Posted to commits@rocketmq.apache.org by ji...@apache.org on 2021/08/02 11:19:26 UTC

[rocketmq-streams] 24/27: delete target directory

This is an automated email from the ASF dual-hosted git repository.

jinrongtong pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/rocketmq-streams.git

commit 513deafd5159264fd5af9b8aa5f0c8637c4ef0eb
Author: xstorm1 <xs...@live.cn>
AuthorDate: Mon Aug 2 16:26:32 2021 +0800

    delete target directory
---
 .../rocketmq-streams-channel-rocketmq.iml          |   74 -
 ....streams.common.channel.builder.IChannelBuilder |    1 -
 .../rocketmq/streams/RocketMQChannelBuilder.class  |  Bin 3971 -> 0 bytes
 .../apache/rocketmq/streams/RocketMQOffset.class   |  Bin 3628 -> 0 bytes
 .../streams/queue/RocketMQMessageQueue.class       |  Bin 3849 -> 0 bytes
 .../rocketmq/streams/sink/RocketMQSink$1.class     |  Bin 2040 -> 0 bytes
 .../rocketmq/streams/sink/RocketMQSink.class       |  Bin 10455 -> 0 bytes
 .../rocketmq/streams/source/RocketMQSource$1.class |  Bin 3170 -> 0 bytes
 .../rocketmq/streams/source/RocketMQSource.class   |  Bin 12146 -> 0 bytes
 .../target/maven-archiver/pom.properties           |    5 -
 ...ams-channel-rocketmq-2.0.0-SNAPSHOT-sources.jar |  Bin 13382 -> 0 bytes
 ...tmq-streams-channel-rocketmq-2.0.0-SNAPSHOT.jar |  Bin 20715 -> 0 bytes
 .../rocketmq-streams-serviceloader.iml             |   61 -
 ...ams.serviceloader.namefinder.IServiceNameGetter |    1 -
 .../component/ServiceLoaderComponent.properties    |    1 -
 .../serviceloader/IServiceLoaderService.class      |  Bin 413 -> 0 bytes
 .../serviceloader/ServiceLoaderComponent.class     |  Bin 6038 -> 0 bytes
 .../namefinder/IServiceNameGetter.class            |  Bin 235 -> 0 bytes
 .../impl/AnnotationServiceNameGetter.class         |  Bin 1138 -> 0 bytes
 .../streams/serviceloader/utils/FileUtil.class     |  Bin 3352 -> 0 bytes
 .../target/maven-archiver/pom.properties           |    5 -
 ...treams-serviceloader-2.0.0-SNAPSHOT-sources.jar |  Bin 8077 -> 0 bytes
 ...cketmq-streams-serviceloader-2.0.0-SNAPSHOT.jar |  Bin 9883 -> 0 bytes
 .../target/test-classes/log4j.xml                  |   20 -
 .../serviceloader/ServiceLoaderComponentTest.class |  Bin 1558 -> 0 bytes
 .../rocketmq-streams-window.iml                    |   82 -
 rocketmq-streams-window/target/classes/dipper.cs   | 2892 --------------------
 .../target/classes/dipper.properties               |   21 -
 .../streams/window/builder/WindowBuilder.class     |  Bin 3057 -> 0 bytes
 .../streams/window/model/FunctionExecutor.class    |  Bin 1591 -> 0 bytes
 .../streams/window/model/WindowCache.class         |  Bin 6328 -> 0 bytes
 .../streams/window/model/WindowInstance.class      |  Bin 14044 -> 0 bytes
 .../window/offset/IWindowMaxValueManager.class     |  Bin 1137 -> 0 bytes
 .../streams/window/offset/WindowMaxValue.class     |  Bin 2113 -> 0 bytes
 .../window/offset/WindowMaxValueManager.class      |  Bin 9412 -> 0 bytes
 .../window/operator/AbstractShuffleWindow.class    |  Bin 4175 -> 0 bytes
 .../streams/window/operator/AbstractWindow$1.class |  Bin 1063 -> 0 bytes
 .../streams/window/operator/AbstractWindow.class   |  Bin 29704 -> 0 bytes
 .../streams/window/operator/impl/OverWindow.class  |  Bin 5387 -> 0 bytes
 .../window/operator/impl/SessionWindow.class       |  Bin 13002 -> 0 bytes
 .../window/operator/impl/WindowOperator$1.class    |  Bin 1944 -> 0 bytes
 .../impl/WindowOperator$WindowRowOperator.class    |  Bin 3973 -> 0 bytes
 .../window/operator/impl/WindowOperator.class      |  Bin 17416 -> 0 bytes
 .../streams/window/operator/join/DBOperator.class  |  Bin 16903 -> 0 bytes
 .../window/operator/join/JoinWindow$1.class        |  Bin 2931 -> 0 bytes
 .../window/operator/join/JoinWindow$2.class        |  Bin 2870 -> 0 bytes
 .../streams/window/operator/join/JoinWindow.class  |  Bin 21377 -> 0 bytes
 .../streams/window/operator/join/Operator.class    |  Bin 2912 -> 0 bytes
 .../window/shuffle/AbstractSystemChannel.class     |  Bin 11888 -> 0 bytes
 .../ShuffleChannel$ShuffleOutputDataSource.class   |  Bin 5054 -> 0 bytes
 .../streams/window/shuffle/ShuffleChannel.class    |  Bin 22485 -> 0 bytes
 .../window/source/WindowRireSource$1$1.class       |  Bin 1524 -> 0 bytes
 .../streams/window/source/WindowRireSource$1.class |  Bin 2346 -> 0 bytes
 .../WindowRireSource$WindowInstanceCache$1$1.class |  Bin 1833 -> 0 bytes
 .../WindowRireSource$WindowInstanceCache$1.class   |  Bin 2199 -> 0 bytes
 .../WindowRireSource$WindowInstanceCache.class     |  Bin 1592 -> 0 bytes
 .../streams/window/source/WindowRireSource.class   |  Bin 8081 -> 0 bytes
 .../streams/window/state/WindowBaseValue.class     |  Bin 4083 -> 0 bytes
 .../streams/window/state/impl/JoinLeftState.class  |  Bin 395 -> 0 bytes
 .../streams/window/state/impl/JoinRightState.class |  Bin 398 -> 0 bytes
 .../streams/window/state/impl/JoinState.class      |  Bin 1943 -> 0 bytes
 .../streams/window/state/impl/WindowValue$1.class  |  Bin 930 -> 0 bytes
 .../streams/window/state/impl/WindowValue.class    |  Bin 23728 -> 0 bytes
 .../window/storage/AbstractWindowStorage$1.class   |  Bin 2596 -> 0 bytes
 .../window/storage/AbstractWindowStorage.class     |  Bin 6724 -> 0 bytes
 .../streams/window/storage/ICommonStorage.class    |  Bin 968 -> 0 bytes
 .../streams/window/storage/IKeyGenerator.class     |  Bin 193 -> 0 bytes
 .../window/storage/IShufflePartitionManager.class  |  Bin 642 -> 0 bytes
 .../rocketmq/streams/window/storage/IStorage.class |  Bin 2875 -> 0 bytes
 .../streams/window/storage/IWindowStorage.class    |  Bin 2282 -> 0 bytes
 .../window/storage/ShufflePartitionManager.class   |  Bin 2851 -> 0 bytes
 .../streams/window/storage/StorageManager.class    |  Bin 353 -> 0 bytes
 .../streams/window/storage/WindowStorage$1.class   |  Bin 1402 -> 0 bytes
 .../WindowStorage$WindowBaseValueIterator.class    |  Bin 980 -> 0 bytes
 .../streams/window/storage/WindowStorage.class     |  Bin 7364 -> 0 bytes
 .../streams/window/storage/db/DBStorage$1.class    |  Bin 1523 -> 0 bytes
 .../window/storage/db/DBStorage$DBIterator.class   |  Bin 4299 -> 0 bytes
 .../streams/window/storage/db/DBStorage.class      |  Bin 7161 -> 0 bytes
 .../window/storage/file/FileStorage$1.class        |  Bin 2620 -> 0 bytes
 .../streams/window/storage/file/FileStorage.class  |  Bin 9198 -> 0 bytes
 .../rocksdb/RocksdbStorage$LocalIterator.class     |  Bin 3346 -> 0 bytes
 .../window/storage/rocksdb/RocksdbStorage.class    |  Bin 11737 -> 0 bytes
 .../target/maven-archiver/pom.properties           |    5 -
 ...ketmq-streams-window-2.0.0-SNAPSHOT-sources.jar |  Bin 357527 -> 0 bytes
 .../rocketmq-streams-window-2.0.0-SNAPSHOT.jar     |  Bin 403392 -> 0 bytes
 .../target/test-classes/log4j.xml                  |   20 -
 86 files changed, 3188 deletions(-)

diff --git a/rocketmq-streams-channel-rocketmq/rocketmq-streams-channel-rocketmq.iml b/rocketmq-streams-channel-rocketmq/rocketmq-streams-channel-rocketmq.iml
deleted file mode 100644
index d0b5aa3..0000000
--- a/rocketmq-streams-channel-rocketmq/rocketmq-streams-channel-rocketmq.iml
+++ /dev/null
@@ -1,74 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<module org.jetbrains.idea.maven.project.MavenProjectsManager.isMavenModule="true" type="JAVA_MODULE" version="4">
-  <component name="NewModuleRootManager" LANGUAGE_LEVEL="JDK_1_8">
-    <output url="file://$MODULE_DIR$/target/classes" />
-    <output-test url="file://$MODULE_DIR$/target/test-classes" />
-    <content url="file://$MODULE_DIR$">
-      <sourceFolder url="file://$MODULE_DIR$/src/main/java" isTestSource="false" />
-      <sourceFolder url="file://$MODULE_DIR$/src/test/java" isTestSource="true" />
-      <excludeFolder url="file://$MODULE_DIR$/target" />
-    </content>
-    <orderEntry type="inheritedJdk" />
-    <orderEntry type="sourceFolder" forTests="false" />
-    <orderEntry type="module" module-name="rocketmq-streams-commons" />
-    <orderEntry type="library" name="Maven: org.apache.commons:commons-lang3:3.11" level="project" />
-    <orderEntry type="library" name="Maven: com.alibaba:fastjson:1.2.27" level="project" />
-    <orderEntry type="library" name="Maven: commons-logging:commons-logging:1.1" level="project" />
-    <orderEntry type="library" name="Maven: logkit:logkit:1.0.1" level="project" />
-    <orderEntry type="library" name="Maven: avalon-framework:avalon-framework:4.1.3" level="project" />
-    <orderEntry type="library" name="Maven: javax.servlet:servlet-api:2.3" level="project" />
-    <orderEntry type="library" name="Maven: commons-io:commons-io:2.5" level="project" />
-    <orderEntry type="library" name="Maven: com.google.code.gson:gson:2.8.5" level="project" />
-    <orderEntry type="library" name="Maven: com.google.auto.service:auto-service:1.0-rc5" level="project" />
-    <orderEntry type="library" name="Maven: com.google.auto.service:auto-service-annotations:1.0-rc5" level="project" />
-    <orderEntry type="library" name="Maven: com.google.auto:auto-common:0.10" level="project" />
-    <orderEntry type="library" name="Maven: com.google.guava:guava:25.1-jre" level="project" />
-    <orderEntry type="library" name="Maven: com.google.code.findbugs:jsr305:3.0.2" level="project" />
-    <orderEntry type="library" name="Maven: org.checkerframework:checker-qual:2.0.0" level="project" />
-    <orderEntry type="library" name="Maven: com.google.errorprone:error_prone_annotations:2.1.3" level="project" />
-    <orderEntry type="library" name="Maven: com.google.j2objc:j2objc-annotations:1.1" level="project" />
-    <orderEntry type="library" name="Maven: org.codehaus.mojo:animal-sniffer-annotations:1.14" level="project" />
-    <orderEntry type="library" name="Maven: com.lmax:disruptor:3.2.0" level="project" />
-    <orderEntry type="library" name="Maven: com.gliwka.hyperscan:hyperscan:5.4.0-2.0.0" level="project" />
-    <orderEntry type="library" name="Maven: com.gliwka.hyperscan:native:5.4.0-1.0.0" level="project" />
-    <orderEntry type="library" name="Maven: com.gliwka.hyperscan:native:linux-x86_64:5.4.0-1.0.0" level="project" />
-    <orderEntry type="library" name="Maven: com.gliwka.hyperscan:native:windows-x86_64:5.4.0-1.0.0" level="project" />
-    <orderEntry type="library" name="Maven: com.gliwka.hyperscan:native:macosx-x86_64:5.4.0-1.0.0" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp-platform:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:android-arm:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:android-arm64:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:android-x86:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:android-x86_64:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:ios-arm64:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:ios-x86_64:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:linux-armhf:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:linux-arm64:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:linux-ppc64le:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:linux-x86:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:linux-x86_64:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:macosx-x86_64:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:windows-x86:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:windows-x86_64:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: net.java.dev.jna:platform:3.5.2" level="project" />
-    <orderEntry type="library" name="Maven: net.java.dev.jna:jna:3.5.2" level="project" />
-    <orderEntry type="module" module-name="rocketmq-streams-serviceloader" />
-    <orderEntry type="library" name="Maven: org.apache.rocketmq:rocketmq-client:4.5.2" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.rocketmq:rocketmq-common:4.5.2" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.rocketmq:rocketmq-acl:4.5.2" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.rocketmq:rocketmq-remoting:4.5.2" level="project" />
-    <orderEntry type="library" name="Maven: io.netty:netty-all:4.0.42.Final" level="project" />
-    <orderEntry type="library" name="Maven: io.netty:netty-tcnative-boringssl-static:1.1.33.Fork26" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.rocketmq:rocketmq-logging:4.5.2" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.rocketmq:rocketmq-srvutil:4.5.2" level="project" />
-    <orderEntry type="library" name="Maven: commons-cli:commons-cli:1.2" level="project" />
-    <orderEntry type="library" name="Maven: org.yaml:snakeyaml:1.19" level="project" />
-    <orderEntry type="library" name="Maven: commons-codec:commons-codec:1.9" level="project" />
-    <orderEntry type="library" scope="TEST" name="Maven: junit:junit:4.12" level="project" />
-    <orderEntry type="library" scope="TEST" name="Maven: org.hamcrest:hamcrest-core:1.3" level="project" />
-    <orderEntry type="library" name="Maven: org.slf4j:slf4j-api:1.7.7" level="project" />
-    <orderEntry type="library" name="Maven: org.slf4j:jcl-over-slf4j:1.7.7" level="project" />
-    <orderEntry type="library" name="Maven: org.slf4j:slf4j-log4j12:1.7.7" level="project" />
-    <orderEntry type="library" name="Maven: log4j:log4j:1.2.17" level="project" />
-  </component>
-</module>
\ No newline at end of file
diff --git a/rocketmq-streams-channel-rocketmq/target/classes/META-INF/services/org.apache.rocketmq.streams.common.channel.builder.IChannelBuilder b/rocketmq-streams-channel-rocketmq/target/classes/META-INF/services/org.apache.rocketmq.streams.common.channel.builder.IChannelBuilder
deleted file mode 100644
index fb9e053..0000000
--- a/rocketmq-streams-channel-rocketmq/target/classes/META-INF/services/org.apache.rocketmq.streams.common.channel.builder.IChannelBuilder
+++ /dev/null
@@ -1 +0,0 @@
-org.apache.rocketmq.streams.RocketMQChannelBuilder
diff --git a/rocketmq-streams-channel-rocketmq/target/classes/org/apache/rocketmq/streams/RocketMQChannelBuilder.class b/rocketmq-streams-channel-rocketmq/target/classes/org/apache/rocketmq/streams/RocketMQChannelBuilder.class
deleted file mode 100644
index bcd8f08..0000000
Binary files a/rocketmq-streams-channel-rocketmq/target/classes/org/apache/rocketmq/streams/RocketMQChannelBuilder.class and /dev/null differ
