Description
- Store sightings in OpenSearch
- Event activity sparkline chart
- Attribute activity sparkline chart
Tentative schema (shown with inline comments, so not strict JSON):
{
"@timestamp": "2025-06-11T19:00:00Z",
"attribute_uuid": "a490d0f6-a629-4476-b111-8192f9bbcd9c",
"event_uuid": "094cecb9-2bd0-4c15-97f1-21373601b364",
"sighting_type": "positive", // one of "positive", "false-positive", "expired"
"observer": {
"source": "sensor-01.internal.net", // where the sighting was observed
"organization": "Acme Corp" // optional; set when more than one organization reports sightings
},
"metadata": {
"sensor_type": "zeek",
"confidence": 90,
"details": "Observed during DNS resolution",
"tags": ["dns", "automated"]
}
}