption": "Registry Key",
- "name": "registry_key",
- "description": "The registry key object describes a Windows registry key.",
- "attributes": {
- "is_system": {
- "requirement": "optional",
- "caption": "System",
- "description": "The indication of whether the object is part of the operating system.",
- "type": "boolean_t"
- },
- "modified_time": {
- "description": "The time when the registry key was last modified.",
- "requirement": "optional",
- "caption": "Modified Time",
- "type": "timestamp_t"
- },
- "path": {
- "caption": "Path",
- "description": "The full path to the registry key.",
- "requirement": "required",
- "type": "path_t"
- },
- "security_descriptor": {
- "caption": "Security Descriptor",
- "description": "The security descriptor of the registry key.",
- "requirement": "optional",
- "type": "string_t"
- },
- "raw_data": {
- "group": "context",
- "caption": "Raw Data",
- "description": "The event data as received from the event source.",
- "type": "json_t"
- },
- "record_id": {
- "description": "Unique identifier for the object",
- "group": "primary",
- "requirement": "required",
- "caption": "Record ID",
- "type": "string_t"
- }
- },
- "@deprecated": {
- "since": "1.1.0",
- "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
- }
-}
\ No newline at end of file
diff --git a/extensions/archive/objects/registry_value.json b/extensions/archive/objects/registry_value.json
deleted file mode 100644
index ea5e76104..000000000
--- a/extensions/archive/objects/registry_value.json
+++ /dev/null
@@ -1,114 +0,0 @@
-{
- "caption": "Registry Value",
- "description": "The registry value object describes a Windows registry value.",
- "name": "registry_value",
- "attributes": {
- "data": {
- "description": "The data of the registry value.",
- "requirement": "optional",
- "caption": "Data",
- "type": "json_t"
- },
- "is_default": {
- "requirement": "optional",
- "caption": "Default Value",
- "description": "The indication of whether the value is from a default value name. For example, the value name could be missing.",
- "type": "boolean_t"
- },
- "is_system": {
- "requirement": "optional",
- "caption": "System",
- "description": "The indication of whether the object is part of the operating system.",
- "type": "boolean_t"
- },
- "modified_time": {
- "description": "The time when the registry value was last modified.",
- "requirement": "optional",
- "caption": "Modified Time",
- "type": "timestamp_t"
- },
- "name": {
- "description": "The name of the registry value.",
- "requirement": "required",
- "caption": "Name",
- "type": "string_t"
- },
- "path": {
- "description": "The full path to the registry key, where the value is located.",
- "requirement": "required",
- "caption": "Path",
- "type": "path_t"
- },
- "type": {
- "description": "A string representation of the value type as specified in Registry Value Types.",
- "requirement": "optional",
- "caption": "Type",
- "type": "string_t"
- },
- "type_id": {
- "description": "The value type ID.",
- "enum": {
- "1": {
- "caption": "REG_BINARY"
- },
- "10": {
- "caption": "REG_SZ"
- },
- "2": {
- "caption": "REG_DWORD"
- },
- "3": {
- "caption": "REG_DWORD_BIG_ENDIAN"
- },
- "4": {
- "caption": "REG_EXPAND_SZ"
- },
- "5": {
- "caption": "REG_LINK"
- },
- "6": {
- "caption": "REG_MULTI_SZ"
- },
- "7": {
- "caption": "REG_NONE"
- },
- "8": {
- "caption": "REG_QWORD"
- },
- "9": {
- "caption": "REG_QWORD_LITTLE_ENDIAN"
- },
- "-1": {
- "caption": "Other",
- "description": "The type is not mapped. See the type
attribute, which may contain a data source specific value."
- },
- "0": {
- "caption": "Unknown",
- "description": "The type is unknown."
- }
- },
- "requirement": "recommended",
- "caption": "Type ID",
- "default": 0,
- "sibling": "type",
- "type": "integer_t"
- },
- "raw_data": {
- "group": "context",
- "caption": "Raw Data",
- "description": "The event data as received from the event source.",
- "type": "json_t"
- },
- "record_id": {
- "description": "Unique identifier for the object",
- "group": "primary",
- "requirement": "required",
- "caption": "Record ID",
- "type": "string_t"
- }
- },
- "@deprecated": {
- "since": "1.1.0",
- "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
- }
-}
\ No newline at end of file
diff --git a/extensions/linux/extension.json b/extensions/linux/extension.json
index 1475cd8c5..da1e4300b 100644
--- a/extensions/linux/extension.json
+++ b/extensions/linux/extension.json
@@ -3,5 +3,5 @@
"description": "The Linux extension defines Linux specific attributes, objects and classes.",
"name": "linux",
"uid": 1,
- "version": "1.2.0"
+ "version": "1.3.0"
}
diff --git a/extensions/linux/profiles/linux_users.json b/extensions/linux/profiles/linux_users.json
index b3eb10066..3b171a5cd 100644
--- a/extensions/linux/profiles/linux_users.json
+++ b/extensions/linux/profiles/linux_users.json
@@ -1,5 +1,5 @@
{
- "caption": "Linux",
+ "caption": "Linux Users",
"description": "The attributes that Linux uses to identify user information.",
"meta": "profile",
"name": "linux_users",
diff --git a/extensions/query/extension.json b/extensions/query/extension.json
index 194672176..b0293bd9a 100644
--- a/extensions/query/extension.json
+++ b/extensions/query/extension.json
@@ -1,6 +1,6 @@
{
"caption": "Query Extension",
"name": "query",
- "version": "1.2.3",
+ "version": "1.3.0",
"uid": 101
}
diff --git a/extensions/windows/dictionary.json b/extensions/windows/dictionary.json
index 44c2a3b81..cccb44c6a 100644
--- a/extensions/windows/dictionary.json
+++ b/extensions/windows/dictionary.json
@@ -32,6 +32,171 @@
"caption": "Windows Resource",
"description": "The Windows resource object that was accessed, such as a mutant or timer.",
"type": "win_resource"
+ },
+ "load_order_group": {
+ "caption": "Load Order Group",
+ "description": "The name of the load ordering group of which this service is a member.",
+ "type": "string_t"
+ },
+ "service_category": {
+ "caption": "Service Category",
+ "description": "The service category, normalized to the caption of the service_category_id value. In the case of 'Other', it is defined by the event source.",
+ "type": "string_t"
+ },
+ "service_category_id": {
+ "caption": "Service Category ID",
+ "description": "The normalized identifier of the service category.",
+ "sibling": "service_category",
+ "type": "integer_t",
+ "enum":{
+ "0": {
+ "caption": "Unknown",
+ "description": "The service category is unknown."
+ },
+ "1": {
+ "caption": "Kernel Mode",
+ "description": "A kernel mode driver."
+ },
+ "2": {
+ "caption": "User Mode",
+ "description": "A user mode service."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The service category is not mapped. See the service_category
attribute, which contains an event source specific value."
+ }
+ }
+ },
+ "service_dependencies": {
+ "caption": "Service Dependencies",
+ "description": "The names of other services upon which this service has a dependency.",
+ "type": "string_t",
+ "is_array": true
+ },
+ "service_error_control": {
+ "caption": "Service Error Control",
+ "description": "The service error control, normalized to the caption of the service_error_control_id
value. In the case of 'Other', it is defined by the event source.",
+ "type": "string_t"
+ },
+ "service_error_control_id": {
+ "caption": "Service Error Control ID",
+ "description": "The normalized identifier of the service error control.",
+ "sibling": "service_error_control",
+ "type": "integer_t",
+ "enum":{
+ "0": {
+ "caption": "Unknown",
+ "description": "The service error control is unknown."
+ },
+ "1": {
+ "caption": "Ignore",
+ "description": "The startup program ignores the error and continues the startup operation."
+ },
+ "2": {
+ "caption": "Normal",
+ "description": "The startup program logs the error in the event log but continues the startup operation."
+ },
+ "3": {
+ "caption": "Severe",
+ "description": "The startup program logs the error in the event log. If the last-known-good configuration is being started, the startup operation continues. Otherwise, the system is restarted with the last-known-good configuration."
+ },
+ "4": {
+ "caption": "Critical",
+ "description": "The startup program logs the error in the event log, if possible. If the last-known-good configuration is being started, the startup operation fails. Otherwise, the system is restarted with the last-known good configuration."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The service error control is not mapped. See the service_error_control
attribute, which contains an event source specific value."
+ }
+ }
+ },
+ "service_start_type": {
+ "caption": "Service Start Type",
+ "description": "The service start type, normalized to the caption of the service_start_type_id
value. In the case of 'Other', it is defined by the event source.",
+ "type": "string_t"
+ },
+ "service_start_type_id": {
+ "caption": "Service Start Type ID",
+ "description": "The normalized identifier of the service start type.",
+ "sibling": "service_start_type",
+ "type": "integer_t",
+ "enum":{
+ "0": {
+ "caption": "Unknown",
+ "description": "The service start type is unknown."
+ },
+ "1": {
+ "caption": "Boot",
+ "description": "A kernel mode driver loaded at boot."
+ },
+ "2": {
+ "caption": "System",
+ "description": "A kernel mode driver loaded during system startup."
+ },
+ "3": {
+ "caption": "Auto",
+ "description": "A user mode service started automatically during system startup."
+ },
+ "4": {
+ "caption": "Demand",
+ "description": "A user mode service started on demand when a process calls StartService
."
+ },
+ "5": {
+ "caption": "Disabled",
+ "description": "A driver or service that cannot be started."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The service start type is not mapped. See the service_start_type
attribute, which contains an event source specific value."
+ }
+ }
+ },
+ "service_start_name": {
+ "caption": "Service Start Name",
+ "description": "For a user mode service, this attribute represents the name of the account under which the service is run. For a kernel mode driver, this attribute represents the object name used to load the driver.",
+ "type": "string_t"
+ },
+ "service_type": {
+ "caption": "Service Type",
+ "description": "The service type, normalized to the caption of the service_type_id value. In the case of 'Other', it is defined by the event source.",
+ "type": "string_t"
+ },
+ "service_type_id": {
+ "caption": "Service Type ID",
+ "description": "The normalized identifier of the service type.",
+ "sibling": "service_type",
+ "type": "integer_t",
+ "enum":{
+ "0": {
+ "caption": "Unknown",
+ "description": "The service type is unknown."
+ },
+ "1": {
+ "caption": "Kernel Driver",
+ "description": "A kernel mode driver."
+ },
+ "2": {
+ "caption": "File System Driver",
+ "description": "A kernel mode file system minifilter."
+ },
+ "3": {
+ "caption": "Own Process",
+ "description": "A user mode service that runs in its own process."
+ },
+ "4": {
+ "caption": "Share Process",
+ "description": "A user mode service that shares a process with other services."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The service type is not mapped. See the service_type
attribute, which contains an event source specific value."
+ }
+ }
+ },
+ "win_service": {
+ "caption": "Windows Service",
+ "description": "The Windows service.",
+ "type": "win_service"
}
}
}
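Review bot: The `service_start_type_id` and `service_error_control_id` enums are offset by one from the Win32 constants they normalize (in the Windows API SERVICE_BOOT_START is 0 and SERVICE_AUTO_START is 2, while here Boot is 1 and Auto is 3), and neither description says so. A mapper that copies the raw start type through would record an auto-start service as System and a disabled one as Demand, which skews any detection keyed on auto-start persistence. I would extend both descriptions, e.g. `"description": "The normalized identifier of the service start type. Values are not the raw Win32 start type constants; map them explicitly."`, with the same wording for error control. `service_type_id` needs the same caveat, since Windows reports own-process and share-process services as the flags 0x10 and 0x20 rather than 3 and 4.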
diff --git a/extensions/windows/events/win_service.json b/extensions/windows/events/win_service.json
new file mode 100644
index 000000000..72e272fb3
--- /dev/null
+++ b/extensions/windows/events/win_service.json
@@ -0,0 +1,44 @@
+{
+ "caption": "Windows Service Activity",
+ "description": "Windows Service Activity events report when a process interacts with the Service Control Manager.",
+ "extends": "system",
+ "name": "win_service_activity",
+ "uid": 4,
+ "attributes": {
+ "activity_id": {
+ "enum": {
+ "1": {
+ "caption": "Create",
+ "description": "A service is created, for example by calling CreateService
. Refer to the win_service
attribute for details."
+ },
+ "2": {
+ "caption": "Reconfigure",
+ "description": "A service is reconfigured, for example by calling ChangeServiceConfig
or ChangeServiceConfig2
. Refer to the win_service
attribute for details."
+ },
+ "3": {
+ "caption": "Start",
+ "description": "A stopped service is started, for example by calling StartService
. Refer to the service
attribute for details."
+ },
+ "4": {
+ "caption": "Stop",
+ "description": "A running or paused service is stopped, for example by calling ControlService
or ControlServiceEx
. Refer to the win_service
attribute for details."
+ },
+ "5": {
+ "caption": "Pause",
+ "description": "A running service is paused, for example by calling ControlService
or ControlServiceEx
. Refer to the win_service
attribute for details."
+ },
+ "6": {
+ "caption": "Continue",
+ "description": "A paused service is continued, for example by calling ControlService
or ControlServiceEx
. Refer to the win_service
attribute for details."
+ },
+ "7": {
+ "caption": "Delete",
+ "description": "A service is deleted, for example by calling DeleteService
. Refer to the win_service
attribute for details."
+ }
+ }
+ },
+ "win_service": {
+ "requirement": "required"
+ }
+ }
+}
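Review bot: The description of activity `3` (Start) points the reader to the `service` attribute, while every other activity and the only attribute this class declares use `win_service`. Unless the base `system` class supplies a `service` attribute (not visible in this hunk), this looks like a typo and should read `Refer to the win_service attribute for details.` Service creation and reconfiguration are what persistence detections usually key on, so the class description could also say which `win_service` fields a producer is expected to fill for Create and Reconfigure.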
diff --git a/extensions/windows/extension.json b/extensions/windows/extension.json
index a2ba9dacd..d6d03ba47 100644
--- a/extensions/windows/extension.json
+++ b/extensions/windows/extension.json
@@ -3,5 +3,5 @@
"description": "The Windows extension defines Windows specific attributes, objects and classes.",
"name": "win",
"uid": 2,
- "version": "1.2.0"
+ "version": "1.3.0"
}
diff --git a/extensions/windows/objects/evidences.json b/extensions/windows/objects/evidences.json
new file mode 100644
index 000000000..9b4dff146
--- /dev/null
+++ b/extensions/windows/objects/evidences.json
@@ -0,0 +1,42 @@
+{
+ "caption": "Windows Evidence Artifacts",
+ "description": "Extends the evidences object to add Windows specific fields",
+ "extends": "evidences",
+ "attributes": {
+ "reg_key": {
+ "description": "Describes details about the registry key that triggered the detection.",
+ "requirement": "recommended"
+ },
+ "reg_value": {
+ "description": "Describes details about the registry value that triggered the detection.",
+ "requirement": "recommended"
+ },
+ "win_service": {
+ "description": "Describes details about the Windows service that triggered the detection.",
+ "requirement": "recommended"
+ }
+ },
+ "constraints": {
+ "at_least_one": [
+ "actor",
+ "api",
+ "connection_info",
+ "data",
+ "database",
+ "databucket",
+ "device",
+ "dst_endpoint",
+ "email",
+ "file",
+ "process",
+ "query",
+ "src_endpoint",
+ "url",
+ "user",
+ "job",
+ "reg_key",
+ "reg_value",
+ "win_service"
+ ]
+ }
+}
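Review bot: The `at_least_one` list appears to restate the base object's entries and then append `reg_key`, `reg_value` and `win_service`, so it will drift whenever the core `evidences` constraint changes. Whether an extension's constraints replace or merge with the base ones is not visible here. If they replace, an attribute added to the core list later would stop satisfying the constraint once the Windows extension is loaded. If the server merges constraints, list only the three Windows attributes; otherwise record the coupling in the description, e.g. `"description": "Extends the evidences object to add Windows specific fields. The at_least_one list must be kept in sync with the core evidences object."`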
diff --git a/extensions/windows/objects/win_resource.json b/extensions/windows/objects/win_resource.json
index 001c8d5f9..20d016fa1 100644
--- a/extensions/windows/objects/win_resource.json
+++ b/extensions/windows/objects/win_resource.json
@@ -8,10 +8,12 @@
"description": "The name of the resource object."
},
"details": {
- "description": "The string detailing the attributes of the resource object."
+ "description": "The string detailing the attributes of the resource object.",
+ "requirement": "optional"
},
"svc_name": {
- "description": "The Windows service acting as the object server for the resource object, such as Security or Security Account Manager."
+ "description": "The Windows service acting as the object server for the resource object, such as Security or Security Account Manager.",
+ "requirement": "optional"
},
"type": {
"description": "The type of the Windows resource object.",
diff --git a/extensions/windows/objects/win_service.json b/extensions/windows/objects/win_service.json
new file mode 100644
index 000000000..c66bf4ddd
--- /dev/null
+++ b/extensions/windows/objects/win_service.json
@@ -0,0 +1,61 @@
+{
+ "caption": "Windows Service",
+ "description": "The Windows Service object describes a Windows service.",
+ "extends": "service",
+ "name": "win_service",
+ "attributes": {
+ "name": {
+ "description": "The unique name of the service.",
+ "requirement": "required"
+ },
+ "cmd_line": {
+ "description": "The full command line used to launch the service.",
+ "requirement": "recommended"
+ },
+ "load_order_group": {
+ "requirement": "recommended"
+ },
+ "service_category": {
+ "requirement": "optional"
+ },
+ "service_category_id": {
+ "requirement": "recommended"
+ },
+ "service_dependencies": {
+ "requirement": "recommended"
+ },
+ "service_error_control": {
+ "requirement": "optional"
+ },
+ "service_error_control_id": {
+ "requirement": "recommended"
+ },
+ "service_start_name": {
+ "requirement": "recommended"
+ },
+ "service_start_type": {
+ "requirement": "optional"
+ },
+ "service_start_type_id": {
+ "requirement": "recommended"
+ },
+ "service_type": {
+ "requirement": "optional"
+ },
+ "service_type_id": {
+ "requirement": "recommended"
+ }
+ },
+ "constraints": {
+ "at_least_one": [
+ "cmd_line",
+ "service_category_id",
+ "service_dependencies",
+ "service_error_control_id",
+ "service_start_name",
+ "service_start_type_id",
+ "service_type_id"
+ ]
+ }
+}
+
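Review bot: The `at_least_one` constraint demands a configuration attribute on every `win_service` object, yet the activity class added in this change makes `win_service` required for Start, Stop, Pause and Continue, where a source may report nothing but the service name. A producer in that position has to either fail validation or fill a field such as `service_type_id` with 0, which adds noise without information. If the constraint is intentional, state it in the object description, e.g. `"description": "The Windows Service object describes a Windows service. At least one configuration attribute besides name must be populated."`; otherwise consider dropping it, since `name` is already required. `load_order_group` is marked `recommended` but is missing from the list, which looks like an oversight if the list is meant to cover all recommended attributes.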
diff --git a/includes/network/network_activities.json b/includes/network/network_activities.json
index c7cbbfeba..e218fbd4f 100644
--- a/includes/network/network_activities.json
+++ b/includes/network/network_activities.json
@@ -27,6 +27,10 @@
"6": {
"caption": "Traffic",
"description": "Network traffic report."
+ },
+ "7": {
+ "caption": "Listen",
+ "description": "A network endpoint began listening for new network connections."
}
}
}
diff --git a/includes/occurrence.json b/includes/occurrence.json
index 7902aa2f4..04f292c34 100644
--- a/includes/occurrence.json
+++ b/includes/occurrence.json
@@ -9,6 +9,7 @@
"requirement": "optional"
},
"duration": {
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional"
},
"end_time": {
diff --git a/metaschema/attribute.schema.json b/metaschema/attribute.schema.json
index 43e58d287..68c10ff8d 100644
--- a/metaschema/attribute.schema.json
+++ b/metaschema/attribute.schema.json
@@ -73,4 +73,4 @@
}
}
}
-}
\ No newline at end of file
+}
diff --git a/metaschema/dictionary-attribute.schema.json b/metaschema/dictionary-attribute.schema.json
index d41017033..e2cf310d0 100644
--- a/metaschema/dictionary-attribute.schema.json
+++ b/metaschema/dictionary-attribute.schema.json
@@ -53,9 +53,25 @@
"type": "boolean",
"description": "A flag used when the attribute represents an array of values rather than a single value."
},
+ "suppress_checks": {
+ "type": "array",
+ "items": {
+ "type": "string",
+ "anyOf": [
+ {
+ "const": "enum_convention",
+ "description": "Suppresses the convention that every Enum type has two common values with integer value 0 for Unknown and 99 for Other."
+ },
+ {
+ "const": "sibling_convention",
+ "description": "Suppresses the convention that a sibling field for a field that has an _id suffix should be the name with the _id suffix stripped."
+ }
+ ]
+ }
+ },
"observable": {
"$ref": "observable.schema.json"
}
},
"additionalProperties": false
-}
\ No newline at end of file
+}
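Review bot: The new `suppress_checks` property has no `description` of its own, unlike the neighbouring `is_array` property, and the array accepts duplicate entries. Because this switch lets a dictionary attribute opt out of validator conventions, I would make its purpose explicit and tighten the shape by adding `"description": "Validator convention checks to skip for this attribute."` and `"uniqueItems": true` next to `"type": "array"`. If suppression is meant to work on attributes defined outside the dictionary, `attribute.schema.json` may need the same property; its property list is outside this hunk.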
diff --git a/migrations/curate-qdm-1.2.3-qdm-1.3.0.log b/migrations/curate-qdm-1.2.3-qdm-1.3.0.log
new file mode 100644
index 000000000..48203a7a2
--- /dev/null
+++ b/migrations/curate-qdm-1.2.3-qdm-1.3.0.log
@@ -0,0 +1,28285 @@
+[2024-08-20 08:54 DEBUG] Deciding action for objects.web_resource.attributes.name.requirement caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for objects.web_resource.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update objects.web_resource.attributes.name.requirement after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for objects.web_resource.attributes.uid.requirement caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for objects.web_resource.attributes.uid.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update objects.web_resource.attributes.uid.requirement after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for objects.policy.attributes.is_applied.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.data_security.attributes.data_lifecycle_state_id.enum.99 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.data_security.attributes.data_lifecycle_state_id.enum.0.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for objects.tactic.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for objects.tactic.attributes.name.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for objects.tactic.attributes.name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update objects.tactic.attributes.name.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for objects.tactic.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for objects.tactic.attributes.src_url.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for objects.tactic.attributes.src_url.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update objects.tactic.attributes.src_url.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for objects.tactic.attributes.uid.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for objects.tactic.attributes.uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update objects.tactic.attributes.uid.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for objects.session.attributes.credential_uid.observable caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.managed_entity.attributes.device caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.managed_entity.attributes.org caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.managed_entity.attributes.email caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.managed_entity.attributes.user caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.managed_entity.attributes.type_id caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.managed_entity.attributes.group caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.managed_entity.attributes.policy caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.managed_entity.constraints.at_least_one caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for objects.managed_entity.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for objects.resource_details.attributes.uid.requirement caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for objects.resource_details.attributes.uid.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update objects.resource_details.attributes.uid.requirement after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for objects.resource_details.attributes.name.requirement caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for objects.resource_details.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update objects.resource_details.attributes.name.requirement after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for objects.malware.attributes.classification_ids.enum.99.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.malware.attributes.classification_ids.enum.0.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.malware.attributes.classifications.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for objects.malware.attributes.classifications.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update objects.malware.attributes.classifications.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for objects.device.attributes.uid_alt.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.device.attributes.type_id.enum.15 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.device.attributes.boot_time caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.device.attributes.type_id.enum.14 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.device.attributes.type_id.enum.12 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.device.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.device.attributes.type_id.enum.13 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.device.attributes.risk_level.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for objects.device.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update objects.device.attributes.risk_level.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for objects.device.attributes.type_id.enum.7.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for objects.device.attributes.type.requirement caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for objects.device.attributes.type.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update objects.device.attributes.type.requirement after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for objects.device.attributes.ip.requirement caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for objects.device.attributes.ip.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update objects.device.attributes.ip.requirement after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for objects.device.attributes.name.requirement caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for objects.device.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update objects.device.attributes.name.requirement after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.15 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.14 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.13 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.12 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.7.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for objects.file.attributes.ext caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.service.attributes.run_state_id.enum.99 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.metadata.attributes.loggers.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.metadata.attributes.profiles.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for objects.metadata.attributes.profiles.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update objects.metadata.attributes.profiles.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_ver_id.enum.0.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.network_connection_info.attributes.uid.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_name.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.network_connection_info.attributes.tcp_flags.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.network_connection_info.attributes.boundary_id.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_ver.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.network_connection_info.attributes.boundary.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_ver_id.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_ver_id.enum.99.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.authorization.attributes.decision.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.authorization.attributes.policy.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.14 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.13 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.15 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.12 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.7.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for objects.account.attributes.name.observable caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.account.attributes.uid.observable caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.ldap_person.attributes.phone_number caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.technique.attributes.uid.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for objects.technique.attributes.uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update objects.technique.attributes.uid.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for objects.technique.attributes.name.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for objects.technique.attributes.name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update objects.technique.attributes.name.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for objects.technique.attributes.src_url.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for objects.technique.attributes.src_url.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update objects.technique.attributes.src_url.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for objects.technique.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for objects.technique.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for objects.dns_query.attributes.opcode_id.enum.99 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.dns_query.attributes.opcode_id.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for objects.dns_query.attributes.opcode_id.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update objects.dns_query.attributes.opcode_id.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for objects.certificate.attributes.is_self_signed caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.evidences.attributes.email caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.evidences.attributes.win_service caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.evidences.attributes.url caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.evidences.attributes.reg_key caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.evidences.attributes.device caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.evidences.attributes.job caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.evidences.attributes.reg_value caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.evidences.attributes.user caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.evidences.constraints.at_least_one caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for objects.evidences.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for objects.evidences.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for objects.evidences.extends caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for objects.user.attributes.credential_uid.observable caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.user.attributes.uid.observable caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.user.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.user.attributes.phone_number caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.user.attributes.has_mfa caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.user.attributes.risk_level.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for objects.user.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update objects.user.attributes.risk_level.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for objects.url.attributes.resource_type.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.url.attributes.categories.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.url.attributes.domain caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.package.attributes.cpe_name caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.package.attributes.vendor_name caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.package.attributes.type_id caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.package.attributes.type caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.package.attributes.hash caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.attack.attributes.tactic.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for objects.attack.attributes.tactic.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update objects.attack.attributes.tactic.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for objects.attack.attributes.technique.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for objects.attack.attributes.technique.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update objects.attack.attributes.technique.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for objects.attack.attributes.sub_technique.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for objects.attack.attributes.sub_technique.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update objects.attack.attributes.sub_technique.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for objects.attack.attributes.tactics.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for objects.attack.attributes.tactics.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update objects.attack.attributes.tactics.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for objects.attack.attributes.version.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for objects.attack.attributes.version.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update objects.attack.attributes.version.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for objects.attack.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for objects.security_state.attributes.state.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.security_state.attributes.state_id.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.load_balancer.attributes.ip caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.3 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.99 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.4 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.0.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.5 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.6 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.job.attributes.run_state_id.enum.0.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.job.attributes.run_state_id.enum.99.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.analytic.attributes.type_id.enum.4 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.digital_signature.attributes.state caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.digital_signature.attributes.state_id caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.logger.attributes.logged_time.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.module.attributes.load_type_id.enum.0.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.module.attributes.load_type_id.enum.99.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.module.attributes.load_type.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for objects.module.attributes.load_type.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update objects.module.attributes.load_type.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for objects.module.attributes.load_type_id.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for objects.module.attributes.load_type_id.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update objects.module.attributes.load_type_id.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.19 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects._resource.attributes.uid.requirement caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for objects._resource.attributes.uid.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update objects._resource.attributes.uid.requirement after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for objects._resource.attributes.name.requirement caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for objects._resource.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update objects._resource.attributes.name.requirement after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for objects.process.attributes.integrity_id.enum.0.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.process.attributes.integrity_id.enum.99.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.process.attributes.integrity.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for objects.process.attributes.integrity.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update objects.process.attributes.integrity.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for objects.group.attributes.uid.observable caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.group.attributes.name.observable caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.product.attributes.feature.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.product.attributes.path.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.product.attributes.url_string.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.kb_article.attributes.install_state caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.kb_article.attributes.install_state_id caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.kb_article.attributes.avg_timespan caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.enrichment.attributes.short_desc caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.enrichment.attributes.desc caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.enrichment.attributes.reputation caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.enrichment.attributes.created_time caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.enrichment.attributes.src_url caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.compliance.attributes.compliance_references caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.compliance.attributes.compliance_standards caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.compliance.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for objects.compliance.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate objects.compliance.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for objects.sub_technique.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for objects.sub_technique.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for objects.sub_technique.attributes.src_url.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for objects.sub_technique.attributes.src_url.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update objects.sub_technique.attributes.src_url.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for objects.sub_technique.attributes.name.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for objects.sub_technique.attributes.name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update objects.sub_technique.attributes.name.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for objects.sub_technique.attributes.uid.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for objects.sub_technique.attributes.uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update objects.sub_technique.attributes.uid.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for objects.dns_answer.attributes.flag_ids.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.dns_answer.attributes.flag_ids.enum.0.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.dns_answer.attributes.flags.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.dns_answer.attributes.flag_ids.enum.99.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.12 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.14 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.13 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.15 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.7.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for objects.firewall_rule.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for objects.firewall_rule.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate objects.firewall_rule.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for objects.firewall_rule.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for objects.affected_package.attributes.hash caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.affected_package.attributes.vendor_name caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.affected_package.attributes.type caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.affected_package.attributes.cpe_name caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.affected_package.attributes.type_id caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.win_resource.attributes.svc_name.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.win_resource.attributes.details.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for objects.win_resource.attributes.name.requirement caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for objects.win_resource.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update objects.win_resource.attributes.name.requirement after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for objects.win_resource.attributes.uid.requirement caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for objects.win_resource.attributes.uid.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update objects.win_resource.attributes.uid.requirement after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.iam.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.iam.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.iam.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.iam.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.iam.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.iam.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.iam.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.iam.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.iam.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.iam.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.iam.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.file_hosting.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.file_hosting.attributes.file_result caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.file_hosting.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.file_hosting.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.file_hosting.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.file_hosting.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.file_hosting.profiles caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.file_hosting.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.file_hosting.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.file_hosting.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.file_hosting.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.file_hosting.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.file_hosting.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.resource_activity.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.resource_activity.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.resource_activity.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.resource_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.resource_activity.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.resource_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.resource_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.resource_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.resource_activity.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.resource_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.resource_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.resource_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.discovery_result.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.discovery_result.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.discovery_result.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.discovery_result.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.discovery_result.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.discovery_result.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.discovery_result.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.discovery_result.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.discovery_result.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.discovery_result.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.discovery_result.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.user_access.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.user_access.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.user_access.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.user_access.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.user_access.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.user_access.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.user_access.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.user_access.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.user_access.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.user_access.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.user_access.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.registry_key_activity.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.registry_key_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.registry_key_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.registry_key_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.registry_key_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.registry_key_activity.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.registry_key_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.registry_key_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.registry_key_activity.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.registry_key_activity.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.registry_key_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.registry_key_activity.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.ssh_activity.attributes.type_uid.enum.400707 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.ssh_activity.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.ssh_activity.attributes.tls.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.ssh_activity.attributes.activity_id.enum.7 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.ssh_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.ssh_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.ssh_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.ssh_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.ssh_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.ssh_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.ssh_activity.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.ssh_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.ssh_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.ssh_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.ssh_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.ssh_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.ssh_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.ssh_activity.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.ssh_activity.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.ssh_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.ssh_activity.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.ssh_activity.attributes.tls.group caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_file_activity.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_file_activity.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_file_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.email_file_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.email_file_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_file_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.email_file_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.email_file_activity.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_file_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_file_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_file_activity.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.email_file_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.email_file_activity.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_file_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.registry_value_activity.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.registry_value_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.registry_value_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.registry_value_activity.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.registry_value_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.registry_value_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.registry_value_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.registry_value_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.registry_value_activity.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.registry_value_activity.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.registry_value_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.registry_value_activity.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_activity.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_activity.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.email_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.email_activity.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.email_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.email_activity.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.email_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.email_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_activity.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.detection_finding.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.detection_finding.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.detection_finding.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.detection_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.detection_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.detection_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.detection_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.detection_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.detection_finding.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.detection_finding.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.detection_finding.attributes.risk_level.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.detection_finding.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.detection_finding.attributes.risk_level.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.detection_finding.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.detection_finding.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.detection_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.detection_finding.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.detection_finding.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.dns_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.dns_activity.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.dns_activity.attributes.tls.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.dns_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.dns_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.dns_activity.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.dns_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.dns_activity.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.dns_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.dns_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.dns_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.dns_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.dns_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.dns_activity.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.dns_activity.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.dns_activity.attributes.tls.group caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.dns_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.dns_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.dns_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.dns_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.ntp_activity.attributes.tls.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.ntp_activity.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.ntp_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.ntp_activity.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.ntp_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.ntp_activity.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.ntp_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.ntp_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.ntp_activity.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.ntp_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.ntp_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.ntp_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.ntp_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.ntp_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.ntp_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.ntp_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.ntp_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.ntp_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.ntp_activity.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.ntp_activity.attributes.tls.group caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.memory_activity.attributes.activity_id.enum.9 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.memory_activity.attributes.size.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.memory_activity.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.memory_activity.attributes.type_uid.enum.100409 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.memory_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.memory_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.memory_activity.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.memory_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.memory_activity.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.memory_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.memory_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.memory_activity.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.memory_activity.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.memory_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.memory_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.memory_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.memory_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.inventory_info.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.inventory_info.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.inventory_info.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.inventory_info.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.inventory_info.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.inventory_info.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.inventory_info.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.inventory_info.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.inventory_info.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.inventory_info.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.inventory_info.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.network_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.network_activity.attributes.type_uid.enum.400107 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.network_activity.attributes.tls.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.network_activity.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.network_activity.attributes.activity_id.enum.7 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.network_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.network_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.network_activity.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.network_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.network_activity.attributes.tls.group caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.network_activity.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.network_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.network_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.network_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.network_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.network_activity.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.network_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.network_activity.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.network_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.network_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.network_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.network_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.compliance_finding.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.compliance_finding.attributes.resource.@deprecated caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.compliance_finding.attributes.resources caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.compliance_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.compliance_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.compliance_finding.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.compliance_finding.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.compliance_finding.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.compliance_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.compliance_finding.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.compliance_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.compliance_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.compliance_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.scheduled_job_activity.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.scheduled_job_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.scheduled_job_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.scheduled_job_activity.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.scheduled_job_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.scheduled_job_activity.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.scheduled_job_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.scheduled_job_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.scheduled_job_activity.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.scheduled_job_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.scheduled_job_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.scheduled_job_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.scheduled_job_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.scheduled_job_activity.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.patch_state.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.patch_state.attributes.$include caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.patch_state.attributes.device.profile caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.patch_state.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.patch_state.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.patch_state.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.patch_state.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.patch_state.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.patch_state.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.patch_state.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.patch_state.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.patch_state.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.patch_state.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.web_resource_access_activity.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.web_resource_access_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.web_resource_access_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.web_resource_access_activity.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.web_resource_access_activity.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.web_resource_access_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.web_resource_access_activity.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.web_resource_access_activity.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.web_resource_access_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.web_resource_access_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.web_resource_access_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.18 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.27 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.12.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.16 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.13.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.26 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.6.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.3.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.20 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.21 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.security_finding.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.4.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.5.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.19 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.24 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.25 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.11.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.8.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.2.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.17 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.22 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.1.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.23 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.7.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.9 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.security_finding.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.security_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.security_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.security_finding.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.security_finding.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.security_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.security_finding.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.security_finding.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.security_finding.attributes.risk_level.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.security_finding.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.security_finding.attributes.risk_level.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.security_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.security_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.security_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.security_finding.profiles caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.account_change.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.account_change.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.account_change.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.account_change.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.account_change.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.account_change.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.account_change.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.account_change.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.account_change.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.account_change.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.account_change.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.ftp_activity.attributes.tls.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.ftp_activity.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.ftp_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.ftp_activity.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.ftp_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.ftp_activity.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.ftp_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.ftp_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.ftp_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.ftp_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.ftp_activity.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.ftp_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.ftp_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.ftp_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.ftp_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.ftp_activity.attributes.tls.group caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.ftp_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.ftp_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.ftp_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.ftp_activity.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.discovery.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.discovery.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.discovery.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.discovery.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.discovery.profiles caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.discovery.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.discovery.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.discovery.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.discovery.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.discovery.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.discovery.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.discovery.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.http_activity.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.http_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.http_activity.attributes.tls.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.http_activity.attributes.http_status.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.http_activity.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.http_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.http_activity.attributes.tls.group caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.http_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.http_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.http_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.http_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.http_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.http_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.http_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.http_activity.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.http_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.http_activity.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.http_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.http_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.http_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.http_activity.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.datastore_activity.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.datastore_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.datastore_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.datastore_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.datastore_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.datastore_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.datastore_activity.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.datastore_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.datastore_activity.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.datastore_activity.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.datastore_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.datastore_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.datastore_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.datastore_activity.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.authentication.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.authentication.attributes.logon_process.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.authentication.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.authentication.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.authentication.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.authentication.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.authentication.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.authentication.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.authentication.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.dhcp_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.dhcp_activity.attributes.tls.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.dhcp_activity.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.dhcp_activity.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.dhcp_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.dhcp_activity.attributes.tls.group caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.dhcp_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.dhcp_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.dhcp_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.dhcp_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.dhcp_activity.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.dhcp_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.dhcp_activity.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.dhcp_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.dhcp_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.dhcp_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.dhcp_activity.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.file_activity.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.file_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.file_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.file_activity.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.file_activity.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.file_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.file_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.file_activity.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.file_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.file_activity.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.file_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.file_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.file_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.file_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_delivery_activity.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.11.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.27 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.21 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.12.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.6.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.26 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.9 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.2.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.19 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.17 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.20 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.5.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.25 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.24 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.13.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.18 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.22 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.3.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.7.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.8.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.23 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.16 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.1.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.4.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.web_resources_activity.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.web_resources_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.web_resources_activity.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.web_resources_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.web_resources_activity.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.web_resources_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.web_resources_activity.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.web_resources_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.web_resources_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.web_resources_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.web_resources_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.web_resources_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.web_resources_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.web_resources_activity.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.incident_finding.attributes.ticket caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.incident_finding.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.incident_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.incident_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.incident_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.incident_finding.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.incident_finding.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.incident_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.incident_finding.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.incident_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.incident_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.incident_finding.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.incident_finding.profiles caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.network_file_activity.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.network_file_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.network_file_activity.attributes.tls.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.network_file_activity.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.network_file_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.network_file_activity.attributes.tls.group caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.network_file_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.network_file_activity.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.network_file_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.network_file_activity.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.network_file_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.network_file_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.network_file_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.network_file_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.network_file_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.network_file_activity.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.network_file_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.8 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.3.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.9 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300413 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.2.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.1.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.5 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300407 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300411 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.12 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300409 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300408 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.11 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300412 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.entity_management.attributes.access_mask caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.entity_management.attributes.access_list caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300405 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.7 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.entity_management.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300410 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.6 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.4.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.13 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.10 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300406 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.entity_management.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.entity_management.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.entity_management.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.entity_management.attributes.actor.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.entity_management.attributes.actor.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.entity_management.attributes.actor.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.entity_management.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.entity_management.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.entity_management.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.entity_management.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.entity_management.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.entity_management.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.entity_management.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.module_activity.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.module_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.module_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.module_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.module_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.module_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.module_activity.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.module_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.module_activity.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.module_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.module_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.module_activity.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.module_activity.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.module_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.process_activity.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.process_activity.attributes.injection_type_id.enum.3 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.process_activity.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.process_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.process_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.process_activity.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.process_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.process_activity.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.process_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.process_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.process_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.process_activity.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.process_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.process_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.process_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.group_management.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.group_management.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.group_management.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.group_management.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.group_management.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.group_management.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.group_management.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.group_management.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.group_management.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.group_management.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.group_management.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.rdp_activity.attributes.tls.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.rdp_activity.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.rdp_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.rdp_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.rdp_activity.attributes.tls.group caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.rdp_activity.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.rdp_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.rdp_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.rdp_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.rdp_activity.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.rdp_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.rdp_activity.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.rdp_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.rdp_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.rdp_activity.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.rdp_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.rdp_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.rdp_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.rdp_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.rdp_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.network.attributes.tls.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.network.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.network.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.network.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.network.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.network.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.network.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.network.attributes.tls.group caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.network.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.network.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.network.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.network.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.network.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.network.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.network.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.network.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.network.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.network.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.network.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.network.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.kernel_extension.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.kernel_extension.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.kernel_extension.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.kernel_extension.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.kernel_extension.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.kernel_extension.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.kernel_extension.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.kernel_extension.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.kernel_extension.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.kernel_extension.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.kernel_extension.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.kernel_extension.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.kernel_extension.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.kernel_extension.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.user_inventory.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.user_inventory.profiles caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.user_inventory.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.user_inventory.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.user_inventory.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.user_inventory.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.user_inventory.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.user_inventory.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.user_inventory.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.user_inventory.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.user_inventory.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.user_inventory.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.device_config_state_change.attributes.security_states.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.device_config_state_change.attributes.state caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.device_config_state_change.attributes.security_level.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.device_config_state_change.attributes.state_id caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.device_config_state_change.attributes.prev_security_states.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.device_config_state_change.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.device_config_state_change.attributes.security_level_id.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.device_config_state_change.attributes.prev_security_level.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.device_config_state_change.attributes.prev_security_level_id.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.device_config_state_change.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.device_config_state_change.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.device_config_state_change.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.device_config_state_change.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.device_config_state_change.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.device_config_state_change.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.device_config_state_change.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.device_config_state_change.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.device_config_state_change.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.device_config_state_change.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.finding.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.finding.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.finding.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.finding.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.finding.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.finding.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.finding.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_url_activity.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_url_activity.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_url_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_url_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.email_url_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.email_url_activity.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_url_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_url_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_url_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.email_url_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.email_url_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.email_url_activity.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.email_url_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.email_url_activity.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.application.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.application.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.application.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.application.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.application.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.application.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.application.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.application.profiles caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.application.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.application.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.application.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.application.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.scan_activity.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.scan_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.scan_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.scan_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.scan_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.scan_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.scan_activity.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.scan_activity.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.scan_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.scan_activity.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.scan_activity.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.smb_activity.attributes.tls.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.smb_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.smb_activity.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.smb_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.smb_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.smb_activity.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.smb_activity.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.smb_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.smb_activity.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.smb_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.smb_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.smb_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.smb_activity.attributes.tls.group caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.smb_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.smb_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.smb_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.smb_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.smb_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.smb_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.smb_activity.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.config_state.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.config_state.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.config_state.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.config_state.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.config_state.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.config_state.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.config_state.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.config_state.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.config_state.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.config_state.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.config_state.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.vulnerability_finding.attributes.resources caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.vulnerability_finding.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.vulnerability_finding.attributes.resource.@deprecated caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.vulnerability_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.vulnerability_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.vulnerability_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.vulnerability_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.vulnerability_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.vulnerability_finding.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.vulnerability_finding.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.vulnerability_finding.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.vulnerability_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.vulnerability_finding.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.base_event.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.base_event.profiles caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.base_event.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.base_event.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.base_event.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.base_event.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.base_event.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.base_event.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.base_event.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.base_event.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.base_event.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.base_event.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.kernel_activity.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.kernel_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.kernel_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.kernel_activity.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.kernel_activity.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.kernel_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.kernel_activity.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.kernel_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.kernel_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.kernel_activity.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.kernel_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.kernel_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.kernel_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.kernel_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.system.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.system.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.system.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.system.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.system.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.system.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.system.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.system.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.system.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.system.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.system.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.system.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.system.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.system.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.data_security_finding.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.data_security_finding.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.data_security_finding.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.data_security_finding.attributes.resources.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.data_security_finding.attributes.resources.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.data_security_finding.attributes.resources.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.data_security_finding.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.data_security_finding.attributes.risk_level.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.data_security_finding.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.data_security_finding.attributes.risk_level.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.data_security_finding.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.data_security_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.data_security_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.data_security_finding.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.data_security_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.data_security_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.data_security_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.data_security_finding.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.data_security_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.data_security_finding.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.data_security_finding.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.authorize_session.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.authorize_session.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.authorize_session.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.authorize_session.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.authorize_session.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.authorize_session.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.authorize_session.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.authorize_session.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.authorize_session.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.authorize_session.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.authorize_session.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.prefetch_query.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.prefetch_query.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.prefetch_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.prefetch_query.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.prefetch_query.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.prefetch_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.prefetch_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.prefetch_query.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.prefetch_query.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.prefetch_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.prefetch_query.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.registry_value_query.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.registry_value_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.registry_value_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.registry_value_query.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.registry_value_query.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.registry_value_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.registry_value_query.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.registry_value_query.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.registry_value_query.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.registry_value_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.registry_value_query.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.registry_key_query.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.registry_key_query.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.registry_key_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.registry_key_query.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.registry_key_query.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.registry_key_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.registry_key_query.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.registry_key_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.registry_key_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.registry_key_query.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.registry_key_query.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.tunnel_activity.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.tunnel_activity.attributes.tls.requirement caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.tunnel_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.tunnel_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.tunnel_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.tunnel_activity.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.tunnel_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.tunnel_activity.attributes.tls.group caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.tunnel_activity.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.tunnel_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.tunnel_activity.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.tunnel_activity.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.tunnel_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.tunnel_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.tunnel_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.tunnel_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.tunnel_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.peripheral_device_query.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.peripheral_device_query.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.peripheral_device_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.peripheral_device_query.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.peripheral_device_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.peripheral_device_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.peripheral_device_query.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.peripheral_device_query.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.peripheral_device_query.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.peripheral_device_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.peripheral_device_query.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.session_query.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.session_query.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.session_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.session_query.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.session_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.session_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.session_query.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.session_query.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.session_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.session_query.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.session_query.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.user_query.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.user_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.user_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.user_query.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.user_query.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.user_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.user_query.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.user_query.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.user_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.user_query.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.user_query.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.api_activity.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.api_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.api_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.api_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.api_activity.profiles caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.api_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.api_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.api_activity.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.api_activity.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.api_activity.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.api_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.api_activity.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.6 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.8 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.application_lifecycle.attributes.osint caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.7 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.application_lifecycle.attributes.type_uid.enum.600208 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.4.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.application_lifecycle.attributes.type_uid.enum.600206 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.3.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.2.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.5 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.application_lifecycle.attributes.type_uid.enum.600205 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.application_lifecycle.attributes.type_uid.enum.600207 caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.1.description caused by ADD
+[2024-08-20 08:54 DEBUG] Deciding action for events.application_lifecycle.attributes.status_detail.description caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.application_lifecycle.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to update events.application_lifecycle.attributes.status_detail.description after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.application_lifecycle.attributes.status_detail.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.application_lifecycle.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.application_lifecycle.attributes.status_detail.caption after detecting 3.
+[2024-08-20 08:54 DEBUG] Deciding action for events.application_lifecycle.attributes.duration.type caused by UPDATE
+[2024-08-20 08:54 DEBUG] Deciding action for events.application_lifecycle.attributes.duration.caption caused by UPDATE
+[2024-08-20 08:54 DEBUG] Multiple directives possible for events.application_lifecycle.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-20 08:54 INFO] Choosing to deprecate events.application_lifecycle.attributes.duration.caption after detecting 3.
+[2024-08-20 08:54 WARNING] Skipping empty record dictionary.types.attributes
+[2024-08-22 17:43 DEBUG] Deciding action for objects.registry_key caused by REMOVE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.registry_key.
+UPDATE: 200
+PRESERVE: 0
+DEPRECATE: 20
+IGNORE: 0
+ UPDATE: objects.registry_key
+ DEPRECATE: ?.?
+
+[2024-08-22 17:43 INFO] Choosing to update objects.registry_key after detecting 2.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.registry_value caused by REMOVE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.registry_value.
+UPDATE: 200
+PRESERVE: 0
+DEPRECATE: 20
+IGNORE: 0
+ UPDATE: objects.registry_value
+ DEPRECATE: ?.?
+
+[2024-08-22 17:43 INFO] Choosing to update objects.registry_value after detecting 2.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.web_resource.attributes.uid.requirement caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.web_resource.attributes.uid.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects.web_resource.attributes.uid.requirement after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.web_resource.attributes.name.requirement caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.web_resource.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects.web_resource.attributes.name.requirement after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.policy.attributes.is_applied.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.data_security.attributes.data_lifecycle_state_id.enum.99 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.data_security.attributes.data_lifecycle_state_id.enum.0.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for objects.tactic.attributes.uid.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.tactic.attributes.uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects.tactic.attributes.uid.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.tactic.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for objects.tactic.attributes.src_url.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.tactic.attributes.src_url.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects.tactic.attributes.src_url.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.tactic.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for objects.tactic.attributes.name.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.tactic.attributes.name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects.tactic.attributes.name.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.session.attributes.credential_uid.observable caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.managed_entity.attributes.email caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.managed_entity.attributes.group caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.managed_entity.attributes.policy caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.managed_entity.attributes.org caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.managed_entity.attributes.device caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.managed_entity.attributes.user caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.managed_entity.attributes.type_id caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.managed_entity.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for objects.managed_entity.constraints.at_least_one caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for objects.resource_details.attributes.name.requirement caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.resource_details.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects.resource_details.attributes.name.requirement after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.resource_details.attributes.uid.requirement caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.resource_details.attributes.uid.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects.resource_details.attributes.uid.requirement after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.malware.attributes.classification_ids.enum.99.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.malware.attributes.classification_ids.enum.0.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.malware.attributes.classifications.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.malware.attributes.classifications.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects.malware.attributes.classifications.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.device.attributes.boot_time caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.device.attributes.uid_alt.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.device.attributes.type_id.enum.15 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.device.attributes.type_id.enum.14 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.device.attributes.type_id.enum.12 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.device.attributes.type_id.enum.13 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.device.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.device.attributes.risk_level.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.device.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects.device.attributes.risk_level.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.device.attributes.type_id.enum.7.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for objects.device.attributes.name.requirement caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.device.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects.device.attributes.name.requirement after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.device.attributes.ip.requirement caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.device.attributes.ip.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects.device.attributes.ip.requirement after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.device.attributes.type.requirement caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.device.attributes.type.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects.device.attributes.type.requirement after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.13 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.14 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.15 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.12 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.7.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for objects.cloud.attributes.project_uid.@deprecated caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.cloud.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for objects.file.attributes.ext caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.service.attributes.run_state_id.enum.99 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.metadata.attributes.loggers.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.metadata.attributes.profiles.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.metadata.attributes.profiles.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects.metadata.attributes.profiles.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_ver_id.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.network_connection_info.attributes.uid.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_name.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.network_connection_info.attributes.boundary_id.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_ver_id.enum.99.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.network_connection_info.attributes.tcp_flags.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_ver.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_ver_id.enum.0.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.network_connection_info.attributes.boundary.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.authorization.attributes.decision.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.authorization.attributes.policy.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.12 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.15 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.14 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.13 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.7.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for objects.account.attributes.uid.observable caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.account.attributes.type_id.enum.11 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.account.attributes.type_id.enum.13 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.account.attributes.type_id.enum.14 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.account.attributes.type_id.enum.12 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.account.attributes.type_id.enum.16 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.account.attributes.name.observable caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.account.attributes.type_id.enum.15 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.account.attributes.type_id.enum.17 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.account.attributes.name.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.account.attributes.name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects.account.attributes.name.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.account.attributes.uid.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.account.attributes.uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects.account.attributes.uid.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.account.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for objects.ldap_person.attributes.phone_number caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.technique.attributes.name.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.technique.attributes.name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects.technique.attributes.name.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.technique.attributes.uid.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.technique.attributes.uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects.technique.attributes.uid.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.technique.attributes.src_url.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.technique.attributes.src_url.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects.technique.attributes.src_url.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.technique.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for objects.technique.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for objects.dns_query.attributes.opcode_id.enum.99 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.dns_query.attributes.opcode_id.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.dns_query.attributes.opcode_id.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects.dns_query.attributes.opcode_id.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.certificate.attributes.is_self_signed caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.evidences.attributes.email caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.evidences.attributes.job caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.evidences.attributes.win_service caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.evidences.attributes.device caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.evidences.attributes.url caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.evidences.attributes.user caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.evidences.attributes.reg_value caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.evidences.attributes.reg_key caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.evidences.extends caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for objects.evidences.constraints.at_least_one caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for objects.evidences.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for objects.evidences.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for objects.user.attributes.phone_number caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.user.attributes.uid.observable caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.user.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.user.attributes.has_mfa caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.user.attributes.credential_uid.observable caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.user.attributes.risk_level.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.user.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects.user.attributes.risk_level.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.url.attributes.domain caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.url.attributes.resource_type.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.url.attributes.categories.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.package.attributes.cpe_name caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.package.attributes.hash caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.package.attributes.vendor_name caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.package.attributes.type_id caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.package.attributes.type caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.attack.attributes.technique.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.attack.attributes.technique.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects.attack.attributes.technique.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.attack.attributes.tactics.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.attack.attributes.tactics.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects.attack.attributes.tactics.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.attack.attributes.sub_technique.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.attack.attributes.sub_technique.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects.attack.attributes.sub_technique.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.attack.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for objects.attack.attributes.version.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.attack.attributes.version.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects.attack.attributes.version.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.attack.attributes.tactic.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.attack.attributes.tactic.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects.attack.attributes.tactic.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.security_state.attributes.state_id.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.security_state.attributes.state.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.load_balancer.attributes.ip caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.6 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.5 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.4 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.0.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.3 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.99 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.job.attributes.run_state_id.enum.0.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.job.attributes.run_state_id.enum.99.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.analytic.attributes.type_id.enum.4 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.digital_signature.attributes.state caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.digital_signature.attributes.state_id caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.logger.attributes.logged_time.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.organization.attributes.uid.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.organization.attributes.uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects.organization.attributes.uid.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.organization.attributes.ou_uid.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.organization.attributes.ou_uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects.organization.attributes.ou_uid.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.organization.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for objects.organization.attributes.name.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.organization.attributes.name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects.organization.attributes.name.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.organization.attributes.ou_name.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.organization.attributes.ou_name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects.organization.attributes.ou_name.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.module.attributes.load_type_id.enum.0.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.module.attributes.load_type_id.enum.99.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.module.attributes.load_type.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.module.attributes.load_type.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects.module.attributes.load_type.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.module.attributes.load_type_id.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.module.attributes.load_type_id.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects.module.attributes.load_type_id.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.19 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.34 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.31 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.35 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.32 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.33 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects._resource.attributes.uid.requirement caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects._resource.attributes.uid.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects._resource.attributes.uid.requirement after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects._resource.attributes.name.requirement caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects._resource.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects._resource.attributes.name.requirement after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.process.attributes.integrity_id.enum.0.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.process.attributes.integrity_id.enum.99.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.process.attributes.integrity.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.process.attributes.integrity.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects.process.attributes.integrity.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.group.attributes.name.observable caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.group.attributes.uid.observable caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.product.attributes.path.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.product.attributes.url_string.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.product.attributes.feature.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.kb_article.attributes.install_state caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.kb_article.attributes.install_state_id caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.kb_article.attributes.avg_timespan caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.enrichment.attributes.src_url caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.enrichment.attributes.reputation caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.enrichment.attributes.desc caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.enrichment.attributes.short_desc caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.enrichment.attributes.created_time caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.compliance.attributes.compliance_references caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.compliance.attributes.compliance_standards caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.compliance.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.compliance.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate objects.compliance.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.sub_technique.attributes.name.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.sub_technique.attributes.name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects.sub_technique.attributes.name.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.sub_technique.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for objects.sub_technique.attributes.uid.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.sub_technique.attributes.uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects.sub_technique.attributes.uid.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.sub_technique.attributes.src_url.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.sub_technique.attributes.src_url.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects.sub_technique.attributes.src_url.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.sub_technique.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for objects.dns_answer.attributes.flag_ids.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.dns_answer.attributes.flag_ids.enum.0.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.dns_answer.attributes.flags.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.dns_answer.attributes.flag_ids.enum.99.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.12 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.14 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.15 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.13 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.7.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for objects.firewall_rule.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.firewall_rule.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate objects.firewall_rule.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.firewall_rule.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for objects.affected_package.attributes.type caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.affected_package.attributes.cpe_name caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.affected_package.attributes.vendor_name caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.affected_package.attributes.type_id caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.affected_package.attributes.hash caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.reg_key.@deprecated caused by REMOVE
+[2024-08-22 17:43 DEBUG] Deciding action for objects.reg_key.name caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for objects.reg_key.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for objects.reg_key.attributes.path.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for objects.reg_value.@deprecated caused by REMOVE
+[2024-08-22 17:43 DEBUG] Deciding action for objects.reg_value.attributes.type_id.default caused by REMOVE
+[2024-08-22 17:43 DEBUG] Deciding action for objects.reg_value.attributes.type_id.enum.-1 caused by REMOVE
+[2024-08-22 17:43 DEBUG] Deciding action for objects.reg_value.attributes.path.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for objects.reg_value.name caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for objects.win_resource.attributes.details.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.win_resource.attributes.svc_name.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for objects.win_resource.attributes.uid.requirement caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.win_resource.attributes.uid.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects.win_resource.attributes.uid.requirement after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for objects.win_resource.attributes.name.requirement caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for objects.win_resource.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update objects.win_resource.attributes.name.requirement after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.iam.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.iam.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.iam.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.iam.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.iam.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.iam.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.iam.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.iam.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.iam.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.iam.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.iam.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.file_hosting.attributes.file_result caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.file_hosting.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.file_hosting.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.file_hosting.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.file_hosting.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.file_hosting.profiles caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.file_hosting.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.file_hosting.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.file_hosting.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.file_hosting.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.file_hosting.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.file_hosting.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.file_hosting.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.resource_activity.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.resource_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.resource_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.resource_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.resource_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.resource_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.resource_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.resource_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.resource_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.resource_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.resource_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.resource_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.discovery_result.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.discovery_result.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.discovery_result.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.discovery_result.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.discovery_result.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.discovery_result.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.discovery_result.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.discovery_result.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.discovery_result.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.discovery_result.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.discovery_result.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.user_access.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.user_access.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.user_access.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.user_access.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.user_access.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.user_access.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.user_access.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.user_access.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.user_access.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.user_access.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.user_access.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.registry_key_activity.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.registry_key_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.registry_key_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.registry_key_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.registry_key_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.registry_key_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.registry_key_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.registry_key_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.registry_key_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.registry_key_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.registry_key_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.registry_key_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.ssh_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.ssh_activity.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.ssh_activity.attributes.type_uid.enum.400707 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.ssh_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.ssh_activity.attributes.activity_id.enum.7 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.ssh_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.ssh_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.ssh_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.ssh_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.ssh_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.ssh_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.ssh_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.ssh_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.ssh_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.ssh_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.ssh_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.ssh_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.ssh_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.ssh_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.ssh_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.ssh_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.ssh_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_file_activity.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_file_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_file_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.email_file_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.email_file_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_file_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_file_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_file_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.email_file_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.email_file_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_file_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.email_file_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.email_file_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_file_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.registry_value_activity.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.registry_value_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.registry_value_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.registry_value_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.registry_value_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.registry_value_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.registry_value_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.registry_value_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.registry_value_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.registry_value_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.registry_value_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.registry_value_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_activity.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.email_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.email_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.email_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.email_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.email_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.email_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.detection_finding.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.detection_finding.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.detection_finding.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.detection_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.detection_finding.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.detection_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.detection_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.detection_finding.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.detection_finding.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.detection_finding.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.detection_finding.attributes.risk_level.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.detection_finding.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.detection_finding.attributes.risk_level.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.detection_finding.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.detection_finding.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.detection_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.detection_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.detection_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.dns_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.dns_activity.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.dns_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.dns_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.dns_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.dns_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.dns_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.dns_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.dns_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.dns_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.dns_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.dns_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.dns_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.dns_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.dns_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.dns_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.dns_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.dns_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.dns_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.dns_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.ntp_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.ntp_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.ntp_activity.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.ntp_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.ntp_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.ntp_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.ntp_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.ntp_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.ntp_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.ntp_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.ntp_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.ntp_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.ntp_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.ntp_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.ntp_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.ntp_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.ntp_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.ntp_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.ntp_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.ntp_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.memory_activity.attributes.size.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.memory_activity.attributes.type_uid.enum.100409 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.memory_activity.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.memory_activity.attributes.activity_id.enum.9 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.memory_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.memory_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.memory_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.memory_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.memory_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.memory_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.memory_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.memory_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.memory_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.memory_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.memory_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.memory_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.memory_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.inventory_info.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.inventory_info.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.inventory_info.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.inventory_info.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.inventory_info.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.inventory_info.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.inventory_info.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.inventory_info.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.inventory_info.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.inventory_info.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.inventory_info.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.network_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.network_activity.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.network_activity.attributes.type_uid.enum.400107 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.network_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.network_activity.attributes.activity_id.enum.7 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.network_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.network_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.network_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.network_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.network_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.network_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.network_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.network_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.network_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.network_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.network_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.network_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.network_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.network_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.network_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.network_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.network_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.compliance_finding.attributes.resources caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.compliance_finding.attributes.resource.@deprecated caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.compliance_finding.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.compliance_finding.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.compliance_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.compliance_finding.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.compliance_finding.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.compliance_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.compliance_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.compliance_finding.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.compliance_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.compliance_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.compliance_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.scheduled_job_activity.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.scheduled_job_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.scheduled_job_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.scheduled_job_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.scheduled_job_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.scheduled_job_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.scheduled_job_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.scheduled_job_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.scheduled_job_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.scheduled_job_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.scheduled_job_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.scheduled_job_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.scheduled_job_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.scheduled_job_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.patch_state.attributes.device.profile caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.patch_state.attributes.$include caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.patch_state.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.patch_state.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.patch_state.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.patch_state.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.patch_state.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.patch_state.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.patch_state.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.patch_state.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.patch_state.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.patch_state.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.patch_state.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.web_resource_access_activity.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.web_resource_access_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.web_resource_access_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.web_resource_access_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.web_resource_access_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.web_resource_access_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.web_resource_access_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.web_resource_access_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.web_resource_access_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.web_resource_access_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.web_resource_access_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.17 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.24 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.22 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.9 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.security_finding.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.27 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.12.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.7.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.25 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.23 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.13.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.11.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.security_finding.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.16 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.18 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.26 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.21 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.8.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.5.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.6.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.20 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.19 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.3.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.1.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.2.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.4.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.security_finding.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.security_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.security_finding.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.security_finding.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.security_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.security_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.security_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.security_finding.profiles caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.security_finding.attributes.risk_level.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.security_finding.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.security_finding.attributes.risk_level.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.security_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.security_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.security_finding.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.account_change.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.account_change.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.account_change.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.account_change.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.account_change.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.account_change.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.account_change.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.account_change.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.account_change.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.account_change.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.account_change.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.ftp_activity.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.ftp_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.ftp_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.ftp_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.ftp_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.ftp_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.ftp_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.ftp_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.ftp_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.ftp_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.ftp_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.ftp_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.ftp_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.ftp_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.ftp_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.ftp_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.ftp_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.ftp_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.ftp_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.ftp_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.discovery.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.discovery.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.discovery.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.discovery.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.discovery.profiles caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.discovery.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.discovery.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.discovery.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.discovery.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.discovery.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.discovery.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.discovery.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.http_activity.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.http_activity.attributes.http_status.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.http_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.http_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.http_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.http_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.http_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.http_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.http_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.http_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.http_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.http_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.http_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.http_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.http_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.http_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.http_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.http_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.http_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.http_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.http_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.datastore_activity.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.datastore_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.datastore_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.datastore_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.datastore_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.datastore_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.datastore_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.datastore_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.datastore_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.datastore_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.datastore_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.datastore_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.datastore_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.datastore_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.authentication.attributes.logon_process.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.authentication.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.authentication.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.authentication.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.authentication.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.authentication.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.authentication.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.authentication.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.authentication.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.dhcp_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.dhcp_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.dhcp_activity.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.dhcp_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.dhcp_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.dhcp_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.dhcp_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.dhcp_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.dhcp_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.dhcp_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.dhcp_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.dhcp_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.dhcp_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.dhcp_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.dhcp_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.dhcp_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.dhcp_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.file_activity.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.file_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.file_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.file_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.file_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.file_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.file_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.file_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.file_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.file_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.file_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.file_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.file_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.file_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.2.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.11.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.19 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.3.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.9 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.12.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.4.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.20 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.17 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.5.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.26 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.16 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.21 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.8.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.25 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_delivery_activity.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.13.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.23 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.27 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.24 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.22 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.6.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.1.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.18 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.7.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.web_resources_activity.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.web_resources_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.web_resources_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.web_resources_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.web_resources_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.web_resources_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.web_resources_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.web_resources_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.web_resources_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.web_resources_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.web_resources_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.web_resources_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.web_resources_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.web_resources_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.incident_finding.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.incident_finding.attributes.ticket caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.incident_finding.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.incident_finding.profiles caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.incident_finding.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.incident_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.incident_finding.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.incident_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.incident_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.incident_finding.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.incident_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.incident_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.incident_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.network_file_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.network_file_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.network_file_activity.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.network_file_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.network_file_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.network_file_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.network_file_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.network_file_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.network_file_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.network_file_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.network_file_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.network_file_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.network_file_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.network_file_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.network_file_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.network_file_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.network_file_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300406 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.entity_management.attributes.access_mask caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.10 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300412 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.entity_management.attributes.access_list caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.3.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.8 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.5 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.7 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300413 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.13 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300407 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.2.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.9 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300405 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.12 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300411 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.6 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.11 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.1.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300409 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.4.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.entity_management.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300408 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300410 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.entity_management.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.entity_management.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.entity_management.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.entity_management.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.entity_management.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.entity_management.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.entity_management.attributes.actor.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.entity_management.attributes.actor.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.entity_management.attributes.actor.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.entity_management.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.entity_management.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.entity_management.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.entity_management.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.module_activity.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.module_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.module_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.module_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.module_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.module_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.module_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.module_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.module_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.module_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.module_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.module_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.module_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.module_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.process_activity.attributes.injection_type_id.enum.3 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.process_activity.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.process_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.process_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.process_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.process_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.process_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.process_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.process_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.process_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.process_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.process_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.process_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.process_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.process_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.group_management.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.group_management.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.group_management.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.group_management.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.group_management.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.group_management.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.group_management.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.group_management.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.group_management.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.group_management.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.group_management.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.rdp_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.rdp_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.rdp_activity.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.rdp_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.rdp_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.rdp_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.rdp_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.rdp_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.rdp_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.rdp_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.rdp_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.rdp_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.rdp_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.rdp_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.rdp_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.rdp_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.rdp_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.rdp_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.rdp_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.rdp_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.network.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.network.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.network.attributes.tls.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.network.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.network.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.network.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.network.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.network.attributes.tls.group caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.network.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.network.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.network.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.network.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.network.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.network.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.network.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.network.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.network.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.network.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.network.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.network.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.kernel_extension.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.kernel_extension.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.kernel_extension.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.kernel_extension.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.kernel_extension.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.kernel_extension.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.kernel_extension.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.kernel_extension.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.kernel_extension.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.kernel_extension.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.kernel_extension.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.kernel_extension.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.kernel_extension.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.kernel_extension.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.user_inventory.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.user_inventory.profiles caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.user_inventory.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.user_inventory.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.user_inventory.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.user_inventory.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.user_inventory.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.user_inventory.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.user_inventory.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.user_inventory.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.user_inventory.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.user_inventory.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.device_config_state_change.attributes.prev_security_states.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.device_config_state_change.attributes.prev_security_level.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.device_config_state_change.attributes.security_level_id.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.device_config_state_change.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.device_config_state_change.attributes.security_level.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.device_config_state_change.attributes.state caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.device_config_state_change.attributes.prev_security_level_id.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.device_config_state_change.attributes.state_id caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.device_config_state_change.attributes.security_states.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.device_config_state_change.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.device_config_state_change.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.device_config_state_change.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.device_config_state_change.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.device_config_state_change.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.device_config_state_change.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.device_config_state_change.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.device_config_state_change.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.device_config_state_change.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.device_config_state_change.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.finding.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.finding.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.finding.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.finding.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.finding.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.finding.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.finding.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_url_activity.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_url_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_url_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.email_url_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.email_url_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_url_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.email_url_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.email_url_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_url_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_url_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_url_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.email_url_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.email_url_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.email_url_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.application.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.application.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.application.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.application.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.application.profiles caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.application.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.application.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.application.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.application.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.application.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.application.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.application.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.scan_activity.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.scan_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.scan_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.scan_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.scan_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.scan_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.scan_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.scan_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.scan_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.scan_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.scan_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.smb_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.smb_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.smb_activity.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.smb_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.smb_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.smb_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.smb_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.smb_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.smb_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.smb_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.smb_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.smb_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.smb_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.smb_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.smb_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.smb_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.smb_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.smb_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.smb_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.smb_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.config_state.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.config_state.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.config_state.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.config_state.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.config_state.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.config_state.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.config_state.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.config_state.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.config_state.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.config_state.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.config_state.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.vulnerability_finding.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.vulnerability_finding.attributes.resource.@deprecated caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.vulnerability_finding.attributes.resources caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.vulnerability_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.vulnerability_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.vulnerability_finding.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.vulnerability_finding.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.vulnerability_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.vulnerability_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.vulnerability_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.vulnerability_finding.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.vulnerability_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.vulnerability_finding.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.base_event.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.base_event.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.base_event.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.base_event.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.base_event.profiles caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.base_event.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.base_event.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.base_event.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.base_event.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.base_event.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.base_event.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.base_event.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.kernel_activity.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.kernel_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.kernel_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.kernel_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.kernel_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.kernel_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.kernel_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.kernel_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.kernel_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.kernel_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.kernel_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.kernel_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.kernel_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.kernel_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.system.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.system.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.system.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.system.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.system.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.system.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.system.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.system.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.system.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.system.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.system.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.system.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.system.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.system.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.data_security_finding.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.data_security_finding.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.data_security_finding.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.data_security_finding.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.data_security_finding.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.data_security_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.data_security_finding.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.data_security_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.data_security_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.data_security_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.data_security_finding.attributes.risk_level.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.data_security_finding.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.data_security_finding.attributes.risk_level.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.data_security_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.data_security_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.data_security_finding.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.data_security_finding.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.data_security_finding.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.data_security_finding.attributes.resources.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.data_security_finding.attributes.resources.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.data_security_finding.attributes.resources.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.authorize_session.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.authorize_session.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.authorize_session.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.authorize_session.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.authorize_session.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.authorize_session.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.authorize_session.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.authorize_session.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.authorize_session.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.authorize_session.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.authorize_session.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.prefetch_query.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.prefetch_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.prefetch_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.prefetch_query.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.prefetch_query.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.prefetch_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.prefetch_query.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.prefetch_query.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.prefetch_query.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.prefetch_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.prefetch_query.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.registry_value_query.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.registry_value_query.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.registry_value_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.registry_value_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.registry_value_query.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.registry_value_query.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.registry_value_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.registry_value_query.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.registry_value_query.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.registry_value_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.registry_value_query.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.registry_key_query.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.registry_key_query.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.registry_key_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.registry_key_query.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.registry_key_query.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.registry_key_query.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.registry_key_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.registry_key_query.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.registry_key_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.registry_key_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.registry_key_query.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.tunnel_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.tunnel_activity.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.tunnel_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.tunnel_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.tunnel_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.tunnel_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.tunnel_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.tunnel_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.tunnel_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.tunnel_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.tunnel_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.tunnel_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.tunnel_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.tunnel_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.tunnel_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.tunnel_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.tunnel_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.peripheral_device_query.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.peripheral_device_query.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.peripheral_device_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.peripheral_device_query.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.peripheral_device_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.peripheral_device_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.peripheral_device_query.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.peripheral_device_query.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.peripheral_device_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.peripheral_device_query.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.peripheral_device_query.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.session_query.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.session_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.session_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.session_query.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.session_query.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.session_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.session_query.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.session_query.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.session_query.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.session_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.session_query.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.user_query.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.user_query.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.user_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.user_query.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.user_query.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.user_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.user_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.user_query.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.user_query.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.user_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.user_query.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.api_activity.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.api_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.api_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.api_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.api_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.api_activity.profiles caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.api_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.api_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.api_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.api_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.api_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.api_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.application_lifecycle.attributes.type_uid.enum.600205 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.application_lifecycle.attributes.type_uid.enum.600208 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.4.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.2.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.application_lifecycle.attributes.type_uid.enum.600207 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.application_lifecycle.attributes.osint caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.3.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.application_lifecycle.attributes.type_uid.enum.600206 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.5 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.1.description caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.6 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.8 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.7 caused by ADD
+[2024-08-22 17:43 DEBUG] Deciding action for events.application_lifecycle.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.application_lifecycle.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to update events.application_lifecycle.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.application_lifecycle.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.application_lifecycle.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.application_lifecycle.attributes.duration.caption after detecting 3.
+[2024-08-22 17:43 DEBUG] Deciding action for events.application_lifecycle.attributes.duration.type caused by UPDATE
+[2024-08-22 17:43 DEBUG] Deciding action for events.application_lifecycle.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:43 DEBUG] Multiple directives possible for events.application_lifecycle.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:43 INFO] Choosing to deprecate events.application_lifecycle.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:43 WARNING] Skipping empty record dictionary.types.attributes
+[2024-08-22 17:44 DEBUG] Deciding action for objects.registry_key caused by REMOVE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.registry_key.
+UPDATE: 200
+PRESERVE: 0
+DEPRECATE: 20
+IGNORE: 0
+ UPDATE: objects.registry_key
+ DEPRECATE: ?.?
+
+[2024-08-22 17:44 INFO] Choosing to update objects.registry_key after detecting 2.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.registry_value caused by REMOVE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.registry_value.
+UPDATE: 200
+PRESERVE: 0
+DEPRECATE: 20
+IGNORE: 0
+ UPDATE: objects.registry_value
+ DEPRECATE: ?.?
+
+[2024-08-22 17:44 INFO] Choosing to update objects.registry_value after detecting 2.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.web_resource.attributes.name.requirement caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.web_resource.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects.web_resource.attributes.name.requirement after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.web_resource.attributes.uid.requirement caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.web_resource.attributes.uid.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects.web_resource.attributes.uid.requirement after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.policy.attributes.is_applied.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.data_security.attributes.data_lifecycle_state_id.enum.99 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.data_security.attributes.data_lifecycle_state_id.enum.0.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for objects.tactic.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for objects.tactic.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for objects.tactic.attributes.name.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.tactic.attributes.name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects.tactic.attributes.name.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.tactic.attributes.uid.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.tactic.attributes.uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects.tactic.attributes.uid.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.tactic.attributes.src_url.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.tactic.attributes.src_url.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects.tactic.attributes.src_url.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.session.attributes.credential_uid.observable caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.managed_entity.attributes.policy caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.managed_entity.attributes.type_id caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.managed_entity.attributes.user caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.managed_entity.attributes.org caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.managed_entity.attributes.device caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.managed_entity.attributes.group caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.managed_entity.attributes.email caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.managed_entity.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for objects.managed_entity.constraints.at_least_one caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for objects.resource_details.attributes.uid.requirement caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.resource_details.attributes.uid.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects.resource_details.attributes.uid.requirement after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.resource_details.attributes.name.requirement caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.resource_details.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects.resource_details.attributes.name.requirement after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.malware.attributes.classification_ids.enum.0.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.malware.attributes.classification_ids.enum.99.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.malware.attributes.classifications.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.malware.attributes.classifications.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects.malware.attributes.classifications.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.device.attributes.boot_time caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.device.attributes.type_id.enum.15 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.device.attributes.uid_alt.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.device.attributes.type_id.enum.14 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.device.attributes.type_id.enum.12 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.device.attributes.type_id.enum.13 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.device.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.device.attributes.name.requirement caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.device.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects.device.attributes.name.requirement after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.device.attributes.risk_level.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.device.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects.device.attributes.risk_level.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.device.attributes.ip.requirement caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.device.attributes.ip.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects.device.attributes.ip.requirement after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.device.attributes.type_id.enum.7.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for objects.device.attributes.type.requirement caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.device.attributes.type.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects.device.attributes.type.requirement after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.12 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.14 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.15 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.13 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.7.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for objects.cloud.attributes.project_uid.@deprecated caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.cloud.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for objects.file.attributes.ext caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.service.attributes.run_state_id.enum.99 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.metadata.attributes.loggers.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.metadata.attributes.profiles.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.metadata.attributes.profiles.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects.metadata.attributes.profiles.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_ver.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_ver_id.enum.99.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.network_connection_info.attributes.uid.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_ver_id.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.network_connection_info.attributes.boundary.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.network_connection_info.attributes.boundary_id.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.network_connection_info.attributes.tcp_flags.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_ver_id.enum.0.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_name.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.authorization.attributes.decision.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.authorization.attributes.policy.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.13 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.14 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.12 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.15 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.7.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for objects.account.attributes.type_id.enum.12 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.account.attributes.type_id.enum.11 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.account.attributes.type_id.enum.15 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.account.attributes.uid.observable caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.account.attributes.name.observable caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.account.attributes.type_id.enum.14 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.account.attributes.type_id.enum.17 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.account.attributes.type_id.enum.16 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.account.attributes.type_id.enum.13 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.account.attributes.name.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.account.attributes.name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects.account.attributes.name.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.account.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for objects.account.attributes.uid.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.account.attributes.uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects.account.attributes.uid.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.ldap_person.attributes.phone_number caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.technique.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for objects.technique.attributes.name.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.technique.attributes.name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects.technique.attributes.name.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.technique.attributes.uid.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.technique.attributes.uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects.technique.attributes.uid.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.technique.attributes.src_url.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.technique.attributes.src_url.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects.technique.attributes.src_url.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.technique.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for objects.dns_query.attributes.opcode_id.enum.99 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.dns_query.attributes.opcode_id.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.dns_query.attributes.opcode_id.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects.dns_query.attributes.opcode_id.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.certificate.attributes.is_self_signed caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.evidences.attributes.user caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.evidences.attributes.url caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.evidences.attributes.reg_value caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.evidences.attributes.job caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.evidences.attributes.reg_key caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.evidences.attributes.win_service caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.evidences.attributes.email caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.evidences.attributes.device caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.evidences.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for objects.evidences.extends caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for objects.evidences.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for objects.evidences.constraints.at_least_one caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for objects.user.attributes.phone_number caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.user.attributes.uid.observable caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.user.attributes.credential_uid.observable caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.user.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.user.attributes.has_mfa caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.user.attributes.risk_level.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.user.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects.user.attributes.risk_level.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.url.attributes.domain caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.url.attributes.categories.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.url.attributes.resource_type.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.package.attributes.hash caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.package.attributes.type caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.package.attributes.vendor_name caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.package.attributes.cpe_name caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.package.attributes.type_id caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.attack.attributes.sub_technique.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.attack.attributes.sub_technique.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects.attack.attributes.sub_technique.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.attack.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for objects.attack.attributes.tactic.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.attack.attributes.tactic.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects.attack.attributes.tactic.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.attack.attributes.tactics.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.attack.attributes.tactics.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects.attack.attributes.tactics.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.attack.attributes.version.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.attack.attributes.version.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects.attack.attributes.version.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.attack.attributes.technique.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.attack.attributes.technique.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects.attack.attributes.technique.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.security_state.attributes.state_id.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.security_state.attributes.state.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.load_balancer.attributes.ip caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.5 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.6 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.3 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.0.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.99 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.4 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.job.attributes.run_state_id.enum.99.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.job.attributes.run_state_id.enum.0.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.analytic.attributes.type_id.enum.4 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.digital_signature.attributes.state_id caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.digital_signature.attributes.state caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.logger.attributes.logged_time.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.organization.attributes.ou_uid.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.organization.attributes.ou_uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects.organization.attributes.ou_uid.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.organization.attributes.ou_name.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.organization.attributes.ou_name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects.organization.attributes.ou_name.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.organization.attributes.name.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.organization.attributes.name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects.organization.attributes.name.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.organization.attributes.uid.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.organization.attributes.uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects.organization.attributes.uid.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.organization.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for objects.module.attributes.load_type_id.enum.0.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.module.attributes.load_type_id.enum.99.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.module.attributes.load_type_id.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.module.attributes.load_type_id.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects.module.attributes.load_type_id.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.module.attributes.load_type.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.module.attributes.load_type.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects.module.attributes.load_type.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.35 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.33 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.34 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.31 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.19 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.32 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects._resource.attributes.name.requirement caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects._resource.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects._resource.attributes.name.requirement after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects._resource.attributes.uid.requirement caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects._resource.attributes.uid.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects._resource.attributes.uid.requirement after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.process.attributes.integrity_id.enum.0.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.process.attributes.integrity_id.enum.99.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.process.attributes.integrity.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.process.attributes.integrity.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects.process.attributes.integrity.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.group.attributes.uid.observable caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.group.attributes.name.observable caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.product.attributes.feature.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.product.attributes.path.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.product.attributes.url_string.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.kb_article.attributes.install_state_id caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.kb_article.attributes.install_state caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.kb_article.attributes.avg_timespan caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.enrichment.attributes.short_desc caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.enrichment.attributes.src_url caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.enrichment.attributes.reputation caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.enrichment.attributes.created_time caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.enrichment.attributes.desc caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.compliance.attributes.compliance_references caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.compliance.attributes.compliance_standards caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.compliance.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.compliance.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve objects.compliance.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.sub_technique.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for objects.sub_technique.attributes.name.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.sub_technique.attributes.name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects.sub_technique.attributes.name.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.sub_technique.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for objects.sub_technique.attributes.uid.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.sub_technique.attributes.uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects.sub_technique.attributes.uid.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.sub_technique.attributes.src_url.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.sub_technique.attributes.src_url.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects.sub_technique.attributes.src_url.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.dns_answer.attributes.flags.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.dns_answer.attributes.flag_ids.enum.0.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.dns_answer.attributes.flag_ids.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.dns_answer.attributes.flag_ids.enum.99.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.12 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.14 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.13 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.15 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.7.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for objects.firewall_rule.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.firewall_rule.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve objects.firewall_rule.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.firewall_rule.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.firewall_rule.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects.firewall_rule.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.affected_package.attributes.type caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.affected_package.attributes.vendor_name caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.affected_package.attributes.type_id caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.affected_package.attributes.hash caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.affected_package.attributes.cpe_name caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.reg_key.@deprecated caused by REMOVE
+[2024-08-22 17:44 DEBUG] Deciding action for objects.reg_key.name caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for objects.reg_key.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for objects.reg_key.attributes.path.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for objects.reg_value.attributes.type_id.enum.-1 caused by REMOVE
+[2024-08-22 17:44 DEBUG] Deciding action for objects.reg_value.attributes.type_id.default caused by REMOVE
+[2024-08-22 17:44 DEBUG] Deciding action for objects.reg_value.@deprecated caused by REMOVE
+[2024-08-22 17:44 DEBUG] Deciding action for objects.reg_value.attributes.path.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for objects.reg_value.name caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for objects.win_resource.attributes.details.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.win_resource.attributes.svc_name.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for objects.win_resource.attributes.uid.requirement caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.win_resource.attributes.uid.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects.win_resource.attributes.uid.requirement after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for objects.win_resource.attributes.name.requirement caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for objects.win_resource.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update objects.win_resource.attributes.name.requirement after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.iam.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.iam.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.iam.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.iam.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.iam.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.iam.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.iam.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.iam.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.iam.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.iam.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.iam.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.iam.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.iam.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.file_hosting.attributes.file_result caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.file_hosting.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.file_hosting.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.file_hosting.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.file_hosting.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.file_hosting.profiles caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.file_hosting.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.file_hosting.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.file_hosting.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.file_hosting.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.file_hosting.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.file_hosting.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.file_hosting.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.file_hosting.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.file_hosting.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.resource_activity.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.resource_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.resource_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.resource_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.resource_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.resource_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.resource_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.resource_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.resource_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.resource_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.resource_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.resource_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.resource_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.resource_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.discovery_result.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.discovery_result.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.discovery_result.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.discovery_result.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.discovery_result.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.discovery_result.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.discovery_result.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.discovery_result.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.discovery_result.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.discovery_result.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.discovery_result.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.discovery_result.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.discovery_result.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.user_access.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.user_access.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.user_access.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.user_access.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.user_access.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.user_access.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.user_access.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.user_access.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.user_access.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.user_access.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.user_access.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.user_access.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.user_access.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.registry_key_activity.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.registry_key_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.registry_key_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.registry_key_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.registry_key_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.registry_key_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.registry_key_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.registry_key_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.registry_key_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.registry_key_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.registry_key_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.registry_key_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.registry_key_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.registry_key_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.ssh_activity.attributes.type_uid.enum.400707 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.ssh_activity.attributes.activity_id.enum.7 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.ssh_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.ssh_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.ssh_activity.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.ssh_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.ssh_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.ssh_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.ssh_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.ssh_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.ssh_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.ssh_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.ssh_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.ssh_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.ssh_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.ssh_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.ssh_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.ssh_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.ssh_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.ssh_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.ssh_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.ssh_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.ssh_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.ssh_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.ssh_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.ssh_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_file_activity.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_file_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.email_file_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.email_file_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_file_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_file_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.email_file_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.email_file_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_file_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.email_file_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.email_file_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_file_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_file_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_file_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.email_file_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.email_file_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.registry_value_activity.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.registry_value_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.registry_value_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.registry_value_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.registry_value_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.registry_value_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.registry_value_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.registry_value_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.registry_value_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.registry_value_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.registry_value_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.registry_value_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.registry_value_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.registry_value_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_activity.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.email_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.email_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.email_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.email_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.email_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.email_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.email_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.email_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.detection_finding.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.detection_finding.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.detection_finding.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.detection_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.detection_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.detection_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.detection_finding.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.detection_finding.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.detection_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.detection_finding.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.detection_finding.attributes.risk_level.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.detection_finding.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.detection_finding.attributes.risk_level.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.detection_finding.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.detection_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.detection_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.detection_finding.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.detection_finding.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.detection_finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.detection_finding.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.dns_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.dns_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.dns_activity.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.dns_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.dns_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.dns_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.dns_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.dns_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.dns_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.dns_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.dns_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.dns_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.dns_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.dns_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.dns_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.dns_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.dns_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.dns_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.dns_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.dns_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.dns_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.dns_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.dns_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.dns_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.ntp_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.ntp_activity.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.ntp_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.ntp_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.ntp_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.ntp_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.ntp_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.ntp_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.ntp_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.ntp_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.ntp_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.ntp_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.ntp_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.ntp_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.ntp_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.ntp_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.ntp_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.ntp_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.ntp_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.ntp_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.ntp_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.ntp_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.ntp_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.ntp_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.memory_activity.attributes.size.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.memory_activity.attributes.activity_id.enum.9 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.memory_activity.attributes.type_uid.enum.100409 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.memory_activity.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.memory_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.memory_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.memory_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.memory_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.memory_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.memory_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.memory_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.memory_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.memory_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.memory_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.memory_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.memory_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.memory_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.memory_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.memory_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.inventory_info.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.inventory_info.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.inventory_info.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.inventory_info.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.inventory_info.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.inventory_info.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.inventory_info.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.inventory_info.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.inventory_info.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.inventory_info.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.inventory_info.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.inventory_info.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.inventory_info.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.network_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.network_activity.attributes.type_uid.enum.400107 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.network_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.network_activity.attributes.activity_id.enum.7 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.network_activity.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.network_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.network_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.network_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.network_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.network_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.network_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.network_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.network_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.network_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.network_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.network_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.network_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.network_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.network_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.network_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.network_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.network_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.network_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.network_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.network_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.network_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.compliance_finding.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.compliance_finding.attributes.resource.@deprecated caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.compliance_finding.attributes.resources caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.compliance_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.compliance_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.compliance_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.compliance_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.compliance_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.compliance_finding.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.compliance_finding.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.compliance_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.compliance_finding.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.compliance_finding.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.compliance_finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.compliance_finding.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.scheduled_job_activity.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.scheduled_job_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.scheduled_job_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.scheduled_job_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.scheduled_job_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.scheduled_job_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.scheduled_job_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.scheduled_job_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.scheduled_job_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.scheduled_job_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.scheduled_job_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.scheduled_job_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.scheduled_job_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.scheduled_job_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.scheduled_job_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.scheduled_job_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.patch_state.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.patch_state.attributes.$include caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.patch_state.attributes.device.profile caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.patch_state.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.patch_state.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.patch_state.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.patch_state.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.patch_state.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.patch_state.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.patch_state.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.patch_state.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.patch_state.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.patch_state.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.patch_state.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.patch_state.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.web_resource_access_activity.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.web_resource_access_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.web_resource_access_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.web_resource_access_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.web_resource_access_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.web_resource_access_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.web_resource_access_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.web_resource_access_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.web_resource_access_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.web_resource_access_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.web_resource_access_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.web_resource_access_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.web_resource_access_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.2.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.22 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.9 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.6.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.23 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.26 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.25 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.27 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.security_finding.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.11.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.7.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.19 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.20 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.4.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.1.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.17 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.12.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.21 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.13.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.3.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.16 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.security_finding.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.18 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.8.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.24 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.5.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.security_finding.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.security_finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.security_finding.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.security_finding.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.security_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.security_finding.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.security_finding.profiles caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.security_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.security_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.security_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.security_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.security_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.security_finding.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.security_finding.attributes.risk_level.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.security_finding.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.security_finding.attributes.risk_level.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.account_change.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.account_change.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.account_change.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.account_change.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.account_change.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.account_change.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.account_change.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.account_change.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.account_change.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.account_change.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.account_change.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.account_change.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.account_change.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.ftp_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.ftp_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.ftp_activity.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.ftp_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.ftp_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.ftp_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.ftp_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.ftp_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.ftp_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.ftp_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.ftp_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.ftp_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.ftp_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.ftp_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.ftp_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.ftp_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.ftp_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.ftp_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.ftp_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.ftp_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.ftp_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.ftp_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.ftp_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.ftp_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.discovery.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.discovery.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.discovery.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.discovery.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.discovery.profiles caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.discovery.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.discovery.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.discovery.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.discovery.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.discovery.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.discovery.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.discovery.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.discovery.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.discovery.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.http_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.http_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.http_activity.attributes.http_status.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.http_activity.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.http_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.http_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.http_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.http_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.http_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.http_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.http_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.http_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.http_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.http_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.http_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.http_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.http_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.http_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.http_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.http_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.http_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.http_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.http_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.http_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.http_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.datastore_activity.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.datastore_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.datastore_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.datastore_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.datastore_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.datastore_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.datastore_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.datastore_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.datastore_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.datastore_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.datastore_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.datastore_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.datastore_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.datastore_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.datastore_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.datastore_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.authentication.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.authentication.attributes.logon_process.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.authentication.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.authentication.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.authentication.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.authentication.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.authentication.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.authentication.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.authentication.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.authentication.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.authentication.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.dhcp_activity.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.dhcp_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.dhcp_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.dhcp_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.dhcp_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.dhcp_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.dhcp_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.dhcp_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.dhcp_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.dhcp_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.dhcp_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.dhcp_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.dhcp_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.dhcp_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.dhcp_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.dhcp_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.dhcp_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.dhcp_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.dhcp_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.dhcp_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.dhcp_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.file_activity.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.file_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.file_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.file_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.file_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.file_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.file_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.file_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.file_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.file_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.file_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.file_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.file_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.file_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.file_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.file_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.25 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.11.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.12.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.23 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.19 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.24 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.6.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.7.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.22 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.21 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_delivery_activity.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.20 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.4.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.26 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.2.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.17 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.9 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.27 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.13.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.16 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.3.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.8.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.1.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.18 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.5.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.web_resources_activity.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.web_resources_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.web_resources_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.web_resources_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.web_resources_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.web_resources_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.web_resources_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.web_resources_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.web_resources_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.web_resources_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.web_resources_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.web_resources_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.web_resources_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.web_resources_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.web_resources_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.web_resources_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.incident_finding.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.incident_finding.attributes.ticket caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.incident_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.incident_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.incident_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.incident_finding.profiles caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.incident_finding.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.incident_finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.incident_finding.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.incident_finding.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.incident_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.incident_finding.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.incident_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.incident_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.incident_finding.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.network_file_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.network_file_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.network_file_activity.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.network_file_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.network_file_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.network_file_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.network_file_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.network_file_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.network_file_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.network_file_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.network_file_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.network_file_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.network_file_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.network_file_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.network_file_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.network_file_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.network_file_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.network_file_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.network_file_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.network_file_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.network_file_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300409 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300405 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300413 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300408 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.11 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.2.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.6 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300412 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.entity_management.attributes.access_mask caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.8 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300410 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.10 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.4.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.12 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.9 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300411 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.7 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300406 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.13 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.5 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.1.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.entity_management.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.3.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.entity_management.attributes.access_list caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300407 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.entity_management.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.entity_management.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.entity_management.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.entity_management.attributes.actor.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.entity_management.attributes.actor.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.entity_management.attributes.actor.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.entity_management.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.entity_management.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.entity_management.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.entity_management.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.entity_management.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.entity_management.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.entity_management.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.entity_management.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.entity_management.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.module_activity.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.module_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.module_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.module_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.module_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.module_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.module_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.module_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.module_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.module_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.module_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.module_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.module_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.module_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.module_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.module_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.process_activity.attributes.injection_type_id.enum.3 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.process_activity.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.process_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.process_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.process_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.process_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.process_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.process_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.process_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.process_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.process_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.process_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.process_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.process_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.process_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.process_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.process_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.group_management.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.group_management.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.group_management.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.group_management.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.group_management.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.group_management.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.group_management.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.group_management.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.group_management.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.group_management.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.group_management.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.group_management.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.group_management.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.rdp_activity.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.rdp_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.rdp_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.rdp_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.rdp_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.rdp_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.rdp_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.rdp_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.rdp_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.rdp_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.rdp_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.rdp_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.rdp_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.rdp_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.rdp_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.rdp_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.rdp_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.rdp_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.rdp_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.rdp_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.rdp_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.rdp_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.rdp_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.rdp_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.network.attributes.tls.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.network.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.network.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.network.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.network.attributes.tls.group caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.network.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.network.attributes.tls.group after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.network.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.network.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.network.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.network.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.network.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.network.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.network.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.network.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.network.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.network.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.network.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.network.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.network.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.network.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.network.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.network.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.network.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.kernel_extension.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.kernel_extension.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.kernel_extension.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.kernel_extension.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.kernel_extension.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.kernel_extension.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.kernel_extension.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.kernel_extension.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.kernel_extension.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.kernel_extension.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.kernel_extension.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.kernel_extension.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.kernel_extension.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.kernel_extension.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.kernel_extension.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.kernel_extension.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.user_inventory.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.user_inventory.profiles caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.user_inventory.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.user_inventory.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.user_inventory.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.user_inventory.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.user_inventory.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.user_inventory.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.user_inventory.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.user_inventory.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.user_inventory.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.user_inventory.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.user_inventory.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.user_inventory.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.device_config_state_change.attributes.security_states.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.device_config_state_change.attributes.prev_security_level_id.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.device_config_state_change.attributes.security_level.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.device_config_state_change.attributes.state caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.device_config_state_change.attributes.prev_security_states.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.device_config_state_change.attributes.security_level_id.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.device_config_state_change.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.device_config_state_change.attributes.state_id caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.device_config_state_change.attributes.prev_security_level.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.device_config_state_change.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.device_config_state_change.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.device_config_state_change.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.device_config_state_change.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.device_config_state_change.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.device_config_state_change.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.device_config_state_change.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.device_config_state_change.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.device_config_state_change.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.device_config_state_change.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.device_config_state_change.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.device_config_state_change.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.finding.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.finding.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.finding.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.finding.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.finding.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.finding.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.finding.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.finding.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_url_activity.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_url_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.email_url_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.email_url_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_url_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_url_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.email_url_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.email_url_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_url_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.email_url_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.email_url_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_url_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.email_url_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.email_url_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_url_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.email_url_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.application.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.application.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.application.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.application.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.application.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.application.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.application.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.application.profiles caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.application.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.application.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.application.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.application.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.application.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.application.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.scan_activity.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.scan_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.scan_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.scan_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.scan_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.scan_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.scan_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.scan_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.scan_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.scan_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.scan_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.scan_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.scan_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.smb_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.smb_activity.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.smb_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.smb_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.smb_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.smb_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.smb_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.smb_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.smb_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.smb_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.smb_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.smb_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.smb_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.smb_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.smb_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.smb_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.smb_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.smb_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.smb_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.smb_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.smb_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.smb_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.smb_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.smb_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.config_state.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.config_state.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.config_state.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.config_state.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.config_state.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.config_state.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.config_state.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.config_state.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.config_state.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.config_state.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.config_state.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.config_state.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.config_state.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.vulnerability_finding.attributes.resources caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.vulnerability_finding.attributes.resource.@deprecated caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.vulnerability_finding.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.vulnerability_finding.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.vulnerability_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.vulnerability_finding.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.vulnerability_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.vulnerability_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.vulnerability_finding.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.vulnerability_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.vulnerability_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.vulnerability_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.vulnerability_finding.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.vulnerability_finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.vulnerability_finding.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.base_event.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.base_event.profiles caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.base_event.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.base_event.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.base_event.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.base_event.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.base_event.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.base_event.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.base_event.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.base_event.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.base_event.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.base_event.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.base_event.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.base_event.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.kernel_activity.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.kernel_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.kernel_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.kernel_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.kernel_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.kernel_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.kernel_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.kernel_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.kernel_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.kernel_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.kernel_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.kernel_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.kernel_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.kernel_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.kernel_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.kernel_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.system.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.system.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.system.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.system.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.system.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.system.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.system.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.system.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.system.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.system.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.system.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.system.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.system.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.system.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.system.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.system.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.data_security_finding.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.data_security_finding.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.data_security_finding.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.data_security_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.data_security_finding.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.data_security_finding.attributes.risk_level.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.data_security_finding.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.data_security_finding.attributes.risk_level.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.data_security_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.data_security_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.data_security_finding.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.data_security_finding.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.data_security_finding.attributes.resources.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.data_security_finding.attributes.resources.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.data_security_finding.attributes.resources.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.data_security_finding.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.data_security_finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.data_security_finding.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.data_security_finding.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.data_security_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.data_security_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.data_security_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.data_security_finding.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.authorize_session.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.authorize_session.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.authorize_session.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.authorize_session.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.authorize_session.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.authorize_session.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.authorize_session.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.authorize_session.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.authorize_session.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.authorize_session.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.authorize_session.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.authorize_session.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.authorize_session.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.prefetch_query.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.prefetch_query.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.prefetch_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.prefetch_query.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.prefetch_query.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.prefetch_query.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.prefetch_query.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.prefetch_query.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.prefetch_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.prefetch_query.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.prefetch_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.prefetch_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.prefetch_query.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.registry_value_query.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.registry_value_query.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.registry_value_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.registry_value_query.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.registry_value_query.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.registry_value_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.registry_value_query.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.registry_value_query.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.registry_value_query.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.registry_value_query.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.registry_value_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.registry_value_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.registry_value_query.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.registry_key_query.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.registry_key_query.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.registry_key_query.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.registry_key_query.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.registry_key_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.registry_key_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.registry_key_query.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.registry_key_query.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.registry_key_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.registry_key_query.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.registry_key_query.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.registry_key_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.registry_key_query.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.tunnel_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.tunnel_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.tunnel_activity.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.tunnel_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.tunnel_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.tunnel_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.tunnel_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.tunnel_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.tunnel_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.tunnel_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.tunnel_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.tunnel_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.tunnel_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.tunnel_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.tunnel_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.tunnel_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.tunnel_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.tunnel_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.tunnel_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.tunnel_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.tunnel_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.peripheral_device_query.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.peripheral_device_query.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.peripheral_device_query.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.peripheral_device_query.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.peripheral_device_query.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.peripheral_device_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.peripheral_device_query.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.peripheral_device_query.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.peripheral_device_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.peripheral_device_query.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.peripheral_device_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.peripheral_device_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.peripheral_device_query.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.session_query.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.session_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.session_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.session_query.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.session_query.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.session_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.session_query.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.session_query.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.session_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.session_query.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.session_query.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.session_query.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.session_query.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.user_query.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.user_query.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.user_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.user_query.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.user_query.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.user_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.user_query.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.user_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.user_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.user_query.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.user_query.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.user_query.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.user_query.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.api_activity.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.api_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.api_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.api_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.api_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.api_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.api_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.api_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.api_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.api_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.api_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.api_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.api_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.api_activity.profiles caused by UPDATE
+[2024-08-22 17:44 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.5 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.7 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.2.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.4.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.8 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.3.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.application_lifecycle.attributes.type_uid.enum.600206 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.application_lifecycle.attributes.type_uid.enum.600207 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.application_lifecycle.attributes.osint caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.1.description caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.6 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.application_lifecycle.attributes.type_uid.enum.600208 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.application_lifecycle.attributes.type_uid.enum.600205 caused by ADD
+[2024-08-22 17:44 DEBUG] Deciding action for events.application_lifecycle.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.application_lifecycle.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.application_lifecycle.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.application_lifecycle.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.application_lifecycle.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to preserve events.application_lifecycle.attributes.duration.caption after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.application_lifecycle.attributes.duration.type caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.application_lifecycle.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.application_lifecycle.attributes.duration.type after detecting 3.
+[2024-08-22 17:44 DEBUG] Deciding action for events.application_lifecycle.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:44 DEBUG] Multiple directives possible for events.application_lifecycle.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:44 INFO] Choosing to update events.application_lifecycle.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:44 WARNING] Skipping empty record dictionary.types.attributes
+[2024-08-22 17:46 DEBUG] Deciding action for objects.registry_key caused by REMOVE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.registry_key.
+UPDATE: 200
+PRESERVE: 0
+DEPRECATE: 20
+IGNORE: 0
+ UPDATE: objects.registry_key
+ DEPRECATE: ?.?
+
+[2024-08-22 17:46 INFO] Choosing to update objects.registry_key after detecting 2.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.registry_value caused by REMOVE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.registry_value.
+UPDATE: 200
+PRESERVE: 0
+DEPRECATE: 20
+IGNORE: 0
+ UPDATE: objects.registry_value
+ DEPRECATE: ?.?
+
+[2024-08-22 17:46 INFO] Choosing to update objects.registry_value after detecting 2.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.web_resource.attributes.name.requirement caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.web_resource.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects.web_resource.attributes.name.requirement after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.web_resource.attributes.uid.requirement caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.web_resource.attributes.uid.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects.web_resource.attributes.uid.requirement after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.policy.attributes.is_applied.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.data_security.attributes.data_lifecycle_state_id.enum.99 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.data_security.attributes.data_lifecycle_state_id.enum.0.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for objects.tactic.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for objects.tactic.attributes.uid.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.tactic.attributes.uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects.tactic.attributes.uid.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.tactic.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for objects.tactic.attributes.src_url.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.tactic.attributes.src_url.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects.tactic.attributes.src_url.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.tactic.attributes.name.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.tactic.attributes.name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects.tactic.attributes.name.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.session.attributes.credential_uid.observable caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.managed_entity.attributes.policy caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.managed_entity.attributes.device caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.managed_entity.attributes.type_id caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.managed_entity.attributes.user caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.managed_entity.attributes.group caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.managed_entity.attributes.org caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.managed_entity.attributes.email caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.managed_entity.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for objects.managed_entity.constraints.at_least_one caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for objects.resource_details.attributes.name.requirement caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.resource_details.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects.resource_details.attributes.name.requirement after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.resource_details.attributes.uid.requirement caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.resource_details.attributes.uid.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects.resource_details.attributes.uid.requirement after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.malware.attributes.classification_ids.enum.0.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.malware.attributes.classification_ids.enum.99.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.malware.attributes.classifications.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.malware.attributes.classifications.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects.malware.attributes.classifications.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.device.attributes.type_id.enum.14 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.device.attributes.type_id.enum.15 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.device.attributes.uid_alt.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.device.attributes.type_id.enum.13 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.device.attributes.boot_time caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.device.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.device.attributes.type_id.enum.12 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.device.attributes.name.requirement caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.device.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects.device.attributes.name.requirement after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.device.attributes.type.requirement caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.device.attributes.type.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects.device.attributes.type.requirement after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.device.attributes.type_id.enum.7.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for objects.device.attributes.risk_level.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.device.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects.device.attributes.risk_level.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.device.attributes.ip.requirement caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.device.attributes.ip.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects.device.attributes.ip.requirement after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.13 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.14 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.12 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.15 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.7.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for objects.cloud.attributes.project_uid.@deprecated caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.cloud.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for objects.file.attributes.ext caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.service.attributes.run_state_id.enum.99 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.metadata.attributes.loggers.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.metadata.attributes.profiles.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.metadata.attributes.profiles.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects.metadata.attributes.profiles.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.network_connection_info.attributes.boundary.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.network_connection_info.attributes.uid.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_ver_id.enum.0.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.network_connection_info.attributes.tcp_flags.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_ver_id.enum.99.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_ver_id.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.network_connection_info.attributes.boundary_id.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_name.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_ver.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.authorization.attributes.decision.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.authorization.attributes.policy.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.13 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.12 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.14 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.15 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.7.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for objects.account.attributes.type_id.enum.14 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.account.attributes.type_id.enum.11 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.account.attributes.type_id.enum.12 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.account.attributes.type_id.enum.16 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.account.attributes.uid.observable caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.account.attributes.name.observable caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.account.attributes.type_id.enum.17 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.account.attributes.type_id.enum.15 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.account.attributes.type_id.enum.13 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.account.attributes.name.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.account.attributes.name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects.account.attributes.name.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.account.attributes.uid.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.account.attributes.uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects.account.attributes.uid.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.account.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for objects.ldap_person.attributes.phone_number caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.technique.attributes.src_url.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.technique.attributes.src_url.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects.technique.attributes.src_url.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.technique.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for objects.technique.attributes.name.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.technique.attributes.name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects.technique.attributes.name.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.technique.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for objects.technique.attributes.uid.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.technique.attributes.uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects.technique.attributes.uid.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.dns_query.attributes.opcode_id.enum.99 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.dns_query.attributes.opcode_id.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.dns_query.attributes.opcode_id.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects.dns_query.attributes.opcode_id.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.certificate.attributes.is_self_signed caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.evidences.attributes.job caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.evidences.attributes.device caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.evidences.attributes.win_service caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.evidences.attributes.reg_value caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.evidences.attributes.email caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.evidences.attributes.reg_key caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.evidences.attributes.user caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.evidences.attributes.url caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.evidences.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for objects.evidences.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for objects.evidences.constraints.at_least_one caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for objects.evidences.extends caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for objects.user.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.user.attributes.phone_number caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.user.attributes.uid.observable caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.user.attributes.credential_uid.observable caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.user.attributes.has_mfa caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.user.attributes.risk_level.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.user.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects.user.attributes.risk_level.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.url.attributes.categories.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.url.attributes.resource_type.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.url.attributes.domain caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.package.attributes.vendor_name caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.package.attributes.type_id caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.package.attributes.cpe_name caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.package.attributes.hash caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.package.attributes.type caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.attack.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for objects.attack.attributes.technique.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.attack.attributes.technique.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects.attack.attributes.technique.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.attack.attributes.tactics.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.attack.attributes.tactics.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects.attack.attributes.tactics.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.attack.attributes.sub_technique.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.attack.attributes.sub_technique.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects.attack.attributes.sub_technique.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.attack.attributes.version.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.attack.attributes.version.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects.attack.attributes.version.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.attack.attributes.tactic.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.attack.attributes.tactic.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects.attack.attributes.tactic.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.security_state.attributes.state_id.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.security_state.attributes.state.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.load_balancer.attributes.ip caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.5 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.4 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.6 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.3 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.99 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.0.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.job.attributes.run_state_id.enum.99.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.job.attributes.run_state_id.enum.0.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.analytic.attributes.type_id.enum.4 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.digital_signature.attributes.state_id caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.digital_signature.attributes.state caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.logger.attributes.logged_time.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.organization.attributes.ou_name.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.organization.attributes.ou_name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects.organization.attributes.ou_name.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.organization.attributes.uid.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.organization.attributes.uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects.organization.attributes.uid.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.organization.attributes.ou_uid.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.organization.attributes.ou_uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects.organization.attributes.ou_uid.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.organization.attributes.name.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.organization.attributes.name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects.organization.attributes.name.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.organization.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for objects.module.attributes.load_type_id.enum.99.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.module.attributes.load_type_id.enum.0.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.module.attributes.load_type.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.module.attributes.load_type.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects.module.attributes.load_type.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.module.attributes.load_type_id.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.module.attributes.load_type_id.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects.module.attributes.load_type_id.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.35 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.19 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.34 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.32 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.33 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.31 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects._resource.attributes.name.requirement caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects._resource.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects._resource.attributes.name.requirement after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects._resource.attributes.uid.requirement caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects._resource.attributes.uid.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects._resource.attributes.uid.requirement after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.process.attributes.integrity_id.enum.99.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.process.attributes.integrity_id.enum.0.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.process.attributes.integrity.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.process.attributes.integrity.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects.process.attributes.integrity.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.group.attributes.name.observable caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.group.attributes.uid.observable caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.product.attributes.feature.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.product.attributes.path.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.product.attributes.url_string.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.kb_article.attributes.install_state caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.kb_article.attributes.install_state_id caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.kb_article.attributes.avg_timespan caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.enrichment.attributes.src_url caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.enrichment.attributes.desc caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.enrichment.attributes.reputation caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.enrichment.attributes.created_time caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.enrichment.attributes.short_desc caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.compliance.attributes.compliance_standards caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.compliance.attributes.compliance_references caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.compliance.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.compliance.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve objects.compliance.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.sub_technique.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for objects.sub_technique.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for objects.sub_technique.attributes.name.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.sub_technique.attributes.name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects.sub_technique.attributes.name.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.sub_technique.attributes.src_url.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.sub_technique.attributes.src_url.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects.sub_technique.attributes.src_url.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.sub_technique.attributes.uid.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.sub_technique.attributes.uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects.sub_technique.attributes.uid.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.dns_answer.attributes.flag_ids.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.dns_answer.attributes.flags.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.dns_answer.attributes.flag_ids.enum.0.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.dns_answer.attributes.flag_ids.enum.99.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.14 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.13 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.12 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.15 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.7.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for objects.firewall_rule.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.firewall_rule.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve objects.firewall_rule.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.firewall_rule.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.firewall_rule.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects.firewall_rule.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.affected_package.attributes.hash caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.affected_package.attributes.type caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.affected_package.attributes.vendor_name caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.affected_package.attributes.cpe_name caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.affected_package.attributes.type_id caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.reg_key.@deprecated caused by REMOVE
+[2024-08-22 17:46 DEBUG] Deciding action for objects.reg_key.name caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for objects.reg_key.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for objects.reg_key.attributes.path.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for objects.reg_value.attributes.type_id.enum.-1 caused by REMOVE
+[2024-08-22 17:46 DEBUG] Deciding action for objects.reg_value.@deprecated caused by REMOVE
+[2024-08-22 17:46 DEBUG] Deciding action for objects.reg_value.attributes.type_id.default caused by REMOVE
+[2024-08-22 17:46 DEBUG] Deciding action for objects.reg_value.attributes.path.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for objects.reg_value.name caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for objects.win_resource.attributes.svc_name.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.win_resource.attributes.details.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for objects.win_resource.attributes.name.requirement caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.win_resource.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects.win_resource.attributes.name.requirement after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for objects.win_resource.attributes.uid.requirement caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for objects.win_resource.attributes.uid.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update objects.win_resource.attributes.uid.requirement after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.iam.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.iam.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.iam.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.iam.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.iam.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.iam.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.iam.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.iam.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.iam.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.iam.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.iam.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.iam.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.iam.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.file_hosting.attributes.file_result caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.file_hosting.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.file_hosting.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.file_hosting.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.file_hosting.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.file_hosting.profiles caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.file_hosting.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.file_hosting.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.file_hosting.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.file_hosting.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.file_hosting.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.file_hosting.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.file_hosting.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.file_hosting.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.file_hosting.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.resource_activity.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.resource_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.resource_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.resource_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.resource_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.resource_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.resource_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.resource_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.resource_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.resource_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.resource_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.resource_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.resource_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.resource_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.discovery_result.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.discovery_result.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.discovery_result.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.discovery_result.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.discovery_result.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.discovery_result.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.discovery_result.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.discovery_result.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.discovery_result.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.discovery_result.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.discovery_result.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.discovery_result.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.discovery_result.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.user_access.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.user_access.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.user_access.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.user_access.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.user_access.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.user_access.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.user_access.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.user_access.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.user_access.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.user_access.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.user_access.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.user_access.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.user_access.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.registry_key_activity.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.registry_key_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.registry_key_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.registry_key_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.registry_key_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.registry_key_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.registry_key_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.registry_key_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.registry_key_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.registry_key_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.registry_key_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.registry_key_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.registry_key_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.registry_key_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.ssh_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.ssh_activity.attributes.activity_id.enum.7 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.ssh_activity.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.ssh_activity.attributes.type_uid.enum.400707 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.ssh_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.ssh_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.ssh_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.ssh_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.ssh_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.ssh_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.ssh_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.ssh_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.ssh_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.ssh_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.ssh_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.ssh_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.ssh_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.ssh_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.ssh_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.ssh_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.ssh_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.ssh_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.ssh_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.ssh_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.ssh_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.ssh_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_file_activity.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_file_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.email_file_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.email_file_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_file_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_file_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.email_file_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.email_file_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_file_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.email_file_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.email_file_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_file_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_file_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.email_file_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.email_file_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_file_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.registry_value_activity.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.registry_value_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.registry_value_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.registry_value_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.registry_value_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.registry_value_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.registry_value_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.registry_value_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.registry_value_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.registry_value_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.registry_value_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.registry_value_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.registry_value_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.registry_value_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_activity.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.email_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.email_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.email_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.email_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.email_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.email_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.email_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.email_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.detection_finding.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.detection_finding.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.detection_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.detection_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.detection_finding.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.detection_finding.attributes.risk_level.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.detection_finding.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.detection_finding.attributes.risk_level.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.detection_finding.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.detection_finding.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.detection_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.detection_finding.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.detection_finding.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.detection_finding.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.detection_finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.detection_finding.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.detection_finding.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.detection_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.detection_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.detection_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.dns_activity.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.dns_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.dns_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.dns_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.dns_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.dns_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.dns_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.dns_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.dns_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.dns_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.dns_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.dns_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.dns_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.dns_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.dns_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.dns_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.dns_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.dns_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.dns_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.dns_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.dns_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.dns_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.dns_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.dns_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.ntp_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.ntp_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.ntp_activity.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.ntp_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.ntp_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.ntp_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.ntp_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.ntp_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.ntp_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.ntp_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.ntp_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.ntp_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.ntp_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.ntp_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.ntp_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.ntp_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.ntp_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.ntp_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.ntp_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.ntp_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.ntp_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.ntp_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.ntp_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.ntp_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.memory_activity.attributes.activity_id.enum.9 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.memory_activity.attributes.size.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.memory_activity.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.memory_activity.attributes.type_uid.enum.100409 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.memory_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.memory_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.memory_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.memory_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.memory_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.memory_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.memory_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.memory_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.memory_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.memory_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.memory_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.memory_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.memory_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.memory_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.memory_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.inventory_info.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.inventory_info.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.inventory_info.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.inventory_info.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.inventory_info.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.inventory_info.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.inventory_info.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.inventory_info.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.inventory_info.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.inventory_info.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.inventory_info.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.inventory_info.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.inventory_info.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.network_activity.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.network_activity.attributes.type_uid.enum.400107 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.network_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.network_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.network_activity.attributes.activity_id.enum.7 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.network_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.network_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.network_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.network_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.network_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.network_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.network_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.network_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.network_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.network_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.network_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.network_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.network_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.network_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.network_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.network_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.network_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.network_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.network_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.network_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.network_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.compliance_finding.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.compliance_finding.attributes.resources caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.compliance_finding.attributes.resource.@deprecated caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.compliance_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.compliance_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.compliance_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.compliance_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.compliance_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.compliance_finding.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.compliance_finding.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.compliance_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.compliance_finding.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.compliance_finding.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.compliance_finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.compliance_finding.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.scheduled_job_activity.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.scheduled_job_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.scheduled_job_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.scheduled_job_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.scheduled_job_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.scheduled_job_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.scheduled_job_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.scheduled_job_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.scheduled_job_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.scheduled_job_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.scheduled_job_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.scheduled_job_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.scheduled_job_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.scheduled_job_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.scheduled_job_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.scheduled_job_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.patch_state.attributes.$include caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.patch_state.attributes.device.profile caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.patch_state.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.patch_state.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.patch_state.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.patch_state.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.patch_state.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.patch_state.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.patch_state.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.patch_state.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.patch_state.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.patch_state.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.patch_state.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.patch_state.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.patch_state.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.web_resource_access_activity.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.web_resource_access_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.web_resource_access_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.web_resource_access_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.web_resource_access_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.web_resource_access_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.web_resource_access_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.web_resource_access_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.web_resource_access_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.web_resource_access_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.web_resource_access_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.web_resource_access_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.web_resource_access_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.3.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.9 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.4.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.17 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.5.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.8.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.27 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.16 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.13.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.21 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.25 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.2.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.23 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.12.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.11.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.security_finding.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.26 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.20 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.19 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.1.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.7.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.24 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.security_finding.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.6.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.18 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.22 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.security_finding.profiles caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.security_finding.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.security_finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.security_finding.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.security_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.security_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.security_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.security_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.security_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.security_finding.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.security_finding.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.security_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.security_finding.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.security_finding.attributes.risk_level.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.security_finding.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.security_finding.attributes.risk_level.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.account_change.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.account_change.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.account_change.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.account_change.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.account_change.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.account_change.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.account_change.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.account_change.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.account_change.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.account_change.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.account_change.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.account_change.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.account_change.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.ftp_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.ftp_activity.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.ftp_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.ftp_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.ftp_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.ftp_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.ftp_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.ftp_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.ftp_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.ftp_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.ftp_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.ftp_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.ftp_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.ftp_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.ftp_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.ftp_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.ftp_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.ftp_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.ftp_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.ftp_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.ftp_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.ftp_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.ftp_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.ftp_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.discovery.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.discovery.profiles caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.discovery.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.discovery.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.discovery.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.discovery.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.discovery.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.discovery.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.discovery.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.discovery.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.discovery.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.discovery.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.discovery.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.discovery.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.http_activity.attributes.http_status.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.http_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.http_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.http_activity.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.http_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.http_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.http_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.http_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.http_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.http_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.http_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.http_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.http_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.http_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.http_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.http_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.http_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.http_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.http_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.http_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.http_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.http_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.http_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.http_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.http_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.datastore_activity.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.datastore_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.datastore_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.datastore_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.datastore_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.datastore_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.datastore_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.datastore_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.datastore_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.datastore_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.datastore_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.datastore_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.datastore_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.datastore_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.datastore_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.datastore_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.authentication.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.authentication.attributes.logon_process.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.authentication.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.authentication.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.authentication.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.authentication.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.authentication.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.authentication.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.authentication.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.authentication.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.authentication.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.dhcp_activity.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.dhcp_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.dhcp_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.dhcp_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.dhcp_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.dhcp_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.dhcp_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.dhcp_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.dhcp_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.dhcp_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.dhcp_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.dhcp_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.dhcp_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.dhcp_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.dhcp_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.dhcp_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.dhcp_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.dhcp_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.dhcp_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.dhcp_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.dhcp_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.file_activity.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.file_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.file_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.file_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.file_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.file_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.file_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.file_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.file_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.file_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.file_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.file_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.file_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.file_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.file_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.file_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.4.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.1.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.2.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.6.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.13.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.19 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_delivery_activity.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.24 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.11.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.9 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.3.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.20 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.25 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.23 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.17 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.18 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.16 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.12.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.21 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.22 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.7.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.8.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.5.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.26 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.27 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.web_resources_activity.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.web_resources_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.web_resources_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.web_resources_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.web_resources_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.web_resources_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.web_resources_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.web_resources_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.web_resources_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.web_resources_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.web_resources_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.web_resources_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.web_resources_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.web_resources_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.web_resources_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.web_resources_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.incident_finding.attributes.ticket caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.incident_finding.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.incident_finding.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.incident_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.incident_finding.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.incident_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.incident_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.incident_finding.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.incident_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.incident_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.incident_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.incident_finding.profiles caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.incident_finding.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.incident_finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.incident_finding.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.network_file_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.network_file_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.network_file_activity.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.network_file_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.network_file_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.network_file_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.network_file_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.network_file_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.network_file_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.network_file_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.network_file_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.network_file_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.network_file_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.network_file_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.network_file_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.network_file_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.network_file_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.network_file_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.network_file_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.network_file_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.network_file_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.entity_management.attributes.access_mask caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.7 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300410 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.1.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.entity_management.attributes.access_list caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300406 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.3.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.8 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.10 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.11 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.4.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300412 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300413 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300405 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.5 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300407 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300408 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300411 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.9 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.2.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.6 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300409 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.13 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.12 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.entity_management.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.entity_management.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.entity_management.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.entity_management.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.entity_management.attributes.actor.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.entity_management.attributes.actor.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.entity_management.attributes.actor.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.entity_management.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.entity_management.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.entity_management.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.entity_management.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.entity_management.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.entity_management.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.entity_management.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.entity_management.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.entity_management.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.module_activity.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.module_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.module_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.module_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.module_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.module_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.module_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.module_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.module_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.module_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.module_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.module_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.module_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.module_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.module_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.module_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.process_activity.attributes.injection_type_id.enum.3 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.process_activity.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.process_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.process_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.process_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.process_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.process_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.process_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.process_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.process_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.process_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.process_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.process_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.process_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.process_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.process_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.process_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.group_management.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.group_management.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.group_management.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.group_management.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.group_management.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.group_management.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.group_management.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.group_management.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.group_management.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.group_management.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.group_management.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.group_management.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.group_management.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.rdp_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.rdp_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.rdp_activity.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.rdp_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.rdp_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.rdp_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.rdp_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.rdp_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.rdp_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.rdp_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.rdp_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.rdp_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.rdp_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.rdp_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.rdp_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.rdp_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.rdp_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.rdp_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.rdp_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.rdp_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.rdp_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.rdp_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.rdp_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.rdp_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.network.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.network.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.network.attributes.tls.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.network.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.network.attributes.tls.group caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.network.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.network.attributes.tls.group after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.network.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.network.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.network.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.network.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.network.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.network.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.network.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.network.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.network.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.network.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.network.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.network.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.network.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.network.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.network.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.network.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.network.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.kernel_extension.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.kernel_extension.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.kernel_extension.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.kernel_extension.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.kernel_extension.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.kernel_extension.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.kernel_extension.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.kernel_extension.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.kernel_extension.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.kernel_extension.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.kernel_extension.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.kernel_extension.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.kernel_extension.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.kernel_extension.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.kernel_extension.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.kernel_extension.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.user_inventory.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.user_inventory.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.user_inventory.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.user_inventory.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.user_inventory.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.user_inventory.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.user_inventory.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.user_inventory.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.user_inventory.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.user_inventory.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.user_inventory.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.user_inventory.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.user_inventory.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.user_inventory.profiles caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.device_config_state_change.attributes.prev_security_level.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.device_config_state_change.attributes.state caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.device_config_state_change.attributes.prev_security_level_id.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.device_config_state_change.attributes.security_states.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.device_config_state_change.attributes.security_level.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.device_config_state_change.attributes.state_id caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.device_config_state_change.attributes.security_level_id.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.device_config_state_change.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.device_config_state_change.attributes.prev_security_states.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.device_config_state_change.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.device_config_state_change.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.device_config_state_change.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.device_config_state_change.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.device_config_state_change.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.device_config_state_change.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.device_config_state_change.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.device_config_state_change.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.device_config_state_change.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.device_config_state_change.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.device_config_state_change.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.device_config_state_change.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.finding.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.finding.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.finding.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.finding.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.finding.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.finding.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.finding.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.finding.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_url_activity.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_url_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.email_url_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.email_url_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_url_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.email_url_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.email_url_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_url_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_url_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.email_url_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.email_url_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_url_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_url_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.email_url_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.email_url_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.email_url_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.application.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.application.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.application.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.application.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.application.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.application.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.application.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.application.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.application.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.application.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.application.profiles caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.application.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.application.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.application.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.scan_activity.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.scan_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.scan_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.scan_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.scan_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.scan_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.scan_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.scan_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.scan_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.scan_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.scan_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.scan_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.scan_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.smb_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.smb_activity.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.smb_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.smb_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.smb_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.smb_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.smb_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.smb_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.smb_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.smb_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.smb_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.smb_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.smb_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.smb_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.smb_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.smb_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.smb_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.smb_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.smb_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.smb_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.smb_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.smb_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.smb_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.smb_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.config_state.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.config_state.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.config_state.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.config_state.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.config_state.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.config_state.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.config_state.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.config_state.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.config_state.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.config_state.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.config_state.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.config_state.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.config_state.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.vulnerability_finding.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.vulnerability_finding.attributes.resource.@deprecated caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.vulnerability_finding.attributes.resources caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.vulnerability_finding.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.vulnerability_finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.vulnerability_finding.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.vulnerability_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.vulnerability_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.vulnerability_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.vulnerability_finding.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.vulnerability_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.vulnerability_finding.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.vulnerability_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.vulnerability_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.vulnerability_finding.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.base_event.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.base_event.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.base_event.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.base_event.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.base_event.profiles caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.base_event.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.base_event.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.base_event.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.base_event.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.base_event.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.base_event.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.base_event.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.base_event.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.base_event.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.kernel_activity.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.kernel_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.kernel_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.kernel_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.kernel_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.kernel_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.kernel_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.kernel_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.kernel_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.kernel_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.kernel_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.kernel_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.kernel_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.kernel_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.kernel_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.kernel_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.system.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.system.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.system.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.system.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.system.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.system.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.system.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.system.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.system.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.system.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.system.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.system.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.system.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.system.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.system.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.system.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.data_security_finding.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.data_security_finding.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.data_security_finding.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.data_security_finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.data_security_finding.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.data_security_finding.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.data_security_finding.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.data_security_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.data_security_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.data_security_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.data_security_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.data_security_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.data_security_finding.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.data_security_finding.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.data_security_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.data_security_finding.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.data_security_finding.attributes.resources.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.data_security_finding.attributes.resources.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.data_security_finding.attributes.resources.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.data_security_finding.attributes.risk_level.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.data_security_finding.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.data_security_finding.attributes.risk_level.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.data_security_finding.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.authorize_session.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.authorize_session.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.authorize_session.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.authorize_session.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.authorize_session.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.authorize_session.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.authorize_session.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.authorize_session.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.authorize_session.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.authorize_session.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.authorize_session.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.authorize_session.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.authorize_session.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.prefetch_query.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.prefetch_query.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.prefetch_query.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.prefetch_query.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.prefetch_query.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.prefetch_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.prefetch_query.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.prefetch_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.prefetch_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.prefetch_query.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.prefetch_query.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.prefetch_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.prefetch_query.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.registry_value_query.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.registry_value_query.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.registry_value_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.registry_value_query.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.registry_value_query.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.registry_value_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.registry_value_query.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.registry_value_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.registry_value_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.registry_value_query.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.registry_value_query.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.registry_value_query.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.registry_value_query.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.registry_key_query.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.registry_key_query.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.registry_key_query.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.registry_key_query.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.registry_key_query.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.registry_key_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.registry_key_query.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.registry_key_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.registry_key_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.registry_key_query.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.registry_key_query.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.registry_key_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.registry_key_query.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.tunnel_activity.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.tunnel_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.tunnel_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.tunnel_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.tunnel_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.tunnel_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.tunnel_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.tunnel_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.tunnel_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.tunnel_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.tunnel_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.tunnel_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.tunnel_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.tunnel_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.tunnel_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.tunnel_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.tunnel_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.tunnel_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.tunnel_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.tunnel_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.tunnel_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.peripheral_device_query.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.peripheral_device_query.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.peripheral_device_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.peripheral_device_query.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.peripheral_device_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.peripheral_device_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.peripheral_device_query.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.peripheral_device_query.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.peripheral_device_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.peripheral_device_query.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.peripheral_device_query.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.peripheral_device_query.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.peripheral_device_query.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.session_query.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.session_query.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.session_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.session_query.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.session_query.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.session_query.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.session_query.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.session_query.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.session_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.session_query.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.session_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.session_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.session_query.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.user_query.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.user_query.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.user_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.user_query.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.user_query.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.user_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.user_query.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.user_query.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.user_query.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.user_query.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.user_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.user_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.user_query.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.api_activity.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.api_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.api_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.api_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.api_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.api_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.api_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.api_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.api_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.api_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.api_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.api_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.api_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.api_activity.profiles caused by UPDATE
+[2024-08-22 17:46 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.4.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.7 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.6 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.2.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.application_lifecycle.attributes.type_uid.enum.600205 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.1.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.application_lifecycle.attributes.type_uid.enum.600206 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.application_lifecycle.attributes.type_uid.enum.600207 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.application_lifecycle.attributes.type_uid.enum.600208 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.8 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.5 caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.3.description caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.application_lifecycle.attributes.osint caused by ADD
+[2024-08-22 17:46 DEBUG] Deciding action for events.application_lifecycle.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.application_lifecycle.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.application_lifecycle.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.application_lifecycle.attributes.duration.type caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.application_lifecycle.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to update events.application_lifecycle.attributes.duration.type after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.application_lifecycle.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.application_lifecycle.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.application_lifecycle.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:46 DEBUG] Deciding action for events.application_lifecycle.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:46 DEBUG] Multiple directives possible for events.application_lifecycle.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:46 INFO] Choosing to preserve events.application_lifecycle.attributes.duration.caption after detecting 3.
+[2024-08-22 17:46 WARNING] Skipping empty record dictionary.types.attributes
+[2024-08-22 17:47 DEBUG] Deciding action for objects.registry_key caused by REMOVE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.registry_key.
+UPDATE: 200
+PRESERVE: 0
+DEPRECATE: 20
+IGNORE: 0
+ UPDATE: objects.registry_key
+ DEPRECATE: ?.?
+
+[2024-08-22 17:47 INFO] Choosing to update objects.registry_key after detecting 2.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.registry_value caused by REMOVE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.registry_value.
+UPDATE: 200
+PRESERVE: 0
+DEPRECATE: 20
+IGNORE: 0
+ UPDATE: objects.registry_value
+ DEPRECATE: ?.?
+
+[2024-08-22 17:47 INFO] Choosing to update objects.registry_value after detecting 2.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.web_resource.attributes.name.requirement caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.web_resource.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects.web_resource.attributes.name.requirement after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.web_resource.attributes.uid.requirement caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.web_resource.attributes.uid.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects.web_resource.attributes.uid.requirement after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.policy.attributes.is_applied.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.data_security.attributes.data_lifecycle_state_id.enum.99 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.data_security.attributes.data_lifecycle_state_id.enum.0.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for objects.tactic.attributes.name.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.tactic.attributes.name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects.tactic.attributes.name.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.tactic.attributes.src_url.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.tactic.attributes.src_url.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects.tactic.attributes.src_url.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.tactic.attributes.uid.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.tactic.attributes.uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects.tactic.attributes.uid.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.tactic.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for objects.tactic.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for objects.session.attributes.credential_uid.observable caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.managed_entity.attributes.device caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.managed_entity.attributes.type_id caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.managed_entity.attributes.group caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.managed_entity.attributes.policy caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.managed_entity.attributes.org caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.managed_entity.attributes.user caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.managed_entity.attributes.email caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.managed_entity.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for objects.managed_entity.constraints.at_least_one caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for objects.resource_details.attributes.uid.requirement caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.resource_details.attributes.uid.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects.resource_details.attributes.uid.requirement after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.resource_details.attributes.name.requirement caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.resource_details.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects.resource_details.attributes.name.requirement after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.malware.attributes.classification_ids.enum.0.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.malware.attributes.classification_ids.enum.99.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.malware.attributes.classifications.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.malware.attributes.classifications.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects.malware.attributes.classifications.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.device.attributes.type_id.enum.12 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.device.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.device.attributes.type_id.enum.13 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.device.attributes.boot_time caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.device.attributes.type_id.enum.15 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.device.attributes.uid_alt.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.device.attributes.type_id.enum.14 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.device.attributes.type_id.enum.7.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for objects.device.attributes.risk_level.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.device.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects.device.attributes.risk_level.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.device.attributes.name.requirement caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.device.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects.device.attributes.name.requirement after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.device.attributes.ip.requirement caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.device.attributes.ip.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects.device.attributes.ip.requirement after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.device.attributes.type.requirement caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.device.attributes.type.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects.device.attributes.type.requirement after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.12 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.14 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.13 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.15 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.7.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for objects.cloud.attributes.project_uid.@deprecated caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.cloud.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for objects.file.attributes.ext caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.service.attributes.run_state_id.enum.99 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.metadata.attributes.loggers.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.metadata.attributes.profiles.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.metadata.attributes.profiles.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects.metadata.attributes.profiles.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.network_connection_info.attributes.boundary.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.network_connection_info.attributes.uid.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_ver_id.enum.0.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.network_connection_info.attributes.tcp_flags.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.network_connection_info.attributes.boundary_id.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_ver_id.enum.99.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_ver_id.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_ver.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_name.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.authorization.attributes.policy.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.authorization.attributes.decision.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.13 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.14 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.15 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.12 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.7.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for objects.account.attributes.type_id.enum.13 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.account.attributes.type_id.enum.17 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.account.attributes.type_id.enum.14 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.account.attributes.name.observable caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.account.attributes.type_id.enum.11 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.account.attributes.type_id.enum.16 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.account.attributes.type_id.enum.15 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.account.attributes.type_id.enum.12 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.account.attributes.uid.observable caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.account.attributes.uid.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.account.attributes.uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects.account.attributes.uid.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.account.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for objects.account.attributes.name.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.account.attributes.name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects.account.attributes.name.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.ldap_person.attributes.phone_number caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.technique.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for objects.technique.attributes.uid.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.technique.attributes.uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects.technique.attributes.uid.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.technique.attributes.src_url.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.technique.attributes.src_url.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects.technique.attributes.src_url.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.technique.attributes.name.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.technique.attributes.name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects.technique.attributes.name.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.technique.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for objects.dns_query.attributes.opcode_id.enum.99 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.dns_query.attributes.opcode_id.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.dns_query.attributes.opcode_id.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects.dns_query.attributes.opcode_id.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.certificate.attributes.is_self_signed caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.evidences.attributes.reg_value caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.evidences.attributes.email caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.evidences.attributes.reg_key caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.evidences.attributes.device caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.evidences.attributes.url caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.evidences.attributes.user caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.evidences.attributes.win_service caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.evidences.attributes.job caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.evidences.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for objects.evidences.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for objects.evidences.constraints.at_least_one caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for objects.evidences.extends caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for objects.user.attributes.credential_uid.observable caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.user.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.user.attributes.phone_number caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.user.attributes.has_mfa caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.user.attributes.uid.observable caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.user.attributes.risk_level.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.user.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects.user.attributes.risk_level.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.url.attributes.domain caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.url.attributes.categories.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.url.attributes.resource_type.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.package.attributes.vendor_name caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.package.attributes.hash caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.package.attributes.type_id caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.package.attributes.cpe_name caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.package.attributes.type caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.attack.attributes.technique.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.attack.attributes.technique.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects.attack.attributes.technique.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.attack.attributes.version.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.attack.attributes.version.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects.attack.attributes.version.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.attack.attributes.tactic.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.attack.attributes.tactic.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects.attack.attributes.tactic.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.attack.attributes.tactics.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.attack.attributes.tactics.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects.attack.attributes.tactics.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.attack.attributes.sub_technique.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.attack.attributes.sub_technique.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects.attack.attributes.sub_technique.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.attack.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for objects.security_state.attributes.state.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.security_state.attributes.state_id.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.load_balancer.attributes.ip caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.3 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.4 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.0.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.5 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.6 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.99 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.job.attributes.run_state_id.enum.99.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.job.attributes.run_state_id.enum.0.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.analytic.attributes.type_id.enum.4 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.digital_signature.attributes.state caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.digital_signature.attributes.state_id caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.logger.attributes.logged_time.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.organization.attributes.ou_name.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.organization.attributes.ou_name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects.organization.attributes.ou_name.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.organization.attributes.ou_uid.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.organization.attributes.ou_uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects.organization.attributes.ou_uid.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.organization.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for objects.organization.attributes.uid.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.organization.attributes.uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects.organization.attributes.uid.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.organization.attributes.name.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.organization.attributes.name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects.organization.attributes.name.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.module.attributes.load_type_id.enum.99.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.module.attributes.load_type_id.enum.0.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.module.attributes.load_type.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.module.attributes.load_type.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects.module.attributes.load_type.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.module.attributes.load_type_id.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.module.attributes.load_type_id.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects.module.attributes.load_type_id.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.34 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.33 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.19 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.32 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.31 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.35 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects._resource.attributes.name.requirement caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects._resource.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects._resource.attributes.name.requirement after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects._resource.attributes.uid.requirement caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects._resource.attributes.uid.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects._resource.attributes.uid.requirement after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.process.attributes.integrity_id.enum.99.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.process.attributes.integrity_id.enum.0.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.process.attributes.integrity.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.process.attributes.integrity.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects.process.attributes.integrity.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.group.attributes.name.observable caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.group.attributes.uid.observable caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.product.attributes.feature.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.product.attributes.url_string.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.product.attributes.path.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.kb_article.attributes.install_state_id caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.kb_article.attributes.avg_timespan caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.kb_article.attributes.install_state caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.enrichment.attributes.short_desc caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.enrichment.attributes.reputation caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.enrichment.attributes.src_url caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.enrichment.attributes.created_time caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.enrichment.attributes.desc caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.compliance.attributes.compliance_references caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.compliance.attributes.compliance_standards caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.compliance.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.compliance.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve objects.compliance.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.sub_technique.attributes.uid.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.sub_technique.attributes.uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects.sub_technique.attributes.uid.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.sub_technique.attributes.name.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.sub_technique.attributes.name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects.sub_technique.attributes.name.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.sub_technique.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for objects.sub_technique.attributes.src_url.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.sub_technique.attributes.src_url.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects.sub_technique.attributes.src_url.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.sub_technique.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for objects.dns_answer.attributes.flag_ids.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.dns_answer.attributes.flags.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.dns_answer.attributes.flag_ids.enum.0.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.dns_answer.attributes.flag_ids.enum.99.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.12 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.13 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.14 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.15 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.7.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for objects.firewall_rule.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.firewall_rule.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects.firewall_rule.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.firewall_rule.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.firewall_rule.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve objects.firewall_rule.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.affected_package.attributes.hash caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.affected_package.attributes.type_id caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.affected_package.attributes.cpe_name caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.affected_package.attributes.type caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.affected_package.attributes.vendor_name caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.reg_key.@deprecated caused by REMOVE
+[2024-08-22 17:47 DEBUG] Deciding action for objects.reg_key.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for objects.reg_key.attributes.path.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for objects.reg_key.name caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for objects.reg_value.@deprecated caused by REMOVE
+[2024-08-22 17:47 DEBUG] Deciding action for objects.reg_value.attributes.type_id.default caused by REMOVE
+[2024-08-22 17:47 DEBUG] Deciding action for objects.reg_value.attributes.type_id.enum.-1 caused by REMOVE
+[2024-08-22 17:47 DEBUG] Deciding action for objects.reg_value.attributes.path.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for objects.reg_value.name caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for objects.win_resource.attributes.svc_name.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.win_resource.attributes.details.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for objects.win_resource.attributes.name.requirement caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.win_resource.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects.win_resource.attributes.name.requirement after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for objects.win_resource.attributes.uid.requirement caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for objects.win_resource.attributes.uid.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update objects.win_resource.attributes.uid.requirement after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.iam.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.iam.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.iam.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.iam.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.iam.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.iam.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.iam.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.iam.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.iam.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.iam.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.iam.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.iam.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.iam.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.file_hosting.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.file_hosting.attributes.file_result caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.file_hosting.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.file_hosting.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.file_hosting.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.file_hosting.profiles caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.file_hosting.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.file_hosting.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.file_hosting.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.file_hosting.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.file_hosting.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.file_hosting.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.file_hosting.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.file_hosting.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.file_hosting.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.resource_activity.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.resource_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.resource_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.resource_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.resource_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.resource_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.resource_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.resource_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.resource_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.resource_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.resource_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.resource_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.resource_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.resource_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.discovery_result.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.discovery_result.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.discovery_result.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.discovery_result.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.discovery_result.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.discovery_result.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.discovery_result.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.discovery_result.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.discovery_result.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.discovery_result.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.discovery_result.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.discovery_result.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.discovery_result.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.user_access.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.user_access.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.user_access.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.user_access.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.user_access.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.user_access.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.user_access.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.user_access.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.user_access.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.user_access.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.user_access.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.user_access.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.user_access.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.registry_key_activity.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.registry_key_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.registry_key_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.registry_key_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.registry_key_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.registry_key_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.registry_key_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.registry_key_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.registry_key_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.registry_key_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.registry_key_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.registry_key_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.registry_key_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.registry_key_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.ssh_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.ssh_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.ssh_activity.attributes.activity_id.enum.7 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.ssh_activity.attributes.type_uid.enum.400707 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.ssh_activity.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.ssh_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.ssh_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.ssh_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.ssh_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.ssh_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.ssh_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.ssh_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.ssh_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.ssh_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.ssh_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.ssh_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.ssh_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.ssh_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.ssh_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.ssh_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.ssh_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.ssh_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.ssh_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.ssh_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.ssh_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.ssh_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_file_activity.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_file_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_file_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_file_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.email_file_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.email_file_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_file_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_file_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.email_file_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.email_file_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_file_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.email_file_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.email_file_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_file_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.email_file_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.email_file_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.registry_value_activity.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.registry_value_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.registry_value_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.registry_value_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.registry_value_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.registry_value_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.registry_value_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.registry_value_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.registry_value_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.registry_value_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.registry_value_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.registry_value_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.registry_value_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.registry_value_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_activity.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.email_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.email_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.email_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.email_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.email_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.email_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.email_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.email_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.detection_finding.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.detection_finding.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.detection_finding.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.detection_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.detection_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.detection_finding.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.detection_finding.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.detection_finding.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.detection_finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.detection_finding.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.detection_finding.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.detection_finding.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.detection_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.detection_finding.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.detection_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.detection_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.detection_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.detection_finding.attributes.risk_level.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.detection_finding.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.detection_finding.attributes.risk_level.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.dns_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.dns_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.dns_activity.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.dns_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.dns_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.dns_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.dns_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.dns_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.dns_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.dns_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.dns_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.dns_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.dns_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.dns_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.dns_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.dns_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.dns_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.dns_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.dns_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.dns_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.dns_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.dns_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.dns_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.dns_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.ntp_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.ntp_activity.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.ntp_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.ntp_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.ntp_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.ntp_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.ntp_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.ntp_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.ntp_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.ntp_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.ntp_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.ntp_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.ntp_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.ntp_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.ntp_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.ntp_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.ntp_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.ntp_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.ntp_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.ntp_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.ntp_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.ntp_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.ntp_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.ntp_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.memory_activity.attributes.activity_id.enum.9 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.memory_activity.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.memory_activity.attributes.size.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.memory_activity.attributes.type_uid.enum.100409 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.memory_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.memory_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.memory_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.memory_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.memory_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.memory_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.memory_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.memory_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.memory_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.memory_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.memory_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.memory_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.memory_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.memory_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.memory_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.inventory_info.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.inventory_info.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.inventory_info.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.inventory_info.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.inventory_info.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.inventory_info.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.inventory_info.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.inventory_info.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.inventory_info.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.inventory_info.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.inventory_info.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.inventory_info.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.inventory_info.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.network_activity.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.network_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.network_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.network_activity.attributes.type_uid.enum.400107 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.network_activity.attributes.activity_id.enum.7 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.network_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.network_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.network_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.network_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.network_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.network_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.network_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.network_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.network_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.network_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.network_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.network_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.network_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.network_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.network_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.network_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.network_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.network_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.network_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.network_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.network_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.compliance_finding.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.compliance_finding.attributes.resource.@deprecated caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.compliance_finding.attributes.resources caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.compliance_finding.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.compliance_finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.compliance_finding.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.compliance_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.compliance_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.compliance_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.compliance_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.compliance_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.compliance_finding.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.compliance_finding.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.compliance_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.compliance_finding.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.scheduled_job_activity.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.scheduled_job_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.scheduled_job_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.scheduled_job_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.scheduled_job_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.scheduled_job_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.scheduled_job_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.scheduled_job_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.scheduled_job_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.scheduled_job_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.scheduled_job_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.scheduled_job_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.scheduled_job_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.scheduled_job_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.scheduled_job_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.scheduled_job_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.patch_state.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.patch_state.attributes.$include caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.patch_state.attributes.device.profile caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.patch_state.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.patch_state.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.patch_state.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.patch_state.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.patch_state.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.patch_state.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.patch_state.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.patch_state.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.patch_state.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.patch_state.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.patch_state.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.patch_state.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.web_resource_access_activity.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.web_resource_access_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.web_resource_access_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.web_resource_access_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.web_resource_access_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.web_resource_access_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.web_resource_access_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.web_resource_access_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.web_resource_access_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.web_resource_access_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.web_resource_access_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.web_resource_access_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.web_resource_access_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.27 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.security_finding.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.17 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.8.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.2.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.5.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.3.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.11.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.16 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.20 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.1.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.security_finding.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.19 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.9 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.4.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.18 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.21 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.22 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.6.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.23 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.12.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.26 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.7.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.25 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.24 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.13.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.security_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.security_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.security_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.security_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.security_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.security_finding.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.security_finding.attributes.risk_level.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.security_finding.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.security_finding.attributes.risk_level.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.security_finding.profiles caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.security_finding.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.security_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.security_finding.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.security_finding.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.security_finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.security_finding.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.account_change.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.account_change.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.account_change.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.account_change.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.account_change.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.account_change.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.account_change.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.account_change.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.account_change.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.account_change.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.account_change.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.account_change.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.account_change.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.ftp_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.ftp_activity.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.ftp_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.ftp_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.ftp_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.ftp_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.ftp_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.ftp_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.ftp_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.ftp_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.ftp_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.ftp_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.ftp_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.ftp_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.ftp_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.ftp_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.ftp_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.ftp_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.ftp_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.ftp_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.ftp_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.ftp_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.ftp_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.ftp_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.discovery.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.discovery.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.discovery.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.discovery.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.discovery.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.discovery.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.discovery.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.discovery.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.discovery.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.discovery.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.discovery.profiles caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.discovery.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.discovery.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.discovery.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.http_activity.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.http_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.http_activity.attributes.http_status.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.http_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.http_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.http_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.http_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.http_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.http_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.http_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.http_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.http_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.http_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.http_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.http_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.http_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.http_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.http_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.http_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.http_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.http_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.http_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.http_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.http_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.http_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.datastore_activity.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.datastore_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.datastore_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.datastore_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.datastore_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.datastore_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.datastore_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.datastore_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.datastore_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.datastore_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.datastore_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.datastore_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.datastore_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.datastore_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.datastore_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.datastore_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.authentication.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.authentication.attributes.logon_process.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.authentication.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.authentication.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.authentication.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.authentication.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.authentication.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.authentication.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.authentication.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.authentication.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.authentication.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.dhcp_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.dhcp_activity.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.dhcp_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.dhcp_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.dhcp_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.dhcp_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.dhcp_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.dhcp_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.dhcp_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.dhcp_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.dhcp_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.dhcp_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.dhcp_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.dhcp_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.dhcp_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.dhcp_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.dhcp_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.dhcp_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.dhcp_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.dhcp_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.dhcp_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.file_activity.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.file_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.file_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.file_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.file_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.file_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.file_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.file_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.file_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.file_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.file_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.file_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.file_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.file_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.file_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.file_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.7.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.19 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.6.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.21 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.2.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.26 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.4.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.25 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.5.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.22 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.3.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.24 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.11.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.8.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.20 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.16 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.23 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.9 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.1.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.18 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.27 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.12.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_delivery_activity.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.13.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.17 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.web_resources_activity.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.web_resources_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.web_resources_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.web_resources_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.web_resources_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.web_resources_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.web_resources_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.web_resources_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.web_resources_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.web_resources_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.web_resources_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.web_resources_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.web_resources_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.web_resources_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.web_resources_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.web_resources_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.incident_finding.attributes.ticket caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.incident_finding.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.incident_finding.profiles caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.incident_finding.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.incident_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.incident_finding.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.incident_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.incident_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.incident_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.incident_finding.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.incident_finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.incident_finding.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.incident_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.incident_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.incident_finding.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.network_file_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.network_file_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.network_file_activity.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.network_file_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.network_file_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.network_file_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.network_file_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.network_file_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.network_file_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.network_file_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.network_file_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.network_file_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.network_file_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.network_file_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.network_file_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.network_file_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.network_file_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.network_file_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.network_file_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.network_file_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.network_file_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300412 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300405 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.11 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.12 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.4.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300406 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.6 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.entity_management.attributes.access_list caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300410 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.1.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.13 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.8 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.entity_management.attributes.access_mask caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.entity_management.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.3.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300413 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.10 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300409 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.7 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300411 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.2.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.5 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.9 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300407 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300408 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.entity_management.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.entity_management.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.entity_management.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.entity_management.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.entity_management.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.entity_management.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.entity_management.attributes.actor.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.entity_management.attributes.actor.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.entity_management.attributes.actor.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.entity_management.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.entity_management.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.entity_management.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.entity_management.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.entity_management.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.entity_management.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.module_activity.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.module_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.module_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.module_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.module_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.module_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.module_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.module_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.module_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.module_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.module_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.module_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.module_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.module_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.module_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.module_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.process_activity.attributes.injection_type_id.enum.3 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.process_activity.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.process_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.process_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.process_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.process_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.process_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.process_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.process_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.process_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.process_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.process_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.process_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.process_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.process_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.process_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.process_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.group_management.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.group_management.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.group_management.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.group_management.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.group_management.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.group_management.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.group_management.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.group_management.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.group_management.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.group_management.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.group_management.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.group_management.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.group_management.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.rdp_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.rdp_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.rdp_activity.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.rdp_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.rdp_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.rdp_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.rdp_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.rdp_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.rdp_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.rdp_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.rdp_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.rdp_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.rdp_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.rdp_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.rdp_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.rdp_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.rdp_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.rdp_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.rdp_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.rdp_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.rdp_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.rdp_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.rdp_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.rdp_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.network.attributes.tls.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.network.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.network.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.network.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.network.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.network.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.network.attributes.tls.group caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.network.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.network.attributes.tls.group after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.network.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.network.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.network.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.network.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.network.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.network.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.network.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.network.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.network.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.network.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.network.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.network.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.network.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.network.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.network.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.kernel_extension.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.kernel_extension.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.kernel_extension.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.kernel_extension.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.kernel_extension.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.kernel_extension.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.kernel_extension.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.kernel_extension.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.kernel_extension.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.kernel_extension.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.kernel_extension.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.kernel_extension.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.kernel_extension.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.kernel_extension.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.kernel_extension.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.kernel_extension.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.user_inventory.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.user_inventory.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.user_inventory.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.user_inventory.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.user_inventory.profiles caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.user_inventory.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.user_inventory.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.user_inventory.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.user_inventory.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.user_inventory.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.user_inventory.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.user_inventory.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.user_inventory.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.user_inventory.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.device_config_state_change.attributes.prev_security_states.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.device_config_state_change.attributes.security_level.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.device_config_state_change.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.device_config_state_change.attributes.prev_security_level_id.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.device_config_state_change.attributes.security_level_id.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.device_config_state_change.attributes.prev_security_level.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.device_config_state_change.attributes.security_states.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.device_config_state_change.attributes.state caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.device_config_state_change.attributes.state_id caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.device_config_state_change.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.device_config_state_change.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.device_config_state_change.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.device_config_state_change.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.device_config_state_change.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.device_config_state_change.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.device_config_state_change.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.device_config_state_change.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.device_config_state_change.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.device_config_state_change.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.device_config_state_change.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.device_config_state_change.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.finding.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.finding.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.finding.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.finding.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.finding.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.finding.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.finding.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.finding.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_url_activity.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_url_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.email_url_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.email_url_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_url_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_url_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.email_url_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.email_url_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_url_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.email_url_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.email_url_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_url_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.email_url_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.email_url_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_url_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.email_url_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.application.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.application.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.application.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.application.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.application.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.application.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.application.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.application.profiles caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.application.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.application.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.application.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.application.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.application.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.application.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.scan_activity.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.scan_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.scan_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.scan_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.scan_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.scan_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.scan_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.scan_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.scan_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.scan_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.scan_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.scan_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.scan_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.smb_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.smb_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.smb_activity.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.smb_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.smb_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.smb_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.smb_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.smb_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.smb_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.smb_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.smb_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.smb_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.smb_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.smb_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.smb_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.smb_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.smb_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.smb_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.smb_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.smb_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.smb_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.smb_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.smb_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.smb_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.config_state.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.config_state.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.config_state.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.config_state.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.config_state.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.config_state.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.config_state.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.config_state.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.config_state.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.config_state.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.config_state.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.config_state.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.config_state.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.vulnerability_finding.attributes.resource.@deprecated caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.vulnerability_finding.attributes.resources caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.vulnerability_finding.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.vulnerability_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.vulnerability_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.vulnerability_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.vulnerability_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.vulnerability_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.vulnerability_finding.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.vulnerability_finding.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.vulnerability_finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.vulnerability_finding.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.vulnerability_finding.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.vulnerability_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.vulnerability_finding.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.base_event.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.base_event.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.base_event.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.base_event.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.base_event.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.base_event.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.base_event.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.base_event.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.base_event.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.base_event.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.base_event.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.base_event.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.base_event.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.base_event.profiles caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.kernel_activity.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.kernel_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.kernel_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.kernel_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.kernel_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.kernel_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.kernel_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.kernel_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.kernel_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.kernel_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.kernel_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.kernel_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.kernel_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.kernel_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.kernel_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.kernel_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.system.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.system.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.system.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.system.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.system.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.system.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.system.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.system.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.system.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.system.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.system.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.system.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.system.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.system.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.system.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.system.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.data_security_finding.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.data_security_finding.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.data_security_finding.attributes.risk_level.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.data_security_finding.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.data_security_finding.attributes.risk_level.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.data_security_finding.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.data_security_finding.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.data_security_finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.data_security_finding.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.data_security_finding.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.data_security_finding.attributes.resources.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.data_security_finding.attributes.resources.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.data_security_finding.attributes.resources.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.data_security_finding.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.data_security_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.data_security_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.data_security_finding.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.data_security_finding.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.data_security_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.data_security_finding.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.data_security_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.data_security_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.data_security_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.authorize_session.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.authorize_session.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.authorize_session.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.authorize_session.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.authorize_session.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.authorize_session.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.authorize_session.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.authorize_session.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.authorize_session.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.authorize_session.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.authorize_session.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.authorize_session.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.authorize_session.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.prefetch_query.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.prefetch_query.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.prefetch_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.prefetch_query.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.prefetch_query.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.prefetch_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.prefetch_query.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.prefetch_query.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.prefetch_query.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.prefetch_query.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.prefetch_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.prefetch_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.prefetch_query.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.registry_value_query.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.registry_value_query.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.registry_value_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.registry_value_query.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.registry_value_query.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.registry_value_query.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.registry_value_query.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.registry_value_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.registry_value_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.registry_value_query.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.registry_value_query.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.registry_value_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.registry_value_query.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.registry_key_query.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.registry_key_query.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.registry_key_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.registry_key_query.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.registry_key_query.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.registry_key_query.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.registry_key_query.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.registry_key_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.registry_key_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.registry_key_query.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.registry_key_query.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.registry_key_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.registry_key_query.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.tunnel_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.tunnel_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.tunnel_activity.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.tunnel_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.tunnel_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.tunnel_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.tunnel_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.tunnel_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.tunnel_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.tunnel_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.tunnel_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.tunnel_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.tunnel_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.tunnel_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.tunnel_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.tunnel_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.tunnel_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.tunnel_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.tunnel_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.tunnel_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.tunnel_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.peripheral_device_query.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.peripheral_device_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.peripheral_device_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.peripheral_device_query.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.peripheral_device_query.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.peripheral_device_query.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.peripheral_device_query.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.peripheral_device_query.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.peripheral_device_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.peripheral_device_query.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.peripheral_device_query.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.peripheral_device_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.peripheral_device_query.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.session_query.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.session_query.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.session_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.session_query.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.session_query.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.session_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.session_query.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.session_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.session_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.session_query.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.session_query.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.session_query.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.session_query.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.user_query.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.user_query.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.user_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.user_query.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.user_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.user_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.user_query.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.user_query.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.user_query.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.user_query.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.user_query.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.user_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.user_query.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.api_activity.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.api_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.api_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.api_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.api_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.api_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.api_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.api_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.api_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.api_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.api_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.api_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.api_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.api_activity.profiles caused by UPDATE
+[2024-08-22 17:47 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.2.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.application_lifecycle.attributes.type_uid.enum.600206 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.3.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.8 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.7 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.application_lifecycle.attributes.type_uid.enum.600207 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.application_lifecycle.attributes.type_uid.enum.600208 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.application_lifecycle.attributes.type_uid.enum.600205 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.1.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.application_lifecycle.attributes.osint caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.4.description caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.6 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.5 caused by ADD
+[2024-08-22 17:47 DEBUG] Deciding action for events.application_lifecycle.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.application_lifecycle.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.application_lifecycle.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.application_lifecycle.attributes.duration.type caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.application_lifecycle.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.application_lifecycle.attributes.duration.type after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.application_lifecycle.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.application_lifecycle.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to update events.application_lifecycle.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:47 DEBUG] Deciding action for events.application_lifecycle.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:47 DEBUG] Multiple directives possible for events.application_lifecycle.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:47 INFO] Choosing to preserve events.application_lifecycle.attributes.duration.caption after detecting 3.
+[2024-08-22 17:47 WARNING] Skipping empty record dictionary.types.attributes
+[2024-08-22 17:48 DEBUG] Deciding action for objects.registry_key caused by REMOVE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.registry_key.
+UPDATE: 200
+PRESERVE: 0
+DEPRECATE: 20
+IGNORE: 0
+ UPDATE: objects.registry_key
+ DEPRECATE: ?.?
+
+[2024-08-22 17:48 INFO] Choosing to update objects.registry_key after detecting 2.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.registry_value caused by REMOVE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.registry_value.
+UPDATE: 200
+PRESERVE: 0
+DEPRECATE: 20
+IGNORE: 0
+ UPDATE: objects.registry_value
+ DEPRECATE: ?.?
+
+[2024-08-22 17:48 INFO] Choosing to update objects.registry_value after detecting 2.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.web_resource.attributes.name.requirement caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.web_resource.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects.web_resource.attributes.name.requirement after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.web_resource.attributes.uid.requirement caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.web_resource.attributes.uid.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects.web_resource.attributes.uid.requirement after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.policy.attributes.is_applied.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.data_security.attributes.data_lifecycle_state_id.enum.99 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.data_security.attributes.data_lifecycle_state_id.enum.0.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for objects.tactic.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for objects.tactic.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for objects.tactic.attributes.uid.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.tactic.attributes.uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects.tactic.attributes.uid.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.tactic.attributes.src_url.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.tactic.attributes.src_url.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects.tactic.attributes.src_url.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.tactic.attributes.name.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.tactic.attributes.name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects.tactic.attributes.name.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.session.attributes.credential_uid.observable caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.managed_entity.attributes.type_id caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.managed_entity.attributes.org caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.managed_entity.attributes.device caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.managed_entity.attributes.group caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.managed_entity.attributes.policy caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.managed_entity.attributes.user caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.managed_entity.attributes.email caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.managed_entity.constraints.at_least_one caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for objects.managed_entity.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for objects.resource_details.attributes.uid.requirement caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.resource_details.attributes.uid.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects.resource_details.attributes.uid.requirement after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.resource_details.attributes.name.requirement caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.resource_details.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects.resource_details.attributes.name.requirement after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.malware.attributes.classification_ids.enum.0.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.malware.attributes.classification_ids.enum.99.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.malware.attributes.classifications.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.malware.attributes.classifications.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects.malware.attributes.classifications.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.device.attributes.type_id.enum.14 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.device.attributes.type_id.enum.13 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.device.attributes.boot_time caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.device.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.device.attributes.type_id.enum.12 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.device.attributes.type_id.enum.15 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.device.attributes.uid_alt.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.device.attributes.name.requirement caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.device.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects.device.attributes.name.requirement after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.device.attributes.type_id.enum.7.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for objects.device.attributes.ip.requirement caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.device.attributes.ip.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects.device.attributes.ip.requirement after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.device.attributes.type.requirement caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.device.attributes.type.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects.device.attributes.type.requirement after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.device.attributes.risk_level.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.device.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects.device.attributes.risk_level.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.12 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.14 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.15 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.13 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.7.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for objects.cloud.attributes.project_uid.@deprecated caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.cloud.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for objects.file.attributes.ext caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.service.attributes.run_state_id.enum.99 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.metadata.attributes.loggers.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.metadata.attributes.profiles.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.metadata.attributes.profiles.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects.metadata.attributes.profiles.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.network_connection_info.attributes.boundary.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.network_connection_info.attributes.tcp_flags.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_name.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.network_connection_info.attributes.uid.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.network_connection_info.attributes.boundary_id.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_ver_id.enum.0.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_ver_id.enum.99.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_ver_id.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_ver.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.authorization.attributes.policy.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.authorization.attributes.decision.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.13 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.14 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.12 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.15 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.7.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for objects.account.attributes.type_id.enum.17 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.account.attributes.type_id.enum.16 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.account.attributes.type_id.enum.12 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.account.attributes.name.observable caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.account.attributes.type_id.enum.14 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.account.attributes.type_id.enum.15 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.account.attributes.uid.observable caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.account.attributes.type_id.enum.11 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.account.attributes.type_id.enum.13 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.account.attributes.name.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.account.attributes.name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects.account.attributes.name.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.account.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for objects.account.attributes.uid.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.account.attributes.uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects.account.attributes.uid.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.ldap_person.attributes.phone_number caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.technique.attributes.src_url.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.technique.attributes.src_url.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects.technique.attributes.src_url.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.technique.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for objects.technique.attributes.uid.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.technique.attributes.uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects.technique.attributes.uid.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.technique.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for objects.technique.attributes.name.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.technique.attributes.name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects.technique.attributes.name.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.dns_query.attributes.opcode_id.enum.99 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.dns_query.attributes.opcode_id.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.dns_query.attributes.opcode_id.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects.dns_query.attributes.opcode_id.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.certificate.attributes.is_self_signed caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.evidences.attributes.job caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.evidences.attributes.reg_value caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.evidences.attributes.win_service caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.evidences.attributes.reg_key caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.evidences.attributes.device caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.evidences.attributes.email caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.evidences.attributes.url caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.evidences.attributes.user caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.evidences.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for objects.evidences.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for objects.evidences.extends caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for objects.evidences.constraints.at_least_one caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for objects.user.attributes.credential_uid.observable caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.user.attributes.uid.observable caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.user.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.user.attributes.phone_number caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.user.attributes.has_mfa caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.user.attributes.risk_level.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.user.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects.user.attributes.risk_level.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.url.attributes.resource_type.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.url.attributes.categories.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.url.attributes.domain caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.package.attributes.type_id caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.package.attributes.hash caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.package.attributes.vendor_name caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.package.attributes.cpe_name caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.package.attributes.type caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.attack.attributes.version.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.attack.attributes.version.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects.attack.attributes.version.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.attack.attributes.tactics.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.attack.attributes.tactics.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects.attack.attributes.tactics.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.attack.attributes.sub_technique.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.attack.attributes.sub_technique.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects.attack.attributes.sub_technique.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.attack.attributes.technique.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.attack.attributes.technique.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects.attack.attributes.technique.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.attack.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for objects.attack.attributes.tactic.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.attack.attributes.tactic.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects.attack.attributes.tactic.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.security_state.attributes.state.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.security_state.attributes.state_id.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.load_balancer.attributes.ip caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.4 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.5 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.6 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.99 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.0.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.3 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.job.attributes.run_state_id.enum.99.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.job.attributes.run_state_id.enum.0.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.analytic.attributes.type_id.enum.4 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.digital_signature.attributes.state caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.digital_signature.attributes.state_id caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.logger.attributes.logged_time.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.organization.attributes.name.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.organization.attributes.name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects.organization.attributes.name.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.organization.attributes.ou_name.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.organization.attributes.ou_name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects.organization.attributes.ou_name.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.organization.attributes.uid.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.organization.attributes.uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects.organization.attributes.uid.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.organization.attributes.ou_uid.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.organization.attributes.ou_uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects.organization.attributes.ou_uid.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.organization.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for objects.module.attributes.load_type_id.enum.0.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.module.attributes.load_type_id.enum.99.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.module.attributes.load_type.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.module.attributes.load_type.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects.module.attributes.load_type.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.module.attributes.load_type_id.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.module.attributes.load_type_id.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects.module.attributes.load_type_id.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.34 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.32 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.35 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.33 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.31 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.19 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects._resource.attributes.name.requirement caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects._resource.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects._resource.attributes.name.requirement after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects._resource.attributes.uid.requirement caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects._resource.attributes.uid.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects._resource.attributes.uid.requirement after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.process.attributes.integrity_id.enum.99.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.process.attributes.integrity_id.enum.0.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.process.attributes.integrity.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.process.attributes.integrity.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects.process.attributes.integrity.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.group.attributes.uid.observable caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.group.attributes.name.observable caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.product.attributes.url_string.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.product.attributes.path.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.product.attributes.feature.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.kb_article.attributes.install_state_id caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.kb_article.attributes.avg_timespan caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.kb_article.attributes.install_state caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.enrichment.attributes.short_desc caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.enrichment.attributes.src_url caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.enrichment.attributes.reputation caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.enrichment.attributes.created_time caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.enrichment.attributes.desc caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.compliance.attributes.compliance_references caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.compliance.attributes.compliance_standards caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.compliance.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.compliance.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve objects.compliance.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.sub_technique.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for objects.sub_technique.attributes.name.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.sub_technique.attributes.name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects.sub_technique.attributes.name.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.sub_technique.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for objects.sub_technique.attributes.src_url.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.sub_technique.attributes.src_url.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects.sub_technique.attributes.src_url.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.sub_technique.attributes.uid.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.sub_technique.attributes.uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects.sub_technique.attributes.uid.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.dns_answer.attributes.flag_ids.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.dns_answer.attributes.flag_ids.enum.0.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.dns_answer.attributes.flags.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.dns_answer.attributes.flag_ids.enum.99.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.12 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.15 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.13 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.14 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.7.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for objects.firewall_rule.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.firewall_rule.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve objects.firewall_rule.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.firewall_rule.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.firewall_rule.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects.firewall_rule.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.affected_package.attributes.vendor_name caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.affected_package.attributes.hash caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.affected_package.attributes.type_id caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.affected_package.attributes.cpe_name caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.affected_package.attributes.type caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.reg_key.@deprecated caused by REMOVE
+[2024-08-22 17:48 DEBUG] Deciding action for objects.reg_key.name caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for objects.reg_key.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for objects.reg_key.attributes.path.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for objects.reg_value.attributes.type_id.enum.-1 caused by REMOVE
+[2024-08-22 17:48 DEBUG] Deciding action for objects.reg_value.@deprecated caused by REMOVE
+[2024-08-22 17:48 DEBUG] Deciding action for objects.reg_value.attributes.type_id.default caused by REMOVE
+[2024-08-22 17:48 DEBUG] Deciding action for objects.reg_value.name caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for objects.reg_value.attributes.path.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for objects.win_resource.attributes.details.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.win_resource.attributes.svc_name.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for objects.win_resource.attributes.name.requirement caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.win_resource.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects.win_resource.attributes.name.requirement after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for objects.win_resource.attributes.uid.requirement caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for objects.win_resource.attributes.uid.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update objects.win_resource.attributes.uid.requirement after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.iam.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.iam.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.iam.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.iam.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.iam.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.iam.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.iam.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.iam.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.iam.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.iam.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.iam.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.iam.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.iam.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.file_hosting.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.file_hosting.attributes.file_result caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.file_hosting.profiles caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.file_hosting.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.file_hosting.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.file_hosting.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.file_hosting.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.file_hosting.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.file_hosting.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.file_hosting.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.file_hosting.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.file_hosting.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.file_hosting.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.file_hosting.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.file_hosting.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.resource_activity.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.resource_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.resource_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.resource_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.resource_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.resource_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.resource_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.resource_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.resource_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.resource_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.resource_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.resource_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.resource_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.resource_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.discovery_result.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.discovery_result.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.discovery_result.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.discovery_result.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.discovery_result.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.discovery_result.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.discovery_result.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.discovery_result.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.discovery_result.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.discovery_result.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.discovery_result.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.discovery_result.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.discovery_result.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.user_access.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.user_access.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.user_access.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.user_access.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.user_access.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.user_access.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.user_access.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.user_access.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.user_access.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.user_access.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.user_access.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.user_access.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.user_access.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.registry_key_activity.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.registry_key_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.registry_key_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.registry_key_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.registry_key_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.registry_key_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.registry_key_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.registry_key_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.registry_key_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.registry_key_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.registry_key_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.registry_key_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.registry_key_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.registry_key_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.ssh_activity.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.ssh_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.ssh_activity.attributes.activity_id.enum.7 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.ssh_activity.attributes.type_uid.enum.400707 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.ssh_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.ssh_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.ssh_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.ssh_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.ssh_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.ssh_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.ssh_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.ssh_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.ssh_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.ssh_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.ssh_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.ssh_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.ssh_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.ssh_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.ssh_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.ssh_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.ssh_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.ssh_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.ssh_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.ssh_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.ssh_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.ssh_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_file_activity.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_file_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_file_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.email_file_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.email_file_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_file_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.email_file_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.email_file_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_file_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_file_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_file_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.email_file_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.email_file_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_file_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.email_file_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.email_file_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.registry_value_activity.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.registry_value_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.registry_value_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.registry_value_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.registry_value_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.registry_value_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.registry_value_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.registry_value_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.registry_value_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.registry_value_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.registry_value_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.registry_value_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.registry_value_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.registry_value_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_activity.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.email_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.email_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.email_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.email_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.email_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.email_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.email_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.email_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.detection_finding.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.detection_finding.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.detection_finding.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.detection_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.detection_finding.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.detection_finding.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.detection_finding.attributes.risk_level.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.detection_finding.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.detection_finding.attributes.risk_level.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.detection_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.detection_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.detection_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.detection_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.detection_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.detection_finding.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.detection_finding.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.detection_finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.detection_finding.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.detection_finding.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.detection_finding.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.dns_activity.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.dns_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.dns_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.dns_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.dns_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.dns_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.dns_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.dns_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.dns_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.dns_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.dns_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.dns_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.dns_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.dns_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.dns_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.dns_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.dns_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.dns_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.dns_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.dns_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.dns_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.dns_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.dns_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.dns_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.ntp_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.ntp_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.ntp_activity.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.ntp_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.ntp_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.ntp_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.ntp_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.ntp_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.ntp_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.ntp_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.ntp_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.ntp_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.ntp_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.ntp_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.ntp_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.ntp_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.ntp_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.ntp_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.ntp_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.ntp_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.ntp_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.ntp_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.ntp_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.ntp_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.memory_activity.attributes.type_uid.enum.100409 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.memory_activity.attributes.activity_id.enum.9 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.memory_activity.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.memory_activity.attributes.size.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.memory_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.memory_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.memory_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.memory_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.memory_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.memory_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.memory_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.memory_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.memory_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.memory_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.memory_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.memory_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.memory_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.memory_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.memory_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.inventory_info.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.inventory_info.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.inventory_info.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.inventory_info.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.inventory_info.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.inventory_info.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.inventory_info.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.inventory_info.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.inventory_info.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.inventory_info.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.inventory_info.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.inventory_info.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.inventory_info.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.network_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.network_activity.attributes.activity_id.enum.7 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.network_activity.attributes.type_uid.enum.400107 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.network_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.network_activity.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.network_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.network_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.network_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.network_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.network_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.network_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.network_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.network_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.network_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.network_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.network_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.network_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.network_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.network_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.network_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.network_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.network_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.network_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.network_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.network_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.network_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.compliance_finding.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.compliance_finding.attributes.resource.@deprecated caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.compliance_finding.attributes.resources caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.compliance_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.compliance_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.compliance_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.compliance_finding.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.compliance_finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.compliance_finding.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.compliance_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.compliance_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.compliance_finding.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.compliance_finding.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.compliance_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.compliance_finding.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.scheduled_job_activity.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.scheduled_job_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.scheduled_job_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.scheduled_job_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.scheduled_job_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.scheduled_job_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.scheduled_job_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.scheduled_job_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.scheduled_job_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.scheduled_job_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.scheduled_job_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.scheduled_job_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.scheduled_job_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.scheduled_job_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.scheduled_job_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.scheduled_job_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.patch_state.attributes.$include caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.patch_state.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.patch_state.attributes.device.profile caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.patch_state.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.patch_state.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.patch_state.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.patch_state.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.patch_state.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.patch_state.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.patch_state.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.patch_state.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.patch_state.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.patch_state.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.patch_state.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.patch_state.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.web_resource_access_activity.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.web_resource_access_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.web_resource_access_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.web_resource_access_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.web_resource_access_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.web_resource_access_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.web_resource_access_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.web_resource_access_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.web_resource_access_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.web_resource_access_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.web_resource_access_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.web_resource_access_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.web_resource_access_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.25 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.3.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.13.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.5.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.6.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.24 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.11.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.27 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.9 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.20 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.4.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.18 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.8.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.16 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.22 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.17 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.19 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.12.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.security_finding.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.1.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.23 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.security_finding.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.26 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.21 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.7.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.2.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.security_finding.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.security_finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.security_finding.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.security_finding.attributes.risk_level.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.security_finding.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.security_finding.attributes.risk_level.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.security_finding.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.security_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.security_finding.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.security_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.security_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.security_finding.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.security_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.security_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.security_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.security_finding.profiles caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.account_change.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.account_change.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.account_change.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.account_change.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.account_change.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.account_change.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.account_change.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.account_change.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.account_change.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.account_change.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.account_change.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.account_change.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.account_change.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.ftp_activity.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.ftp_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.ftp_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.ftp_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.ftp_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.ftp_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.ftp_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.ftp_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.ftp_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.ftp_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.ftp_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.ftp_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.ftp_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.ftp_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.ftp_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.ftp_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.ftp_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.ftp_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.ftp_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.ftp_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.ftp_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.ftp_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.ftp_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.ftp_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.discovery.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.discovery.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.discovery.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.discovery.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.discovery.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.discovery.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.discovery.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.discovery.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.discovery.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.discovery.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.discovery.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.discovery.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.discovery.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.discovery.profiles caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.http_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.http_activity.attributes.http_status.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.http_activity.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.http_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.http_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.http_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.http_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.http_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.http_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.http_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.http_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.http_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.http_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.http_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.http_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.http_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.http_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.http_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.http_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.http_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.http_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.http_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.http_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.http_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.http_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.datastore_activity.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.datastore_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.datastore_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.datastore_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.datastore_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.datastore_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.datastore_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.datastore_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.datastore_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.datastore_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.datastore_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.datastore_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.datastore_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.datastore_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.datastore_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.datastore_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.authentication.attributes.logon_process.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.authentication.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.authentication.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.authentication.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.authentication.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.authentication.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.authentication.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.authentication.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.authentication.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.authentication.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.authentication.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.dhcp_activity.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.dhcp_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.dhcp_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.dhcp_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.dhcp_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.dhcp_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.dhcp_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.dhcp_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.dhcp_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.dhcp_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.dhcp_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.dhcp_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.dhcp_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.dhcp_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.dhcp_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.dhcp_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.dhcp_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.dhcp_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.dhcp_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.dhcp_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.dhcp_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.file_activity.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.file_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.file_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.file_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.file_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.file_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.file_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.file_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.file_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.file_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.file_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.file_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.file_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.file_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.file_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.file_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.21 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.4.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.17 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.20 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.9 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.1.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.23 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.26 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.3.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.18 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.2.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.11.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.6.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.19 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.22 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.12.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.5.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.27 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_delivery_activity.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.24 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.13.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.16 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.25 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.7.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.8.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.web_resources_activity.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.web_resources_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.web_resources_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.web_resources_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.web_resources_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.web_resources_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.web_resources_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.web_resources_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.web_resources_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.web_resources_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.web_resources_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.web_resources_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.web_resources_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.web_resources_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.web_resources_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.web_resources_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.incident_finding.attributes.ticket caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.incident_finding.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.incident_finding.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.incident_finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.incident_finding.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.incident_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.incident_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.incident_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.incident_finding.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.incident_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.incident_finding.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.incident_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.incident_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.incident_finding.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.incident_finding.profiles caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.network_file_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.network_file_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.network_file_activity.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.network_file_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.network_file_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.network_file_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.network_file_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.network_file_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.network_file_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.network_file_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.network_file_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.network_file_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.network_file_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.network_file_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.network_file_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.network_file_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.network_file_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.network_file_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.network_file_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.network_file_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.network_file_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300406 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.4.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.6 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.10 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.entity_management.attributes.access_list caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.1.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.12 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300408 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300413 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.9 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.3.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300410 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.7 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.entity_management.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300412 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.8 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300409 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.2.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.entity_management.attributes.access_mask caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.13 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300411 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.11 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300405 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.5 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300407 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.entity_management.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.entity_management.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.entity_management.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.entity_management.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.entity_management.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.entity_management.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.entity_management.attributes.actor.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.entity_management.attributes.actor.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.entity_management.attributes.actor.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.entity_management.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.entity_management.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.entity_management.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.entity_management.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.entity_management.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.entity_management.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.module_activity.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.module_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.module_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.module_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.module_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.module_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.module_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.module_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.module_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.module_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.module_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.module_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.module_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.module_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.module_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.module_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.process_activity.attributes.injection_type_id.enum.3 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.process_activity.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.process_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.process_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.process_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.process_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.process_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.process_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.process_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.process_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.process_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.process_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.process_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.process_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.process_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.process_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.process_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.group_management.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.group_management.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.group_management.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.group_management.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.group_management.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.group_management.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.group_management.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.group_management.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.group_management.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.group_management.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.group_management.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.group_management.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.group_management.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.rdp_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.rdp_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.rdp_activity.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.rdp_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.rdp_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.rdp_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.rdp_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.rdp_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.rdp_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.rdp_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.rdp_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.rdp_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.rdp_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.rdp_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.rdp_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.rdp_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.rdp_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.rdp_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.rdp_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.rdp_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.rdp_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.rdp_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.rdp_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.rdp_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.network.attributes.tls.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.network.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.network.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.network.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.network.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.network.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.network.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.network.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.network.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.network.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.network.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.network.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.network.attributes.tls.group caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.network.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.network.attributes.tls.group after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.network.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.network.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.network.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.network.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.network.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.network.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.network.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.network.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.network.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.kernel_extension.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.kernel_extension.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.kernel_extension.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.kernel_extension.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.kernel_extension.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.kernel_extension.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.kernel_extension.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.kernel_extension.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.kernel_extension.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.kernel_extension.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.kernel_extension.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.kernel_extension.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.kernel_extension.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.kernel_extension.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.kernel_extension.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.kernel_extension.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.user_inventory.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.user_inventory.profiles caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.user_inventory.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.user_inventory.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.user_inventory.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.user_inventory.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.user_inventory.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.user_inventory.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.user_inventory.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.user_inventory.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.user_inventory.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.user_inventory.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.user_inventory.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.user_inventory.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.device_config_state_change.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.device_config_state_change.attributes.security_level_id.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.device_config_state_change.attributes.security_level.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.device_config_state_change.attributes.prev_security_level_id.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.device_config_state_change.attributes.prev_security_level.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.device_config_state_change.attributes.state_id caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.device_config_state_change.attributes.security_states.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.device_config_state_change.attributes.state caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.device_config_state_change.attributes.prev_security_states.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.device_config_state_change.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.device_config_state_change.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.device_config_state_change.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.device_config_state_change.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.device_config_state_change.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.device_config_state_change.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.device_config_state_change.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.device_config_state_change.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.device_config_state_change.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.device_config_state_change.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.device_config_state_change.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.device_config_state_change.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.finding.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.finding.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.finding.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.finding.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.finding.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.finding.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.finding.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.finding.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_url_activity.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_url_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_url_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.email_url_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.email_url_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_url_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_url_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.email_url_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.email_url_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_url_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_url_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.email_url_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.email_url_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.email_url_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.email_url_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.email_url_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.application.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.application.profiles caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.application.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.application.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.application.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.application.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.application.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.application.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.application.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.application.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.application.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.application.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.application.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.application.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.scan_activity.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.scan_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.scan_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.scan_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.scan_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.scan_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.scan_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.scan_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.scan_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.scan_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.scan_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.scan_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.scan_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.smb_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.smb_activity.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.smb_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.smb_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.smb_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.smb_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.smb_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.smb_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.smb_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.smb_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.smb_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.smb_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.smb_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.smb_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.smb_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.smb_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.smb_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.smb_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.smb_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.smb_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.smb_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.smb_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.smb_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.smb_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.config_state.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.config_state.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.config_state.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.config_state.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.config_state.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.config_state.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.config_state.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.config_state.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.config_state.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.config_state.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.config_state.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.config_state.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.config_state.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.vulnerability_finding.attributes.resource.@deprecated caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.vulnerability_finding.attributes.resources caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.vulnerability_finding.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.vulnerability_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.vulnerability_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.vulnerability_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.vulnerability_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.vulnerability_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.vulnerability_finding.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.vulnerability_finding.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.vulnerability_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.vulnerability_finding.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.vulnerability_finding.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.vulnerability_finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.vulnerability_finding.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.base_event.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.base_event.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.base_event.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.base_event.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.base_event.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.base_event.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.base_event.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.base_event.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.base_event.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.base_event.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.base_event.profiles caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.base_event.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.base_event.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.base_event.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.kernel_activity.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.kernel_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.kernel_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.kernel_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.kernel_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.kernel_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.kernel_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.kernel_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.kernel_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.kernel_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.kernel_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.kernel_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.kernel_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.kernel_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.kernel_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.kernel_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.system.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.system.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.system.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.system.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.system.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.system.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.system.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.system.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.system.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.system.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.system.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.system.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.system.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.system.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.system.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.system.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.data_security_finding.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.data_security_finding.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.data_security_finding.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.data_security_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.data_security_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.data_security_finding.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.data_security_finding.attributes.resources.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.data_security_finding.attributes.resources.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.data_security_finding.attributes.resources.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.data_security_finding.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.data_security_finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.data_security_finding.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.data_security_finding.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.data_security_finding.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.data_security_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.data_security_finding.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.data_security_finding.attributes.risk_level.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.data_security_finding.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.data_security_finding.attributes.risk_level.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.data_security_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.data_security_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.data_security_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.data_security_finding.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.authorize_session.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.authorize_session.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.authorize_session.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.authorize_session.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.authorize_session.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.authorize_session.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.authorize_session.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.authorize_session.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.authorize_session.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.authorize_session.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.authorize_session.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.authorize_session.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.authorize_session.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.prefetch_query.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.prefetch_query.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.prefetch_query.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.prefetch_query.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.prefetch_query.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.prefetch_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.prefetch_query.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.prefetch_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.prefetch_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.prefetch_query.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.prefetch_query.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.prefetch_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.prefetch_query.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.registry_value_query.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.registry_value_query.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.registry_value_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.registry_value_query.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.registry_value_query.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.registry_value_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.registry_value_query.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.registry_value_query.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.registry_value_query.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.registry_value_query.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.registry_value_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.registry_value_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.registry_value_query.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.registry_key_query.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.registry_key_query.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.registry_key_query.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.registry_key_query.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.registry_key_query.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.registry_key_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.registry_key_query.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.registry_key_query.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.registry_key_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.registry_key_query.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.registry_key_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.registry_key_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.registry_key_query.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.tunnel_activity.attributes.tls.requirement caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.tunnel_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.tunnel_activity.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.tunnel_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.tunnel_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.tunnel_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.tunnel_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.tunnel_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.tunnel_activity.attributes.tls.group caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.tunnel_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.tunnel_activity.attributes.tls.group after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.tunnel_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.tunnel_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.tunnel_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.tunnel_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.tunnel_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.tunnel_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.tunnel_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.tunnel_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.tunnel_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.tunnel_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.peripheral_device_query.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.peripheral_device_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.peripheral_device_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.peripheral_device_query.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.peripheral_device_query.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.peripheral_device_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.peripheral_device_query.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.peripheral_device_query.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.peripheral_device_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.peripheral_device_query.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.peripheral_device_query.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.peripheral_device_query.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.peripheral_device_query.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.session_query.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.session_query.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.session_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.session_query.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.session_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.session_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.session_query.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.session_query.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.session_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.session_query.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.session_query.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.session_query.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.session_query.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.user_query.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.user_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.user_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.user_query.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.user_query.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.user_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.user_query.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.user_query.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.user_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.user_query.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.user_query.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.user_query.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.user_query.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.api_activity.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.api_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.api_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.api_activity.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.api_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.api_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.api_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.api_activity.profiles caused by UPDATE
+[2024-08-22 17:48 DEBUG] Deciding action for events.api_activity.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.api_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.api_activity.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.api_activity.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.api_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.api_activity.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.application_lifecycle.attributes.type_uid.enum.600207 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.application_lifecycle.attributes.type_uid.enum.600206 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.4.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.8 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.application_lifecycle.attributes.type_uid.enum.600208 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.application_lifecycle.attributes.osint caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.6 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.2.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.application_lifecycle.attributes.type_uid.enum.600205 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.5 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.1.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.3.description caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.7 caused by ADD
+[2024-08-22 17:48 DEBUG] Deciding action for events.application_lifecycle.attributes.status_detail.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.application_lifecycle.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.application_lifecycle.attributes.status_detail.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.application_lifecycle.attributes.status_detail.description caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.application_lifecycle.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.application_lifecycle.attributes.status_detail.description after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.application_lifecycle.attributes.duration.caption caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.application_lifecycle.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to preserve events.application_lifecycle.attributes.duration.caption after detecting 3.
+[2024-08-22 17:48 DEBUG] Deciding action for events.application_lifecycle.attributes.duration.type caused by UPDATE
+[2024-08-22 17:48 DEBUG] Multiple directives possible for events.application_lifecycle.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-22 17:48 INFO] Choosing to update events.application_lifecycle.attributes.duration.type after detecting 3.
+[2024-08-22 17:48 WARNING] Skipping empty record dictionary.types.attributes
+[2024-08-23 10:07 DEBUG] Deciding action for objects.registry_key caused by REMOVE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.registry_key.
+UPDATE: 200
+PRESERVE: 0
+DEPRECATE: 20
+IGNORE: 0
+ UPDATE: objects.registry_key
+ DEPRECATE: ?.?
+
+[2024-08-23 10:07 INFO] Choosing to update objects.registry_key after detecting 2.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.registry_value caused by REMOVE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.registry_value.
+UPDATE: 200
+PRESERVE: 0
+DEPRECATE: 20
+IGNORE: 0
+ UPDATE: objects.registry_value
+ DEPRECATE: ?.?
+
+[2024-08-23 10:07 INFO] Choosing to update objects.registry_value after detecting 2.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.web_resource.attributes.uid.requirement caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.web_resource.attributes.uid.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects.web_resource.attributes.uid.requirement after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.web_resource.attributes.name.requirement caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.web_resource.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects.web_resource.attributes.name.requirement after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.policy.attributes.is_applied.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.data_security.attributes.data_lifecycle_state_id.enum.99 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.data_security.attributes.data_lifecycle_state_id.enum.0.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for objects.tactic.attributes.src_url.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.tactic.attributes.src_url.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects.tactic.attributes.src_url.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.tactic.attributes.uid.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.tactic.attributes.uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects.tactic.attributes.uid.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.tactic.attributes.name.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.tactic.attributes.name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects.tactic.attributes.name.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.tactic.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for objects.tactic.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for objects.session.attributes.credential_uid.observable caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.managed_entity.attributes.email caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.managed_entity.attributes.type_id caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.managed_entity.attributes.policy caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.managed_entity.attributes.device caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.managed_entity.attributes.org caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.managed_entity.attributes.user caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.managed_entity.attributes.group caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.managed_entity.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for objects.managed_entity.constraints.at_least_one caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for objects.resource_details.attributes.uid.requirement caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.resource_details.attributes.uid.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects.resource_details.attributes.uid.requirement after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.resource_details.attributes.name.requirement caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.resource_details.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects.resource_details.attributes.name.requirement after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.malware.attributes.classification_ids.enum.0.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.malware.attributes.classification_ids.enum.99.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.malware.attributes.classifications.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.malware.attributes.classifications.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects.malware.attributes.classifications.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.device.attributes.uid_alt.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.device.attributes.type_id.enum.15 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.device.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.device.attributes.type_id.enum.13 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.device.attributes.type_id.enum.14 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.device.attributes.type_id.enum.12 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.device.attributes.boot_time caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.device.attributes.type_id.enum.7.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for objects.device.attributes.risk_level.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.device.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects.device.attributes.risk_level.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.device.attributes.type.requirement caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.device.attributes.type.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects.device.attributes.type.requirement after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.device.attributes.ip.requirement caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.device.attributes.ip.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects.device.attributes.ip.requirement after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.device.attributes.name.requirement caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.device.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects.device.attributes.name.requirement after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.13 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.15 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.14 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.12 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.7.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for objects.cloud.attributes.project_uid.@deprecated caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.cloud.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for objects.file.attributes.ext caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.service.attributes.run_state_id.enum.99 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.metadata.attributes.loggers.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.metadata.attributes.profiles.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.metadata.attributes.profiles.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects.metadata.attributes.profiles.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_ver_id.enum.99.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_ver.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.network_connection_info.attributes.tcp_flags.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.network_connection_info.attributes.boundary_id.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.network_connection_info.attributes.boundary.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_name.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_ver_id.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.network_connection_info.attributes.uid.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_ver_id.enum.0.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.authorization.attributes.decision.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.authorization.attributes.policy.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.14 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.13 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.15 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.12 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.7.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for objects.account.attributes.type_id.enum.13 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.account.attributes.type_id.enum.15 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.account.attributes.type_id.enum.11 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.account.attributes.name.observable caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.account.attributes.type_id.enum.16 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.account.attributes.type_id.enum.12 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.account.attributes.type_id.enum.14 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.account.attributes.uid.observable caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.account.attributes.type_id.enum.17 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.account.attributes.uid.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.account.attributes.uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects.account.attributes.uid.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.account.attributes.name.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.account.attributes.name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects.account.attributes.name.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.account.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for objects.ldap_person.attributes.phone_number caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.technique.attributes.name.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.technique.attributes.name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects.technique.attributes.name.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.technique.attributes.src_url.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.technique.attributes.src_url.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects.technique.attributes.src_url.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.technique.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for objects.technique.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for objects.technique.attributes.uid.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.technique.attributes.uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects.technique.attributes.uid.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.dns_query.attributes.opcode_id.enum.99 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.dns_query.attributes.opcode_id.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.dns_query.attributes.opcode_id.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects.dns_query.attributes.opcode_id.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.certificate.attributes.is_self_signed caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.evidences.attributes.email caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.evidences.attributes.device caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.evidences.attributes.url caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.evidences.attributes.reg_key caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.evidences.attributes.reg_value caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.evidences.attributes.user caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.evidences.attributes.win_service caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.evidences.attributes.job caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.evidences.extends caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for objects.evidences.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for objects.evidences.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for objects.evidences.constraints.at_least_one caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for objects.user.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.user.attributes.has_mfa caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.user.attributes.credential_uid.observable caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.user.attributes.phone_number caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.user.attributes.uid.observable caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.user.attributes.risk_level.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.user.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects.user.attributes.risk_level.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.url.attributes.categories.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.url.attributes.resource_type.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.url.attributes.domain caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.package.attributes.type_id caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.package.attributes.hash caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.package.attributes.type caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.package.attributes.vendor_name caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.package.attributes.cpe_name caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.attack.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for objects.attack.attributes.version.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.attack.attributes.version.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects.attack.attributes.version.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.attack.attributes.technique.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.attack.attributes.technique.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects.attack.attributes.technique.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.attack.attributes.tactics.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.attack.attributes.tactics.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects.attack.attributes.tactics.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.attack.attributes.sub_technique.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.attack.attributes.sub_technique.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects.attack.attributes.sub_technique.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.attack.attributes.tactic.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.attack.attributes.tactic.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects.attack.attributes.tactic.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.security_state.attributes.state.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.security_state.attributes.state_id.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.load_balancer.attributes.ip caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.5 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.3 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.0.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.99 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.4 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.6 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.job.attributes.run_state_id.enum.99.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.job.attributes.run_state_id.enum.0.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.analytic.attributes.type_id.enum.4 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.digital_signature.attributes.state_id caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.digital_signature.attributes.state caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.logger.attributes.logged_time.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.organization.attributes.ou_name.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.organization.attributes.ou_name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects.organization.attributes.ou_name.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.organization.attributes.ou_uid.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.organization.attributes.ou_uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects.organization.attributes.ou_uid.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.organization.attributes.name.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.organization.attributes.name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects.organization.attributes.name.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.organization.attributes.uid.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.organization.attributes.uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects.organization.attributes.uid.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.organization.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for objects.module.attributes.load_type_id.enum.0.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.module.attributes.load_type_id.enum.99.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.module.attributes.load_type.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.module.attributes.load_type.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects.module.attributes.load_type.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.module.attributes.load_type_id.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.module.attributes.load_type_id.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects.module.attributes.load_type_id.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.35 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.19 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.31 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.34 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.32 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.33 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects._resource.attributes.name.requirement caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects._resource.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects._resource.attributes.name.requirement after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects._resource.attributes.uid.requirement caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects._resource.attributes.uid.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects._resource.attributes.uid.requirement after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.process.attributes.integrity_id.enum.99.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.process.attributes.integrity_id.enum.0.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.process.attributes.integrity.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.process.attributes.integrity.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects.process.attributes.integrity.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.group.attributes.uid.observable caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.group.attributes.name.observable caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.product.attributes.feature.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.product.attributes.url_string.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.product.attributes.path.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.kb_article.attributes.avg_timespan caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.kb_article.attributes.install_state caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.kb_article.attributes.install_state_id caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.enrichment.attributes.desc caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.enrichment.attributes.src_url caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.enrichment.attributes.short_desc caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.enrichment.attributes.created_time caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.enrichment.attributes.reputation caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.compliance.attributes.compliance_references caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.compliance.attributes.compliance_standards caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.compliance.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.compliance.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve objects.compliance.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.sub_technique.attributes.src_url.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.sub_technique.attributes.src_url.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects.sub_technique.attributes.src_url.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.sub_technique.attributes.name.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.sub_technique.attributes.name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects.sub_technique.attributes.name.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.sub_technique.attributes.uid.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.sub_technique.attributes.uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects.sub_technique.attributes.uid.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.sub_technique.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for objects.sub_technique.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for objects.dns_answer.attributes.flag_ids.enum.0.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.dns_answer.attributes.flags.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.dns_answer.attributes.flag_ids.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.dns_answer.attributes.flag_ids.enum.99.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.13 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.12 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.15 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.14 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.7.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for objects.firewall_rule.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.firewall_rule.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects.firewall_rule.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.firewall_rule.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.firewall_rule.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve objects.firewall_rule.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.affected_package.attributes.vendor_name caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.affected_package.attributes.type caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.affected_package.attributes.type_id caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.affected_package.attributes.cpe_name caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.affected_package.attributes.hash caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.reg_key.@deprecated caused by REMOVE
+[2024-08-23 10:07 DEBUG] Deciding action for objects.reg_key.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for objects.reg_key.name caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for objects.reg_key.attributes.path.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for objects.reg_value.@deprecated caused by REMOVE
+[2024-08-23 10:07 DEBUG] Deciding action for objects.reg_value.attributes.type_id.enum.-1 caused by REMOVE
+[2024-08-23 10:07 DEBUG] Deciding action for objects.reg_value.attributes.type_id.default caused by REMOVE
+[2024-08-23 10:07 DEBUG] Deciding action for objects.reg_value.attributes.path.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for objects.reg_value.name caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for objects.win_resource.attributes.details.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.win_resource.attributes.svc_name.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for objects.win_resource.attributes.name.requirement caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.win_resource.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects.win_resource.attributes.name.requirement after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for objects.win_resource.attributes.uid.requirement caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for objects.win_resource.attributes.uid.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update objects.win_resource.attributes.uid.requirement after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.iam.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.iam.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.iam.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.iam.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.iam.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.iam.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.iam.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.iam.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.iam.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.iam.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.iam.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.iam.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.iam.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.file_hosting.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.file_hosting.attributes.file_result caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.file_hosting.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.file_hosting.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.file_hosting.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.file_hosting.profiles caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.file_hosting.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.file_hosting.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.file_hosting.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.file_hosting.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.file_hosting.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.file_hosting.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.file_hosting.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.file_hosting.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.file_hosting.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.resource_activity.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.resource_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.resource_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.resource_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.resource_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.resource_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.resource_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.resource_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.resource_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.resource_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.resource_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.resource_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.resource_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.resource_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.discovery_result.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.discovery_result.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.discovery_result.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.discovery_result.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.discovery_result.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.discovery_result.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.discovery_result.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.discovery_result.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.discovery_result.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.discovery_result.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.discovery_result.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.discovery_result.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.discovery_result.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.user_access.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.user_access.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.user_access.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.user_access.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.user_access.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.user_access.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.user_access.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.user_access.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.user_access.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.user_access.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.user_access.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.user_access.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.user_access.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.registry_key_activity.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.registry_key_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.registry_key_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.registry_key_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.registry_key_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.registry_key_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.registry_key_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.registry_key_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.registry_key_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.registry_key_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.registry_key_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.registry_key_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.registry_key_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.registry_key_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.ssh_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.ssh_activity.attributes.type_uid.enum.400707 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.ssh_activity.attributes.activity_id.enum.7 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.ssh_activity.attributes.tls.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.ssh_activity.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.ssh_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.ssh_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.ssh_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.ssh_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.ssh_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.ssh_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.ssh_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.ssh_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.ssh_activity.attributes.tls.group caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.ssh_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.ssh_activity.attributes.tls.group after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.ssh_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.ssh_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.ssh_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.ssh_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.ssh_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.ssh_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.ssh_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.ssh_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.ssh_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.ssh_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_file_activity.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_file_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_file_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.email_file_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.email_file_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_file_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.email_file_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.email_file_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_file_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.email_file_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.email_file_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_file_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.email_file_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.email_file_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_file_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_file_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.registry_value_activity.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.registry_value_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.registry_value_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.registry_value_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.registry_value_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.registry_value_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.registry_value_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.registry_value_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.registry_value_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.registry_value_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.registry_value_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.registry_value_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.registry_value_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.registry_value_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_activity.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.email_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.email_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.email_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.email_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.email_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.email_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.email_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.email_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.detection_finding.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.detection_finding.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.detection_finding.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.detection_finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.detection_finding.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.detection_finding.attributes.risk_level.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.detection_finding.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.detection_finding.attributes.risk_level.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.detection_finding.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.detection_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.detection_finding.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.detection_finding.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.detection_finding.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.detection_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.detection_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.detection_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.detection_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.detection_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.detection_finding.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.detection_finding.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.dns_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.dns_activity.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.dns_activity.attributes.tls.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.dns_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.dns_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.dns_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.dns_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.dns_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.dns_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.dns_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.dns_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.dns_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.dns_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.dns_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.dns_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.dns_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.dns_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.dns_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.dns_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.dns_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.dns_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.dns_activity.attributes.tls.group caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.dns_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.dns_activity.attributes.tls.group after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.ntp_activity.attributes.tls.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.ntp_activity.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.ntp_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.ntp_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.ntp_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.ntp_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.ntp_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.ntp_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.ntp_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.ntp_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.ntp_activity.attributes.tls.group caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.ntp_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.ntp_activity.attributes.tls.group after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.ntp_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.ntp_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.ntp_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.ntp_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.ntp_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.ntp_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.ntp_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.ntp_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.ntp_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.ntp_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.ntp_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.memory_activity.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.memory_activity.attributes.type_uid.enum.100409 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.memory_activity.attributes.activity_id.enum.9 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.memory_activity.attributes.size.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.memory_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.memory_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.memory_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.memory_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.memory_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.memory_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.memory_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.memory_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.memory_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.memory_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.memory_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.memory_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.memory_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.memory_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.memory_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.inventory_info.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.inventory_info.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.inventory_info.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.inventory_info.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.inventory_info.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.inventory_info.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.inventory_info.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.inventory_info.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.inventory_info.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.inventory_info.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.inventory_info.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.inventory_info.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.inventory_info.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.network_activity.attributes.tls.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.network_activity.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.network_activity.attributes.activity_id.enum.7 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.network_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.network_activity.attributes.type_uid.enum.400107 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.network_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.network_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.network_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.network_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.network_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.network_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.network_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.network_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.network_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.network_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.network_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.network_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.network_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.network_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.network_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.network_activity.attributes.tls.group caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.network_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.network_activity.attributes.tls.group after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.network_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.network_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.network_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.compliance_finding.attributes.resource.@deprecated caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.compliance_finding.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.compliance_finding.attributes.resources caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.compliance_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.compliance_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.compliance_finding.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.compliance_finding.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.compliance_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.compliance_finding.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.compliance_finding.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.compliance_finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.compliance_finding.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.compliance_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.compliance_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.compliance_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.scheduled_job_activity.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.scheduled_job_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.scheduled_job_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.scheduled_job_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.scheduled_job_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.scheduled_job_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.scheduled_job_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.scheduled_job_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.scheduled_job_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.scheduled_job_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.scheduled_job_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.scheduled_job_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.scheduled_job_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.scheduled_job_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.scheduled_job_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.scheduled_job_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.patch_state.attributes.device.profile caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.patch_state.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.patch_state.attributes.$include caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.patch_state.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.patch_state.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.patch_state.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.patch_state.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.patch_state.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.patch_state.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.patch_state.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.patch_state.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.patch_state.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.patch_state.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.patch_state.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.patch_state.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.web_resource_access_activity.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.web_resource_access_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.web_resource_access_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.web_resource_access_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.web_resource_access_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.web_resource_access_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.web_resource_access_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.web_resource_access_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.web_resource_access_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.web_resource_access_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.web_resource_access_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.web_resource_access_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.web_resource_access_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.2.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.19 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.8.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.5.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.6.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.22 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.23 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.26 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.security_finding.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.1.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.4.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.20 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.12.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.9 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.security_finding.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.13.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.25 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.17 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.11.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.7.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.21 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.3.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.24 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.18 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.27 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.16 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.security_finding.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.security_finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.security_finding.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.security_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.security_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.security_finding.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.security_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.security_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.security_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.security_finding.profiles caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.security_finding.attributes.risk_level.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.security_finding.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.security_finding.attributes.risk_level.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.security_finding.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.security_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.security_finding.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.account_change.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.account_change.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.account_change.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.account_change.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.account_change.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.account_change.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.account_change.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.account_change.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.account_change.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.account_change.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.account_change.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.account_change.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.account_change.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.ftp_activity.attributes.tls.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.ftp_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.ftp_activity.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.ftp_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.ftp_activity.attributes.tls.group caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.ftp_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.ftp_activity.attributes.tls.group after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.ftp_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.ftp_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.ftp_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.ftp_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.ftp_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.ftp_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.ftp_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.ftp_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.ftp_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.ftp_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.ftp_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.ftp_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.ftp_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.ftp_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.ftp_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.ftp_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.ftp_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.discovery.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.discovery.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.discovery.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.discovery.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.discovery.profiles caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.discovery.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.discovery.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.discovery.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.discovery.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.discovery.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.discovery.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.discovery.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.discovery.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.discovery.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.http_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.http_activity.attributes.tls.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.http_activity.attributes.http_status.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.http_activity.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.http_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.http_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.http_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.http_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.http_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.http_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.http_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.http_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.http_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.http_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.http_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.http_activity.attributes.tls.group caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.http_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.http_activity.attributes.tls.group after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.http_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.http_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.http_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.http_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.http_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.http_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.http_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.datastore_activity.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.datastore_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.datastore_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.datastore_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.datastore_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.datastore_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.datastore_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.datastore_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.datastore_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.datastore_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.datastore_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.datastore_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.datastore_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.datastore_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.datastore_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.datastore_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.authentication.attributes.logon_process.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.authentication.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.authentication.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.authentication.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.authentication.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.authentication.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.authentication.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.authentication.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.authentication.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.authentication.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.authentication.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.dhcp_activity.attributes.tls.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.dhcp_activity.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.dhcp_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.dhcp_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.dhcp_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.dhcp_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.dhcp_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.dhcp_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.dhcp_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.dhcp_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.dhcp_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.dhcp_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.dhcp_activity.attributes.tls.group caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.dhcp_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.dhcp_activity.attributes.tls.group after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.dhcp_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.dhcp_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.dhcp_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.dhcp_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.dhcp_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.dhcp_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.file_activity.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.file_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.file_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.file_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.file_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.file_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.file_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.file_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.file_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.file_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.file_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.file_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.file_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.file_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.file_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.file_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.22 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.26 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.3.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.4.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.8.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.20 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.9 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.12.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.7.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.24 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.16 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.27 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.2.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.23 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.17 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.5.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.21 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.18 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.19 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_delivery_activity.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.1.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.6.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.25 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.13.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.11.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.web_resources_activity.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.web_resources_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.web_resources_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.web_resources_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.web_resources_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.web_resources_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.web_resources_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.web_resources_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.web_resources_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.web_resources_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.web_resources_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.web_resources_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.web_resources_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.web_resources_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.web_resources_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.web_resources_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.incident_finding.attributes.ticket caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.incident_finding.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.incident_finding.profiles caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.incident_finding.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.incident_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.incident_finding.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.incident_finding.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.incident_finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.incident_finding.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.incident_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.incident_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.incident_finding.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.incident_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.incident_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.incident_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.network_file_activity.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.network_file_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.network_file_activity.attributes.tls.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.network_file_activity.attributes.tls.group caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.network_file_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.network_file_activity.attributes.tls.group after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.network_file_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.network_file_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.network_file_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.network_file_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.network_file_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.network_file_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.network_file_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.network_file_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.network_file_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.network_file_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.network_file_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.network_file_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.network_file_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.network_file_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.network_file_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300409 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.13 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.8 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.5 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.3.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.12 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300413 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.1.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.entity_management.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.11 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.7 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.6 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300410 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300405 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.10 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.entity_management.attributes.access_mask caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.entity_management.attributes.access_list caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300406 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.2.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300407 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300412 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.9 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300411 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.4.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300408 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.entity_management.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.entity_management.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.entity_management.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.entity_management.attributes.actor.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.entity_management.attributes.actor.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.entity_management.attributes.actor.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.entity_management.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.entity_management.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.entity_management.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.entity_management.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.entity_management.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.entity_management.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.entity_management.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.entity_management.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.entity_management.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.module_activity.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.module_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.module_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.module_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.module_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.module_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.module_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.module_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.module_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.module_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.module_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.module_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.module_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.module_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.module_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.module_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.process_activity.attributes.injection_type_id.enum.3 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.process_activity.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.process_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.process_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.process_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.process_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.process_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.process_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.process_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.process_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.process_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.process_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.process_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.process_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.process_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.process_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.process_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.group_management.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.group_management.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.group_management.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.group_management.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.group_management.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.group_management.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.group_management.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.group_management.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.group_management.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.group_management.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.group_management.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.group_management.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.group_management.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.rdp_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.rdp_activity.attributes.tls.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.rdp_activity.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.rdp_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.rdp_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.rdp_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.rdp_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.rdp_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.rdp_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.rdp_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.rdp_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.rdp_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.rdp_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.rdp_activity.attributes.tls.group caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.rdp_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.rdp_activity.attributes.tls.group after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.rdp_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.rdp_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.rdp_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.rdp_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.rdp_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.rdp_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.rdp_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.rdp_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.network.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.network.attributes.tls.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.network.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.network.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.network.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.network.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.network.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.network.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.network.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.network.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.network.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.network.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.network.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.network.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.network.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.network.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.network.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.network.attributes.tls.group caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.network.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.network.attributes.tls.group after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.network.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.network.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.network.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.network.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.kernel_extension.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.kernel_extension.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.kernel_extension.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.kernel_extension.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.kernel_extension.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.kernel_extension.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.kernel_extension.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.kernel_extension.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.kernel_extension.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.kernel_extension.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.kernel_extension.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.kernel_extension.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.kernel_extension.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.kernel_extension.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.kernel_extension.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.kernel_extension.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.user_inventory.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.user_inventory.profiles caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.user_inventory.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.user_inventory.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.user_inventory.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.user_inventory.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.user_inventory.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.user_inventory.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.user_inventory.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.user_inventory.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.user_inventory.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.user_inventory.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.user_inventory.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.user_inventory.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.device_config_state_change.attributes.prev_security_states.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.device_config_state_change.attributes.state caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.device_config_state_change.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.device_config_state_change.attributes.state_id caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.device_config_state_change.attributes.prev_security_level.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.device_config_state_change.attributes.security_level_id.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.device_config_state_change.attributes.prev_security_level_id.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.device_config_state_change.attributes.security_states.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.device_config_state_change.attributes.security_level.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.device_config_state_change.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.device_config_state_change.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.device_config_state_change.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.device_config_state_change.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.device_config_state_change.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.device_config_state_change.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.device_config_state_change.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.device_config_state_change.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.device_config_state_change.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.device_config_state_change.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.device_config_state_change.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.device_config_state_change.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.finding.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.finding.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.finding.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.finding.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.finding.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.finding.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.finding.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.finding.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_url_activity.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_url_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_url_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.email_url_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.email_url_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_url_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_url_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.email_url_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.email_url_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_url_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.email_url_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.email_url_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_url_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.email_url_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.email_url_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.email_url_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.application.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.application.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.application.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.application.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.application.profiles caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.application.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.application.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.application.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.application.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.application.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.application.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.application.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.application.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.application.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.scan_activity.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.scan_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.scan_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.scan_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.scan_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.scan_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.scan_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.scan_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.scan_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.scan_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.scan_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.scan_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.scan_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.smb_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.smb_activity.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.smb_activity.attributes.tls.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.smb_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.smb_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.smb_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.smb_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.smb_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.smb_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.smb_activity.attributes.tls.group caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.smb_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.smb_activity.attributes.tls.group after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.smb_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.smb_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.smb_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.smb_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.smb_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.smb_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.smb_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.smb_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.smb_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.smb_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.smb_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.smb_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.config_state.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.config_state.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.config_state.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.config_state.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.config_state.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.config_state.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.config_state.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.config_state.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.config_state.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.config_state.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.config_state.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.config_state.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.config_state.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.vulnerability_finding.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.vulnerability_finding.attributes.resource.@deprecated caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.vulnerability_finding.attributes.resources caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.vulnerability_finding.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.vulnerability_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.vulnerability_finding.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.vulnerability_finding.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.vulnerability_finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.vulnerability_finding.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.vulnerability_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.vulnerability_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.vulnerability_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.vulnerability_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.vulnerability_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.vulnerability_finding.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.base_event.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.base_event.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.base_event.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.base_event.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.base_event.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.base_event.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.base_event.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.base_event.profiles caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.base_event.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.base_event.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.base_event.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.base_event.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.base_event.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.base_event.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.kernel_activity.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.kernel_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.kernel_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.kernel_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.kernel_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.kernel_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.kernel_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.kernel_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.kernel_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.kernel_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.kernel_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.kernel_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.kernel_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.kernel_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.kernel_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.kernel_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.system.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.system.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.system.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.system.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.system.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.system.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.system.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.system.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.system.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.system.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.system.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.system.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.system.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.system.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.system.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.system.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.data_security_finding.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.data_security_finding.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.data_security_finding.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.data_security_finding.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.data_security_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.data_security_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.data_security_finding.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.data_security_finding.attributes.risk_level.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.data_security_finding.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.data_security_finding.attributes.risk_level.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.data_security_finding.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.data_security_finding.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.data_security_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.data_security_finding.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.data_security_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.data_security_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.data_security_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.data_security_finding.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.data_security_finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.data_security_finding.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.data_security_finding.attributes.resources.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.data_security_finding.attributes.resources.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.data_security_finding.attributes.resources.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.authorize_session.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.authorize_session.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.authorize_session.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.authorize_session.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.authorize_session.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.authorize_session.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.authorize_session.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.authorize_session.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.authorize_session.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.authorize_session.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.authorize_session.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.authorize_session.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.authorize_session.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.prefetch_query.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.prefetch_query.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.prefetch_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.prefetch_query.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.prefetch_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.prefetch_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.prefetch_query.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.prefetch_query.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.prefetch_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.prefetch_query.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.prefetch_query.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.prefetch_query.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.prefetch_query.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.registry_value_query.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.registry_value_query.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.registry_value_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.registry_value_query.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.registry_value_query.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.registry_value_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.registry_value_query.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.registry_value_query.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.registry_value_query.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.registry_value_query.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.registry_value_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.registry_value_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.registry_value_query.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.registry_key_query.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.registry_key_query.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.registry_key_query.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.registry_key_query.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.registry_key_query.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.registry_key_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.registry_key_query.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.registry_key_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.registry_key_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.registry_key_query.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.registry_key_query.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.registry_key_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.registry_key_query.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.tunnel_activity.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.tunnel_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.tunnel_activity.attributes.tls.requirement caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.tunnel_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.tunnel_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.tunnel_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.tunnel_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.tunnel_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.tunnel_activity.attributes.tls.group caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.tunnel_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.tunnel_activity.attributes.tls.group after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.tunnel_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.tunnel_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.tunnel_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.tunnel_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.tunnel_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.tunnel_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.tunnel_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.tunnel_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.tunnel_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.tunnel_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.peripheral_device_query.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.peripheral_device_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.peripheral_device_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.peripheral_device_query.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.peripheral_device_query.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.peripheral_device_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.peripheral_device_query.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.peripheral_device_query.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.peripheral_device_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.peripheral_device_query.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.peripheral_device_query.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.peripheral_device_query.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.peripheral_device_query.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.session_query.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.session_query.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.session_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.session_query.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.session_query.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.session_query.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.session_query.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.session_query.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.session_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.session_query.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.session_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.session_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.session_query.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.user_query.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.user_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.user_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.user_query.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.user_query.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.user_query.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.user_query.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.user_query.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.user_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.user_query.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.user_query.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.user_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.user_query.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.api_activity.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.api_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.api_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.api_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.api_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.api_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.api_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.api_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.api_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.api_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.api_activity.profiles caused by UPDATE
+[2024-08-23 10:07 DEBUG] Deciding action for events.api_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.api_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.api_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.6 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.4.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.application_lifecycle.attributes.osint caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.7 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.5 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.2.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.application_lifecycle.attributes.type_uid.enum.600207 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.3.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.application_lifecycle.attributes.type_uid.enum.600206 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.application_lifecycle.attributes.type_uid.enum.600205 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.application_lifecycle.attributes.type_uid.enum.600208 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.1.description caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.8 caused by ADD
+[2024-08-23 10:07 DEBUG] Deciding action for events.application_lifecycle.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.application_lifecycle.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.application_lifecycle.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.application_lifecycle.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.application_lifecycle.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to preserve events.application_lifecycle.attributes.duration.caption after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.application_lifecycle.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.application_lifecycle.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.application_lifecycle.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:07 DEBUG] Deciding action for events.application_lifecycle.attributes.duration.type caused by UPDATE
+[2024-08-23 10:07 DEBUG] Multiple directives possible for events.application_lifecycle.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:07 INFO] Choosing to update events.application_lifecycle.attributes.duration.type after detecting 3.
+[2024-08-23 10:07 WARNING] Skipping empty record dictionary.types.attributes
+[2024-08-23 10:09 DEBUG] Deciding action for objects.registry_key caused by REMOVE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.registry_key.
+UPDATE: 200
+PRESERVE: 0
+DEPRECATE: 20
+IGNORE: 0
+ UPDATE: objects.registry_key
+ DEPRECATE: ?.?
+
+[2024-08-23 10:09 INFO] Choosing to update objects.registry_key after detecting 2.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.registry_value caused by REMOVE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.registry_value.
+UPDATE: 200
+PRESERVE: 0
+DEPRECATE: 20
+IGNORE: 0
+ UPDATE: objects.registry_value
+ DEPRECATE: ?.?
+
+[2024-08-23 10:09 INFO] Choosing to update objects.registry_value after detecting 2.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.web_resource.attributes.name.requirement caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.web_resource.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects.web_resource.attributes.name.requirement after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.web_resource.attributes.uid.requirement caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.web_resource.attributes.uid.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects.web_resource.attributes.uid.requirement after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.policy.attributes.is_applied.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.data_security.attributes.data_lifecycle_state_id.enum.99 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.data_security.attributes.data_lifecycle_state_id.enum.0.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for objects.tactic.attributes.uid.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.tactic.attributes.uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects.tactic.attributes.uid.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.tactic.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for objects.tactic.attributes.name.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.tactic.attributes.name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects.tactic.attributes.name.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.tactic.attributes.src_url.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.tactic.attributes.src_url.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects.tactic.attributes.src_url.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.tactic.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for objects.session.attributes.credential_uid.observable caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.managed_entity.attributes.policy caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.managed_entity.attributes.group caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.managed_entity.attributes.device caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.managed_entity.attributes.email caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.managed_entity.attributes.user caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.managed_entity.attributes.type_id caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.managed_entity.attributes.org caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.managed_entity.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for objects.managed_entity.constraints.at_least_one caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for objects.resource_details.attributes.name.requirement caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.resource_details.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects.resource_details.attributes.name.requirement after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.resource_details.attributes.uid.requirement caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.resource_details.attributes.uid.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects.resource_details.attributes.uid.requirement after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.malware.attributes.classification_ids.enum.0.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.malware.attributes.classification_ids.enum.99.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.malware.attributes.classifications.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.malware.attributes.classifications.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects.malware.attributes.classifications.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.device.attributes.type_id.enum.12 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.device.attributes.type_id.enum.13 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.device.attributes.type_id.enum.15 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.device.attributes.boot_time caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.device.attributes.uid_alt.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.device.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.device.attributes.type_id.enum.14 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.device.attributes.risk_level.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.device.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects.device.attributes.risk_level.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.device.attributes.name.requirement caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.device.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects.device.attributes.name.requirement after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.device.attributes.type_id.enum.7.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for objects.device.attributes.type.requirement caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.device.attributes.type.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects.device.attributes.type.requirement after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.device.attributes.ip.requirement caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.device.attributes.ip.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects.device.attributes.ip.requirement after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.13 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.15 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.14 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.12 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.endpoint.attributes.type_id.enum.7.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for objects.cloud.attributes.project_uid.@deprecated caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.cloud.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for objects.file.attributes.ext caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.service.attributes.run_state_id.enum.99 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.metadata.attributes.loggers.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.metadata.attributes.profiles.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.metadata.attributes.profiles.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects.metadata.attributes.profiles.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.network_connection_info.attributes.uid.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_ver_id.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.network_connection_info.attributes.boundary_id.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_ver.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.network_connection_info.attributes.boundary.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_ver_id.enum.99.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.network_connection_info.attributes.tcp_flags.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_name.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.network_connection_info.attributes.protocol_ver_id.enum.0.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.authorization.attributes.policy.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.authorization.attributes.decision.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.15 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.14 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.13 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.12 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.network_proxy.attributes.type_id.enum.7.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for objects.account.attributes.type_id.enum.12 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.account.attributes.type_id.enum.13 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.account.attributes.type_id.enum.16 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.account.attributes.type_id.enum.15 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.account.attributes.type_id.enum.17 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.account.attributes.type_id.enum.14 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.account.attributes.type_id.enum.11 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.account.attributes.name.observable caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.account.attributes.uid.observable caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.account.attributes.name.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.account.attributes.name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects.account.attributes.name.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.account.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for objects.account.attributes.uid.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.account.attributes.uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects.account.attributes.uid.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.ldap_person.attributes.phone_number caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.technique.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for objects.technique.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for objects.technique.attributes.uid.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.technique.attributes.uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects.technique.attributes.uid.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.technique.attributes.name.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.technique.attributes.name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects.technique.attributes.name.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.technique.attributes.src_url.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.technique.attributes.src_url.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects.technique.attributes.src_url.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.dns_query.attributes.opcode_id.enum.99 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.dns_query.attributes.opcode_id.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.dns_query.attributes.opcode_id.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects.dns_query.attributes.opcode_id.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.certificate.attributes.is_self_signed caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.evidences.attributes.email caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.evidences.attributes.user caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.evidences.attributes.device caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.evidences.attributes.job caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.evidences.attributes.url caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.evidences.attributes.win_service caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.evidences.attributes.reg_value caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.evidences.attributes.reg_key caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.evidences.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for objects.evidences.extends caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for objects.evidences.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for objects.evidences.constraints.at_least_one caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for objects.user.attributes.has_mfa caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.user.attributes.credential_uid.observable caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.user.attributes.phone_number caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.user.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.user.attributes.uid.observable caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.user.attributes.risk_level.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.user.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects.user.attributes.risk_level.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.url.attributes.domain caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.url.attributes.categories.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.url.attributes.resource_type.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.package.attributes.cpe_name caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.package.attributes.hash caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.package.attributes.vendor_name caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.package.attributes.type_id caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.package.attributes.type caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.attack.attributes.tactic.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.attack.attributes.tactic.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects.attack.attributes.tactic.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.attack.attributes.sub_technique.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.attack.attributes.sub_technique.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects.attack.attributes.sub_technique.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.attack.attributes.tactics.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.attack.attributes.tactics.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects.attack.attributes.tactics.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.attack.attributes.technique.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.attack.attributes.technique.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects.attack.attributes.technique.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.attack.attributes.version.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.attack.attributes.version.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects.attack.attributes.version.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.attack.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for objects.security_state.attributes.state_id.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.security_state.attributes.state.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.load_balancer.attributes.ip caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.3 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.99 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.4 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.0.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.6 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.cvss.attributes.integrity_id.enum.5 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.job.attributes.run_state_id.enum.0.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.job.attributes.run_state_id.enum.99.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.analytic.attributes.type_id.enum.4 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.digital_signature.attributes.state_id caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.digital_signature.attributes.state caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.logger.attributes.logged_time.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.organization.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for objects.organization.attributes.ou_name.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.organization.attributes.ou_name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects.organization.attributes.ou_name.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.organization.attributes.ou_uid.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.organization.attributes.ou_uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects.organization.attributes.ou_uid.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.organization.attributes.name.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.organization.attributes.name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects.organization.attributes.name.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.organization.attributes.uid.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.organization.attributes.uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects.organization.attributes.uid.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.module.attributes.load_type_id.enum.99.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.module.attributes.load_type_id.enum.0.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.module.attributes.load_type_id.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.module.attributes.load_type_id.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects.module.attributes.load_type_id.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.module.attributes.load_type.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.module.attributes.load_type.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects.module.attributes.load_type.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.32 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.33 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.34 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.35 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.19 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.observable.attributes.type_id.enum.31 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects._resource.attributes.uid.requirement caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects._resource.attributes.uid.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects._resource.attributes.uid.requirement after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects._resource.attributes.name.requirement caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects._resource.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects._resource.attributes.name.requirement after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.process.attributes.integrity_id.enum.99.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.process.attributes.integrity_id.enum.0.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.process.attributes.integrity.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.process.attributes.integrity.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects.process.attributes.integrity.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.group.attributes.uid.observable caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.group.attributes.name.observable caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.product.attributes.url_string.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.product.attributes.path.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.product.attributes.feature.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.kb_article.attributes.install_state caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.kb_article.attributes.avg_timespan caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.kb_article.attributes.install_state_id caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.enrichment.attributes.desc caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.enrichment.attributes.reputation caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.enrichment.attributes.src_url caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.enrichment.attributes.created_time caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.enrichment.attributes.short_desc caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.compliance.attributes.compliance_references caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.compliance.attributes.compliance_standards caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.compliance.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.compliance.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve objects.compliance.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.sub_technique.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for objects.sub_technique.attributes.src_url.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.sub_technique.attributes.src_url.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects.sub_technique.attributes.src_url.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.sub_technique.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for objects.sub_technique.attributes.name.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.sub_technique.attributes.name.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects.sub_technique.attributes.name.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.sub_technique.attributes.uid.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.sub_technique.attributes.uid.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects.sub_technique.attributes.uid.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.dns_answer.attributes.flag_ids.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.dns_answer.attributes.flags.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.dns_answer.attributes.flag_ids.enum.0.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.dns_answer.attributes.flag_ids.enum.99.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.13 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.15 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.12 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.14 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.network_endpoint.attributes.type_id.enum.7.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for objects.firewall_rule.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.firewall_rule.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects.firewall_rule.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.firewall_rule.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.firewall_rule.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve objects.firewall_rule.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.affected_package.attributes.type caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.affected_package.attributes.hash caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.affected_package.attributes.cpe_name caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.affected_package.attributes.vendor_name caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.affected_package.attributes.type_id caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.reg_key.@deprecated caused by REMOVE
+[2024-08-23 10:09 DEBUG] Deciding action for objects.reg_key.name caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for objects.reg_key.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for objects.reg_key.attributes.path.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for objects.reg_value.attributes.type_id.enum.-1 caused by REMOVE
+[2024-08-23 10:09 DEBUG] Deciding action for objects.reg_value.@deprecated caused by REMOVE
+[2024-08-23 10:09 DEBUG] Deciding action for objects.reg_value.attributes.type_id.default caused by REMOVE
+[2024-08-23 10:09 DEBUG] Deciding action for objects.reg_value.attributes.path.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for objects.reg_value.name caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for objects.win_resource.attributes.details.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.win_resource.attributes.svc_name.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for objects.win_resource.attributes.name.requirement caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.win_resource.attributes.name.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects.win_resource.attributes.name.requirement after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for objects.win_resource.attributes.uid.requirement caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for objects.win_resource.attributes.uid.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update objects.win_resource.attributes.uid.requirement after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.iam.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.iam.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.iam.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.iam.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.iam.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.iam.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.iam.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.iam.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.iam.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.iam.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.iam.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.iam.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.iam.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.file_hosting.attributes.file_result caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.file_hosting.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.file_hosting.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.file_hosting.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.file_hosting.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.file_hosting.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.file_hosting.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.file_hosting.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.file_hosting.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.file_hosting.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.file_hosting.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.file_hosting.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.file_hosting.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.file_hosting.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.file_hosting.profiles caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.resource_activity.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.resource_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.resource_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.resource_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.resource_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.resource_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.resource_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.resource_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.resource_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.resource_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.resource_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.resource_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.resource_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.resource_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.discovery_result.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.discovery_result.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.discovery_result.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.discovery_result.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.discovery_result.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.discovery_result.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.discovery_result.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.discovery_result.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.discovery_result.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.discovery_result.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.discovery_result.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.discovery_result.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.discovery_result.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.user_access.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.user_access.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.user_access.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.user_access.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.user_access.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.user_access.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.user_access.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.user_access.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.user_access.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.user_access.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.user_access.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.user_access.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.user_access.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.registry_key_activity.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.registry_key_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.registry_key_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.registry_key_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.registry_key_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.registry_key_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.registry_key_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.registry_key_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.registry_key_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.registry_key_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.registry_key_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.registry_key_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.registry_key_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.registry_key_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.ssh_activity.attributes.type_uid.enum.400707 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.ssh_activity.attributes.activity_id.enum.7 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.ssh_activity.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.ssh_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.ssh_activity.attributes.tls.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.ssh_activity.attributes.tls.group caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.ssh_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.ssh_activity.attributes.tls.group after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.ssh_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.ssh_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.ssh_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.ssh_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.ssh_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.ssh_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.ssh_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.ssh_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.ssh_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.ssh_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.ssh_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.ssh_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.ssh_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.ssh_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.ssh_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.ssh_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.ssh_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.ssh_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_file_activity.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_file_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_file_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.email_file_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.email_file_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_file_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_file_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.email_file_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.email_file_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_file_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.email_file_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.email_file_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_file_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.email_file_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.email_file_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_file_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.registry_value_activity.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.registry_value_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.registry_value_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.registry_value_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.registry_value_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.registry_value_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.registry_value_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.registry_value_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.registry_value_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.registry_value_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.registry_value_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.registry_value_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.registry_value_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.registry_value_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_activity.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.email_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.email_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.email_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.email_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.email_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.email_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.email_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.email_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.detection_finding.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.detection_finding.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.detection_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.detection_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.detection_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.detection_finding.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.detection_finding.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.detection_finding.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.detection_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.detection_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.detection_finding.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.detection_finding.attributes.risk_level.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.detection_finding.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.detection_finding.attributes.risk_level.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.detection_finding.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.detection_finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.detection_finding.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.detection_finding.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.detection_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.detection_finding.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.dns_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.dns_activity.attributes.tls.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.dns_activity.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.dns_activity.attributes.tls.group caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.dns_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.dns_activity.attributes.tls.group after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.dns_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.dns_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.dns_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.dns_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.dns_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.dns_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.dns_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.dns_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.dns_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.dns_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.dns_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.dns_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.dns_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.dns_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.dns_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.dns_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.dns_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.dns_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.ntp_activity.attributes.tls.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.ntp_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.ntp_activity.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.ntp_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.ntp_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.ntp_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.ntp_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.ntp_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.ntp_activity.attributes.tls.group caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.ntp_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.ntp_activity.attributes.tls.group after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.ntp_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.ntp_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.ntp_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.ntp_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.ntp_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.ntp_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.ntp_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.ntp_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.ntp_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.ntp_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.ntp_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.ntp_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.ntp_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.memory_activity.attributes.activity_id.enum.9 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.memory_activity.attributes.type_uid.enum.100409 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.memory_activity.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.memory_activity.attributes.size.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.memory_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.memory_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.memory_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.memory_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.memory_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.memory_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.memory_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.memory_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.memory_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.memory_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.memory_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.memory_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.memory_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.memory_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.memory_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.inventory_info.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.inventory_info.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.inventory_info.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.inventory_info.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.inventory_info.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.inventory_info.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.inventory_info.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.inventory_info.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.inventory_info.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.inventory_info.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.inventory_info.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.inventory_info.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.inventory_info.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.network_activity.attributes.tls.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.network_activity.attributes.activity_id.enum.7 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.network_activity.attributes.type_uid.enum.400107 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.network_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.network_activity.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.network_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.network_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.network_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.network_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.network_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.network_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.network_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.network_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.network_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.network_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.network_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.network_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.network_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.network_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.network_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.network_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.network_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.network_activity.attributes.tls.group caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.network_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.network_activity.attributes.tls.group after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.network_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.compliance_finding.attributes.resource.@deprecated caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.compliance_finding.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.compliance_finding.attributes.resources caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.compliance_finding.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.compliance_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.compliance_finding.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.compliance_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.compliance_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.compliance_finding.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.compliance_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.compliance_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.compliance_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.compliance_finding.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.compliance_finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.compliance_finding.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.scheduled_job_activity.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.scheduled_job_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.scheduled_job_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.scheduled_job_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.scheduled_job_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.scheduled_job_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.scheduled_job_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.scheduled_job_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.scheduled_job_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.scheduled_job_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.scheduled_job_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.scheduled_job_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.scheduled_job_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.scheduled_job_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.scheduled_job_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.scheduled_job_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.patch_state.attributes.$include caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.patch_state.attributes.device.profile caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.patch_state.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.patch_state.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.patch_state.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.patch_state.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.patch_state.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.patch_state.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.patch_state.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.patch_state.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.patch_state.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.patch_state.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.patch_state.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.patch_state.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.patch_state.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.web_resource_access_activity.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.web_resource_access_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.web_resource_access_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.web_resource_access_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.web_resource_access_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.web_resource_access_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.web_resource_access_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.web_resource_access_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.web_resource_access_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.web_resource_access_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.web_resource_access_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.web_resource_access_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.web_resource_access_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.11.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.12.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.22 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.1.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.2.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.26 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.7.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.25 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.13.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.16 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.21 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.3.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.9 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.18 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.19 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.23 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.24 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.4.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.8.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.17 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.27 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.5.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.20 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.security_finding.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.security_finding.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.security_finding.attributes.disposition_id.enum.6.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.security_finding.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.security_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.security_finding.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.security_finding.attributes.risk_level.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.security_finding.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.security_finding.attributes.risk_level.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.security_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.security_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.security_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.security_finding.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.security_finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.security_finding.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.security_finding.profiles caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.security_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.security_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.security_finding.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.account_change.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.account_change.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.account_change.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.account_change.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.account_change.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.account_change.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.account_change.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.account_change.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.account_change.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.account_change.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.account_change.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.account_change.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.account_change.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.ftp_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.ftp_activity.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.ftp_activity.attributes.tls.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.ftp_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.ftp_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.ftp_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.ftp_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.ftp_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.ftp_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.ftp_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.ftp_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.ftp_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.ftp_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.ftp_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.ftp_activity.attributes.tls.group caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.ftp_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.ftp_activity.attributes.tls.group after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.ftp_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.ftp_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.ftp_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.ftp_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.ftp_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.ftp_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.ftp_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.discovery.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.discovery.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.discovery.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.discovery.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.discovery.profiles caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.discovery.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.discovery.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.discovery.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.discovery.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.discovery.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.discovery.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.discovery.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.discovery.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.discovery.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.http_activity.attributes.tls.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.http_activity.attributes.http_status.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.http_activity.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.http_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.http_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.http_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.http_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.http_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.http_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.http_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.http_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.http_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.http_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.http_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.http_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.http_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.http_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.http_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.http_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.http_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.http_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.http_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.http_activity.attributes.tls.group caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.http_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.http_activity.attributes.tls.group after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.datastore_activity.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.datastore_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.datastore_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.datastore_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.datastore_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.datastore_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.datastore_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.datastore_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.datastore_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.datastore_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.datastore_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.datastore_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.datastore_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.datastore_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.datastore_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.datastore_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.authentication.attributes.logon_process.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.authentication.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.authentication.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.authentication.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.authentication.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.authentication.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.authentication.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.authentication.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.authentication.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.authentication.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.authentication.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.dhcp_activity.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.dhcp_activity.attributes.tls.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.dhcp_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.dhcp_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.dhcp_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.dhcp_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.dhcp_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.dhcp_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.dhcp_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.dhcp_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.dhcp_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.dhcp_activity.attributes.tls.group caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.dhcp_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.dhcp_activity.attributes.tls.group after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.dhcp_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.dhcp_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.dhcp_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.dhcp_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.dhcp_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.dhcp_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.dhcp_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.file_activity.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.file_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.file_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.file_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.file_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.file_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.file_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.file_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.file_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.file_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.file_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.file_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.file_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.file_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.file_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.file_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.1.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.25 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.5.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.27 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.12.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.18 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.23 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.8.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.4.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.21 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.22 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_delivery_activity.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.9 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.16 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.3.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.19 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.11.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.17 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.24 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.2.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.6.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.13.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.7.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.26 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_delivery_activity.attributes.disposition_id.enum.20 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.web_resources_activity.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.web_resources_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.web_resources_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.web_resources_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.web_resources_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.web_resources_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.web_resources_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.web_resources_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.web_resources_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.web_resources_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.web_resources_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.web_resources_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.web_resources_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.web_resources_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.web_resources_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.web_resources_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.incident_finding.attributes.ticket caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.incident_finding.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.incident_finding.profiles caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.incident_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.incident_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.incident_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.incident_finding.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.incident_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.incident_finding.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.incident_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.incident_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.incident_finding.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.incident_finding.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.incident_finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.incident_finding.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.network_file_activity.attributes.tls.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.network_file_activity.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.network_file_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.network_file_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.network_file_activity.attributes.tls.group caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.network_file_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.network_file_activity.attributes.tls.group after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.network_file_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.network_file_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.network_file_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.network_file_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.network_file_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.network_file_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.network_file_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.network_file_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.network_file_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.network_file_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.network_file_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.network_file_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.network_file_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.network_file_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.entity_management.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300413 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.9 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.6 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.10 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300412 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300405 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300406 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300409 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.7 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.12 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.1.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.3.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.2.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300411 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.11 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300408 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300410 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.4.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.5 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.13 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.entity_management.attributes.activity_id.enum.8 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.entity_management.attributes.type_uid.enum.300407 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.entity_management.attributes.access_mask caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.entity_management.attributes.access_list caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.entity_management.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.entity_management.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.entity_management.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.entity_management.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.entity_management.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.entity_management.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.entity_management.attributes.actor.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.entity_management.attributes.actor.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.entity_management.attributes.actor.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.entity_management.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.entity_management.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.entity_management.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.entity_management.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.entity_management.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.entity_management.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.module_activity.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.module_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.module_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.module_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.module_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.module_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.module_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.module_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.module_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.module_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.module_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.module_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.module_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.module_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.module_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.module_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.process_activity.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.process_activity.attributes.injection_type_id.enum.3 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.process_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.process_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.process_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.process_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.process_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.process_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.process_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.process_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.process_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.process_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.process_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.process_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.process_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.process_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.process_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.group_management.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.group_management.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.group_management.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.group_management.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.group_management.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.group_management.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.group_management.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.group_management.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.group_management.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.group_management.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.group_management.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.group_management.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.group_management.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.rdp_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.rdp_activity.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.rdp_activity.attributes.tls.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.rdp_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.rdp_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.rdp_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.rdp_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.rdp_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.rdp_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.rdp_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.rdp_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.rdp_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.rdp_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.rdp_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.rdp_activity.attributes.tls.group caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.rdp_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.rdp_activity.attributes.tls.group after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.rdp_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.rdp_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.rdp_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.rdp_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.rdp_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.rdp_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.rdp_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.network.attributes.tls.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.network.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.network.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.network.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.network.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.network.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.network.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.network.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.network.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.network.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.network.attributes.tls.group caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.network.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.network.attributes.tls.group after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.network.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.network.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.network.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.network.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.network.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.network.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.network.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.network.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.network.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.network.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.network.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.kernel_extension.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.kernel_extension.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.kernel_extension.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.kernel_extension.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.kernel_extension.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.kernel_extension.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.kernel_extension.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.kernel_extension.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.kernel_extension.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.kernel_extension.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.kernel_extension.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.kernel_extension.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.kernel_extension.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.kernel_extension.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.kernel_extension.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.kernel_extension.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.user_inventory.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.user_inventory.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.user_inventory.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.user_inventory.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.user_inventory.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.user_inventory.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.user_inventory.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.user_inventory.profiles caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.user_inventory.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.user_inventory.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.user_inventory.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.user_inventory.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.user_inventory.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.user_inventory.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.device_config_state_change.attributes.state caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.device_config_state_change.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.device_config_state_change.attributes.security_level.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.device_config_state_change.attributes.prev_security_level_id.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.device_config_state_change.attributes.state_id caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.device_config_state_change.attributes.security_level_id.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.device_config_state_change.attributes.prev_security_level.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.device_config_state_change.attributes.prev_security_states.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.device_config_state_change.attributes.security_states.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.device_config_state_change.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.device_config_state_change.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.device_config_state_change.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.device_config_state_change.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.device_config_state_change.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.device_config_state_change.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.device_config_state_change.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.device_config_state_change.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.device_config_state_change.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.device_config_state_change.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.device_config_state_change.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.device_config_state_change.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.finding.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.finding.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.finding.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.finding.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.finding.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.finding.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.finding.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.finding.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_url_activity.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_url_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_url_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.email_url_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.email_url_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_url_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.email_url_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.email_url_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_url_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.email_url_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.email_url_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_url_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_url_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.email_url_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.email_url_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.email_url_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.application.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.application.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.application.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.application.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.application.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.application.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.application.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.application.profiles caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.application.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.application.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.application.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.application.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.application.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.application.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.scan_activity.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.scan_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.scan_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.scan_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.scan_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.scan_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.scan_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.scan_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.scan_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.scan_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.scan_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.scan_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.scan_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.smb_activity.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.smb_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.smb_activity.attributes.tls.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.smb_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.smb_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.smb_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.smb_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.smb_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.smb_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.smb_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.smb_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.smb_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.smb_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.smb_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.smb_activity.attributes.src_endpoint.requirement caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.smb_activity.attributes.src_endpoint.requirement.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.requirement
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.smb_activity.attributes.src_endpoint.requirement after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.smb_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.smb_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.smb_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.smb_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.smb_activity.attributes.tls.group caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.smb_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.smb_activity.attributes.tls.group after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.config_state.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.config_state.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.config_state.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.config_state.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.config_state.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.config_state.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.config_state.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.config_state.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.config_state.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.config_state.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.config_state.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.config_state.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.config_state.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.vulnerability_finding.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.vulnerability_finding.attributes.resources caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.vulnerability_finding.attributes.resource.@deprecated caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.vulnerability_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.vulnerability_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.vulnerability_finding.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.vulnerability_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.vulnerability_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.vulnerability_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.vulnerability_finding.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.vulnerability_finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.vulnerability_finding.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.vulnerability_finding.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.vulnerability_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.vulnerability_finding.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.base_event.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.base_event.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.base_event.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.base_event.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.base_event.profiles caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.base_event.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.base_event.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.base_event.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.base_event.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.base_event.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.base_event.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.base_event.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.base_event.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.base_event.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.kernel_activity.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.kernel_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.kernel_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.kernel_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.kernel_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.kernel_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.kernel_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.kernel_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.kernel_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.kernel_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.kernel_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.kernel_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.kernel_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.kernel_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.kernel_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.kernel_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.system.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.system.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.system.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.system.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.system.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.system.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.system.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.system.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.system.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.system.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.system.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.system.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.system.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.system.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.system.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.system.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.data_security_finding.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.data_security_finding.attributes.risk_level_id.enum.99 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.data_security_finding.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.data_security_finding.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.data_security_finding.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.data_security_finding.attributes.resources.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.data_security_finding.attributes.resources.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.data_security_finding.attributes.resources.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.data_security_finding.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.data_security_finding.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.data_security_finding.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.data_security_finding.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.data_security_finding.attributes.risk_level.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.data_security_finding.attributes.risk_level.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.data_security_finding.attributes.risk_level.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.data_security_finding.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.data_security_finding.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.data_security_finding.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.data_security_finding.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.data_security_finding.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.data_security_finding.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.data_security_finding.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.data_security_finding.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.authorize_session.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.authorize_session.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.authorize_session.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.authorize_session.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.authorize_session.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.authorize_session.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.authorize_session.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.authorize_session.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.authorize_session.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.authorize_session.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.authorize_session.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.authorize_session.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.authorize_session.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.prefetch_query.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.prefetch_query.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.prefetch_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.prefetch_query.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.prefetch_query.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.prefetch_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.prefetch_query.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.prefetch_query.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.prefetch_query.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.prefetch_query.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.prefetch_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.prefetch_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.prefetch_query.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.registry_value_query.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.registry_value_query.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.registry_value_query.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.registry_value_query.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.registry_value_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.registry_value_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.registry_value_query.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.registry_value_query.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.registry_value_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.registry_value_query.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.registry_value_query.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.registry_value_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.registry_value_query.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.registry_key_query.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.registry_key_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.registry_key_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.registry_key_query.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.registry_key_query.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.registry_key_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.registry_key_query.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.registry_key_query.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.registry_key_query.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.registry_key_query.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.registry_key_query.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.registry_key_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.registry_key_query.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.tunnel_activity.attributes.ja4_fingerprint_list caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.tunnel_activity.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.tunnel_activity.attributes.tls.requirement caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.tunnel_activity.attributes.disposition_id.enum.0.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.tunnel_activity.attributes.tls.group caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.tunnel_activity.attributes.tls.group.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.tls.group
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.tunnel_activity.attributes.tls.group after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.tunnel_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.tunnel_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.tunnel_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.tunnel_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.tunnel_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.tunnel_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.tunnel_activity.attributes.disposition_id.enum.8.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.tunnel_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.tunnel_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.tunnel_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.tunnel_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.tunnel_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.tunnel_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.tunnel_activity.attributes.disposition_id.enum.99.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.peripheral_device_query.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.peripheral_device_query.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.peripheral_device_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.peripheral_device_query.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.peripheral_device_query.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.peripheral_device_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.peripheral_device_query.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.peripheral_device_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.peripheral_device_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.peripheral_device_query.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.peripheral_device_query.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.peripheral_device_query.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.peripheral_device_query.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.session_query.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.session_query.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.session_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.session_query.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.session_query.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.session_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.session_query.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.session_query.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.session_query.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.session_query.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.session_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.session_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.session_query.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.user_query.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.user_query.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.user_query.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.user_query.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.user_query.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.user_query.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.user_query.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.user_query.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.user_query.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.user_query.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.user_query.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.user_query.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.user_query.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.api_activity.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.api_activity.profiles caused by UPDATE
+[2024-08-23 10:09 DEBUG] Deciding action for events.api_activity.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.api_activity.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.api_activity.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.api_activity.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.api_activity.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.api_activity.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.api_activity.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.api_activity.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.api_activity.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.api_activity.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.api_activity.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.api_activity.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.5 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.1.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.application_lifecycle.attributes.type_uid.enum.600206 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.application_lifecycle.attributes.type_uid.enum.600207 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.4.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.3.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.application_lifecycle.attributes.type_uid.enum.600205 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.8 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.application_lifecycle.attributes.type_uid.enum.600208 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.2.description caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.application_lifecycle.attributes.osint caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.6 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.application_lifecycle.attributes.activity_id.enum.7 caused by ADD
+[2024-08-23 10:09 DEBUG] Deciding action for events.application_lifecycle.attributes.status_detail.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.application_lifecycle.attributes.status_detail.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.status_detail.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.application_lifecycle.attributes.status_detail.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.application_lifecycle.attributes.duration.type caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.application_lifecycle.attributes.duration.type.
+UPDATE: 301
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.duration.type
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.application_lifecycle.attributes.duration.type after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.application_lifecycle.attributes.duration.caption caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.application_lifecycle.attributes.duration.caption.
+UPDATE: 101
+PRESERVE: 301
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.caption
+ PRESERVE: *.attributes.duration.caption
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to preserve events.application_lifecycle.attributes.duration.caption after detecting 3.
+[2024-08-23 10:09 DEBUG] Deciding action for events.application_lifecycle.attributes.status_detail.description caused by UPDATE
+[2024-08-23 10:09 DEBUG] Multiple directives possible for events.application_lifecycle.attributes.status_detail.description.
+UPDATE: 211
+PRESERVE: 0
+DEPRECATE: 121
+IGNORE: 0
+ UPDATE: *.attributes.?.description
+ DEPRECATE: ?.?.attributes.*
+
+[2024-08-23 10:09 INFO] Choosing to update events.application_lifecycle.attributes.status_detail.description after detecting 3.
+[2024-08-23 10:09 WARNING] Skipping empty record dictionary.types.attributes
diff --git a/migrations/curate-qdm-1.2.3-qdm-1.3.0.toml b/migrations/curate-qdm-1.2.3-qdm-1.3.0.toml
new file mode 100644
index 000000000..7027260d7
--- /dev/null
+++ b/migrations/curate-qdm-1.2.3-qdm-1.3.0.toml
@@ -0,0 +1,81 @@
+new_repo = "../ocsf/qdm"
+old_repo = "../ocsf/qdm-prev"
+
+log_level = "DEBUG"
+
+# Update paths
+# Any matching paths below will be updated in the schema patch. The "new"
+# version of these paths will win out over the old.
+update = [
+ "?.?.description", # The community is better at updating descriptions and captions than Query
+ "*.attributes.?.description", # The community is better at updating descriptions and captions than Query
+ "*.caption",
+ "*.constraints.?", # QDM doesn't enforce constraints
+ "*.attributes.?.requirement", # QDM doesn't enforce OCSF requirements
+ "*.attributes.observable",
+
+ "objects.registry_key", "objects.registry_key.*", "objects.registry_value.name",
+ "objects.registry_value", "objects.registry_value.*", "objects.registry_value.name",
+ "*.attributes.duration.type",
+ "*.attributes.tls.group",
+]
+
+# Preserve paths
+# Any matching paths below will be preserved in the schema patch. In other
+# words, the "old" version of the schema will be used.
+preserve = [
+ #"*.type", # Not so sure about this one...
+ #"?.?.attributes.?.enum.*", # Keep all enums by default
+ "*.@deprecated.*", # Don't update @deprecated messages
+
+ "*.attributes.status_detail.caption",
+ "*.attributes.duration.caption",
+]
+
+# Deprecate paths
+# Any matching paths below will be deprecated in the schema patch. They will
+# be preserved in the new schema, but with an @deprecated annotation.
+deprecate = [
+ #"events.email_delivery_activity.*",
+ "?.?.attributes.*", # Deprecate all attributes by default
+ "?.?", # Deprecate all removed records by default
+]
+
+# Ignore paths
+# Any matching paths below will be ignored and not included in the schema
+# patch.
+ignore = [
+ "*.$include",
+ "?.?.profiles",
+ "?.?.attributes.?.profile",
+ "?.?.extension", # This is added by Query and changes based on the order of extensions
+ "?.?.extends",
+ "?.?.uid",
+
+ # Dynamically generated schema elements
+ "objects.observable.attributes.type_id.enum.*",
+ "events.?.attributes.class_uid",
+ "events.?.attributes.class_uid.*",
+ "events.?.attributes.type_uid",
+ "events.?.attributes.type_uid.*",
+ "events.?.attributes.category_uid",
+ "events.?.attributes.category_uid.*",
+
+ "objects.reg_key.name", "objects.reg_value.name",
+]
+
+# Clarify paths
+# Any matching paths below will be flagged for clarification. The preserve and
+# order steps curation will halt if anything is flagged in a schema patch.
+#clarify = ["*.type"]
+
+# No Clarify paths
+# Any matching paths below will NOT be flagged for clarification. This list
+# overrules the clarify list above.
+#no_clarify = ["?.?.attributes.type_uid.type"]
+
+# Rename paths
+[rename]
+#"events.user_info" = "events.user_query"
+#"events.registry_key_info" = "events.registry_key_query"
+#"events.prefetch_info" = "events.prefetch_query"
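Review bot: In the `update` list, `"objects.registry_value.name"` is listed on both the `registry_key` line and the `registry_value` line, so the first occurrence looks like a copy-paste slip for `"objects.registry_key.name"`. If that was the intent, the first line should read `"objects.registry_key", "objects.registry_key.*", "objects.registry_key.name",`. The `ignore` list uses the old `objects.reg_key.name` / `objects.reg_value.name` names without a comment; a one-line note such as `# pre-rename paths, kept so the old records are not patched` would explain why they differ from the `registry_*` names above. `migrations/curate.toml` is added with the same blob id (7027260d7) and carries the same duplicate, so either keep a single copy or state in a header comment which file the tool actually reads. `new_repo` and `old_repo` point at sibling directories outside this repository, which deserves a comment as well, since the curation cannot be reproduced from this checkout alone.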
diff --git a/migrations/curate.toml b/migrations/curate.toml
new file mode 100644
index 000000000..7027260d7
--- /dev/null
+++ b/migrations/curate.toml
@@ -0,0 +1,81 @@
+new_repo = "../ocsf/qdm"
+old_repo = "../ocsf/qdm-prev"
+
+log_level = "DEBUG"
+
+# Update paths
+# Any matching paths below will be updated in the schema patch. The "new"
+# version of these paths will win out over the old.
+update = [
+ "?.?.description", # The community is better at updating descriptions and captions than Query
+ "*.attributes.?.description", # The community is better at updating descriptions and captions than Query
+ "*.caption",
+ "*.constraints.?", # QDM doesn't enforce constraints
+ "*.attributes.?.requirement", # QDM doesn't enforce OCSF requirements
+ "*.attributes.observable",
+
+ "objects.registry_key", "objects.registry_key.*", "objects.registry_value.name",
+ "objects.registry_value", "objects.registry_value.*", "objects.registry_value.name",
+ "*.attributes.duration.type",
+ "*.attributes.tls.group",
+]
+
+# Preserve paths
+# Any matching paths below will be preserved in the schema patch. In other
+# words, the "old" version of the schema will be used.
+preserve = [
+ #"*.type", # Not so sure about this one...
+ #"?.?.attributes.?.enum.*", # Keep all enums by default
+ "*.@deprecated.*", # Don't update @deprecated messages
+
+ "*.attributes.status_detail.caption",
+ "*.attributes.duration.caption",
+]
+
+# Deprecate paths
+# Any matching paths below will be deprecated in the schema patch. They will
+# be preserved in the new schema, but with an @deprecated annotation.
+deprecate = [
+ #"events.email_delivery_activity.*",
+ "?.?.attributes.*", # Deprecate all attributes by default
+ "?.?", # Deprecate all removed records by default
+]
+
+# Ignore paths
+# Any matching paths below will be ignored and not included in the schema
+# patch.
+ignore = [
+ "*.$include",
+ "?.?.profiles",
+ "?.?.attributes.?.profile",
+ "?.?.extension", # This is added by Query and changes based on the order of extensions
+ "?.?.extends",
+ "?.?.uid",
+
+ # Dynamically generated schema elements
+ "objects.observable.attributes.type_id.enum.*",
+ "events.?.attributes.class_uid",
+ "events.?.attributes.class_uid.*",
+ "events.?.attributes.type_uid",
+ "events.?.attributes.type_uid.*",
+ "events.?.attributes.category_uid",
+ "events.?.attributes.category_uid.*",
+
+ "objects.reg_key.name", "objects.reg_value.name",
+]
+
+# Clarify paths
+# Any matching paths below will be flagged for clarification. The preserve and
+# order steps curation will halt if anything is flagged in a schema patch.
+#clarify = ["*.type"]
+
+# No Clarify paths
+# Any matching paths below will NOT be flagged for clarification. This list
+# overrules the clarify list above.
+#no_clarify = ["?.?.attributes.type_uid.type"]
+
+# Rename paths
+[rename]
+#"events.user_info" = "events.user_query"
+#"events.registry_key_info" = "events.registry_key_query"
+#"events.prefetch_info" = "events.prefetch_query"
diff --git a/migrations/schema-patch-qdm-1.2.3-qdm-1.3.0.pkl b/migrations/schema-patch-qdm-1.2.3-qdm-1.3.0.pkl
new file mode 100644
index 000000000..8acf0f7bf
Binary files /dev/null and b/migrations/schema-patch-qdm-1.2.3-qdm-1.3.0.pkl differ
diff --git a/objects/_resource.json b/objects/_resource.json
index e361a7b15..4554e035d 100644
--- a/objects/_resource.json
+++ b/objects/_resource.json
@@ -19,16 +19,14 @@
"requirement": "optional"
},
"name": {
- "description": "The name of the resource.",
- "requirement": "optional"
+ "description": "The name of the resource."
},
"type": {
"description": "The resource type as defined by the event source.",
"requirement": "optional"
},
"uid": {
- "description": "The unique identifier of the resource.",
- "requirement": "optional"
+ "description": "The unique identifier of the resource."
}
}
}
diff --git a/objects/account.json b/objects/account.json
index 48deb20dd..599e37d91 100644
--- a/objects/account.json
+++ b/objects/account.json
@@ -1,11 +1,12 @@
{
"caption": "Account",
- "description": "The Account object contains details about the account that initiated or performed a specific activity within a system or application.",
+ "description": "The Account object contains details about the account that initiated or performed a specific activity within a system or application. Additionally, the Account object refers to logical Cloud and Software-as-a-Service (SaaS) based containers such as AWS Accounts, Azure Subscriptions, Oracle Cloud Compartments, Google Cloud Projects, and otherwise.",
"name": "account",
"extends": "_entity",
"attributes": {
"name": {
- "description": "The name of the account (e.g. GCP Account Name)."
+ "description": "The name of the account (e.g. GCP Project name
, Linux Account name
or AWS Account name
).",
+ "observable": 34
},
"type": {
"caption": "Type",
@@ -53,12 +54,34 @@
},
"10": {
"caption": "AWS Account"
+ },
+ "11": {
+ "caption": "GCP Project"
+ },
+ "12": {
+ "caption": "OCI Compartment"
+ },
+ "13": {
+ "caption": "Azure Subscription"
+ },
+ "14": {
+ "caption": "Salesforce Account"
+ },
+ "15": {
+ "caption": "Google Workspace"
+ },
+ "16": {
+ "caption": "Servicenow Instance"
+ },
+ "17": {
+ "caption": "M365 Tenant"
}
},
"requirement": "recommended"
},
"uid": {
- "description": "The unique identifier of the account (e.g. AWS Account ID)."
+ "description": "The unique identifier of the account (e.g. AWS Account ID
, OCID
, GCP Project ID
, Azure Subscription ID
, Google Workspace Customer ID
, or M365 Tenant UID
).",
+ "observable": 35
},
"labels": {
"caption": "Labels",
diff --git a/objects/analytic.json b/objects/analytic.json
index c47b82ad6..ecbf50c24 100644
--- a/objects/analytic.json
+++ b/objects/analytic.json
@@ -46,6 +46,10 @@
"caption": "Statistical",
"description": "Statistical analytics pertains to analyzing data patterns and anomalies using statistical models to predict, detect, and respond to potential threats, enhancing overall security posture through informed decision-making."
},
+ "4": {
+ "caption": "Learning (ML/DL)",
+ "description": "Learning (ML/DL) encompasses techniques that can \"learn\" from known data to create analytics that generalize to new data. There may be a statistical component to these techniques, but it is not a requirement."
+ },
"5": {
"caption": "Fingerprinting",
"description": "Fingerprinting is the technique of collecting detailed system data, including software versions and configurations, to enhance threat detection, data loss prevention (DLP), and endpoint detection and response (EDR) capabilities."
diff --git a/objects/attack.json b/objects/attack.json
index 598245d06..afbe27ad2 100644
--- a/objects/attack.json
+++ b/objects/attack.json
@@ -1,7 +1,7 @@
{
"caption": "MITRE ATT&CK®",
"name": "attack",
- "description": "The MITRE ATT&CK® object describes the tactic, technique & sub-technique associated to an attack as defined in ATT&CK MatrixTM.",
+ "description": "The MITRE ATT&CK® object describes the tactic, technique & sub-technique associated to an attack as defined in ATT&CK® Matrix.",
"extends": "object",
"attributes": {
"tactic": {
@@ -17,7 +17,7 @@
"requirement": "optional"
},
"version": {
- "description": "The ATT&CK MatrixTM version.",
+ "description": "The ATT&CK® Matrix version.",
"requirement": "recommended"
}
},
diff --git a/objects/authorization.json b/objects/authorization.json
index 349071d61..92bb27bb8 100644
--- a/objects/authorization.json
+++ b/objects/authorization.json
@@ -5,10 +5,12 @@
"name": "authorization",
"attributes": {
"decision": {
- "description": "Authorization Result/outcome, e.g. allowed, denied."
+ "description": "Authorization Result/outcome, e.g. allowed, denied.",
+ "requirement": "recommended"
},
"policy": {
- "description": "Details about the Identity/Access management policies that are applicable."
+ "description": "Details about the Identity/Access management policies that are applicable.",
+ "requirement": "optional"
}
}
}
\ No newline at end of file
diff --git a/objects/certificate.json b/objects/certificate.json
index 838d6f39a..ce8249844 100644
--- a/objects/certificate.json
+++ b/objects/certificate.json
@@ -21,6 +21,9 @@
"description": "The certificate issuer distinguished name.",
"requirement": "required"
},
+ "is_self_signed": {
+ "requirement": "recommended"
+ },
"serial_number": {
"description": "The serial number of the certificate used to create the digital signature.",
"caption": "Certificate Serial Number",
diff --git a/objects/cloud.json b/objects/cloud.json
index c43e75772..0e3e979b5 100644
--- a/objects/cloud.json
+++ b/objects/cloud.json
@@ -1,6 +1,6 @@
{
"caption": "Cloud",
- "description": "The Cloud object contains information about a cloud account such as AWS Account ID, regions, etc.",
+ "description": "The Cloud object contains information about a cloud or Software-as-a-Service account or similar construct, such as AWS Account ID, regions, organizations, folders, compartments, tenants, etc.",
"extends": "object",
"name": "cloud",
"attributes": {
diff --git a/objects/compliance.json b/objects/compliance.json
index 5e33eeb59..7ce54506a 100644
--- a/objects/compliance.json
+++ b/objects/compliance.json
@@ -4,6 +4,12 @@
"extends": "object",
"name": "compliance",
"attributes": {
+ "compliance_references": {
+ "requirement": "optional"
+ },
+ "compliance_standards": {
+ "requirement": "optional"
+ },
"control": {
"requirement": "recommended"
},
diff --git a/objects/d3f_tactic.json b/objects/d3f_tactic.json
new file mode 100644
index 000000000..410eba9f2
--- /dev/null
+++ b/objects/d3f_tactic.json
@@ -0,0 +1,16 @@
+{
+ "caption": "MITRE D3FEND™ Tactic",
+ "description": "The MITRE D3FEND™ Tactic object describes the tactic ID and/or name that is associated to an attack, as defined by D3FENDTM Matrix.",
+ "extends": "_entity",
+ "name": "d3f_tactic",
+ "attributes": {
+ "name": {
+ "description": "The tactic name that is associated with the defensive technique, as defined by D3FENDTM Matrix. For example: Isolate
.",
+ "requirement" : "optional"
+ },
+ "src_url": {
+ "description": "The versioned permalink of the defensive tactic, as defined by D3FENDTM Matrix. For example: https://d3fend.mitre.org/tactic/d3f:Isolate/
.",
+ "requirement" : "optional"
+ }
+ }
+}
\ No newline at end of file
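Review bot: The object description says the tactic is "associated to an attack", but the `name` description in this file ties it to a defensive technique and `objects/d3fend.json` in this commit ties it to a countermeasure; the description should read `associated with a countermeasure`. It also promises a "tactic ID", yet only `name` and `src_url` are declared here. Either add a `uid` entry as `objects/d3f_technique.json` does or drop "ID and/or" (a `uid` may still be inherited from `_entity`, which is outside this hunk). The descriptions spell the mark as the literal letters `D3FENDTM` while the caption uses `D3FEND™`; the same applies to `objects/d3f_technique.json` and `objects/d3fend.json`. The `src_url` text calls the link a "versioned permalink", but the example URL carries no version component, so one of the two should change.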
diff --git a/objects/d3f_technique.json b/objects/d3f_technique.json
new file mode 100644
index 000000000..75d70d243
--- /dev/null
+++ b/objects/d3f_technique.json
@@ -0,0 +1,18 @@
+{
+ "caption": "MITRE DEFEND™ Technique",
+ "description": "The MITRE DEFEND™ Technique object describes the leaf defensive technique ID and/or name associated to a countermeasure, as defined by D3FENDTM Matrix.",
+ "extends": "_entity",
+ "name": "d3f_technique",
+ "attributes": {
+ "name": {
+ "description": "The name of the defensive technique, as defined by D3FENDTM Matrix. For example: IO Port Restriction
."
+ },
+ "src_url": {
+ "description": "The versioned permalink of the defensive technique, as defined by D3FENDTM Matrix. For example: https://d3fend.mitre.org/technique/d3f:IOPortRestriction/
.",
+ "requirement" : "optional"
+ },
+ "uid": {
+ "description": "The unique identifier of the defensive technique, as defined by D3FENDTM Matrix. For example: D3-IOPR
."
+ }
+ }
+}
\ No newline at end of file
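Review bot: The caption and the description both spell the framework "MITRE DEFEND™", which will surface as a wrong object name in generated documentation and UI; they should read `"caption": "MITRE D3FEND™ Technique"` and `The MITRE D3FEND™ Technique object describes …`. The same misspelling appears in `objects/d3fend.json` ("DEFEND MatrixTM", "The Defend Technique object"). In addition, `name` and `uid` carry no `requirement` here while `src_url` does, and `objects/d3f_tactic.json` sets one on `name`. Unless the value is meant to come from `_entity`, adding `"requirement": "recommended"` to both would make the two files agree.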
diff --git a/objects/d3fend.json b/objects/d3fend.json
new file mode 100644
index 000000000..fbfccf3fd
--- /dev/null
+++ b/objects/d3fend.json
@@ -0,0 +1,27 @@
+{
+ "caption": "MITRE D3FEND™",
+ "name": "d3fend",
+ "description": "The MITRE D3FEND™ object describes the tactic, technique & sub-technique associated with a countermeasure as defined in DEFEND MatrixTM.",
+ "extends": "object",
+ "attributes": {
+ "d3f_tactic": {
+ "description": "The Tactic object describes the tactic ID and/or name that is associated with a countermeasure, as defined by D3FEND MatrixTM.",
+ "requirement": "recommended"
+ },
+ "d3f_technique": {
+ "description": "The Defend Technique object describes the technique ID and/or name associated with a countermeasure, as defined by D3FEND MatrixTM.",
+ "requirement": "recommended"
+ },
+ "version": {
+ "description": "The D3FEND MatrixTM version.",
+ "requirement": "recommended"
+ }
+ },
+ "constraints": {
+ "at_least_one": [
+ "d3f_tactic",
+ "d3f_technique"
+ ]
+ }
+ }
+
\ No newline at end of file
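Review bot: The object description promises "tactic, technique & sub-technique", but the attributes declare only `d3f_tactic`, `d3f_technique` and `version`, so a producer has nowhere to put a sub-technique. Either drop "& sub-technique" from the description or state that sub-techniques are carried in `d3f_technique`. The closing brace of the object is indented by one space and followed by an added blank line, unlike the other new object files in this commit; ending the file with a plain `}` would match them.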
diff --git a/objects/device.json b/objects/device.json
index d4120c325..7bf056392 100644
--- a/objects/device.json
+++ b/objects/device.json
@@ -7,6 +7,10 @@
"autoscale_uid": {
"requirement": "optional"
},
+ "boot_time": {
+ "description": "The time the system was booted.",
+ "requirement": "optional"
+ },
"created_time": {
"description": "The time when the device was known to have been created.",
"requirement": "optional"
@@ -17,7 +21,8 @@
"requirement": "optional"
},
"domain": {
- "description": "The network domain where the device resides. For example: work.example.com
."
+ "description": "The network domain where the device resides. For example: work.example.com
.",
+ "requirement": "optional"
},
"first_seen_time": {
"description": "The initial discovery time of the device.",
@@ -28,7 +33,8 @@
"requirement": "optional"
},
"hostname": {
- "description": "The device hostname."
+ "description": "The device hostname.",
+ "requirement": "recommended"
},
"hypervisor": {
"requirement": "optional"
@@ -41,7 +47,8 @@
"requirement": "optional"
},
"ip": {
- "description": "The device IP address, in either IPv4 or IPv6 format."
+ "description": "The device IP address, in either IPv4 or IPv6 format.",
+ "requirement": "optional"
},
"is_compliant": {
"requirement": "optional"
@@ -60,14 +67,16 @@
"requirement": "optional"
},
"location": {
- "description": "The geographical location of the device."
+ "description": "The geographical location of the device.",
+ "requirement": "optional"
},
"modified_time": {
"description": "The time when the device was last known to have been modified.",
"requirement": "optional"
},
"name": {
- "description": "The alternate device name, ordinarily as assigned by an administrator. Note: The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234
.
Note: The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234
.
unknown
, server
, desktop
, laptop
, tablet
, mobile
, virtual
, browser
, or other
."
+ "description": "The device type. For example: unknown
, server
, desktop
, laptop
, tablet
, mobile
, virtual
, browser
, or other
.",
+ "requirement": "recommended"
},
"type_id": {
"description": "The device type ID.",
"requirement": "required"
},
"uid": {
- "description": "The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN."
+ "description": "The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.",
+ "requirement": "recommended"
},
"uid_alt": {
- "description": "An alternate unique identifier of the device if any. For example the ActiveDirectory DN."
+ "description": "An alternate unique identifier of the device if any. For example the ActiveDirectory DN.",
+ "requirement": "optional"
}
}
}
diff --git a/objects/digital_signature.json b/objects/digital_signature.json
index 6442bfb39..438032cdf 100644
--- a/objects/digital_signature.json
+++ b/objects/digital_signature.json
@@ -48,6 +48,36 @@
},
"digest": {
"requirement": "optional"
+ },
+ "state": {
+ "description": "The digital signature state defines the signature state, normalized to the caption of 'state_id'. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional"
+ },
+ "state_id": {
+ "description": "The normalized identifier of the signature state.",
+ "enum": {
+ "1": {
+ "caption": "Valid",
+ "description": "The digital signature is valid."
+ },
+ "2": {
+ "caption": "Expired",
+ "description": "The digital signature is not valid due to expiration of certificate."
+ },
+ "3": {
+ "caption": "Revoked",
+ "description": "The digital signature is invalid due to certificate revocation."
+ },
+ "4": {
+ "caption": "Suspended",
+ "description": "The digital signature is invalid due to certificate suspension."
+ },
+ "5": {
+ "caption": "Pending",
+ "description": "The digital signature state is pending."
+ }
+ },
+ "requirement": "optional"
}
}
}
\ No newline at end of file
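Review bot: The new `state_id` enum has no value for a signature that simply fails verification (digest mismatch, untrusted or broken chain), which is the case detection content cares about most. As written, such events can only be reported through an unmapped value. "Expired", "Revoked" and "Suspended" all describe the status of the signing certificate rather than of the signature, so the attribute description should say so, for example `"description": "The normalized identifier of the signature state, including the status of the signing certificate."`. The `state` description refers to 'Other', but neither `0` nor `99` is listed here. If they are supplied by the dictionary (as the removals in `objects/dns_answer.json` and `objects/malware.json` suggest), that is fine, though it is not visible from this hunk. "Pending" also needs a sentence saying what is pending (verification not yet performed, or revocation status not yet known).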
diff --git a/objects/dns_answer.json b/objects/dns_answer.json
index 49150aa6c..3500c1bfe 100644
--- a/objects/dns_answer.json
+++ b/objects/dns_answer.json
@@ -5,15 +5,13 @@
"name": "dns_answer",
"attributes": {
"class": {
- "description": "The class of DNS data contained in this resource record. See RFC1035. For example: IN
."
+ "description": "The class of DNS data contained in this resource record. See RFC1035. For example: IN
.",
+ "requirement": "recommended"
},
"flag_ids": {
"caption": "DNS Header Flags",
"description": "The list of DNS answer header flag IDs.",
"enum": {
- "0": {
- "caption": "Unknown"
- },
"1": {
"caption": "Authoritative Answer"
},
@@ -31,16 +29,14 @@
},
"6": {
"caption": "Checking Disabled"
- },
- "99": {
- "caption": "Other",
- "description": "The event DNS header flag is not mapped."
}
- }
+ },
+ "requirement": "recommended"
},
"flags": {
"caption": "DNS Header Flags",
- "description": "The list of DNS answer header flags."
+ "description": "The list of DNS answer header flags.",
+ "requirement": "optional"
},
"rdata": {
"requirement": "required"
@@ -49,7 +45,8 @@
"requirement": "recommended"
},
"type": {
- "description": "The type of data contained in this resource record. See RFC1035. For example: CNAME
."
+ "description": "The type of data contained in this resource record. See RFC1035. For example: CNAME
.",
+ "requirement": "recommended"
}
}
}
diff --git a/objects/domain_contact.json b/objects/domain_contact.json
new file mode 100644
index 000000000..7305462c1
--- /dev/null
+++ b/objects/domain_contact.json
@@ -0,0 +1,60 @@
+{
+ "caption": "Domain Contact",
+ "description": "The contact information related to a domain registration, e.g., registrant, administrator, abuse, billing, or technical contact.",
+ "extends": "object",
+ "name": "domain_contact",
+ "attributes": {
+ "type_id": {
+ "caption": "Domain Contact Type ID",
+ "description": "The normalized domain contact type ID.",
+ "requirement": "required",
+ "enum": {
+ "1": {
+ "caption": "Registrant",
+ "description": "The contact information provided is for the domain registrant."
+ },
+ "2": {
+ "caption": "Administrative",
+ "description": "The contact information provided is for the domain administrator."
+ },
+ "3": {
+ "caption": "Technical",
+ "description": "The contact information provided is for the domain technical lead."
+ },
+ "4": {
+ "caption": "Billing",
+ "description": "The contact information provided is for the domain billing lead."
+ },
+ "5": {
+ "caption": "Abuse",
+ "description": "The contact information provided is for the domain abuse contact."
+ }
+ }
+ },
+ "type": {
+ "caption": "Domain Contact Type",
+ "description": "The Domain Contact type, normalized to the caption of the type_id
value. In the case of 'Other', it is defined by the source",
+ "requirement": "optional"
+ },
+ "location": {
+ "caption": "Contact Location Information",
+ "description": "Location details for the contract such as the city, state/province, country, etc.",
+ "requirement": "recommended"
+ },
+ "email_addr": {
+ "caption": "Contact Email",
+ "requirement": "recommended"
+ },
+ "phone_number": {
+ "requirement": "optional"
+ },
+ "name": {
+ "description": "The individual or organization name for the contact.",
+ "requirement": "optional"
+ },
+ "uid": {
+ "description": "The unique identifier of the contact information, typically provided in WHOIS information.",
+ "requirement": "optional"
+ }
+ }
+}
\ No newline at end of file
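Review bot: The `location` description reads "Location details for the contract", which should be `Location details for the contact such as the city, state/province, country, etc.`. The `type` description ends without a period and refers to an 'Other' value that the `type_id` enum in this file does not list. If `0`/`99` are supplied elsewhere, that is outside this hunk; otherwise the sentence should be dropped or the enum extended. `email_addr` and `phone_number` carry no local description; a short one, as on `name` and `uid`, would make clear that these are the WHOIS contact's own details.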
diff --git a/objects/email.json b/objects/email.json
index e395a5129..25537f3e5 100644
--- a/objects/email.json
+++ b/objects/email.json
@@ -41,7 +41,8 @@
},
"subject": {
"caption": "Subject",
- "description": "The email header Subject value, as defined by RFC 5322."
+ "description": "The email header Subject value, as defined by RFC 5322.",
+ "requirement": "recommended"
},
"to": {
"requirement": "required"
diff --git a/objects/endpoint.json b/objects/endpoint.json
index 15f6b5dc6..1bc85992e 100644
--- a/objects/endpoint.json
+++ b/objects/endpoint.json
@@ -94,7 +94,7 @@
},
"7": {
"caption": "IOT",
- "description": "A IOT (Internet of Things) device."
+ "description": "An IOT (Internet of Things) device."
},
"8": {
"caption": "Browser",
@@ -111,6 +111,22 @@
"11": {
"caption": "Hub",
"description": "A networking hub."
+ },
+ "12": {
+ "caption": "Router",
+ "description": "A networking router."
+ },
+ "13": {
+ "caption": "IDS",
+ "description": "An intrusion detection system."
+ },
+ "14": {
+ "caption": "IPS",
+ "description": "An intrusion prevention system."
+ },
+ "15": {
+ "caption": "Load Balancer",
+ "description": "A Load Balancer device."
}
},
"requirement": "recommended"
diff --git a/objects/enrichment.json b/objects/enrichment.json
index 47846abb2..e270aac93 100644
--- a/objects/enrichment.json
+++ b/objects/enrichment.json
@@ -4,10 +4,18 @@
"extends": "object",
"name": "enrichment",
"attributes": {
+ "created_time": {
+ "description": "The time when the enrichment data was generated.",
+ "requirement": "recommended"
+ },
"data": {
"description": "The enrichment data associated with the attribute and value. The meaning of this data depends on the type the enrichment record.",
"requirement": "required"
},
+ "desc": {
+ "description": "A long description of the enrichment data.",
+ "requirement": "optional"
+ },
"name": {
"description": "The name of the attribute to which the enriched data pertains.",
"requirement": "required"
@@ -16,10 +24,22 @@
"description": "The enrichment data provider name.",
"requirement": "recommended"
},
+ "reputation": {
+ "description": "The reputation of the enrichment data.",
+ "requirement": "optional"
+ },
+ "short_desc": {
+ "description": "A short description of the enrichment data.",
+ "requirement": "recommended"
+ },
"type": {
"description": "The enrichment type. For example: location
.",
"requirement": "recommended"
},
+ "src_url": {
+ "description": "The URL of the source of the enrichment data.",
+ "requirement": "recommended"
+ },
"value": {
"description": "The value of the attribute to which the enriched data pertains.",
"requirement": "required"
diff --git a/objects/evidences.json b/objects/evidences.json
index 152a7da89..8b41cc88c 100644
--- a/objects/evidences.json
+++ b/objects/evidences.json
@@ -32,10 +32,18 @@
"description": "Describes details about the databucket associated to the activity that triggered the detection.",
"requirement": "recommended"
},
+ "device": {
+ "description": "An addressable device, computer system or host associated to the activity that triggered the detection.",
+ "requirement": "recommended"
+ },
"dst_endpoint": {
"description": "Describes details about the destination of the network activity that triggered the detection.",
"requirement": "recommended"
},
+ "email": {
+ "description": "The email object associated to the activity that triggered the detection.",
+ "requirement": "recommended"
+ },
"file": {
"description": "Describes details about the file associated to the activity that triggered the detection.",
"requirement": "recommended"
@@ -51,6 +59,18 @@
"src_endpoint": {
"description": "Describes details about the source of the network activity that triggered the detection.",
"requirement": "recommended"
+ },
+ "url": {
+ "description": "The URL object that pertains to the event or object associated to the activity that triggered the detection.",
+ "requirement": "recommended"
+ },
+ "user": {
+ "description": "Describes details about the user that was the target or somehow else associated with the activity that triggered the detection.",
+ "requirement": "recommended"
+ },
+ "job": {
+ "description": "Describes details about the scheduled job that was associated with the activity that triggered the detection.",
+ "requirement": "recommended"
}
},
"constraints": {
@@ -61,11 +81,16 @@
"data",
"database",
"databucket",
+ "device",
"dst_endpoint",
+ "email",
"file",
"process",
"query",
- "src_endpoint"
+ "src_endpoint",
+ "url",
+ "user",
+ "job"
]
}
}
\ No newline at end of file
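Review bot: `"job"` is appended after `"user"` in the `at_least_one` list, and likewise after `user` in the attributes of the previous hunk, while every other entry in both places is in alphabetical order; placing it between `"file"` and `"process"` keeps the lists easy to scan and diff. `objects/enrichment.json` in this commit has the same slip, with `src_url` inserted after `type`. In the previous hunk the `user` description says "or somehow else associated with", which would read better as `or otherwise associated with`.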
diff --git a/objects/file.json b/objects/file.json
index 6674547c9..9adb00f92 100644
--- a/objects/file.json
+++ b/objects/file.json
@@ -41,6 +41,11 @@
"description": "The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.",
"requirement": "optional"
},
+ "ext": {
+ "caption": "File Extension",
+ "description": "The extension of the file, excluding the leading dot. For example: exe
from svchost.exe
, or gz
from export.tar.gz
.",
+ "requirement": "recommended"
+ },
"hashes": {
"requirement": "recommended"
},
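Review bot: The `ext` description does not say whether the value keeps the file's original case, and extension-based detections and allow-lists behave differently for `EXE` and `exe` depending on that. The `export.tar.gz` example shows that only the final suffix is recorded, but this is left implicit. Stating both explicitly would help producers, for example by appending `Only the last suffix is recorded; the value is reported as it appears in the file name.` (or "lower-cased", whichever the project intends). It is also worth saying what a producer should emit for a file with no dot or with a trailing dot, since `requirement` is `recommended`.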
diff --git a/objects/group.json b/objects/group.json
index 0d44af547..88f6e73e4 100644
--- a/objects/group.json
+++ b/objects/group.json
@@ -13,7 +13,8 @@
"requirement": "optional"
},
"name": {
- "description": "The group name."
+ "description": "The group name.",
+ "observable": 32
},
"privileges": {
"description": "The group privileges.",
@@ -25,7 +26,8 @@
"requirement": "optional"
},
"uid": {
- "description": "The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group."
+ "description": "The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.",
+ "observable": 33
}
}
}
diff --git a/objects/http_request.json b/objects/http_request.json
index f583ab816..b93a2bc67 100644
--- a/objects/http_request.json
+++ b/objects/http_request.json
@@ -47,7 +47,7 @@
"description": "The TRACE method performs a message loop-back test along the path to the target resource."
}
},
- "type": "string_t"
+ "requirement": "recommended"
},
"length": {
"caption": "Request Length",
diff --git a/objects/ja4_fingerprint.json b/objects/ja4_fingerprint.json
new file mode 100644
index 000000000..001359fd5
--- /dev/null
+++ b/objects/ja4_fingerprint.json
@@ -0,0 +1,77 @@
+{
+ "caption": "JA4+ Fingerprint",
+ "description": "The JA4+ fingerprint object provides detailed fingerprint information about various aspects of network traffic which is both machine and human readable.",
+ "extends": "object",
+ "name": "ja4_fingerprint",
+ "attributes": {
+ "section_a": {
+ "requirement": "optional"
+ },
+ "section_b": {
+ "requirement": "optional"
+ },
+ "section_c": {
+ "requirement": "optional"
+ },
+ "section_d": {
+ "requirement": "optional"
+ },
+ "type": {
+ "description": "The JA4+ fingerprint type as defined by FoxIO, normalized to the caption of 'type_id'. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional"
+ },
+ "type_id": {
+ "description": "The identifier of the JA4+ fingerprint type.",
+ "enum": {
+ "0": {
+ "caption": "Unknown"
+ },
+ "1": {
+ "caption": "JA4",
+ "description": "TLS Client Fingerprint."
+ },
+ "2": {
+ "caption": "JA4Server",
+ "description": "TLS Server Response/Session Fingerprint."
+ },
+ "3": {
+ "caption": "JA4HTTP",
+ "description": "HTTP Client Fingerprint."
+ },
+ "4": {
+ "caption": "JA4Latency",
+ "description": "Latency Measurement/Light Distance Fingerprint."
+ },
+ "5": {
+ "caption": "JA4X509",
+ "description": "X509 TLS Certificate Fingerprint."
+ },
+ "6": {
+ "caption": "JA4SSH",
+ "description": "SSH Traffic Fingerprint."
+ },
+ "7": {
+ "caption": "JA4TCP",
+ "description": "Passive TCP Client Fingerprint."
+ },
+ "8": {
+ "caption": "JA4TCPServer",
+ "description": "Passive TCP Server Fingerprint."
+ },
+ "9": {
+ "caption": "JA4TCPScan",
+ "description": "Active TCP Server Fingerprint."
+ },
+ "99": {
+ "caption": "Other"
+ }
+ },
+ "requirement": "required"
+ },
+ "value": {
+ "description": "The JA4+ fingerprint value.",
+ "requirement": "required",
+ "type": "string_t"
+ }
+ }
+}
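Review bot: The `type_id` enum here declares `"0": Unknown` and `"99": Other` explicitly, while `objects/dns_answer.json` and `objects/malware.json` in this same commit delete those two entries from their enums; if the base values are now supplied centrally, they should be removed here too. `value` sets `"type": "string_t"` locally, whereas the `objects/http_request.json` hunk in this commit drops a local `type` in favour of the shared definition, so it is worth confirming that the local type is intended. `section_a` to `section_d` have no description in this file. Unless the dictionary provides one, a line saying which part of the fingerprint each section holds would help anyone writing matching rules on the individual sections.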
diff --git a/objects/kb_article.json b/objects/kb_article.json
index 229a37582..62e81453f 100644
--- a/objects/kb_article.json
+++ b/objects/kb_article.json
@@ -4,6 +4,18 @@
"extends": "object",
"name": "kb_article",
"attributes": {
+ "avg_timespan": {
+ "description": "The average time to patch.",
+ "requirement": "optional"
+ },
+ "install_state": {
+ "description": "The install state of the kb article.",
+ "requirement": "recommended"
+ },
+ "install_state_id": {
+ "description": "The normalized install state ID of the kb article.",
+ "requirement": "recommended"
+ },
"title": {
"description": "The title of the kb article.",
"requirement": "recommended"
@@ -49,4 +61,4 @@
"requirement": "optional"
}
}
-}
\ No newline at end of file
+}
diff --git a/objects/ldap_person.json b/objects/ldap_person.json
index e3bbaaf10..0749b351f 100644
--- a/objects/ldap_person.json
+++ b/objects/ldap_person.json
@@ -59,6 +59,11 @@
"office_location": {
"requirement": "optional"
},
+ "phone_number": {
+ "caption": "Telephone Number",
+ "description": "The telephone number of the user. Corresponds to the LDAP Telephone-Number
CN.",
+ "requirement": "optional"
+ },
"surname": {
"requirement": "optional"
}
diff --git a/objects/load_balancer.json b/objects/load_balancer.json
index 81b0f9b94..0ca8d5c91 100644
--- a/objects/load_balancer.json
+++ b/objects/load_balancer.json
@@ -30,7 +30,11 @@
"caption": "Classification",
"description": "The request classification as defined by the load balancer.",
"requirement": "optional"
- },
+ },
+ "ip": {
+ "description": "The IP address of the load balancer node that handled the client request. Note: the load balancer may have other IP addresses, and this is not an IP address of the target/distribution endpoint - see dst_endpoint
.",
+ "requirement": "optional"
+ },
"status_detail": {
"caption": "Status Detail",
"description": "The status detail contains additional status information about the load balancer distribution event.",
diff --git a/objects/logger.json b/objects/logger.json
index 1f4399e0e..6078360ab 100644
--- a/objects/logger.json
+++ b/objects/logger.json
@@ -20,7 +20,9 @@
"log_version": {
"requirement": "optional"
},
- "logged_time": {},
+ "logged_time": {
+ "requirement": "recommended"
+ },
"name": {
"description": "The name of the logging product instance.",
"requirement": "recommended"
diff --git a/objects/malware.json b/objects/malware.json
index b58df3256..ab638cde2 100644
--- a/objects/malware.json
+++ b/objects/malware.json
@@ -5,11 +5,9 @@
"name": "malware",
"attributes": {
"classification_ids": {
+ "description": "The list of normalized identifiers of the malware classifications. Reference: STIX Malware Types ",
"requirement": "required",
"enum": {
- "0": {
- "caption": "Unknown"
- },
"1": {
"caption": "Adware"
},
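Review bot: With `"0"` removed in this hunk and `"99"` removed in the next one, `classification_ids` stays `required` but this file now lists only values 1–22, while the `classifications` description added in the next hunk still says "In the case of 'Other'". Presumably Unknown/Other now come from a shared definition elsewhere in the schema; that is not visible here, so it is worth confirming the compiled schema still exposes 0 and 99, otherwise producers have no valid value for an unmapped classification. The same pattern appears for `load_type_id` in objects/module.json, and the new `type_id` in objects/package.json has a `type` description mentioning 'Other' with only 1 and 2 defined. The enum body lies partly outside this hunk.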
@@ -72,13 +70,11 @@
},
"22": {
"caption": "Worm"
- },
- "99": {
- "caption": "Other"
}
}
},
"classifications": {
+ "description": "The list of malware classifications, normalized to the captions of the classification_ids
values. In the case of 'Other', they are defined by the event source.",
"requirement": "optional"
},
"cves": {
diff --git a/objects/managed_entity.json b/objects/managed_entity.json
index ef26f78bc..1c2cffc8e 100644
--- a/objects/managed_entity.json
+++ b/objects/managed_entity.json
@@ -1,6 +1,6 @@
{
"caption": "Managed Entity",
- "description": "The Managed Entity object describes the type and version of an entity, such as a policy or configuration.",
+ "description": "The Managed Entity object describes the type and version of an entity, such as a user, device, or policy. For types in the type_id
enum list, an associated attribute should be populated. If the type of entity is not in the type_id
list, information can be put into the data
attribute and the type
attribute should identify the entity.",
"extends": "_entity",
"name": "managed_entity",
"attributes": {
@@ -15,12 +15,72 @@
"description": "The managed entity type. For example: policy
, user
, organizational unit
, device
.",
"requirement": "recommended"
},
+ "type_id": {
+ "requirement": "recommended",
+ "description": "The type of the Managed Entity. It is recommended to also populate the type
attribute with the associated label, or the source specific name if Other
.",
+ "enum": {
+ "1": {
+ "caption": "Device",
+ "description": "A managed Device entity. This item corresponds to population of the device
attribute."
+ },
+ "2": {
+ "caption": "User",
+ "description": "A managed User entity. This item corresponds to population of the user
attribute."
+ },
+ "3": {
+ "caption": "Group",
+ "description": "A managed Group entity. This item corresponds to population of the group
attribute."
+ },
+ "4": {
+ "caption": "Organization",
+ "description": "A managed Organization entity. This item corresponds to population of the org
attribute."
+ },
+ "5": {
+ "caption": "Policy",
+ "description": "A managed Policy entity. This item corresponds to population of the policy
attribute."
+ },
+ "6": {
+ "caption": "Email",
+ "description": "A managed Email entity. This item corresponds to population of the email
attribute."
+ }
+ }
+ },
+ "device": {
+ "requirement": "recommended"
+ },
+ "email": {
+ "requirement": "recommended"
+ },
+ "group": {
+ "requirement": "recommended"
+ },
+ "org": {
+ "requirement": "recommended"
+ },
+ "policy": {
+ "requirement": "recommended",
+ "description": "Describes details of a managed policy."
+ },
"uid": {
"description": "The identifier of the managed entity."
},
+ "user": {
+ "requirement": "recommended"
+ },
"version": {
"description": "The version of the managed entity. For example: 1.2.3
.",
"requirement": "recommended"
}
+ },
+ "constraints": {
+ "at_least_one": [
+ "name",
+ "uid",
+ "device",
+ "group",
+ "org",
+ "policy",
+ "user"
+ ]
}
}
\ No newline at end of file
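Review bot: The `at_least_one` constraint omits `email`, although `type_id` 6 ("Email") is documented as corresponding to the `email` attribute added in this same hunk. A managed entity described only by `email` would fail the constraint unless `name` or `uid` is also set; add `"email"` to the list, or state in the description why it is excluded. The object description in the previous hunk also directs unlisted entity types into `data`, which is likewise not in the constraint; that may be intentional but deserves a sentence.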
diff --git a/objects/metadata.json b/objects/metadata.json
index a35a1a436..690054886 100644
--- a/objects/metadata.json
+++ b/objects/metadata.json
@@ -45,7 +45,9 @@
"description": "The time when the event was last modified or enriched.",
"requirement": "optional"
},
- "loggers": {},
+ "loggers": {
+ "requirement": "optional"
+ },
"original_time": {
"requirement": "recommended"
},
diff --git a/objects/module.json b/objects/module.json
index 4b5cfe96a..bedc4fa6c 100644
--- a/objects/module.json
+++ b/objects/module.json
@@ -18,11 +18,9 @@
"requirement": "optional"
},
"load_type_id": {
+ "description": "The normalized identifier for how the module was loaded in memory.",
"requirement": "required",
"enum": {
- "0": {
- "caption": "Unknown"
- },
"1": {
"caption": "Standard",
"description": "A normal module loaded by the normal windows loading mechanism i.e. LoadLibrary."
@@ -42,9 +40,6 @@
"5": {
"caption": "NonStandard Backed",
"description": "A module loaded in a non standard way. However, GetModuleFileName succeeds on this allocation."
- },
- "99": {
- "caption": "Other"
}
}
},
diff --git a/objects/network_connection_info.json b/objects/network_connection_info.json
index 6851f31aa..2b511446c 100644
--- a/objects/network_connection_info.json
+++ b/objects/network_connection_info.json
@@ -4,21 +4,28 @@
"extends": "object",
"name": "network_connection_info",
"attributes": {
- "boundary": {},
- "boundary_id": {},
+ "boundary": {
+ "requirement": "optional"
+ },
+ "boundary_id": {
+ "requirement": "recommended"
+ },
"direction": {
"requirement": "optional"
},
"direction_id": {
"requirement": "required"
},
- "protocol_name": {},
+ "protocol_name": {
+ "requirement": "recommended"
+ },
"protocol_num": {
"requirement": "recommended"
},
"protocol_ver": {
"caption": "IP Version",
- "description": "The Internet Protocol version."
+ "description": "The Internet Protocol version.",
+ "requirement": "optional"
},
"protocol_ver_id": {
"caption": "IP Version ID",
@@ -36,15 +43,19 @@
"99": {
"caption": "Other"
}
- }
+ },
+ "requirement": "recommended"
},
"session": {
"requirement": "optional"
},
- "tcp_flags": {},
+ "tcp_flags": {
+ "requirement": "optional"
+ },
"uid": {
"caption": "Connection UID",
- "description": "The unique identifier of the connection."
+ "description": "The unique identifier of the connection.",
+ "requirement": "recommended"
}
}
}
diff --git a/objects/organization.json b/objects/organization.json
index 845455716..151a3f0ae 100644
--- a/objects/organization.json
+++ b/objects/organization.json
@@ -1,20 +1,22 @@
{
"caption": "Organization",
- "description": "The Organization object describes characteristics of an organization or company and its division if any.",
+ "description": "The Organization object describes characteristics of an organization or company and its division if any. Additionally, it also describes cloud and Software-as-a-Service (SaaS) logical hierarchies such as AWS Organizations, Google Cloud Organizations, Oracle Cloud Tenancies, and similar constructs.",
"extends": "_entity",
"name": "organization",
"attributes": {
"name": {
- "description": "The name of the organization. For example, Widget, Inc."
+ "description": "The name of the organization, Oracle Cloud Tenancy, Google Cloud Organization, or AWS Organization. For example, Widget, Inc.
or the AWS Organization name
."
},
"ou_name": {
- "requirement": "recommended"
+ "requirement": "recommended",
+ "description": "The name of an organizational unit, Google Cloud Folder, or AWS Org Unit. For example, the GCP Project Name
, or Dev_Prod_OU
."
},
"ou_uid": {
- "requirement": "optional"
+ "requirement": "optional",
+ "description": "The unique identifier of an organizational unit, Google Cloud Folder, or AWS Org Unit. For example, an Oracle Cloud Tenancy ID
, AWS OU ID
, or GCP Folder ID
."
},
"uid": {
- "description": "The unique identifier of the organization. For example, its Active Directory or AWS Org ID."
+ "description": "The unique identifier of the organization, Oracle Cloud Tenancy, Google Cloud Organization, or AWS Organization. For example, an AWS Org ID
or Oracle Cloud Domain ID
."
}
}
}
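Review bot: The examples given for `ou_name` and `ou_uid` do not match the level those attributes describe. `ou_name` is defined as an organizational unit, Google Cloud Folder or AWS Org Unit but offers "the GCP Project Name" as its example, and `ou_uid` lists "an Oracle Cloud Tenancy ID" although the `uid` description in this hunk places the Oracle Cloud Tenancy at the organization level. Producers following the examples would put the same identifier in different fields, which breaks correlation on `uid`/`ou_uid` across sources. Suggest keeping only unit-level examples on `ou_uid` (`AWS OU ID`, `GCP Folder ID`) and moving the tenancy example to `uid`.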
diff --git a/objects/osint.json b/objects/osint.json
new file mode 100644
index 000000000..e38f5d3f7
--- /dev/null
+++ b/objects/osint.json
@@ -0,0 +1,171 @@
+{
+ "caption":"OSINT",
+ "name":"osint",
+ "description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "extends":"_entity",
+ "attributes":{
+ "type_id":{
+ "caption":"Indicator Type ID",
+ "description":"The OSINT indicator type ID.",
+ "requirement":"required",
+ "enum":{
+ "0":{
+ "caption":"Unknown",
+ "description":"The indicator type is ambiguous or there is not a related indicator for the OSINT object."
+ },
+ "1":{
+ "caption":"IP Address",
+ "description":"An IPv4 or IPv6 address."
+ },
+ "2":{
+ "caption":"Domain",
+ "description":"A full-qualified domain name (FQDN), subdomain, or partial domain."
+ },
+ "3":{
+ "caption":"Hostname",
+ "description":"A hostname or computer name."
+ },
+ "4":{
+ "caption":"Hash",
+ "description":"Any type of hash e.g., MD5, SHA1, SHA2, BLAKE, BLAKE2, etc. generated from a file, malware sample, request header, or otherwise."
+ },
+ "5":{
+ "caption":"URL",
+ "description":"A Uniform Resource Locator (URL) or Uniform Resource Indicator (URI)."
+ },
+ "6":{
+ "caption":"User Agent",
+ "description":"A User Agent typically seen in HTTP request headers."
+ },
+ "7":{
+ "caption":"Digital Certificate",
+ "description":"The serial number, fingerprint, or full content of an X.509 digital certificate."
+ },
+ "8":{
+ "caption":"Email",
+ "description":"The contents of an email or any related information to an email object."
+ },
+ "9":{
+ "caption":"Email Address",
+ "description":"An email address."
+ },
+ "10":{
+ "caption":"Vulnerability",
+ "description":"A CVE ID, CWE ID, or other identifier for a weakness, exploit, bug, or misconfiguration."
+ },
+ "99":{
+ "caption":"Other",
+ "description":"The indicator type is not directly listed."
+ }
+ }
+ },
+ "type":{
+ "description":"The OSINT indicator type.",
+ "requirement":"optional"
+ },
+ "value":{
+ "caption":"Indicator",
+ "description":"The actual indicator value in scope, e.g., a SHA-256 hash hexdigest or a domain name.",
+ "requirement":"required"
+ },
+ "tlp":{
+ "caption":"Traffic Light Protocol",
+ "description":"The Traffic Light Protocol was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. TLP provides a simple and intuitive schema for indicating with whom potentially sensitive information can be shared.",
+ "enum":{
+ "RED":{
+ "caption":"TLP:RED",
+ "description":"TLP:RED is for the eyes and ears of individual recipients only, no further disclosure. Sources may use TLP:RED when information cannot be effectively acted upon without significant risk for the privacy, reputation, or operations of the organizations involved. Recipients may therefore not share TLP:RED information with anyone else. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting."
+ },
+ "AMBER":{
+ "caption":"TLP:AMBER",
+ "description":"TLP:AMBER is for limited disclosure, recipients can only spread this on a need-to-know basis within their organization and its clients. Note that TLP:AMBER+STRICT restricts sharing to the organization only. Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risk to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may share TLP:AMBER information with members of their own organization and its clients, but only on a need-to-know basis to protect their organization and its clients and prevent further harm. Note: if the source wants to restrict sharing to the organization only, they must specify TLP:AMBER+STRICT."
+ },
+ "AMBER STRICT":{
+ "caption":"TLP:AMBER+STRICT",
+ "description":"TLP:AMBER is for limited disclosure, recipients can only spread this on a need-to-know basis within their organization and its clients. Note that TLP:AMBER+STRICT restricts sharing to the organization only. Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risk to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may share TLP:AMBER information with members of their own organization and its clients, but only on a need-to-know basis to protect their organization and its clients and prevent further harm. Note: if the source wants to restrict sharing to the organization only, they must specify TLP:AMBER+STRICT."
+ },
+ "GREEN":{
+ "caption":"TLP:GREEN",
+ "description":"TLP:GREEN is for limited disclosure, recipients can spread this within their community. Sources may use TLP:GREEN when information is useful to increase awareness within their wider community. Recipients may share TLP:GREEN information with peers and partner organizations within their community, but not via publicly accessible channels. TLP:GREEN information may not be shared outside of the community. Note: when “community” is not defined, assume the cybersecurity/defense community."
+ },
+ "CLEAR":{
+ "caption":"TLP:CLEAR",
+ "description":"TLP:CLEAR denotes that recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction."
+ }
+ },
+ "requirement":"recommended",
+ "type":"string_t"
+ },
+ "confidence_id":{
+ "description":"The normalized confidence refers to the accuracy of collected information related to the OSINT or how pertinent an indicator or analysis is to a specific event or finding. A low confidence means that the information collected or analysis conducted lacked detail or is not accurate enough to qualify an indicator as fully malicious.",
+ "requirement":"recommended"
+ },
+ "confidence":{
+ "description":"The confidence of an indicator being malicious and/or pertinent, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source or analyst.",
+ "requirement":"optional"
+ },
+ "vendor_name":{
+ "description":"The vendor name of a tool which generates intelligence or provides indicators.",
+ "requirement":"optional"
+ },
+ "src_url":{
+ "description":"The source URL of an indicator or OSINT analysis, e.g., a URL back to a TIP, report, or otherwise.",
+ "requirement":"optional"
+ },
+ "comment":{
+ "caption":"Analyst Comments",
+ "description":"Analyst commentary or source commentary about an indicator or OSINT analysis.",
+ "requirement":"optional"
+ },
+ "email":{
+ "caption":"Related Email",
+ "description":"Any email information pertinent to an indicator or OSINT analysis.",
+ "requirement":"optional"
+ },
+ "email_auth":{
+ "caption":"Related Email Authentication",
+ "description":"Any email authentication information pertinent to an indicator or OSINT analysis.",
+ "requirement":"optional"
+ },
+ "kill_chain":{
+ "description":"Lockheed Martin Kill Chain Phases pertinent to an indicator or OSINT analysis.",
+ "requirement":"optional"
+ },
+ "attacks":{
+ "description":"MITRE ATT&CK Tactics, Techniques, and/or Procedures (TTPs) pertinent to an indicator or OSINT analysis.",
+ "requirement":"optional"
+ },
+ "vulnerabilities":{
+ "caption":"Related Vulnerabilities",
+ "description":"Any vulnerabilities related to an indicator or OSINT analysis.",
+ "requirement":"optional"
+ },
+ "signatures":{
+ "caption":"Related Digital Signatures",
+ "description":"Any digital signatures or hashes related to an indicator or OSINT analysis.",
+ "requirement":"optional"
+ },
+ "subdomains":{
+ "caption":"Related Subdomains",
+ "description":"Any pertinent subdomain information - such as those generated by a Domain Generation Algorithm - related to an indicator or OSINT analysis.",
+ "requirement":"optional"
+ },
+ "answers":{
+ "caption":"Related DNS Answers",
+ "description":"Any pertinent DNS answers information related to an indicator or OSINT analysis.",
+ "requirement":"optional"
+ },
+ "whois":{
+ "description":"Any pertinent WHOIS information related to an indicator or OSINT analysis.",
+ "requirement":"optional"
+ },
+ "autonomous_system":{
+ "description":"Any pertinent autonomous system information related to an indicator or OSINT analysis.",
+ "requirement":"optional"
+ },
+ "location":{
+ "description":"Any pertinent geolocation information related to an indicator or OSINT analysis.",
+ "requirement":"optional"
+ }
+ }
+}
\ No newline at end of file
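Review bot: The `tlp` entry for TLP:AMBER+STRICT uses the key `AMBER STRICT` (with a space) and a description copied verbatim from `AMBER`, opening with "recipients can only spread this on a need-to-know basis within their organization and its clients". For a field that governs how far an indicator may be shared, the strict value should state its own rule first, e.g. `"description": "TLP:AMBER+STRICT restricts sharing to the recipient's organization only, on a need-to-know basis."`, and the description should say that the key is the exact string producers must emit. Minor wording in the same file: "full-qualified" should be "fully qualified", and URI expands to "Uniform Resource Identifier".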
diff --git a/objects/package.json b/objects/package.json
index 67c20f831..5c85fcac9 100644
--- a/objects/package.json
+++ b/objects/package.json
@@ -7,9 +7,16 @@
"architecture": {
"requirement": "recommended"
},
+ "cpe_name": {
+ "requirement": "optional"
+ },
"epoch": {
"requirement": "optional"
},
+ "hash": {
+ "description": "Cryptographic hash to identify the binary instance of a software component. This can include any component such file, package, or library.",
+ "requirement": "optional"
+ },
"license": {
"description": "The software license applied to this package.",
"requirement": "optional"
@@ -24,6 +31,28 @@
"release": {
"requirement": "optional"
},
+ "vendor_name": {
+ "description": "The name of the vendor who published the software package.",
+ "requirement": "optional"
+ },
+ "type": {
+ "description": "The type of software package, normalized to the caption of the type_id value. In the case of 'Other', it is defined by the source.",
+ "requirement": "optional"
+ },
+ "type_id": {
+ "description": "The type of software package.",
+ "enum": {
+ "1": {
+ "caption": "Application",
+ "description": "An application software package."
+ },
+ "2": {
+ "caption": "Operating System",
+ "description": "An operating system software package."
+ }
+ },
+ "requirement": "recommended"
+ },
"version": {
"description": "The software package version.",
"requirement": "required"
diff --git a/objects/policy.json b/objects/policy.json
index 698f50a25..928e5b979 100644
--- a/objects/policy.json
+++ b/objects/policy.json
@@ -26,7 +26,7 @@
"is_applied": {
"caption": "Applied",
"description": "A determination if the content of a policy was applied to a target or request, or not.",
- "type": "boolean_t"
+ "requirement": "recommended"
}
}
}
diff --git a/objects/process.json b/objects/process.json
index bebe45c14..82a4e04ca 100644
--- a/objects/process.json
+++ b/objects/process.json
@@ -26,32 +26,6 @@
"requirement": "optional"
},
"integrity_id": {
- "enum": {
- "0": {
- "caption": "Unknown"
- },
- "1": {
- "caption": "Untrusted"
- },
- "2": {
- "caption": "Low"
- },
- "3": {
- "caption": "Medium"
- },
- "4": {
- "caption": "High"
- },
- "5": {
- "caption": "System"
- },
- "6": {
- "caption": "Protected"
- },
- "99": {
- "caption": "Other"
- }
- },
"requirement": "optional"
},
"lineage": {
diff --git a/objects/product.json b/objects/product.json
index 31015d346..9211d5efd 100644
--- a/objects/product.json
+++ b/objects/product.json
@@ -10,7 +10,9 @@
"$include": [
"profiles/data_classification.json"
],
- "feature": {},
+ "feature": {
+ "requirement": "optional"
+ },
"cpe_name": {
"requirement": "optional"
},
@@ -21,13 +23,15 @@
"description": "The name of the product."
},
"path": {
- "description": "The installation path of the product."
+ "description": "The installation path of the product.",
+ "requirement": "optional"
},
"uid": {
"description": "The unique identifier of the product."
},
"url_string": {
- "description": "The URL pointing towards the product."
+ "description": "The URL pointing towards the product.",
+ "requirement": "optional"
},
"vendor_name": {
"description": "The name of the vendor of the product.",
diff --git a/objects/security_state.json b/objects/security_state.json
index 18222f4bf..3ba39de28 100644
--- a/objects/security_state.json
+++ b/objects/security_state.json
@@ -7,7 +7,7 @@
"state": {
"caption": "Security State",
"description": "The security state, normalized to the caption of the state_id value. In the case of 'Other', it is defined by the source.",
- "type": "string_t"
+ "requirement": "optional"
},
"state_id": {
"caption": "Security State ID",
@@ -113,7 +113,8 @@
"caption": "Compliance failure",
"description": "The entity is not compliant with the associated security policy."
}
- }
+ },
+ "requirement": "recommended"
}
}
}
diff --git a/objects/sub_technique.json b/objects/sub_technique.json
index 489e6954e..58bc3ec24 100644
--- a/objects/sub_technique.json
+++ b/objects/sub_technique.json
@@ -1,19 +1,19 @@
{
- "caption": "Sub Technique",
- "description": "The Sub Technique object describes the sub technique ID and/or name associated to an attack, as defined by ATT&CK MatrixTM.",
+ "caption": "MITRE ATT&CK® Sub Technique",
+ "description": "The MITRE ATT&CK® Sub Technique object describes the sub technique ID and/or name associated to an attack, as defined by ATT&CK® Matrix.",
"extends": "_entity",
"name": "sub_technique",
"attributes": {
"name": {
- "description": "The name of the attack sub technique, as defined by ATT&CK MatrixTM. For example: Scanning IP Blocks
.",
+ "description": "The name of the attack sub technique, as defined by ATT&CK® Matrix. For example: Scanning IP Blocks
.",
"requirement" : "optional"
},
"src_url": {
- "description": "The versioned permalink of the attack sub technique, as defined by ATT&CK MatrixTM. For example: https://attack.mitre.org/versions/v14/techniques/T1595/001/
.",
+ "description": "The versioned permalink of the attack sub technique, as defined by ATT&CK® Matrix. For example: https://attack.mitre.org/versions/v14/techniques/T1595/001/
.",
"requirement" : "optional"
},
"uid": {
- "description": "The unique identifier of the attack sub technique, as defined by ATT&CK MatrixTM. For example: T1595.001
.",
+ "description": "The unique identifier of the attack sub technique, as defined by ATT&CK® Matrix. For example: T1595.001
.",
"requirement" : "recommended"
}
}
diff --git a/objects/tactic.json b/objects/tactic.json
index ad11b9a3e..7ac86f3c5 100644
--- a/objects/tactic.json
+++ b/objects/tactic.json
@@ -1,19 +1,19 @@
{
- "caption": "Tactic",
- "description": "The Tactic object describes the tactic ID and/or name that is associated to an attack, as defined by ATT&CK MatrixTM.",
+ "caption": "MITRE ATT&CK® Tactic",
+ "description": "The MITRE ATT&CK® Tactic object describes the tactic ID and/or name that is associated to an attack, as defined by ATT&CK® Matrix.",
"extends": "_entity",
"name": "tactic",
"attributes": {
"name": {
- "description": "The tactic name that is associated with the attack technique, as defined by ATT&CK MatrixTM. For example: Reconnaissance
.",
+ "description": "The tactic name that is associated with the attack technique, as defined by ATT&CK® Matrix. For example: Reconnaissance
.",
"requirement" : "optional"
},
"src_url": {
- "description": "The versioned permalink of the attack tactic, as defined by ATT&CK MatrixTM. For example: https://attack.mitre.org/versions/v14/tactics/TA0043/
.",
+ "description": "The versioned permalink of the attack tactic, as defined by ATT&CK® Matrix. For example: https://attack.mitre.org/versions/v14/tactics/TA0043/
.",
"requirement" : "optional"
},
"uid": {
- "description": "The tactic ID that is associated with the attack technique, as defined by ATT&CK MatrixTM. For example: TA0043
.",
+ "description": "The tactic ID that is associated with the attack technique, as defined by ATT&CK® Matrix. For example: TA0043
.",
"requirement" : "recommended"
}
}
diff --git a/objects/technique.json b/objects/technique.json
index b5654a174..7811b97f6 100644
--- a/objects/technique.json
+++ b/objects/technique.json
@@ -1,18 +1,18 @@
{
- "caption": "Technique",
- "description": "The Technique object describes the technique ID and/or name associated to an attack, as defined by ATT&CK MatrixTM.",
+ "caption": "MITRE ATT&CK® Technique",
+ "description": "The MITRE ATT&CK® Technique object describes the technique ID and/or name associated to an attack, as defined by ATT&CK® Matrix.",
"extends": "_entity",
"name": "technique",
"attributes": {
"name": {
- "description": "The name of the attack technique, as defined by ATT&CK MatrixTM. For example: Active Scanning
."
+ "description": "The name of the attack technique, as defined by ATT&CK® Matrix. For example: Active Scanning
."
},
"src_url": {
- "description": "The versioned permalink of the attack technique, as defined by ATT&CK MatrixTM. For example: https://attack.mitre.org/versions/v14/techniques/T1595/
.",
+ "description": "The versioned permalink of the attack technique, as defined by ATT&CK® Matrix. For example: https://attack.mitre.org/versions/v14/techniques/T1595/
.",
"requirement" : "optional"
},
"uid": {
- "description": "The unique identifier of the attack technique, as defined by ATT&CK MatrixTM. For example: T1595
."
+ "description": "The unique identifier of the attack technique, as defined by ATT&CK® Matrix. For example: T1595
."
}
}
}
\ No newline at end of file
diff --git a/objects/ticket.json b/objects/ticket.json
new file mode 100644
index 000000000..995834996
--- /dev/null
+++ b/objects/ticket.json
@@ -0,0 +1,50 @@
+{
+ "caption": "Ticket",
+ "name": "ticket",
+ "description": "The Ticket object represents ticket in the customer's systems like Salesforce, jira etc.",
+ "extends": "object",
+ "attributes": {
+ "src_url": {
+ "description": "The url of a ticket in the ticket system.",
+ "requirement": "recommended"
+ },
+ "uid": {
+ "description": "Unique ticket identifier like ticket id.",
+ "requirement": "recommended"
+ },
+ "type": {
+ "caption": "Ticket Type",
+ "description": "The linked ticket type determines whether the ticket is internal or in an external ticketing system.",
+ "requirement": "optional"
+ },
+ "type_id": {
+ "caption": "Ticket Type ID",
+ "description": "The normalized identifier for the ticket type.",
+ "enum": {
+ "0": {
+ "caption": "Unknown"
+ },
+ "1": {
+ "caption": "Internal"
+ },
+ "2": {
+ "caption": "External"
+ },
+ "99": {
+ "caption": "Other"
+ }
+ },
+ "requirement": "optional"
+ },
+ "title": {
+ "description": "The title of the ticket.",
+ "requirement": "optional"
+ }
+ },
+ "constraints": {
+ "at_least_one": [
+ "src_url",
+ "uid"
+ ]
+ }
+}
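Review bot: The `type` description does not tie the string to `type_id`, so a reader cannot tell that it is the caption of the normalized value or what to put there for `Other`. Suggest `"description": "The ticket type, normalized to the caption of the type_id value. In the case of 'Other', it is defined by the source."`, matching the wording used for `type` in objects/package.json in this same diff. The object description would also read better as "represents a ticket in the customer's systems, such as Salesforce or Jira".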
diff --git a/objects/timespan.json b/objects/timespan.json
new file mode 100644
index 000000000..044df512d
--- /dev/null
+++ b/objects/timespan.json
@@ -0,0 +1,94 @@
+{
+ "caption": "Time Span",
+ "name": "timespan",
+ "description": "The Time Span object represents different time period durations. If a timespan is fractional, i.e. crosses one period, e.g. a week and 3 days, more than one may may be populated since each member is of integral type. In that case type_id
if present should be set to Other
.",
+ "extends": "object",
+ "attributes": {
+ "duration" : {
+ "description": "The duration of the time span in milliseconds.",
+ "requirement": "recommended"
+ },
+ "duration_days": {
+ "description": "The duration of the time span in days.",
+ "requirement": "recommended"
+ },
+ "duration_hours": {
+ "description": "The duration of the time span in hours.",
+ "requirement": "recommended"
+ },
+ "duration_mins": {
+ "description": "The duration of the time span in minutes.",
+ "requirement": "recommended"
+ },
+ "duration_months": {
+ "description": "The duration of the time span in months.",
+ "requirement": "recommended"
+ },
+ "duration_secs": {
+ "description": "The duration of the time span in seconds.",
+ "requirement": "recommended"
+ },
+ "duration_weeks": {
+ "description": "The duration of the time span in weeks.",
+ "requirement": "recommended"
+ },
+ "duration_years": {
+ "description": "The duration of the time span in years.",
+ "requirement": "recommended"
+ },
+ "type": {
+ "caption": "Time Span Type",
+ "description": "The type of time span duration the object represents.",
+ "requirement": "optional"
+ },
+ "type_id": {
+ "caption": "Time Span Type ID",
+ "description": "The normalized identifier for the time span duration type.",
+ "enum": {
+ "0": {
+ "caption": "Unknown"
+ },
+ "1": {
+ "caption": "Milliseconds"
+ },
+ "2": {
+ "caption": "Seconds"
+ },
+ "3": {
+ "caption": "Minutes"
+ },
+ "4": {
+ "caption": "Hours"
+ },
+ "5": {
+ "caption": "Days"
+ },
+ "6": {
+ "caption": "Weeks"
+ },
+ "7": {
+ "caption": "Months"
+ },
+ "8": {
+ "caption": "Years"
+ },
+ "99": {
+ "caption": "Other"
+ }
+ },
+ "requirement": "recommended"
+ }
+ },
+ "constraints": {
+ "at_least_one": [
+ "duration",
+ "duration_days",
+ "duration_hours",
+ "duration_mins",
+ "duration_months",
+ "duration_secs",
+ "duration_weeks",
+ "duration_years"
+ ]
+ }
+}
\ No newline at end of file
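Review bot: The description does not say whether the `duration_*` members are components to be summed or alternative expressions of the same span, and `duration` (milliseconds) is not distinguished from them. The "a week and 3 days" example implies components (`duration_weeks` = 1, `duration_days` = 3), but a consumer then cannot tell whether `duration` is the total or only a millisecond remainder, and months and years have no fixed length to convert with. If the intent is components, a sentence such as "duration is the total span in milliseconds; the other members are components that add up to it" would settle it. The description also contains a doubled word, "may may be populated".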
diff --git a/objects/url.json b/objects/url.json
index 7e2aa56f5..4e875d540 100644
--- a/objects/url.json
+++ b/objects/url.json
@@ -5,10 +5,16 @@
"extends": "object",
"name": "url",
"attributes": {
- "categories": {},
+ "categories": {
+ "requirement": "optional"
+ },
"category_ids": {
"requirement": "recommended"
},
+ "domain": {
+ "description": "The domain portion of the URL. For example: example.com
in https://sub.example.com
.",
+ "requirement": "optional"
+ },
"hostname": {
"description": "The URL host as extracted from the URL. For example: www.example.com
from www.example.com/download/trouble
.",
"requirement": "recommended"
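Review bot: The new `domain` description does not define which part of the host counts as "the domain". The example (`example.com` from `https://sub.example.com`) suggests the registrable domain, which cannot be derived by taking the last two labels for suffixes such as `co.uk`; producers that disagree will emit different values for the same URL, and domain-based matching will miss or over-match. Suggest stating the rule, for example "The registrable domain (public suffix plus one label) of the URL host", if that is the intent. The attribute list continues outside this hunk.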
@@ -25,7 +31,8 @@
"requirement": "recommended"
},
"resource_type": {
- "description": "The context in which a resource was retrieved in a web request."
+ "description": "The context in which a resource was retrieved in a web request.",
+ "requirement": "optional"
},
"scheme": {
"requirement": "recommended"
diff --git a/objects/user.json b/objects/user.json
index bfa1d11b1..5840b42e4 100644
--- a/objects/user.json
+++ b/objects/user.json
@@ -26,6 +26,9 @@
"description": "The administrative groups to which the user belongs.",
"requirement": "optional"
},
+ "has_mfa": {
+ "requirement": "recommended"
+ },
"ldap_person": {
"description": "The additional LDAP attributes that describe a person.",
"requirement": "optional"
@@ -39,6 +42,11 @@
"description": "Organization and org unit related to the user.",
"requirement": "optional"
},
+ "phone_number": {
+ "caption": "Telephone Number",
+ "description": "The telephone number of the user.",
+ "requirement": "optional"
+ },
"risk_level": {
"requirement": "optional"
},
@@ -78,7 +86,8 @@
},
"uid": {
"description": "The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.",
- "requirement": "recommended"
+ "requirement": "recommended",
+ "observable": 31
},
"uid_alt": {
"description": "The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.",
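Review bot: `"observable": 31` on `uid` is a bare type ID whose caption and uniqueness cannot be checked from this hunk. If 31 is already claimed elsewhere, or the observable `type_id` enum has no matching entry, user identifiers would be filed under the wrong observable type and pivots on them would miss or mix results. It is worth confirming the ID against the observable enum in this same change. I would also decide explicitly whether `uid_alt`, just below, should be registered as an observable too, since its description lists the same kind of identifier (user GUID, AWS Principal ID).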
diff --git a/objects/whois.json b/objects/whois.json
new file mode 100644
index 000000000..703ccdfc9
--- /dev/null
+++ b/objects/whois.json
@@ -0,0 +1,63 @@
+{
+ "caption":"WHOIS",
+ "description":"The resources of a WHOIS record for a given domain. This can include domain names, IP address blocks, autonomous system information, and/or contact and registration information for a domain.",
+ "extends":"object",
+ "name":"whois",
+ "attributes":{
+ "autonomous_system":{
+ "description":"The autonomous system information associated with a domain.",
+ "requirement":"optional"
+ },
+ "domain_contacts":{
+ "requirement":"recommended"
+ },
+ "created_time":{
+ "caption":"Registered At",
+ "description":"When the domain was registered or WHOIS entry was created.",
+ "requirement":"recommended"
+ },
+ "dnssec_status_id":{
+ "requirement":"recommended"
+ },
+ "dnssec_status":{
+ "requirement":"optional"
+ },
+ "domain":{
+ "requirement":"recommended"
+ },
+ "email_addr":{
+ "caption":"Registrar Abuse Email Address",
+ "description":"The email address for the registrar's abuse contact",
+ "requirement":"optional"
+ },
+ "last_seen_time":{
+ "caption":"Last Updated At",
+ "requirement":"recommended",
+ "description":"When the WHOIS record was last updated or seen at."
+ },
+ "name_servers":{
+ "requirement":"recommended"
+ },
+ "phone_number":{
+ "caption":"Registrar Abuse Phone Number",
+ "description":"The phone number for the registrar's abuse contact",
+ "requirement":"optional"
+ },
+ "registrar":{
+ "requirement":"recommended"
+ },
+ "status":{
+ "caption":"Domain Status",
+ "description":"The status of a domain and its ability to be transferred, e.g., clientTransferProhibited
.",
+ "requirement":"recommended"
+ },
+ "subdomains":{
+ "requirement":"optional"
+ },
+ "subnet":{
+ "caption":"Subnet Block",
+ "description":"The IP address block (CIDR) associated with a domain.",
+ "requirement":"optional"
+ }
+ }
+}
\ No newline at end of file
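Review bot: `last_seen_time` in the new `whois` object is captioned `Last Updated At` but described as `When the WHOIS record was last updated or seen at.`, which merges the registry's own update timestamp with the time a collector last observed the record. The two differ, and recency of a registration change is a common signal in domain triage, so consumers cannot tell which one a producer sent. I would narrow the description to one meaning, e.g. `When the WHOIS record was last updated by the registrar or registry.`, and carry the observation time in a separate attribute. `created_time` has the same ambiguity ("registered or WHOIS entry was created"). The `email_addr` and `phone_number` descriptions also lack the closing period that the other descriptions in the file have.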
diff --git a/ordering.pkl b/ordering.pkl
index b5e1b412b..7e239b546 100644
Binary files a/ordering.pkl and b/ordering.pkl differ
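Review bot: `ordering.pkl` changes as an opaque binary, so none of its new content can be reviewed in this diff. The `.pkl` extension suggests a Python pickle (inferred from the name only). If so, any tool that loads it with `pickle.load` executes whatever the file encodes, which matters in a schema repository that downstream tooling consumes. I would either regenerate the file in CI instead of committing it, or store the ordering as JSON alongside the other schema files. At minimum the PR description should say how the new blob was produced, so that it can be reproduced and compared.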
diff --git a/profiles/osint.json b/profiles/osint.json
new file mode 100644
index 000000000..f4162cc5a
--- /dev/null
+++ b/profiles/osint.json
@@ -0,0 +1,12 @@
+{
+ "description": "The OSINT (Open Source Intelligence) profile contains one or more indicators and associated analysis and details, such as registrar (WHOIS) information and commentary about a hostname, or information about a digital certificate and its usage within a campaign. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers within the profile itself.",
+ "meta": "profile",
+ "caption": "OSINT",
+ "name": "osint",
+ "attributes": {
+ "osint": {
+ "requirement": "required",
+ "group": "primary"
+ }
+ }
+}
\ No newline at end of file
diff --git a/profiles/security_control.json b/profiles/security_control.json
index 1f3a50c3e..463210d60 100644
--- a/profiles/security_control.json
+++ b/profiles/security_control.json
@@ -41,125 +41,7 @@
"requirement": "optional"
},
"disposition_id": {
- "requirement": "recommended",
- "enum": {
- "99": {
- "caption": "Other",
- "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
- },
- "0": {
- "caption": "Unknown",
- "description": "The disposition was not known."
- },
- "1": {
- "caption": "Allowed",
- "description": "Granted access or allowed the action to the protected resource."
- },
- "2": {
- "caption": "Blocked",
- "description": "Denied access or blocked the action to the protected resource."
- },
- "3": {
- "caption": "Quarantined",
- "description": "A suspicious file or other content was moved to a benign location."
- },
- "4": {
- "caption": "Isolated",
- "description": "A session was isolated on the network or within a browser."
- },
- "5": {
- "caption": "Deleted",
- "description": "A file or other content was deleted."
- },
- "6": {
- "caption": "Dropped",
- "description": "The request was detected as a threat and resulted in the connection being dropped."
- },
- "7": {
- "caption": "Custom Action",
- "description": "A custom action was executed such as running of a command script. Use the message
attribute of the base class for details."
- },
- "8": {
- "caption": "Approved",
- "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
- },
- "9": {
- "caption": "Restored",
- "description": "A quarantined file or other content was restored to its original location."
- },
- "10": {
- "caption": "Exonerated",
- "description": "A suspicious or risky entity was deemed to no longer be suspicious (re-scored)."
- },
- "11": {
- "caption": "Corrected",
- "description": "A corrupt file or configuration was corrected."
- },
- "12": {
- "caption": "Partially Corrected",
- "description": "A corrupt file or configuration was partially corrected."
- },
- "13": {
- "caption": "Uncorrected",
- "description": "A corrupt file or configuration was not corrected."
- },
- "14": {
- "caption": "Delayed",
- "description": "An operation was delayed, for example if a restart was required to finish the operation."
- },
- "15": {
- "caption": "Detected",
- "description": "Suspicious activity or a policy violation was detected without further action."
- },
- "16": {
- "caption": "No Action",
- "description": "The outcome of an operation had no action taken."
- },
- "17": {
- "caption": "Logged",
- "description": "The operation or action was logged without further action."
- },
- "18": {
- "caption": "Tagged",
- "description": "A file or other entity was marked with extended attributes."
- },
- "19": {
- "caption": "Alert",
- "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
- },
- "20": {
- "caption": "Count",
- "description": "Counted the request or activity but did not determine whether to allow it or block it."
- },
- "21": {
- "caption": "Reset",
- "description": "The request was detected as a threat and resulted in the connection being reset."
- },
- "22": {
- "caption": "Captcha",
- "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
- },
- "23": {
- "caption": "Challenge",
- "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
- },
- "24": {
- "caption": "Access Revoked",
- "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the Host
profile if the User
or Actor
requestor is not present in the event class."
- },
- "25": {
- "caption": "Rejected",
- "description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2
'Blocked'."
- },
- "26": {
- "caption": "Unauthorized",
- "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2
'Blocked' and can be complemented with the authorizations
attribute for more detail."
- },
- "27": {
- "caption": "Error",
- "description": "An error occurred during the processing of the activity or request. Use the message
attribute of the base class for details."
- }
- }
+ "requirement": "recommended"
},
"firewall_rule": {
"requirement": "optional"
diff --git a/version.json b/version.json
index a15e91ff5..b23367d4e 100644
--- a/version.json
+++ b/version.json
@@ -1,3 +1,3 @@
{
- "version": "1.2.0"
+ "version": "1.3.0"
}