diff --git a/rocketmq-streams-channel-rocketmq/target/classes/org/apache/rocketmq/streams/RocketMQOffset.class b/rocketmq-streams-channel-rocketmq/target/classes/org/apache/rocketmq/streams/RocketMQOffset.class
deleted file mode 100644
index b1f45cf..0000000
Binary files a/rocketmq-streams-channel-rocketmq/target/classes/org/apache/rocketmq/streams/RocketMQOffset.class and /dev/null differ
diff --git a/rocketmq-streams-channel-rocketmq/target/classes/org/apache/rocketmq/streams/queue/RocketMQMessageQueue.class b/rocketmq-streams-channel-rocketmq/target/classes/org/apache/rocketmq/streams/queue/RocketMQMessageQueue.class
deleted file mode 100644
index a9c8a39..0000000
Binary files a/rocketmq-streams-channel-rocketmq/target/classes/org/apache/rocketmq/streams/queue/RocketMQMessageQueue.class and /dev/null differ
diff --git a/rocketmq-streams-channel-rocketmq/target/classes/org/apache/rocketmq/streams/sink/RocketMQSink$1.class b/rocketmq-streams-channel-rocketmq/target/classes/org/apache/rocketmq/streams/sink/RocketMQSink$1.class
deleted file mode 100644
index b2f09df..0000000
Binary files a/rocketmq-streams-channel-rocketmq/target/classes/org/apache/rocketmq/streams/sink/RocketMQSink$1.class and /dev/null differ
diff --git a/rocketmq-streams-channel-rocketmq/target/classes/org/apache/rocketmq/streams/sink/RocketMQSink.class b/rocketmq-streams-channel-rocketmq/target/classes/org/apache/rocketmq/streams/sink/RocketMQSink.class
deleted file mode 100644
index 12fbfb1..0000000
Binary files a/rocketmq-streams-channel-rocketmq/target/classes/org/apache/rocketmq/streams/sink/RocketMQSink.class and /dev/null differ
diff --git a/rocketmq-streams-channel-rocketmq/target/classes/org/apache/rocketmq/streams/source/RocketMQSource$1.class b/rocketmq-streams-channel-rocketmq/target/classes/org/apache/rocketmq/streams/source/RocketMQSource$1.class
deleted file mode 100644
index e9fe35c..0000000
Binary files a/rocketmq-streams-channel-rocketmq/target/classes/org/apache/rocketmq/streams/source/RocketMQSource$1.class and /dev/null differ
diff --git a/rocketmq-streams-channel-rocketmq/target/classes/org/apache/rocketmq/streams/source/RocketMQSource.class b/rocketmq-streams-channel-rocketmq/target/classes/org/apache/rocketmq/streams/source/RocketMQSource.class
deleted file mode 100644
index e186384..0000000
Binary files a/rocketmq-streams-channel-rocketmq/target/classes/org/apache/rocketmq/streams/source/RocketMQSource.class and /dev/null differ
diff --git a/rocketmq-streams-channel-rocketmq/target/maven-archiver/pom.properties b/rocketmq-streams-channel-rocketmq/target/maven-archiver/pom.properties
deleted file mode 100644
index a605b53..0000000
--- a/rocketmq-streams-channel-rocketmq/target/maven-archiver/pom.properties
+++ /dev/null
@@ -1,5 +0,0 @@
-#Generated by Maven
-#Fri Jul 30 11:10:37 CST 2021
-version=2.0.0-SNAPSHOT
-groupId=org.apache.rocketmq
-artifactId=rocketmq-streams-channel-rocketmq
diff --git a/rocketmq-streams-channel-rocketmq/target/rocketmq-streams-channel-rocketmq-2.0.0-SNAPSHOT-sources.jar b/rocketmq-streams-channel-rocketmq/target/rocketmq-streams-channel-rocketmq-2.0.0-SNAPSHOT-sources.jar
deleted file mode 100644
index 6a2ed7f..0000000
Binary files a/rocketmq-streams-channel-rocketmq/target/rocketmq-streams-channel-rocketmq-2.0.0-SNAPSHOT-sources.jar and /dev/null differ
diff --git a/rocketmq-streams-channel-rocketmq/target/rocketmq-streams-channel-rocketmq-2.0.0-SNAPSHOT.jar b/rocketmq-streams-channel-rocketmq/target/rocketmq-streams-channel-rocketmq-2.0.0-SNAPSHOT.jar
deleted file mode 100644
index 333a58d..0000000
Binary files a/rocketmq-streams-channel-rocketmq/target/rocketmq-streams-channel-rocketmq-2.0.0-SNAPSHOT.jar and /dev/null differ
diff --git a/rocketmq-streams-serviceloader/rocketmq-streams-serviceloader.iml b/rocketmq-streams-serviceloader/rocketmq-streams-serviceloader.iml
deleted file mode 100644
index 5a29414..0000000
--- a/rocketmq-streams-serviceloader/rocketmq-streams-serviceloader.iml
+++ /dev/null
@@ -1,61 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<module org.jetbrains.idea.maven.project.MavenProjectsManager.isMavenModule="true" type="JAVA_MODULE" version="4">
-  <component name="NewModuleRootManager" LANGUAGE_LEVEL="JDK_1_8">
-    <output url="file://$MODULE_DIR$/target/classes" />
-    <output-test url="file://$MODULE_DIR$/target/test-classes" />
-    <content url="file://$MODULE_DIR$">
-      <sourceFolder url="file://$MODULE_DIR$/src/main/java" isTestSource="false" />
-      <sourceFolder url="file://$MODULE_DIR$/src/main/resources" type="java-resource" />
-      <sourceFolder url="file://$MODULE_DIR$/src/test/java" isTestSource="true" />
-      <sourceFolder url="file://$MODULE_DIR$/src/test/resources" type="java-test-resource" />
-      <excludeFolder url="file://$MODULE_DIR$/target" />
-    </content>
-    <orderEntry type="inheritedJdk" />
-    <orderEntry type="sourceFolder" forTests="false" />
-    <orderEntry type="module" module-name="rocketmq-streams-commons" />
-    <orderEntry type="library" name="Maven: org.apache.commons:commons-lang3:3.11" level="project" />
-    <orderEntry type="library" name="Maven: junit:junit:4.12" level="project" />
-    <orderEntry type="library" name="Maven: org.hamcrest:hamcrest-core:1.3" level="project" />
-    <orderEntry type="library" name="Maven: com.alibaba:fastjson:1.2.27" level="project" />
-    <orderEntry type="library" name="Maven: commons-logging:commons-logging:1.1" level="project" />
-    <orderEntry type="library" name="Maven: logkit:logkit:1.0.1" level="project" />
-    <orderEntry type="library" name="Maven: avalon-framework:avalon-framework:4.1.3" level="project" />
-    <orderEntry type="library" name="Maven: javax.servlet:servlet-api:2.3" level="project" />
-    <orderEntry type="library" name="Maven: commons-io:commons-io:2.5" level="project" />
-    <orderEntry type="library" name="Maven: log4j:log4j:1.2.17" level="project" />
-    <orderEntry type="library" name="Maven: com.google.code.gson:gson:2.8.5" level="project" />
-    <orderEntry type="library" name="Maven: com.google.auto.service:auto-service:1.0-rc5" level="project" />
-    <orderEntry type="library" name="Maven: com.google.auto.service:auto-service-annotations:1.0-rc5" level="project" />
-    <orderEntry type="library" name="Maven: com.google.auto:auto-common:0.10" level="project" />
-    <orderEntry type="library" name="Maven: com.google.guava:guava:25.1-jre" level="project" />
-    <orderEntry type="library" name="Maven: com.google.code.findbugs:jsr305:3.0.2" level="project" />
-    <orderEntry type="library" name="Maven: org.checkerframework:checker-qual:2.0.0" level="project" />
-    <orderEntry type="library" name="Maven: com.google.errorprone:error_prone_annotations:2.1.3" level="project" />
-    <orderEntry type="library" name="Maven: com.google.j2objc:j2objc-annotations:1.1" level="project" />
-    <orderEntry type="library" name="Maven: org.codehaus.mojo:animal-sniffer-annotations:1.14" level="project" />
-    <orderEntry type="library" name="Maven: com.lmax:disruptor:3.2.0" level="project" />
-    <orderEntry type="library" name="Maven: com.gliwka.hyperscan:hyperscan:5.4.0-2.0.0" level="project" />
-    <orderEntry type="library" name="Maven: com.gliwka.hyperscan:native:5.4.0-1.0.0" level="project" />
-    <orderEntry type="library" name="Maven: com.gliwka.hyperscan:native:linux-x86_64:5.4.0-1.0.0" level="project" />
-    <orderEntry type="library" name="Maven: com.gliwka.hyperscan:native:windows-x86_64:5.4.0-1.0.0" level="project" />
-    <orderEntry type="library" name="Maven: com.gliwka.hyperscan:native:macosx-x86_64:5.4.0-1.0.0" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp-platform:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:android-arm:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:android-arm64:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:android-x86:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:android-x86_64:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:ios-arm64:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:ios-x86_64:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:linux-armhf:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:linux-arm64:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:linux-ppc64le:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:linux-x86:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:linux-x86_64:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:macosx-x86_64:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:windows-x86:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:windows-x86_64:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: net.java.dev.jna:platform:3.5.2" level="project" />
-    <orderEntry type="library" name="Maven: net.java.dev.jna:jna:3.5.2" level="project" />
-  </component>
-</module>
\ No newline at end of file
diff --git a/rocketmq-streams-serviceloader/target/classes/META-INF/services/org.apache.rocketmq.streams.serviceloader.namefinder.IServiceNameGetter b/rocketmq-streams-serviceloader/target/classes/META-INF/services/org.apache.rocketmq.streams.serviceloader.namefinder.IServiceNameGetter
deleted file mode 100644
index 30fdc46..0000000
--- a/rocketmq-streams-serviceloader/target/classes/META-INF/services/org.apache.rocketmq.streams.serviceloader.namefinder.IServiceNameGetter
+++ /dev/null
@@ -1 +0,0 @@
-org.apache.rocketmq.streams.serviceloader.namefinder.impl.AnnotationServiceNameGetter
diff --git a/rocketmq-streams-serviceloader/target/classes/component/ServiceLoaderComponent.properties b/rocketmq-streams-serviceloader/target/classes/component/ServiceLoaderComponent.properties
deleted file mode 100644
index 0f1b2bb..0000000
--- a/rocketmq-streams-serviceloader/target/classes/component/ServiceLoaderComponent.properties
+++ /dev/null
@@ -1 +0,0 @@
-#serviceName=class.getName()
\ No newline at end of file
diff --git a/rocketmq-streams-serviceloader/target/classes/org/apache/rocketmq/streams/serviceloader/IServiceLoaderService.class b/rocketmq-streams-serviceloader/target/classes/org/apache/rocketmq/streams/serviceloader/IServiceLoaderService.class
deleted file mode 100644
index bb8c29e..0000000
Binary files a/rocketmq-streams-serviceloader/target/classes/org/apache/rocketmq/streams/serviceloader/IServiceLoaderService.class and /dev/null differ
diff --git a/rocketmq-streams-serviceloader/target/classes/org/apache/rocketmq/streams/serviceloader/ServiceLoaderComponent.class b/rocketmq-streams-serviceloader/target/classes/org/apache/rocketmq/streams/serviceloader/ServiceLoaderComponent.class
deleted file mode 100644
index 3831e75..0000000
Binary files a/rocketmq-streams-serviceloader/target/classes/org/apache/rocketmq/streams/serviceloader/ServiceLoaderComponent.class and /dev/null differ
diff --git a/rocketmq-streams-serviceloader/target/classes/org/apache/rocketmq/streams/serviceloader/namefinder/IServiceNameGetter.class b/rocketmq-streams-serviceloader/target/classes/org/apache/rocketmq/streams/serviceloader/namefinder/IServiceNameGetter.class
deleted file mode 100644
index 84de58a..0000000
Binary files a/rocketmq-streams-serviceloader/target/classes/org/apache/rocketmq/streams/serviceloader/namefinder/IServiceNameGetter.class and /dev/null differ
diff --git a/rocketmq-streams-serviceloader/target/classes/org/apache/rocketmq/streams/serviceloader/namefinder/impl/AnnotationServiceNameGetter.class b/rocketmq-streams-serviceloader/target/classes/org/apache/rocketmq/streams/serviceloader/namefinder/impl/AnnotationServiceNameGetter.class
deleted file mode 100644
index 193c479..0000000
Binary files a/rocketmq-streams-serviceloader/target/classes/org/apache/rocketmq/streams/serviceloader/namefinder/impl/AnnotationServiceNameGetter.class and /dev/null differ
diff --git a/rocketmq-streams-serviceloader/target/classes/org/apache/rocketmq/streams/serviceloader/utils/FileUtil.class b/rocketmq-streams-serviceloader/target/classes/org/apache/rocketmq/streams/serviceloader/utils/FileUtil.class
deleted file mode 100644
index e3b051c..0000000
Binary files a/rocketmq-streams-serviceloader/target/classes/org/apache/rocketmq/streams/serviceloader/utils/FileUtil.class and /dev/null differ
diff --git a/rocketmq-streams-serviceloader/target/maven-archiver/pom.properties b/rocketmq-streams-serviceloader/target/maven-archiver/pom.properties
deleted file mode 100644
index 037c58d..0000000
--- a/rocketmq-streams-serviceloader/target/maven-archiver/pom.properties
+++ /dev/null
@@ -1,5 +0,0 @@
-#Generated by Maven
-#Fri Jul 30 11:10:32 CST 2021
-version=2.0.0-SNAPSHOT
-groupId=org.apache.rocketmq
-artifactId=rocketmq-streams-serviceloader
diff --git a/rocketmq-streams-serviceloader/target/rocketmq-streams-serviceloader-2.0.0-SNAPSHOT-sources.jar b/rocketmq-streams-serviceloader/target/rocketmq-streams-serviceloader-2.0.0-SNAPSHOT-sources.jar
deleted file mode 100644
index 1695e65..0000000
Binary files a/rocketmq-streams-serviceloader/target/rocketmq-streams-serviceloader-2.0.0-SNAPSHOT-sources.jar and /dev/null differ
diff --git a/rocketmq-streams-serviceloader/target/rocketmq-streams-serviceloader-2.0.0-SNAPSHOT.jar b/rocketmq-streams-serviceloader/target/rocketmq-streams-serviceloader-2.0.0-SNAPSHOT.jar
deleted file mode 100644
index 9dc634b..0000000
Binary files a/rocketmq-streams-serviceloader/target/rocketmq-streams-serviceloader-2.0.0-SNAPSHOT.jar and /dev/null differ
diff --git a/rocketmq-streams-serviceloader/target/test-classes/log4j.xml b/rocketmq-streams-serviceloader/target/test-classes/log4j.xml
deleted file mode 100755
index 7812fe7..0000000
--- a/rocketmq-streams-serviceloader/target/test-classes/log4j.xml
+++ /dev/null
@@ -1,20 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" ?>
-<!DOCTYPE log4j:configuration SYSTEM "http://toolkit.alibaba-inc.com/dtd/log4j/log4j.dtd">
-<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
-
-    <appender name="Console" class="org.apache.log4j.ConsoleAppender">
-        <layout class="org.apache.log4j.PatternLayout">
-            <param name="ConversionPattern" value="%d{ISO8601} %l [%t] %-5p - %m%n%n"/>
-        </layout>
-        <filter class="org.apache.log4j.varia.LevelRangeFilter">
-            <param name="LevelMin" value="INFO"/>
-            <param name="LevelMax" value="ERROR"/>
-        </filter>
-    </appender>
-
-    <root>
-        <priority value="INFO"/>
-        <appender-ref ref="Console"/>
-    </root>
-
-</log4j:configuration>
\ No newline at end of file
diff --git a/rocketmq-streams-serviceloader/target/test-classes/org/apache/rocketmq/streams/serviceloader/ServiceLoaderComponentTest.class b/rocketmq-streams-serviceloader/target/test-classes/org/apache/rocketmq/streams/serviceloader/ServiceLoaderComponentTest.class
deleted file mode 100644
index 100837f..0000000
Binary files a/rocketmq-streams-serviceloader/target/test-classes/org/apache/rocketmq/streams/serviceloader/ServiceLoaderComponentTest.class and /dev/null differ
diff --git a/rocketmq-streams-window/rocketmq-streams-window.iml b/rocketmq-streams-window/rocketmq-streams-window.iml
deleted file mode 100644
index 793fdfa..0000000
--- a/rocketmq-streams-window/rocketmq-streams-window.iml
+++ /dev/null
@@ -1,82 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<module org.jetbrains.idea.maven.project.MavenProjectsManager.isMavenModule="true" type="JAVA_MODULE" version="4">
-  <component name="NewModuleRootManager" LANGUAGE_LEVEL="JDK_1_8">
-    <output url="file://$MODULE_DIR$/target/classes" />
-    <output-test url="file://$MODULE_DIR$/target/test-classes" />
-    <content url="file://$MODULE_DIR$">
-      <sourceFolder url="file://$MODULE_DIR$/src/main/java" isTestSource="false" />
-      <sourceFolder url="file://$MODULE_DIR$/src/main/resources" type="java-resource" />
-      <sourceFolder url="file://$MODULE_DIR$/src/test/java" isTestSource="true" />
-      <sourceFolder url="file://$MODULE_DIR$/src/test/resources" type="java-test-resource" />
-      <excludeFolder url="file://$MODULE_DIR$/target" />
-    </content>
-    <orderEntry type="inheritedJdk" />
-    <orderEntry type="sourceFolder" forTests="false" />
-    <orderEntry type="module" module-name="rocketmq-streams-db-operator" />
-    <orderEntry type="module" module-name="rocketmq-streams-configurable" />
-    <orderEntry type="module" module-name="rocketmq-streams-serviceloader" />
-    <orderEntry type="library" name="Maven: org.springframework:spring-jdbc:3.2.13.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework:spring-beans:3.2.13.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework:spring-core:3.2.13.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: commons-logging:commons-logging:1.1" level="project" />
-    <orderEntry type="library" name="Maven: logkit:logkit:1.0.1" level="project" />
-    <orderEntry type="library" name="Maven: avalon-framework:avalon-framework:4.1.3" level="project" />
-    <orderEntry type="library" name="Maven: javax.servlet:servlet-api:2.3" level="project" />
-    <orderEntry type="library" name="Maven: org.springframework:spring-tx:3.2.13.RELEASE" level="project" />
-    <orderEntry type="library" name="Maven: mysql:mysql-connector-java:5.1.40" level="project" />
-    <orderEntry type="module" module-name="rocketmq-streams-lease" />
-    <orderEntry type="module" module-name="rocketmq-streams-channel-db" />
-    <orderEntry type="module" module-name="rocketmq-streams-dim" />
-    <orderEntry type="module" module-name="rocketmq-streams-filter" />
-    <orderEntry type="module" module-name="rocketmq-streams-script" />
-    <orderEntry type="library" name="Maven: io.krakens:java-grok:0.1.9" level="project" />
-    <orderEntry type="library" name="Maven: org.codehaus.groovy:groovy-all:2.1.8" level="project" />
-    <orderEntry type="library" name="Maven: org.python:jython-standalone:2.7.0" level="project" />
-    <orderEntry type="module" module-name="rocketmq-streams-channel-http" />
-    <orderEntry type="module" module-name="rocketmq-streams-commons" />
-    <orderEntry type="library" name="Maven: org.apache.commons:commons-lang3:3.11" level="project" />
-    <orderEntry type="library" name="Maven: junit:junit:4.12" level="project" />
-    <orderEntry type="library" name="Maven: org.hamcrest:hamcrest-core:1.3" level="project" />
-    <orderEntry type="library" name="Maven: com.alibaba:fastjson:1.2.27" level="project" />
-    <orderEntry type="library" name="Maven: log4j:log4j:1.2.17" level="project" />
-    <orderEntry type="library" name="Maven: com.google.code.gson:gson:2.8.5" level="project" />
-    <orderEntry type="library" name="Maven: com.google.auto.service:auto-service:1.0-rc5" level="project" />
-    <orderEntry type="library" name="Maven: com.google.auto.service:auto-service-annotations:1.0-rc5" level="project" />
-    <orderEntry type="library" name="Maven: com.google.auto:auto-common:0.10" level="project" />
-    <orderEntry type="library" name="Maven: com.google.guava:guava:25.1-jre" level="project" />
-    <orderEntry type="library" name="Maven: com.google.code.findbugs:jsr305:3.0.2" level="project" />
-    <orderEntry type="library" name="Maven: org.checkerframework:checker-qual:2.0.0" level="project" />
-    <orderEntry type="library" name="Maven: com.google.errorprone:error_prone_annotations:2.1.3" level="project" />
-    <orderEntry type="library" name="Maven: com.google.j2objc:j2objc-annotations:1.1" level="project" />
-    <orderEntry type="library" name="Maven: org.codehaus.mojo:animal-sniffer-annotations:1.14" level="project" />
-    <orderEntry type="library" name="Maven: com.lmax:disruptor:3.2.0" level="project" />
-    <orderEntry type="library" name="Maven: com.gliwka.hyperscan:hyperscan:5.4.0-2.0.0" level="project" />
-    <orderEntry type="library" name="Maven: com.gliwka.hyperscan:native:5.4.0-1.0.0" level="project" />
-    <orderEntry type="library" name="Maven: com.gliwka.hyperscan:native:linux-x86_64:5.4.0-1.0.0" level="project" />
-    <orderEntry type="library" name="Maven: com.gliwka.hyperscan:native:windows-x86_64:5.4.0-1.0.0" level="project" />
-    <orderEntry type="library" name="Maven: com.gliwka.hyperscan:native:macosx-x86_64:5.4.0-1.0.0" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp-platform:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:android-arm:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:android-arm64:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:android-x86:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:android-x86_64:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:ios-arm64:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:ios-x86_64:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:linux-armhf:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:linux-arm64:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:linux-ppc64le:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:linux-x86:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:linux-x86_64:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:macosx-x86_64:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:windows-x86:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: org.bytedeco:javacpp:windows-x86_64:1.5.4" level="project" />
-    <orderEntry type="library" name="Maven: net.java.dev.jna:platform:3.5.2" level="project" />
-    <orderEntry type="library" name="Maven: net.java.dev.jna:jna:3.5.2" level="project" />
-    <orderEntry type="library" name="Maven: commons-io:commons-io:2.5" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.httpcomponents:httpclient:4.5.2" level="project" />
-    <orderEntry type="library" name="Maven: org.apache.httpcomponents:httpcore:4.4.4" level="project" />
-    <orderEntry type="library" name="Maven: commons-codec:commons-codec:1.9" level="project" />
-    <orderEntry type="library" name="Maven: org.rocksdb:rocksdbjni:6.6.4" level="project" />
-  </component>
-</module>
\ No newline at end of file
diff --git a/rocketmq-streams-window/target/classes/dipper.cs b/rocketmq-streams-window/target/classes/dipper.cs
deleted file mode 100644
index 45919b0..0000000
--- a/rocketmq-streams-window/target/classes/dipper.cs
+++ /dev/null
@@ -1,2892 +0,0 @@
-dipper.private.blink.rules&&&&pipline&&&&apsara_stack_network_accessibility_sca&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.UnionChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"nextStageLables\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"apsara_stack_network_accessibility_sca_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"cancelAfterConfigurableRefreshListerner\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"ownerSqlNodeTableName\\\\\\\":\\\\\\\"ne [...]
-dipper.private.blink.rules&&&&channel&&&&apsara_stack_network_accessibility_sca&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"apsara_stack_network_accessibility_sca","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","syncTimeout":"5000","groupName":"apsara_stack_network_accessibility_sca","pullIntervalMs":"100","isBatchMessage":"true","isAutoFlush":" [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_apsara_stack_network_accessibility_sca_union_10001&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.UnionChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"piplineName2MsgSourceName\\\\\\\":\\\\\\\"[{\\\\\\\\\\\\\\\"value\\\\\\\\\\\\\\\":\\\\\\\\\\\\\\\"aegis_property_sca\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"key\\\\\\\\\\\\\\\":\\\\\\\\\\\\\\\"subpipline_subpipline_apsara_stack_network [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10001&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\":\\\\\\\"script\\\\\\\",\\\\\\\"scriptName\\\\\\\":\\\\\\\"subpipline_subpipline_ [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10001_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10001_script_10001","type":"script","value":"___!_10001=!((listenIp,regex,'^(127\\.\\d+\\.\\d+\\.\\d+)|(169\\.254\\.\\d+\\.\\d+)$'));\n", [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10001_rule_10001&&&&{"expressionStr":"(port,<>,'')&___!_10001","scriptNames":"[]","expressionName":"10002","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10001_rule_10001","ruleStatus":"0","type":"rule"," [...]
-dipper.private.blink.rules&&&&express&&&&10002&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10001\",\"___!_10001\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10001&&&&{"aesFlag":1,"varName":"port","functionName":"<>","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"wc8fi0p7qwBHnY1x2c6Qsw=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10001_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10001_script_10002","type":"script","value":"retainField(ext,bizType,imageName,processUser,processStarted,bizTypeExt,pid,configPath,snaps [...]
-dipper.private.blink.rules&&&&nameList&&&&30.240.98.174;1616994930825;1&&&&{"indexs":"[\"uuid\",\"instance_id\"]","pollingTime":"60","className":"com.aliyun.filter.namelist.DBNameList","configureName":"30.240.98.174;1616994930825;1","userName":"aegis.sca.esc.userName","type":"nameList","version":"1.0","url":"aegis.sca.esc.url","sql":"select ali_uid,uuid,instance_id,instance_network_type,security_group_id,public_ip_address,allocation_id,eip_ip_address,private_ip_address,vpc_id,instance_st [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10001_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10001_script_10003","type":"script","value":"___dim_10001=left_join('dipper.private.blink.rules','30.240.98.174;1616994930825;1','(uuid,= [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10001_rule_10002&&&&{"expressionStr":"ecs_info.instance_status,==,'running'","scriptNames":"[]","expressionName":"10003","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10001_rule_10002","ruleStatus":"0"," [...]
-dipper.private.blink.rules&&&&express&&&&10003&&&&{"aesFlag":1,"varName":"ecs_info.instance_status","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"rfJUsZyCSw5+VvHkYYf4dA=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10001_script_10004&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10001_script_10004","type":"script","value":"vpc_id=ecs_info.vpc_id;\ninstance_id=ecs_info.instance_id;\nprivate_ip_address=ecs_info.priv [...]
-dipper.private.blink.rules&&&&nameList&&&&30.240.98.174;1616994930829;2&&&&{"indexs":"[\"uuid\",\"instance_id\"]","pollingTime":"60","className":"com.aliyun.filter.namelist.DBNameList","configureName":"30.240.98.174;1616994930829;2","userName":"aegis.sca.esc.userName","type":"nameList","version":"1.0","url":"aegis.sca.esc.url","sql":"select ali_uid,uuid,instance_id,instance_network_type,security_group_id,public_ip_address,allocation_id,eip_ip_address,private_ip_address,vpc_id,instance_st [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10001_script_10005&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10001_script_10005","type":"script","value":"___dim_10002=left_join('dipper.private.blink.rules','30.240.98.174;1616994930829;2','(instan [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10001_script_10006&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10001_script_10006","type":"script","value":"___coalesce_10001=coalesce(ecs_info.public_ip_address,'');\n___compare_10001=!equals(___coal [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10001_script_10007&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10001_script_10007","type":"script","value":"retainField(bizType,processUser,processStarted,security_group_id,pid,type,uuid,internet_ip,p [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10002&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\":\\\\\\\"script\\\\\\\",\\\\\\\"scriptName\\\\\\\":\\\\\\\"subpipline_subpipline_ [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10002_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10002_script_10001","type":"script","value":"___!_10002=!((listenIp,regex,'^(127\\.\\d+\\.\\d+\\.\\d+)|(169\\.254\\.\\d+\\.\\d+)$'));\n", [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10002_rule_10001&&&&{"expressionStr":"(port,<>,'')&___!_10002","scriptNames":"[]","expressionName":"10005","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10002_rule_10001","ruleStatus":"0","type":"rule"," [...]
-dipper.private.blink.rules&&&&express&&&&10004&&&&{"aesFlag":1,"varName":"port","functionName":"<>","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"wc8fi0p7qwBHnY1x2c6Qsw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10005&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10004\",\"___!_10002\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10002_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10002_script_10002","type":"script","value":"retainField(ext,bizType,imageName,processUser,processStarted,bizTypeExt,pid,configPath,snaps [...]
-dipper.private.blink.rules&&&&nameList&&&&30.240.98.174;1616994930830;3&&&&{"indexs":"[\"uuid\",\"instance_id\"]","pollingTime":"60","className":"com.aliyun.filter.namelist.DBNameList","configureName":"30.240.98.174;1616994930830;3","userName":"aegis.sca.esc.userName","type":"nameList","version":"1.0","url":"aegis.sca.esc.url","sql":"select ali_uid,uuid,instance_id,instance_network_type,security_group_id,public_ip_address,allocation_id,eip_ip_address,private_ip_address,vpc_id,instance_st [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10002_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10002_script_10003","type":"script","value":"___dim_10003=left_join('dipper.private.blink.rules','30.240.98.174;1616994930830;3','(uuid,= [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10002_rule_10002&&&&{"expressionStr":"ecs_info.instance_status,==,'running'","scriptNames":"[]","expressionName":"10006","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10002_rule_10002","ruleStatus":"0"," [...]
-dipper.private.blink.rules&&&&express&&&&10006&&&&{"aesFlag":1,"varName":"ecs_info.instance_status","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"rfJUsZyCSw5+VvHkYYf4dA=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10002_script_10004&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10002_script_10004","type":"script","value":"vpc_id=ecs_info.vpc_id;\ninstance_id=ecs_info.instance_id;\nprivate_ip_address=ecs_info.priv [...]
-dipper.private.blink.rules&&&&nameList&&&&30.240.98.174;1616994930831;4&&&&{"indexs":"[\"vpc_id;internal_ip\"]","pollingTime":"60","className":"com.aliyun.filter.namelist.DBNameList","configureName":"30.240.98.174;1616994930831;4","userName":"aegis.sca.dnat.userName","type":"nameList","version":"1.0","url":"aegis.sca.dnat.url","sql":"select ali_uid,nat_gateway_id,vpc_id,external_ip,external_port,internal_ip,internal_port,ip_protocol,forward_entry_status from asset_dnat_info where forward [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10002_script_10005&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10002_script_10005","type":"script","value":"constants_10000='any';\nconstants_10001='any';\n___dim_10004=left_join('dipper.private.blink [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10002_rule_10003&&&&{"expressionStr":"dnat_info.forward_entry_status,==,'available'","scriptNames":"[]","expressionName":"10007","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10002_rule_10003","ruleStatu [...]
-dipper.private.blink.rules&&&&express&&&&10007&&&&{"aesFlag":1,"varName":"dnat_info.forward_entry_status","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"3JNgRPWXGIXtB5KaBIDvNA=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10002_script_10006&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10002_script_10006","type":"script","value":"internet_ip=dnat_info.external_ip;\n___compare_10005=equals(dnat_info.external_port,'any');\ [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10002_script_10007&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_subpipline_apsara_stack_network_accessibility_sca_union_10001_union_10002_script_10007","type":"script","value":"retainField(bizType,processUser,processStarted,security_group_id,pid,type,uuid,internet_ip,p [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_apsara_stack_network_accessibility_sca_union_10001_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_apsara_stack_network_accessibility_sca_union_10001_script_10001","type":"script","value":"___splitindex_10001=splitindex(security_group_info.port_range,'/',0);;___cast_10001=cast(___splitindex_10001,'int');;___cast_10002=cast(po [...]
-dipper.private.blink.rules&&&&nameList&&&&30.240.98.174;1616994930835;5&&&&{"indexs":"[\"security_group_id\"]","pollingTime":"60","className":"com.aliyun.filter.namelist.DBNameList","configureName":"30.240.98.174;1616994930835;5","userName":"aegis.sca.security.group.userName","type":"nameList","version":"1.0","url":"aegis.sca.security.group.url","sql":"select ali_uid,security_group_id,dest_cidr_ip,dest_cidr_ip_bit_mask,nic_type,direction,ip_protocol,policy,port_range,priority,source_cidr [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_apsara_stack_network_accessibility_sca_union_10001_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_apsara_stack_network_accessibility_sca_union_10001_script_10002","type":"script","value":"___cast_10007=cast(port,'int');\n___cast_10008=cast(port,'int');\nconstants_10000='all';\nconstants_10001='-1/-1';\n___dim_10005=inner_joi [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_apsara_stack_network_accessibility_sca_union_10001_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_apsara_stack_network_accessibility_sca_union_10001_script_10003","type":"script","value":"___cast_10005=cast(security_group_info.source_cidr_ip_bit_mask,'int');\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&subpipline_apsara_stack_network_accessibility_sca_union_10001_rule_10001&&&&{"expressionStr":"((security_group_info.direction,==,'ingress')&(security_group_info.policy,==,'accept'))&(___cast_10005,<,double,8)","scriptNames":"[]","expressionName":"10012","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_apsara_stack_network_accessibility_sca_union_10001 [...]
-dipper.private.blink.rules&&&&express&&&&10008&&&&{"aesFlag":1,"varName":"security_group_info.direction","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"uDVUiOQMghCLKJyqOEQ27A=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10009&&&&{"aesFlag":1,"varName":"security_group_info.policy","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"JvOH9gogkRcXYYaTXLrXLQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10011&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10008\",\"10009\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10010&&&&{"varName":"___cast_10005","functionName":"<","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"8.0"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10012&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10011\",\"10010\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_apsara_stack_network_accessibility_sca_union_10001_script_10004&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_apsara_stack_network_accessibility_sca_union_10001_script_10004","type":"script","value":"security_group_id=security_group_info.security_group_id;\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_apsara_stack_network_accessibility_sca_union_10001_script_10005&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_apsara_stack_network_accessibility_sca_union_10001_script_10005","type":"script","value":"retainField(bizType,processUser,processStarted,security_group_id,pid,type,uuid,internet_ip,path,protocol,cmdline,containerName,proof,image [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_apsara_stack_network_accessibility_sca_union_10001_script_10006&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_apsara_stack_network_accessibility_sca_union_10001_script_10006","type":"script","value":"retainField(bizType,processUser,processStarted,security_group_id,pid,type,uuid,internet_ip,path,protocol,cmdline,containerName,proof,image [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_apsara_stack_network_accessibility_sca_union_10002&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\":\\\\\\\"script\\\\\\\",\\\\\\\"scriptName\\\\\\\":\\\\\\\"subpipline_apsara_stack_network_accessibility [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_apsara_stack_network_accessibility_sca_union_10002_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_apsara_stack_network_accessibility_sca_union_10002_script_10001","type":"script","value":"___!_10003=!((listenIp,regex,'^(127\\.\\d+\\.\\d+\\.\\d+)|(169\\.254\\.\\d+\\.\\d+)$'));\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&subpipline_apsara_stack_network_accessibility_sca_union_10002_rule_10001&&&&{"expressionStr":"(port,<>,'')&___!_10003","scriptNames":"[]","expressionName":"10014","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_apsara_stack_network_accessibility_sca_union_10002_rule_10001","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames [...]
-dipper.private.blink.rules&&&&express&&&&10013&&&&{"aesFlag":1,"varName":"port","functionName":"<>","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"wc8fi0p7qwBHnY1x2c6Qsw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10014&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10013\",\"___!_10003\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_apsara_stack_network_accessibility_sca_union_10002_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_apsara_stack_network_accessibility_sca_union_10002_script_10002","type":"script","value":"retainField(ext,bizType,imageName,processUser,processStarted,bizTypeExt,pid,configPath,snapshotIdx,type,uuid,version,ppid,listenStatus,web [...]
-dipper.private.blink.rules&&&&nameList&&&&30.240.98.174;1616994930865;6&&&&{"indexs":"[\"uuid\",\"instance_id\"]","pollingTime":"60","className":"com.aliyun.filter.namelist.DBNameList","configureName":"30.240.98.174;1616994930865;6","userName":"aegis.sca.esc.userName","type":"nameList","version":"1.0","url":"aegis.sca.esc.url","sql":"select ali_uid,uuid,instance_id,instance_network_type,security_group_id,public_ip_address,allocation_id,eip_ip_address,private_ip_address,vpc_id,instance_st [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_apsara_stack_network_accessibility_sca_union_10002_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_apsara_stack_network_accessibility_sca_union_10002_script_10003","type":"script","value":"___dim_10006=left_join('dipper.private.blink.rules','30.240.98.174;1616994930865;6','(uuid,==,uuid)',ecs_info,'',ali_uid,uuid,instance_id, [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_apsara_stack_network_accessibility_sca_union_10002_rule_10002&&&&{"expressionStr":"ecs_info.instance_status,==,'running'","scriptNames":"[]","expressionName":"10015","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_apsara_stack_network_accessibility_sca_union_10002_rule_10002","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[] [...]
-dipper.private.blink.rules&&&&express&&&&10015&&&&{"aesFlag":1,"varName":"ecs_info.instance_status","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"rfJUsZyCSw5+VvHkYYf4dA=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_apsara_stack_network_accessibility_sca_union_10002_script_10004&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_apsara_stack_network_accessibility_sca_union_10002_script_10004","type":"script","value":"vpc_id=ecs_info.vpc_id;\ninstance_id=ecs_info.instance_id;\nprivate_ip_address=ecs_info.private_ip_address;\nsecurity_group_id=ecs_info.se [...]
-dipper.private.blink.rules&&&&nameList&&&&30.240.98.174;1616994930867;7&&&&{"indexs":"[\"server_id;backend_server_port;listener_protocol\"]","pollingTime":"60","className":"com.aliyun.filter.namelist.DBNameList","configureName":"30.240.98.174;1616994930867;7","userName":"aegis.sca.slb.userName","type":"nameList","version":"1.0","url":"aegis.sca.slb.url","sql":"select ali_uid,load_balancer_id,address,address_type,listener_port,listener_protocol,listener_status,backend_server_port,server_i [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_apsara_stack_network_accessibility_sca_union_10002_script_10005&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_apsara_stack_network_accessibility_sca_union_10002_script_10005","type":"script","value":"___dim_10007=left_join('dipper.private.blink.rules','30.240.98.174;1616994930867;7','((instance_id,==,server_id)&(port,==,backend_server_p [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_apsara_stack_network_accessibility_sca_union_10002_rule_10003&&&&{"expressionStr":"(slb_info.address_type,==,'internet')&(slb_info.listener_status,==,'running')","scriptNames":"[]","expressionName":"10018","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_apsara_stack_network_accessibility_sca_union_10002_rule_10003","ruleStatus":"0","type": [...]
-dipper.private.blink.rules&&&&express&&&&10018&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10016\",\"10017\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10017&&&&{"aesFlag":1,"varName":"slb_info.listener_status","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"rfJUsZyCSw5+VvHkYYf4dA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10016&&&&{"aesFlag":1,"varName":"slb_info.address_type","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"dbB21QlapXHUB4tgeOH8Ww=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_apsara_stack_network_accessibility_sca_union_10002_script_10006&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_apsara_stack_network_accessibility_sca_union_10002_script_10006","type":"script","value":"internet_ip=slb_info.address;\nport=slb_info.listener_port;\nprotocol=listenProtocol;\nconnect_type='slb';\nnetwork_type=instance_network_ [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_apsara_stack_network_accessibility_sca_union_10002_script_10007&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_apsara_stack_network_accessibility_sca_union_10002_script_10007","type":"script","value":"retainField(bizType,processUser,processStarted,security_group_id,pid,type,uuid,internet_ip,path,protocol,cmdline,containerName,proof,image [...]
-dipper.private.blink.rules&&&&rule&&&&apsara_stack_network_accessibility_sca_rule_10001&&&&{"expressionStr":"internet_ip,<>,''","scriptNames":"[]","expressionName":"10019","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"apsara_stack_network_accessibility_sca_rule_10001","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10019&&&&{"aesFlag":1,"varName":"internet_ip","functionName":"<>","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"wc8fi0p7qwBHnY1x2c6Qsw=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&apsara_stack_network_accessibility_sca_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"apsara_stack_network_accessibility_sca_script_10001","type":"script","value":"retainField(bizType,processUser,processStarted,security_group_id,pid,type,uuid,internet_ip,path,protocol,cmdline,containerName,proof,imageName,listen_ports,forwarding_instance_id,bizTy [...]
-dipper.private.blink.rules&&&&channel&&&&apsara_stack_network_accessibility_sca_channel_10001&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"apsara_stack_network_accessibility_sca_channel_10001","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","tags":"T_MSG_SCA_EXPOSURE","syncTimeout":"5000","pullIntervalMs":"100","isBatchMessage":"true","isAutoFlush [...]
-dipper.private.blink.rules&&&&pipline&&&&blink.direct.source.aegis_asset&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.SubPiplineChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"nextStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"filterMsgSwitch\\\\\\\":\\\\\\\"blink.direct.source.aegis_asset.filter.switch\\\\\\\",\\\\\\\"cancelAfterConfigurableRefreshListerner\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"className\\\\\\\":\\\\\\\"com [...]
-dipper.private.blink.rules&&&&channel&&&&blink.direct.source.aegis_asset;channel&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"12","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"blink.direct.source.aegis_asset;channel","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","tags":"blink.direct.source.aegis_asset.tags","syncTimeout":"5000","groupName":"blink.direct.source.aegis_asset.group","isBatchMessag [...]
-dipper.private.blink.rules&&&&pipline&&&&blink_source_aegis_client_aegis_client&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"nextStageLables\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"blink_source_aegis_client_aegis_client_script_10002\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"cancelAfterConfigurableRefreshListerner\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"ownerSqlNodeTableName\\\\\\\":\\\\\\\ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client;json_concat_10001&&&&{"fullClassName":"com.aliyun.sec.lyra.udf.ext.JsonConcat","initMethodName":"open","functionName":"json_concat","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client;json_concat_10001","type":"script","version":"1.0","closeMethodName":"close", [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client;explode_json_10001&&&&{"setCollectorMethodName":"setCollector","fullClassName":"com.aliyun.sec.sas.explode_json","initMethodName":"open","functionName":"explode_json","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udtf.BlinkUDTFScript","configureName":"blink_source_aegis_client_aegis_client;explode_json_10001","type":"script","version":"1.0","isURL":"false","nameSpace":"dipper.private.b [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client;action_json_10001&&&&{"fullClassName":"com.aliyun.sec.sas.action_json","initMethodName":"open","functionName":"action_json","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client;action_json_10001","type":"script","version":"1.0","closeMethodName":"close","extendF [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client;hex2clean_10001&&&&{"fullClassName":"com.aliyun.sec.sas.hex2clean","initMethodName":"open","functionName":"hex2clean","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client;hex2clean_10001","type":"script","version":"1.0","closeMethodName":"close","extendField":"[ [...]
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_client_aegis_client&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"blink_source_aegis_client_aegis_client","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","tags":"T_MSG_VIRUS_EVENT_INFO","syncTimeout":"5000","groupName":"blink_source_aegis_client_aegis_client","pullIntervalMs":"100","isBatc [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10001","type":"script","value":"___json_get_10001=json_get(data,'$.check_msg');\ncheck_msg=___json_get_10001;rm('___json_get_10001');\n___json_get_10002=json_get(meta_conf,'$.aliUid');\naliuid=___json_get_10002;rm('_ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10002","type":"script","value":"retainField(traceid,aliuid,check_msg,uuid,logtime);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10003","type":"script","value":"___EXPLODE_JSON_10001=EXPLODE_JSON(check_msg);T.check_msg_one=udtf.0;","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10004&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10004","type":"script","value":"___json_get_10003=json_get(T.check_msg_one,'$.module_id');\nmodule_id=___json_get_10003;rm('___json_get_10003');\n___json_get_10004=json_get(T.check_msg_one,'$.execinfo');\nexec_info=_ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10005&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10005","type":"script","value":"check_msg_one=T.check_msg_one;\nretainField(traceid,check_msg_one,exec_info,module_id,aliuid,check_msg,uuid,logtime);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10006&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10006","type":"script","value":"___EXPLODE_JSON_10002=EXPLODE_JSON(exec_info);T.exec_info_one=udtf.0;","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10007&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10007","type":"script","value":"___json_get_10005=json_get(T.exec_info_one,'$.data');\nexec_info_datalist=___json_get_10005;rm('___json_get_10005');\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10008&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10008","type":"script","value":"exec_info_one=T.exec_info_one;\nretainField(traceid,exec_info,module_id,exec_info_datalist,aliuid,check_msg,uuid,logtime,exec_info_one);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10009&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10009","type":"script","value":"___EXPLODE_JSON_10003=EXPLODE_JSON(exec_info_datalist);T.exec_info_data=udtf.0;","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10010&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10010","type":"script","value":"exec_info_data=T.exec_info_data;\n___json_get_10006=json_get(T.exec_info_data,'$.type');\nexec_info_type=___json_get_10006;rm('___json_get_10006');\n","version":"1.0","extendField":"[] [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10011&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10011","type":"script","value":"retainField(traceid,exec_info_type,exec_info,module_id,exec_info_datalist,exec_info_data,aliuid,check_msg,uuid,logtime,exec_info_one);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10012&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10012","type":"script","value":"___!null_10001=!null(exec_info_data);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_client_aegis_client_rule_10001&&&&{"expressionStr":"___!null_10001&(exec_info_data,<>,'')","scriptNames":"[]","expressionName":"10021","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_rule_10001","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10020&&&&{"aesFlag":1,"varName":"exec_info_data","functionName":"<>","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"wc8fi0p7qwBHnY1x2c6Qsw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10021&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"___!null_10001\",\"10020\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10013&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10013","type":"script","value":"retainField(traceid,module_id,exec_info_data,aliuid,logtime,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10014&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10014","type":"script","value":"___json_get_10007=json_get(exec_info_data,'$.cmdline');\ndata_cmdline=___json_get_10007;rm('___json_get_10007');\n___json_get_10008=json_get(exec_info_data,'$.name');\ndata_name=___jso [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10015&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10015","type":"script","value":"retainField(traceid,module_id,data_name,data_cmdline,exec_info_data,data_type,aliuid,data_files,logtime,uuid,data_raw_info,data_from);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10016&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10016","type":"script","value":"___null_10001=null(data_raw_info);\n___json_get_10013=json_get(data_raw_info,'$.filepath');\nif(___null_10001){___case_10004='';}else{___case_10004=___json_get_10013;};\nraw_info_filep [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10017&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10017","type":"script","value":"retainField(traceid,raw_info_filepath,raw_info_procname,raw_info_md5,data_files,uuid,data_raw_info,data_from,raw_info_line,raw_info_create_time,module_id,raw_info_dynamic,data_name,raw [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10018&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10018","type":"script","value":"___compare_10006=equals(data_type,'CrontabItem');\n___compare_10007=equals(data_type,'ld_so_preload');\n___compare_10008=equals(data_type,'LinuxPubKey');\nif(___compare_10006){___case_ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10019&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10019","type":"script","value":"retainField(traceid,raw_info_filepath,the_name,raw_info_procname,raw_info_md5,data_files,uuid,data_raw_info,data_from,raw_info_line,raw_info_create_time,module_id,raw_info_dynamic,data [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10020&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10020","type":"script","value":"___lower_cmd_10001=lower(cmd);\nlower_cmd=___lower_cmd_10001;rm('___lower_cmd_10001');\n___lower_cmd_10002=lower(cmd);\n___REGEXP_REPLACE_10001=REGEXP_REPLACE(___lower_cmd_10002,'[~~~~ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10021&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10021","type":"script","value":"retainField(traceid,the_name,raw_info_procname,raw_info_md5,clean_cmd,uuid,data_raw_info,data_from,raw_info_line,raw_info_create_time,data_name,raw_info_procpath,data_cmdline,aliuid,ra [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10022&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10022","type":"script","value":"retainField(traceid,the_name,raw_info_procname,raw_info_md5,clean_cmd,uuid,data_raw_info,data_from,raw_info_line,raw_info_create_time,data_name,raw_info_procpath,data_cmdline,aliuid,ra [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10023&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10023","type":"script","value":"___json_get_10023=json_get(exec_info_data,'$.name');\ndata_name=___json_get_10023;rm('___json_get_10023');\n___json_get_10024=json_get(exec_info_data,'$.type');\ndata_type=___json_get_ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10024&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10024","type":"script","value":"retainField(traceid,module_id,data_name,exec_info_data,data_type,raw_info,aliuid,cmd,logtime,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_client_aegis_client_rule_10002&&&&{"expressionStr":"(data_type,==,'ProcessGeneral')|(data_type,==,'LinuxHiddenProcess')","scriptNames":"[]","expressionName":"10024","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_rule_10002","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames": [...]
-dipper.private.blink.rules&&&&express&&&&10022&&&&{"aesFlag":1,"varName":"data_type","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"XiZqpAF5OpdGedX7s8cLFg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10024&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10022\",\"10023\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10023&&&&{"aesFlag":1,"varName":"data_type","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"PCWwrcOjmeBbuLYPHG0JS3tTNU/U90AuQne3hzRtQio="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10025&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10025","type":"script","value":"___json_get_10027=json_get(raw_info,'$.procpath');\nprocpath=___json_get_10027;rm('___json_get_10027');\n___json_get_10028=json_get(raw_info,'$.cwd');\ncwd=___json_get_10028;rm('___jso [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10026&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10026","type":"script","value":"retainField(traceid,procpath,create_time,pid,uuid,cwd,module_id,data_name,process_status,proc_exe_raw,procfs_fd,exec_info_data,data_type,raw_info,aliuid,cmd,procname,logtime,md5,userna [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10027&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10027","type":"script","value":"___lower_cmd_10003=lower(cmd);\n___REGEXP_REPLACE_10002=REGEXP_REPLACE(___lower_cmd_10003,'[,#~~~~~\\^\\\\`]','');\nclean_cmd_win=___REGEXP_REPLACE_10002;rm('___REGEXP_REPLACE_10002'); [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10028&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10028","type":"script","value":"retainField(traceid,procpath,create_time,pid,uuid,cwd,module_id,data_name,process_status,proc_exe_raw,procfs_fd,exec_info_data,data_type,raw_info,aliuid,cmd,procname,clean_cmd_win,logt [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10029&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10029","type":"script","value":"___json_get_10040=json_get(exec_info_data,'$.name');\ndata_name=___json_get_10040;rm('___json_get_10040');\n___json_get_10041=json_get(exec_info_data,'$.type');\ndata_type=___json_get_ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10030&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10030","type":"script","value":"retainField(traceid,msg,module_id,data_name,exec_info_data,data_type,aliuid,cmd,logtime,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10031&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10031","type":"script","value":"___!null_10005=!null(msg);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_client_aegis_client_rule_10003&&&&{"expressionStr":"((data_type,==,'file_info')&___!null_10005)&(msg,<>,'')","scriptNames":"[]","expressionName":"10028","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_rule_10003","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10026&&&&{"aesFlag":1,"varName":"msg","functionName":"<>","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":""}&&&&null
-dipper.private.blink.rules&&&&express&&&&10025&&&&{"aesFlag":1,"varName":"data_type","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"RroTetz+RBliM0NFZ/cGug=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10028&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10027\",\"10026\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10027&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10025\",\"___!null_10005\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10032&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10032","type":"script","value":"___json_get_10044=json_get(msg,'$.data.bin_path');\nbin_path=___json_get_10044;rm('___json_get_10044');\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10033&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10033","type":"script","value":"retainField(traceid,msg,module_id,data_name,exec_info_data,data_type,bin_path,aliuid,cmd,logtime,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10034&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10034","type":"script","value":"___json_get_10045=json_get(exec_info_data,'$.name');\ndata_name=___json_get_10045;rm('___json_get_10045');\n___json_get_10046=json_get(exec_info_data,'$.type');\ndata_type=___json_get_ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10035&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10035","type":"script","value":"retainField(traceid,module_id,data_name,exec_info_data,data_type,raw_info,aliuid,cmd,logtime,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10036&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10036","type":"script","value":"___!null_10006=!null(raw_info);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_client_aegis_client_rule_10004&&&&{"expressionStr":"((data_type,==,'LinuxHiddenProcess')&___!null_10006)&(raw_info,<>,'')","scriptNames":"[]","expressionName":"10032","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_rule_10004","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames [...]
-dipper.private.blink.rules&&&&express&&&&10029&&&&{"aesFlag":1,"varName":"data_type","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"PCWwrcOjmeBbuLYPHG0JS3tTNU/U90AuQne3hzRtQio="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10031&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10029\",\"___!null_10006\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10030&&&&{"aesFlag":1,"varName":"raw_info","functionName":"<>","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":""}&&&&null
-dipper.private.blink.rules&&&&express&&&&10032&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10031\",\"10030\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10037&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10037","type":"script","value":"___json_get_10049=json_get(raw_info,'$.procpath');\nprocpath=___json_get_10049;rm('___json_get_10049');\n___json_get_10050=json_get(raw_info,'$.cwd');\ncwd=___json_get_10050;rm('___jso [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10038&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10038","type":"script","value":"retainField(traceid,procpath,create_time,pid,uuid,ppid,cwd,module_id,data_name,process_status,exec_info_data,data_type,raw_info,aliuid,cmd,procname,logtime,md5,username);","version":"1 [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10039&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10039","type":"script","value":"___cast_10114=cast(pid,'long');\n___cast_10115=cast(ppid,'long');\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_client_aegis_client_rule_10005&&&&{"expressionStr":"((((process_status,<>,'zombie')&(___cast_10114,<>,double,2))&(___cast_10115,<>,double,2))&(procpath,like,'/%'))&(procpath,!like,'/usr/local/aegis/%')","scriptNames":"[]","expressionName":"10041","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_rule_10005 [...]
-dipper.private.blink.rules&&&&express&&&&10040&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10039\",\"10036\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10041&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10040\",\"10037\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10033&&&&{"aesFlag":1,"varName":"process_status","functionName":"<>","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"++CE4AvZpMMICfexMf0dbA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10035&&&&{"varName":"___cast_10115","functionName":"<>","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"2.0"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10034&&&&{"varName":"___cast_10114","functionName":"<>","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"2.0"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10037&&&&{"aesFlag":1,"varName":"procpath","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"AntpwjEjRwNnz5a5rRm8YqFVrYIUducfiHSWcu5oxuY="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10036&&&&{"aesFlag":1,"varName":"procpath","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"M1psS2sL+qyjR6s0zjGxqw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10039&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10038\",\"10035\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10038&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10033\",\"10034\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10040&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10040","type":"script","value":"___ACTION_JSON_10019=ACTION_JSON('3','name','kill_process','pid',pid,'procname',procname);\naction_json_str=___ACTION_JSON_10019;rm('___ACTION_JSON_10019');\n","version":"1.0","extendF [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10041&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10041","type":"script","value":"retainField(traceid,procpath,create_time,pid,action_json_str,uuid,ppid,cwd,module_id,data_name,process_status,exec_info_data,data_type,raw_info,aliuid,cmd,procname,logtime,md5,username [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10042&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10042","type":"script","value":"___json_get_10058=json_get(exec_info_data,'$.name');\ndata_name=___json_get_10058;rm('___json_get_10058');\n___json_get_10059=json_get(exec_info_data,'$.type');\ndata_type=___json_get_ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10043&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10043","type":"script","value":"retainField(traceid,module_id,data_name,exec_info_data,data_type,raw_info,aliuid,cmd,logtime,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10044&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10044","type":"script","value":"___json_get_10062=json_get(raw_info,'$.buffer');\nraw_buffer=___json_get_10062;rm('___json_get_10062');\n___json_get_10063=json_get(raw_info,'$._');\ntag=___json_get_10063;rm('___json_ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10045&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10045","type":"script","value":"retainField(traceid,uuid,raw_buffer,check_rules,module_id,data_name,exec_info_data,data_type,raw_info,aliuid,cmd,tag,logtime);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_client_aegis_client_rule_10006&&&&{"expressionStr":"(data_type,==,'linux_hidden_modules_check')&((check_rules,==,'diff_kcore_proc')&(raw_buffer,like,'0000000000000000000100000000adde000200000000adde%'))","scriptNames":"[]","expressionName":"10046","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_rule_1000 [...]
-dipper.private.blink.rules&&&&express&&&&10042&&&&{"aesFlag":1,"varName":"data_type","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"gIUAh6Pk1RIMC88K2POd61aFv5iTdm91J843qDMPKi0="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10044&&&&{"aesFlag":1,"varName":"raw_buffer","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"swpZu3EgJWtT7PnH+5uMmoXU7Ioqx8hDPW0CxnjWPPht2Ln1RwDx1bH3KsV+nSRHZ7UyZvu+rhILQvVCa2LXgA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10043&&&&{"aesFlag":1,"varName":"check_rules","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"u1CqNGOuadoGXwfrY4IxRQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10046&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10042\",\"10045\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10045&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10043\",\"10044\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10046&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10046","type":"script","value":"retainField(traceid,uuid,raw_buffer,check_rules,module_id,data_name,exec_info_data,data_type,raw_info,aliuid,cmd,tag,logtime);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10047&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10047","type":"script","value":"___json_get_10065=json_get(exec_info_data,'$.name');\ndata_name=___json_get_10065;rm('___json_get_10065');\n___json_get_10066=json_get(exec_info_data,'$.type');\ndata_type=___json_get_ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10048&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10048","type":"script","value":"retainField(traceid,module_id,data_name,exec_info_data,data_type,raw_info,aliuid,cmd,logtime,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_client_aegis_client_rule_10007&&&&{"expressionStr":"data_type,==,'ActiveScriptEventConsumer'","scriptNames":"[]","expressionName":"10047","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_rule_10007","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10047&&&&{"aesFlag":1,"varName":"data_type","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"cwoTHTD/TNX6siEEbMw3A56xFF6iqvT5S6ES7bZSrPM="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10049&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10049","type":"script","value":"___json_get_10069=json_get(raw_info,'$.ScriptText');\nScriptText=___json_get_10069;rm('___json_get_10069');\n___json_get_10070=json_get(raw_info,'$.ScriptingEngine');\nScriptingEngine= [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10050&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10050","type":"script","value":"retainField(traceid,module_id,data_name,exec_info_data,data_type,raw_info,aliuid,cmd,ScriptText,ScriptingEngine,logtime,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10051&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10051","type":"script","value":"___len_10001=len(ScriptText);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_client_aegis_client_rule_10008&&&&{"expressionStr":"___len_10001,>,double,20","scriptNames":"[]","expressionName":"10048","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_rule_10008","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10048&&&&{"varName":"___len_10001","functionName":">","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"20.0"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10052&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10052","type":"script","value":"___ACTION_JSON_10020=ACTION_JSON('2','name','exec_command','cmd','%SystemRoot%/System32/wbem/wmic.exe /NAMESPACE:------\\\\root\\subscription------ PATH ActiveScriptEventConsumer DELET [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10053&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10053","type":"script","value":"retainField(traceid,action_json_str,uuid,module_id,data_name,exec_info_data,data_type,raw_info,aliuid,cmd,ScriptText,ScriptingEngine,logtime);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10054&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10054","type":"script","value":"___json_get_10071=json_get(exec_info_data,'$.name');\ndata_name=___json_get_10071;rm('___json_get_10071');\n___json_get_10072=json_get(exec_info_data,'$.type');\ndata_type=___json_get_ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10055&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10055","type":"script","value":"retainField(traceid,module_id,data_name,exec_info_data,data_type,raw_info,aliuid,cmd,logtime,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_client_aegis_client_rule_10009&&&&{"expressionStr":"data_type,in,'\\'HiddenPreloadDynamicLibrary\\',\\'HiddenPreloadFile\\''","scriptNames":"[]","expressionName":"10049","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_rule_10009","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNa [...]
-dipper.private.blink.rules&&&&express&&&&10049&&&&{"aesFlag":1,"varName":"data_type","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"LVgTkdA+DPbT+7GBLM6kDQIJMpzRafxq7vLqDdBJfJSG/fNxBKde7P5Y6T+6S/G0g2fPsJKMkGJZoB7p50itCw=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10056&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10056","type":"script","value":"___json_get_10075=json_get(raw_info,'$.filepath');\nld_filepath=___json_get_10075;rm('___json_get_10075');\n___json_get_10076=json_get(raw_info,'$.subfilepath');\nsubfilepath=___json_g [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10057&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10057","type":"script","value":"retainField(traceid,uuid,ld_filepath,ld_content,module_id,data_name,subfilepath,exec_info_data,data_type,raw_info,aliuid,cmd,logtime);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10058&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10058","type":"script","value":"___ACTION_JSON_10021=ACTION_JSON('2','name','truncate_and_lock_file','filepath','/etc/ld.so.preload','2','name','exec_command','cmd','echo > /etc/ld.so.preload; rm -f /etc/ld.so.preloa [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10059&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10059","type":"script","value":"retainField(traceid,action_json_str,uuid,ld_filepath,ld_content,module_id,data_name,subfilepath,exec_info_data,data_type,raw_info,aliuid,cmd,logtime);","version":"1.0","extendField":"[ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10060&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10060","type":"script","value":"ali_uid='';\nclient_ip='';\nevent_type='持久化后门';\nevent_name='异常计划任务(体检)';\nlevel='high';\n___cast_10140=cast(uuid,'string');\n___cast_10141=cast(logtime,'string');\n___!null_10007=!nul [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10061&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10061","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_client_aegis_client_channel_10001&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink_source_aegis_client_aegis_client_channel_10001","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder":"true","maxFetchLogGroupSize":"100","syn [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10062&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10062","type":"script","value":"___json_get_10078=json_get(exec_info_data,'$.name');\ndata_name=___json_get_10078;rm('___json_get_10078');\n___json_get_10079=json_get(exec_info_data,'$.type');\ndata_type=___json_get_ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10063&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10063","type":"script","value":"retainField(traceid,module_id,data_name,exec_info_data,data_type,raw_info,aliuid,cmd,logtime,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_client_aegis_client_rule_10010&&&&{"expressionStr":"data_type,==,'CrontabItem'","scriptNames":"[]","expressionName":"10050","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_rule_10010","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10050&&&&{"aesFlag":1,"varName":"data_type","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"xHHZWDjQ0GhmZS+s1WEivg=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10064&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10064","type":"script","value":"___json_get_10082=json_get(raw_info,'$.head_content');\nhead_content=___json_get_10082;rm('___json_get_10082');\n___json_get_10083=json_get(raw_info,'$.filepath');\nraw_filepath=___jso [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10065&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10065","type":"script","value":"retainField(traceid,head_content,module_id,data_name,exec_info_data,data_type,raw_filepath,raw_info,aliuid,cmd,logtime,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10066&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10066","type":"script","value":"___HEX2CLEAN_10001=HEX2CLEAN(head_content);\nclean_text=___HEX2CLEAN_10001;rm('___HEX2CLEAN_10001');\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10067&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10067","type":"script","value":"retainField(traceid,head_content,uuid,module_id,data_name,exec_info_data,data_type,raw_filepath,raw_info,aliuid,cmd,logtime,clean_text);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_client_aegis_client_rule_10011&&&&{"expressionStr":"head_content,like,'5245444953%'","scriptNames":"[]","expressionName":"10051","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_rule_10011","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10051&&&&{"aesFlag":1,"varName":"head_content","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"zAN6I/RDzTx3dgDFvFgeFw=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10068&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10068","type":"script","value":"___ACTION_JSON_10022=ACTION_JSON('2','name','truncate_and_lock_file','filepath',raw_filepath);\naction_json_str=___ACTION_JSON_10022;rm('___ACTION_JSON_10022');\n","version":"1.0","ext [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10069&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10069","type":"script","value":"retainField(traceid,head_content,action_json_str,uuid,module_id,data_name,exec_info_data,data_type,raw_filepath,raw_info,aliuid,cmd,logtime,clean_text);","version":"1.0","extendField": [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10070&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10070","type":"script","value":"ali_uid='';\nclient_ip='';\nevent_type='持久化后门';\nevent_name='异常计划任务(体检)';\nlevel='high';\n___cast_10142=cast(uuid,'string');\n___cast_10143=cast(logtime,'string');\n___JSON_CONCAT_1001 [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10071&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10071","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_client_aegis_client_channel_10002&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink_source_aegis_client_aegis_client_channel_10002","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder":"true","maxFetchLogGroupSize":"100","syn [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10072&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10072","type":"script","value":"___json_get_10084=json_get(exec_info_data,'$.name');\ndata_name=___json_get_10084;rm('___json_get_10084');\n___json_get_10085=json_get(exec_info_data,'$.type');\ndata_type=___json_get_ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10073&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10073","type":"script","value":"retainField(traceid,module_id,data_name,exec_info_data,data_type,raw_info,aliuid,logtime,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_client_aegis_client_rule_10012&&&&{"expressionStr":"data_type,==,'Services'","scriptNames":"[]","expressionName":"10052","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_rule_10012","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10052&&&&{"aesFlag":1,"varName":"data_type","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"yaK344taTb0rT/mrxZPPJQ=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10074&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10074","type":"script","value":"___json_get_10087=json_get(raw_info,'$.ImagePath');\ncmdline=___json_get_10087;rm('___json_get_10087');\n___json_get_10088=json_get(raw_info,'$.ServiceName');\nServiceName=___json_get_ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10075&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10075","type":"script","value":"retainField(traceid,module_id,cmdline,data_name,ServiceName,exec_info_data,data_type,raw_info,aliuid,ServiceDll,logtime,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10076&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10076","type":"script","value":"___lower_cmdline_10001=lower(cmdline);\n___REGEXP_REPLACE_10003=REGEXP_REPLACE(___lower_cmdline_10001,'[\\^,#~~~~~\\\\]','');\nclean_cmd=___REGEXP_REPLACE_10003;rm('___REGEXP_REPLACE_1 [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10077&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10077","type":"script","value":"retainField(traceid,clean_cmd,ServiceDll,uuid,module_id,cmdline,data_name,ServiceName,exec_info_data,data_type,raw_info,aliuid,logtime);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_client_aegis_client_rule_10013&&&&{"expressionStr":"((clean_cmd,regex,'powershell(\\.exe)?\\s.*?(downloadstring|downloaddata)')|(clean_cmd,regex,'powershell(\\.exe)?\\s.*?\\-(e|en|ec|enc|enco|encod|encode|encoded\\w*)\\s[\\w/\\+]{10,}'))|(clean_cmd,regex,'\\b(mshta)(\\.exe)?\\s+https?://')","scriptNames":"[]","expressionName":"10057","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dippe [...]
-dipper.private.blink.rules&&&&express&&&&10053&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"z8yLDlsTggzmzcjTt76NpSnu882Zxn0sLxoESbjcKerhyynLIFAn+A2djHJ+Ac/Q/uNxuRa0g2ycveHD2xU13w=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10055&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"BIaPtBCWgcGbMYsrf33TW4lv3W84RA2B0XbvLcYOCac="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10054&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"z8yLDlsTggzmzcjTt76Npb0xH68Um53ifSHfmghWGcH7c28JW+KNRcYrfH4caAPafO5ak21ko2ELBABNxEAtz26dwcIOrZADeJEmQGHmeF1y+TkFBjVhO+xaGQ/KSasp"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10057&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10056\",\"10055\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10056&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10053\",\"10054\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10078&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10078","type":"script","value":"___ACTION_JSON_10023=ACTION_JSON('2','name','disable_services','servicename',ServiceName);\naction_json_str=___ACTION_JSON_10023;rm('___ACTION_JSON_10023');\n","version":"1.0","extendF [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10079&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10079","type":"script","value":"retainField(traceid,clean_cmd,ServiceDll,action_json_str,uuid,module_id,cmdline,data_name,ServiceName,exec_info_data,data_type,raw_info,aliuid,logtime);","version":"1.0","extendField": [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10080&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10080","type":"script","value":"ali_uid='';\nclient_ip='';\nevent_type='持久化后门';\nevent_name='异常计划任务(体检)';\nlevel='high';\n___cast_10144=cast(uuid,'string');\n___cast_10145=cast(logtime,'string');\n___JSON_CONCAT_1001 [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10081&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10081","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_client_aegis_client_channel_10003&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink_source_aegis_client_aegis_client_channel_10003","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder":"true","maxFetchLogGroupSize":"100","syn [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10082&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10082","type":"script","value":"___json_get_10090=json_get(exec_info_data,'$.name');\ndata_name=___json_get_10090;rm('___json_get_10090');\n___json_get_10091=json_get(exec_info_data,'$.type');\ndata_type=___json_get_ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10083&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10083","type":"script","value":"retainField(traceid,module_id,data_name,exec_info_data,data_type,raw_info,aliuid,logtime,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_client_aegis_client_rule_10014&&&&{"expressionStr":"data_type,==,'RegistryGeneral'","scriptNames":"[]","expressionName":"10058","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_rule_10014","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10058&&&&{"aesFlag":1,"varName":"data_type","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"ISXhri5DWavQ1E9PYIrdqg=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10084&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10084","type":"script","value":"___json_get_10093=json_get(raw_info,'$.regpath');\nregpath=___json_get_10093;rm('___json_get_10093');\n___json_get_10094=json_get(raw_info,'$.regvalue');\nregvalue=___json_get_10094;rm [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10085&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10085","type":"script","value":"retainField(traceid,module_id,data_name,regpath,regvalue,exec_info_data,data_type,raw_info,aliuid,logtime,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10086&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10086","type":"script","value":"___lower_regvalue_10001=lower(regvalue);\n___REGEXP_REPLACE_10004=REGEXP_REPLACE(___lower_regvalue_10001,'[\\^,#~~~~~\\\\]','');\nclean_regvalue=___REGEXP_REPLACE_10004;rm('___REGEXP_R [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10087&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10087","type":"script","value":"retainField(traceid,module_id,data_name,regpath,regvalue,exec_info_data,data_type,raw_info,aliuid,clean_regvalue,logtime,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_client_aegis_client_rule_10015&&&&{"expressionStr":"(((((((((((((((((clean_regvalue,regex,'regsvr32.+?/i:.+?scrobj\\.dll')|(clean_regvalue,regex,'msiexec(\\.exe)?\\s+/i\\s+https?://'))|(clean_regvalue,regex,'mshta(\\.exe)?\\s+https?://'))|(clean_regvalue,regex,'powershell.+?\\-e\\s+[a-z0-9/\\+]{70,}'))|(clean_regvalue,regex,'powershell.+iex.+\\.downloadstring\\('))|(clean_regvalue,regex,'powershell.+\\b(downloadfile|downloaddata)\\ [...]
-dipper.private.blink.rules&&&&express&&&&10091&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10090\",\"10074\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10090&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10089\",\"10073\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10071&&&&{"aesFlag":1,"varName":"clean_regvalue","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"rGbRaHb1gzHBJCkkEtkmfQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10093&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10092\",\"10076\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10070&&&&{"aesFlag":1,"varName":"clean_regvalue","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"2n+Wuwe9F3dp+DlBZXjzJKlOHk1M/vceN4wGP39FpBU="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10092&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10091\",\"10075\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10073&&&&{"aesFlag":1,"varName":"clean_regvalue","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"dFDEJIEmvW0olWKO1nO/n/NToP4NHtk0ILqfhwv4RDk="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10072&&&&{"aesFlag":1,"varName":"clean_regvalue","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"K8/ZIADsrlSHR6UcJcGm0R1CYQXvfX2LbXDKFXbbaOs="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10075&&&&{"aesFlag":1,"varName":"clean_regvalue","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"lA+s/2pjBgZylmdKCCk9f9gHAxmoaLeAMkSb05249fM="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10074&&&&{"aesFlag":1,"varName":"clean_regvalue","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"GkO9QHwKTBmmAMjCF3nvkLyrtSw64eX5drU2fZt5fKw="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10077&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10059\",\"10060\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10076&&&&{"aesFlag":1,"varName":"regpath","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"d2Z4d4+xxxc/RvqW0b7JkTGVrNq5Yr1KV7gsQDo62ik="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10079&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10078\",\"10062\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10078&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10077\",\"10061\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10059&&&&{"aesFlag":1,"varName":"clean_regvalue","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"XFqPbku4H9xUfMrp1IQY1YAjxm9nRo2fub66YWLpzO0="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10080&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10079\",\"10063\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10060&&&&{"aesFlag":1,"varName":"clean_regvalue","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"Ff1TeJfJS8k3qIuPll4HmWzovg6vUR1ozG+8OV9ZFplgy+vLq7ICH29K211Y93WS"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10082&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10081\",\"10065\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10081&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10080\",\"10064\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10062&&&&{"aesFlag":1,"varName":"clean_regvalue","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"AxvKmdL3nsguw9Oz1IbOdwtVLieg88TtZto1eiiv/TAT0vdUHGX/rBDT06HCSy77"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10084&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10083\",\"10067\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10061&&&&{"aesFlag":1,"varName":"clean_regvalue","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"4VwxUCRBFapbl1aw8xZCdVj8P+rSqPDZ6DwjK7XhWeA="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10083&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10082\",\"10066\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10064&&&&{"aesFlag":1,"varName":"clean_regvalue","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"IqTfIM/H3bwn+VlZ6JdZEPpuJcJ+gDSAwSZL2vJ8vh9sy593aSVReX6iZB3WiJ2a"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10086&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10085\",\"10069\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10063&&&&{"aesFlag":1,"varName":"clean_regvalue","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"K7G0GkInMpEXBQXNc0VDt7KN4byxfQp9KL1tduNL6paMVjI1vgK0ReKUgf+PwiON"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10085&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10084\",\"10068\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10066&&&&{"aesFlag":1,"varName":"clean_regvalue","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"m6zyqDhKVApl4GgJREslRF4DWkt9/S1Sd6pjznLQIBU="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10088&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10087\",\"10071\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10065&&&&{"aesFlag":1,"varName":"clean_regvalue","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"j2a3YippAFdAbrToOmedNMUjQzS7q+iIhy4RhZZg2TQM3AlbEkwBfCyHC5igc5fT+Fb7xGz/cbj/ThfQ6rRCHqtwXseuXzIBd5EfETK/EEXFd51Q2/R/ILR8K0I3n4pIV4372Lb4kv22bS0CslHyxMAtsuxwwPO/xjJc9xGQlHw="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10087&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10086\",\"10070\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10068&&&&{"aesFlag":1,"varName":"clean_regvalue","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"4mg+vxX+MZbNfIPcD7gJO/H/bHrD7VKwUBY0qOmsWSTAR9sCBJgMK8qgUjmMtsjBmp8h4W6JRbR7Aujec0l2xw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10067&&&&{"aesFlag":1,"varName":"clean_regvalue","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"AYC9rVVanS3Jeomd0SAeaXy+V7Zv4m3sSnImuJ7XMQI="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10089&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10088\",\"10072\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10069&&&&{"aesFlag":1,"varName":"clean_regvalue","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"vHpCF0SXL5Xqgf+lUmb7cm+VbZb4pRtg+1XJ974IN0OqNhqHVWEudoaWEeqEHH8PO36+jok7Z5oPprxgPlvGsksmAfwoy0+5FMxlQJeeGnPsRVn2ab9Ur2Vo/EJy39l9SUUGA4PaVJGNyFaGNe+RYxeDvOty6hi/icEw+uUwOXz13fr9Q9SwXecW3nhybJgDyVYBJ+cJnIdl6u+rs9DTwy3JKXjXSnt [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10088&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10088","type":"script","value":"___ACTION_JSON_10024=ACTION_JSON('4','name','modify_regedit','key',regpath,'type','REG_SZ','value','#');\naction_json_str=___ACTION_JSON_10024;rm('___ACTION_JSON_10024');\n","version": [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10089&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10089","type":"script","value":"retainField(traceid,regpath,action_json_str,uuid,module_id,data_name,regvalue,exec_info_data,data_type,raw_info,aliuid,clean_regvalue,logtime);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10090&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10090","type":"script","value":"ali_uid=aliuid;\nclient_ip='';\nevent_type='持久化后门';\nevent_name='异常计划任务(体检)';\nlevel='high';\n___cast_10146=cast(uuid,'string');\n___cast_10147=cast(logtime,'string');\n___JSON_CONCAT_ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10091&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10091","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_client_aegis_client_channel_10004&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink_source_aegis_client_aegis_client_channel_10004","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder":"true","maxFetchLogGroupSize":"100","syn [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_client_aegis_client_rule_10016&&&&{"expressionStr":"(data_type,==,'LinuxPubKey')&(((((((((raw_info_line,like,'%AAAAB3NzaC1yc2EAAAADAQABAAABAQDfxLBb/eKbi0TVVULI8ILVtbv2iaGM+eZbZoCWcD3v/eF1B/VkHAC1YwIhfqkUYudwhxVfQzsOZYQmKyapWzgp3tBAxcl82Al++VQc36mf/XFnECHndJS1JZB429/w/Ao+KlASl/qzita61D2VsXyejIQIeYR7Ro+ztLSTXjx+70CvzgOae3oayunL/hGX8qORIkG5YR3R1Jefhxy1NhGxEd6GaR7fZA5QWGfM17IcSXi2Q876JL8U7Aq8cjQyN/kGT2jWiiQiOZzqbjVJVICiwk0KvtrTwppV6FLt [...]
-dipper.private.blink.rules&&&&express&&&&10095&&&&{"aesFlag":1,"varName":"raw_info_line","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"BZyzV+vOpM9E4GE/C1+u1R3hAW1fOH9aQGx9ahg0yNudFHWwPe2FE44JaD64ScqNAWl0kpKYqdSFxtIU7kljwMkPVASi7+bRhuv0V+0kfUNuJE5/tKhO8VTxroNeOFvuHaoxBocCdBX9AGUnl++odyjQc5TuDEwvZgWk2edDpC2mSIUj8UbvbCaTKCnvQGxo+abHOEfyDywjmGUZePU/L3FLcRsSiTY+r [...]
-dipper.private.blink.rules&&&&express&&&&10094&&&&{"aesFlag":1,"varName":"data_type","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"L+tfStNGCgbXQV5HUvPbBQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10097&&&&{"aesFlag":1,"varName":"raw_info_line","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"BZyzV+vOpM9E4GE/C1+u1dG/roJI7dy8yHHcvUlv3L8LCMKGsui0CYCVBkxKX6uqhMEwuQm3lAiyVgDXrHLFrjitLM7hzpxgj7MuNTYuZnPklTLy5Al1COo8bZtdU+x+nK32Ajspo4qHO+/w/L2PyniZq9WaVBtE/LZ4yTrnif2sjAdv0lBCuqZIiKT9SHf0DjVrX4oWzCj+IznfUA43IxdLzp7rvkl5j [...]
-dipper.private.blink.rules&&&&express&&&&10096&&&&{"aesFlag":1,"varName":"raw_info_line","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"BZyzV+vOpM9E4GE/C1+u1etnswILW8xZkCu2PhDMMSj61KJYuJqqkMSGwlgyyfwtHYbZEDB6YoMfPyRHP0gsM9M63nKtIp8aDr65/Mubu/e28eRSV+e5/nhY8cya/LYo9HNYcAuKIKaaWAyoebsAmLcJH5CU4PUJ1w8DSTiV9UZbEJtSiUUZL3qCnxjyrasqkE+O4fKP1XsxZ1n0/cSLmbri3NC5AVmk1 [...]
-dipper.private.blink.rules&&&&express&&&&10107&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10106\",\"10099\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10106&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10105\",\"10098\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10109&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10108\",\"10101\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10108&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10107\",\"10100\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10099&&&&{"aesFlag":1,"varName":"raw_info_line","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"BZyzV+vOpM9E4GE/C1+u1etnswILW8xZkCu2PhDMMSgbKKfTXQ+LEQA116iA0ZfpqwiVnmK3nLloSbbOZgXNLOKc/EppO12yH8JphnHznUBiZ9lNYZtMldox0QBsvEzKgOUNLxHhHNFv1ICPYVBVOI3Ug4J1AIhwEZFJdPRirk/xIx15b96rtHt3UD4D8Brnvh+2VHFFdU96S2OSKt5TZfDKtmqovotFI [...]
-dipper.private.blink.rules&&&&express&&&&10110&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10109\",\"10102\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10098&&&&{"aesFlag":1,"varName":"raw_info_line","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"BZyzV+vOpM9E4GE/C1+u1etnswILW8xZkCu2PhDMMShO2vWDXoHDyQ1dCl1s2me5m8XYhv781gNSHLgzdXUjQVAL5WfpgMm6FasOOcML5iQSISAwcUkn+VuxPL3yY7xq81dP/qnYH+zs/kfLtsl0/T4rZ+jRG/dJhd4kzDI8MTPRIQBC56xhAjN7myFgL2X/FOiTNtnr2RMdepptIeZN586QyAV61jZNE [...]
-dipper.private.blink.rules&&&&express&&&&10101&&&&{"aesFlag":1,"varName":"raw_info_line","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"BZyzV+vOpM9E4GE/C1+u1R3hAW1fOH9aQGx9ahg0yNt8dN6xyUIPvRTC9ZxV1HmLyIXAIFDFLNihY8yyfy57+B0wEM5icSCuVXBAx/t4PRz+hULepYjgent35th+F7DNXPtOZPi9mqjM2b/ZogoGVk5gIN1Da8Sf8fReXezb0/1/jHNZ2J5VUcp0WxGepNZVQlBAQDScJ7TgSTGih9sZVDWCVkOSKRBS8 [...]
-dipper.private.blink.rules&&&&express&&&&10112&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10094\",\"10111\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10100&&&&{"aesFlag":1,"varName":"raw_info_line","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"BZyzV+vOpM9E4GE/C1+u1R3hAW1fOH9aQGx9ahg0yNt82om/CvGg1RVoPa9yicD9DpX/CL3lrWNYCrVePRdPodqQJSk+/GiZvUSxm4VMmTGdR/AaHZKXqVFOOlkyiUusVUHhgtr67pmHxlkc4mPMBDTZYZXKO7mMDscK2DozrGQ/2jzTuY0DyBsoia+xMBFoiV6AzSU4gpfW6+B7rrA0l2tcrc/HsEzS9 [...]
-dipper.private.blink.rules&&&&express&&&&10111&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10110\",\"10103\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10103&&&&{"aesFlag":1,"varName":"raw_info_line","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"BZyzV+vOpM9E4GE/C1+u1bkkDFrPHhbxCC/B8z3puSbzjTCG7R4kt3felgsOX9DzYpbc8BBRCzbmp4y8gzVEidhhJQHlJpy2jVJYq4V9onswKddBtjwvDiHFIdXZhufE/DzQd+pwdNuERsqS5srrB6QAXN+Cq1Me3luoo2TiH1kcBFAIuHBuhFfL9nvpP/Kut7Rw2sqOaLPuBnoRFnoDcjX9TS2lBv9H1 [...]
-dipper.private.blink.rules&&&&express&&&&10102&&&&{"aesFlag":1,"varName":"raw_info_line","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"BZyzV+vOpM9E4GE/C1+u1RL4jtf9LpjbgPbnoNdnKaB8plVaD7XXdsnFWqfmrfkuzHLef7y34QfHA4x4xUjDYRtbznkKSAHn+pXY4acczAQlU11b9T+wejb/YriadpGGgy0jxqGYcy796E3gpR7aDI8lNYGb4ekKVd/IuOVd+Fpa9GHK0poBZzIIcVHtsNe559CxUVlqCfpBe66IcUfsJVmcQ1lkwqg77 [...]
-dipper.private.blink.rules&&&&express&&&&10105&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10104\",\"10097\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10104&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10095\",\"10096\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10092&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10092","type":"script","value":"ali_uid='';\nclient_ip='';\nevent_type='持久化后门';\nevent_name='SSH后门公钥(体检)';\nlevel='high';\n___cast_10010=cast(uuid,'string');\n___cast_10011=cast(logtime,'string');\n___cast_10012=cast [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10093&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10093","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_client_aegis_client_channel_10005&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink_source_aegis_client_aegis_client_channel_10005","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder":"true","maxFetchLogGroupSize":"100","syn [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10094&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10094","type":"script","value":"___lower_raw_info_procname_10001=lower(raw_info_procname);\n___lower_raw_info_procname_10002=lower(raw_info_procname);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_client_aegis_client_rule_10017&&&&{"expressionStr":"(data_type,==,'ProcessGeneral')&((((clean_cmd,like,'%powershell%')&(((((((((((clean_cmd,regex,'(downloadfile|downloaddata)')|(clean_cmd,regex,'\\-(e|en|ec|enc|enco|encod|encode|encoded|encodedc|encodedco|encodedcom|encodedcomm|encodedcomma|encodedcomman)\\s+[a-z0-9]'))|(clean_cmd,regex,'\\-ep\\s+bypass'))|(clean_cmd,regex,'\\-nop\\s'))|(clean_cmd,regex,'\\-w\\s+(1|hidden)'))|(clea [...]
-dipper.private.blink.rules&&&&express&&&&10150&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10132\",\"10133\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10130&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"4VwxUCRBFapbl1aw8xZCdVj8P+rSqPDZ6DwjK7XhWeA="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10152&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10149\",\"10151\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10151&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10131\",\"10150\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10118&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"ouQjhbeAwkNjrRvJ8UMqmw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10117&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"DxS0iDNXMTm3R/bUrlI4Ew=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10139&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10138\",\"10121\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10119&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"pJf/w2pXTWmKHUew8iYxt1ZbZjQzO/biGjN8DMtK0/o="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10132&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"jnLRKPaJrt+U/7jhC9V7+Q=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10131&&&&{"aesFlag":1,"varName":"___lower_raw_info_procname_10002","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"4z7wKva/e4zfA08jEM4BaA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10153&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10113\",\"10152\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10134&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10115\",\"10116\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10133&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"vnQBvkfNvdlhhMP/hu6jdQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10114&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"GxCS7TuHXaBMYH4e8eW32w=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10136&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10135\",\"10118\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10113&&&&{"aesFlag":1,"varName":"data_type","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"XiZqpAF5OpdGedX7s8cLFg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10135&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10134\",\"10117\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10116&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"OrnzgTI9Ufwp1/kZzZG+NzAQmbLyWvVqTUuRQiSUJJ+Xu05+Kdd7XJemezuep44L2yssNQnog5RfHSCxdwF1JpTlW2sjBGnQvHE3JVlfRhdB5um86EHf52W2G9FARcI88aE0Z0X7uKgc55vNT7zOtKPGt6c5WNk1gLqlVt4Pg+g="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10138&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10137\",\"10120\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10115&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"sC2O3jJ3TKisOINmoF7BmJBR/jrgpxBsxIi3LdYHCfo="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10137&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10136\",\"10119\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10141&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10140\",\"10123\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10140&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10139\",\"10122\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10129&&&&{"aesFlag":1,"varName":"___lower_raw_info_procname_10001","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"XbhcTcRCF+f3m8FZ8EY4gg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10128&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"f7LNrebShYHIo0rK/UJqkVex4bSD8ACQvziOSP6/25g="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10121&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"k6jXhDndhQ9goN1tiPShLyBfOCCzqkpKPqWOlKA1KwM="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10143&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10126\",\"10127\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10120&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"D0Uuthi0CJWNxNAaIXZirg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10142&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10141\",\"10124\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10123&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"Jb/cCVTj1iXKNMzN7/gFFg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10145&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10144\",\"10128\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10122&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"MjJAk95L4fizoLA150avTw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10144&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10125\",\"10143\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10125&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"zcpvnfW4flEhijke/ZjFAg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10147&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10114\",\"10146\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10124&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"KWZxigPMMzTu/5XO8na/Cw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10146&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10142\",\"10145\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10127&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"p1undPH4vbk2O0DqzLEhBQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10149&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10147\",\"10148\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10126&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"hEEQwa8sroGi8ZGLurAJLfyULT9St0Y5l2H0P2yeHwg="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10148&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10129\",\"10130\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10095&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10095","type":"script","value":"ali_uid='';\nclient_ip='';\nevent_type='持久化后门';\nevent_name='异常进程(体检)';\nlevel='high';\n___cast_10027=cast(uuid,'string');\n___cast_10028=cast(logtime,'string');\n___cast_10029=cast(cm [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10096&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10096","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_client_aegis_client_channel_10006&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink_source_aegis_client_aegis_client_channel_10006","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder":"true","maxFetchLogGroupSize":"100","syn [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10097&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10097","type":"script","value":"___lower_raw_info_line_10001=lower(raw_info_line);\n___lower_raw_info_line_10002=lower(raw_info_line);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_client_aegis_client_rule_10018&&&&{"expressionStr":"(data_type,==,'CrontabItem')&(((((((((((((((raw_info_filepath,regex,'/var/spool/cron/(tomcat|www|www\\-data|apache|httpd|jenkins|weblogic|mysql|zabbix|postgres|redis)$')&(raw_info_line,regex,'(curl |wget |://).+(\\|\\s*(bash|sh)|(&&|;)\\s*(bash|sh))'))|(___lower_raw_info_line_10001,regex,'(pastebin\\.com|\\.tor2web\\.|\\.onion\\.\\w+/)'))|((raw_info_line,regex,' \\-fsSL ')&(raw_in [...]
-dipper.private.blink.rules&&&&express&&&&10170&&&&{"aesFlag":1,"varName":"cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"AyovPj97MVHY9x62K+ZoLQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10172&&&&{"aesFlag":1,"varName":"cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"ka69jAAiNWnzRgL0a48Cnw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10171&&&&{"aesFlag":1,"varName":"cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"2lH4GJEiIIHCo5tBHjFPEOslYnaUJcpOXNOs5XbWJHE="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10174&&&&{"aesFlag":1,"varName":"cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"FlORTfzCcyv0VXlFx/24EyLnGPzKfY0PtK0RhzEhmzk="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10173&&&&{"aesFlag":1,"varName":"cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"N619AMCXLmmPL7ATzW/VKw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10217&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10216\",\"10184\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10216&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10215\",\"10183\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10219&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10218\",\"10186\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10218&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10217\",\"10185\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10176&&&&{"aesFlag":1,"varName":"cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"6Ehxe/ysZelO3CsbJZ+s9g=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10175&&&&{"aesFlag":1,"varName":"cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"WIBK8so6rl0DaIJrn+cHrA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10178&&&&{"aesFlag":1,"varName":"raw_info_line","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"ybUzb0GNXxNAcTWAAPvJPzmDdfy/aASkMeqe6rFpxOQmr395aMACKwpBQ4RaHfPM"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10211&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10177\",\"10178\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10177&&&&{"aesFlag":1,"varName":"raw_info_line","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"04Fs9zdLfT/T/2h2zT9wjHwQ1t2ykCLotBYzrT75gGNXOHkfRM5XzhYHVc/JfF7H"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10210&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10208\",\"10209\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10213&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10212\",\"10180\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10179&&&&{"aesFlag":1,"varName":"raw_info_line","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"CJ8RVh3s4NkyMMceJ2ivAvjBBnb4FBzVtYe6CaX44BQ="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10212&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10211\",\"10179\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10215&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10214\",\"10182\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10214&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10213\",\"10181\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10181&&&&{"aesFlag":1,"varName":"raw_info_line","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"a7S9HBSu7DhJWJECYfsB2Q=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10180&&&&{"aesFlag":1,"varName":"raw_info_line","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"qhBbui9oktTasoU9RVBm11UIGHuPM81CCqhdnoCq4xo="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10183&&&&{"aesFlag":1,"varName":"raw_info_line","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"apoIbsLmNBxxeJCZbkh8yMIz6qmMnvduOA2LwxRUB9Y="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10182&&&&{"aesFlag":1,"varName":"raw_info_line","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"cKixOsIQ7FrAjU3C/q3usw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10185&&&&{"aesFlag":1,"varName":"raw_info_line","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"TD7IYlS5dZjfwO5AoHBjT4btf2k3CU+2dC6+1B+IgCo="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10184&&&&{"aesFlag":1,"varName":"raw_info_line","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"pEEnBL97WgC3bIC9ijDaUwiIp+heu6NYrM+OQ7go0qk="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10187&&&&{"aesFlag":1,"varName":"raw_info_line","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"rYwAgKtbXbiH8bWYdhoqY6LPMeGjL7kidhj76ytNZVk="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10220&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10219\",\"10187\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10186&&&&{"aesFlag":1,"varName":"raw_info_line","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"BDQshGbWFwEEax9X3au+YA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10189&&&&{"aesFlag":1,"varName":"raw_info_line","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"nxDSGLs0omeJL0BOA7jZzw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10222&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10221\",\"10189\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10188&&&&{"aesFlag":1,"varName":"raw_info_line","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"VqXp6KMOEZOLYJ5AgBObZhe5WBeg5knQLPjPWlO0Nd4="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10221&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10220\",\"10188\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10224&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10154\",\"10223\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10223&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10210\",\"10222\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10190&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10155\",\"10156\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10192&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10158\",\"10159\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10191&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10190\",\"10157\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10194&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10160\",\"10161\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10193&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10191\",\"10192\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10196&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10195\",\"10162\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10195&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10193\",\"10194\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10154&&&&{"aesFlag":1,"varName":"data_type","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"xHHZWDjQ0GhmZS+s1WEivg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10198&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10197\",\"10164\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10197&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10196\",\"10163\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10156&&&&{"aesFlag":1,"varName":"raw_info_line","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"WEMIKIZ571Q4Y/QQpqN7TEfYYuctkW76TRNRMp6/BWXN048NleKFFrqwHqF1elcwndVVd0iQ5Slmnhf3Z6tPsQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10155&&&&{"aesFlag":1,"varName":"raw_info_filepath","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"n23p4wIjNkxbIVURyDrxT5YNcmbNw1/LVGeSSFcbz3K1qtwn4mXSPZBBXyUTM+qvf5FUiQ3Kq9agSZDZCcYha10OjItTqfE3Gov7nr6Et5DPs/16Jd6GDDl04U3R+VTviEHuuELUKyJ7mMT/Cz8Dww=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10199&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10166\",\"10167\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10158&&&&{"aesFlag":1,"varName":"raw_info_line","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"72D2FUR8NOgHMNGaohKA/w=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10157&&&&{"aesFlag":1,"varName":"___lower_raw_info_line_10001","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"y9QWBxsY2OAY2ZznpLEXqhgoHSHYCVrcVUvDICZEeuHvVW01rz+Kfq8MQXqUPnfz"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10159&&&&{"aesFlag":1,"varName":"raw_info_line","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"Fq2bQGe9tGv1Qkyc8Q5PMA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10161&&&&{"aesFlag":1,"varName":"raw_info_line","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"vYIzbHNZQFejinB8Ru5YFnuS7DkIhcONHUl88tunJG0="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10160&&&&{"aesFlag":1,"varName":"raw_info_line","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"DS9OcRjwEq27ARivXv0rFqQBapesfw1T5cDImS1poPU="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10163&&&&{"aesFlag":1,"varName":"raw_info_line","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"DipVb4enDRvPCfKcV5R6f3rx5jSjKeseoqbFBaOLYYZ+nfvXWbCiMeyztKjveoUv"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10162&&&&{"aesFlag":1,"varName":"___lower_raw_info_line_10002","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"WEMIKIZ571Q4Y/QQpqN7TAyAnuA4Rf9GTXS/iTA8IU9gXadF+5P1WKmFDBVKgGtNV6jhdpZFbeTYZVut72HUXQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10206&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10172\",\"10173\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10205&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10202\",\"10204\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10208&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10207\",\"10174\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10207&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10205\",\"10206\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10209&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10175\",\"10176\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10165&&&&{"aesFlag":1,"varName":"raw_info_line","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"Tcg8as3TPnYJKB38oRhTKA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10164&&&&{"aesFlag":1,"varName":"raw_info_line","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"aUTk6gy9vmynBzG6n7soacHLailGLMFWVJKtYmuA8bk="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10167&&&&{"aesFlag":1,"varName":"raw_info_line","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"+2F4pj/+Wl5dV5xNp2noqg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10200&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10165\",\"10199\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10166&&&&{"aesFlag":1,"varName":"raw_info_line","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"SJG15mQS56+JNuCUdfjm7A=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10169&&&&{"aesFlag":1,"varName":"cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"ka69jAAiNWnzRgL0a48Cnw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10202&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10201\",\"10168\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10168&&&&{"aesFlag":1,"varName":"raw_info_line","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"2BTOjUy8J0x4M0w3P5HlQyaCmG/P5Bw8xl9dHz3pCC0="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10201&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10198\",\"10200\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10204&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10203\",\"10171\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10203&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10169\",\"10170\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10098&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10098","type":"script","value":"ali_uid='';\nclient_ip='';\nevent_type='持久化后门';\nevent_name='异常计划任务(体检)';\nlevel='high';\n___cast_10044=cast(uuid,'string');\n___cast_10045=cast(logtime,'string');\n___cast_10046=cast( [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10099&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10099","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_client_aegis_client_channel_10007&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink_source_aegis_client_aegis_client_channel_10007","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder":"true","maxFetchLogGroupSize":"100","syn [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_client_aegis_client_rule_10019&&&&{"expressionStr":"(data_type,==,'ScheduleTask')&((((clean_cmd,regex,'echo\\s.*?get\\s.*?ftp.*\\-s:')|((clean_cmd,like,'%powershell%')&(((((((((((clean_cmd,regex,'(downloadfile|downloaddata)')|(clean_cmd,regex,'\\-(e|en|ec|enc|enco|encod|encode|encoded|encodedc|encodedco|encodedcom|encodedcomm|encodedcomma|encodedcomman)\\s+[a-z0-9]'))|(clean_cmd,regex,'\\-ep\\s+bypass'))|(clean_cmd,regex,'\\-nop\\s [...]
-dipper.private.blink.rules&&&&express&&&&10251&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10250\",\"10236\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10250&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10249\",\"10235\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10239&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"hEEQwa8sroGi8ZGLurAJLfyULT9St0Y5l2H0P2yeHwg="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10238&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"zcpvnfW4flEhijke/ZjFAg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10231&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"ouQjhbeAwkNjrRvJ8UMqmw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10253&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10239\",\"10240\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10230&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"DxS0iDNXMTm3R/bUrlI4Ew=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10252&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10251\",\"10237\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10233&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"D0Uuthi0CJWNxNAaIXZirg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10255&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10254\",\"10241\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10232&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"pJf/w2pXTWmKHUew8iYxt1ZbZjQzO/biGjN8DMtK0/o="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10254&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10238\",\"10253\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10235&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"MjJAk95L4fizoLA150avTw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10257&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10227\",\"10256\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10234&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"k6jXhDndhQ9goN1tiPShLyBfOCCzqkpKPqWOlKA1KwM="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10256&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10252\",\"10255\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10237&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"KWZxigPMMzTu/5XO8na/Cw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10259&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10258\",\"10242\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10236&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"Jb/cCVTj1iXKNMzN7/gFFg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10258&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10226\",\"10257\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10260&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10259\",\"10243\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10240&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"p1undPH4vbk2O0DqzLEhBQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10261&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10225\",\"10260\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10228&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"sC2O3jJ3TKisOINmoF7BmJBR/jrgpxBsxIi3LdYHCfo="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10227&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"GxCS7TuHXaBMYH4e8eW32w=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10249&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10248\",\"10234\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10229&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"OrnzgTI9Ufwp1/kZzZG+NzAQmbLyWvVqTUuRQiSUJJ+Xu05+Kdd7XJemezuep44L2yssNQnog5RfHSCxdwF1JpTlW2sjBGnQvHE3JVlfRhdB5um86EHf52W2G9FARcI88aE0Z0X7uKgc55vNT7zOtKPGt6c5WNk1gLqlVt4Pg+g="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10242&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"4VwxUCRBFapbl1aw8xZCdVj8P+rSqPDZ6DwjK7XhWeA="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10241&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"f7LNrebShYHIo0rK/UJqkVex4bSD8ACQvziOSP6/25g="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10244&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10228\",\"10229\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10243&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"qsxpa9k7JgugBVJOgX0OOU6/ZHZF5QDeEDmLSMirjIY="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10246&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10245\",\"10231\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10245&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10244\",\"10230\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10226&&&&{"aesFlag":1,"varName":"clean_cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"uHktvI6l7A0arVp97UP3LXXWvdClqf67Lf1iXL9Oi90="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10248&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10247\",\"10233\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10225&&&&{"aesFlag":1,"varName":"data_type","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"anUuK2mD3ioF20PxopRM9w=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10247&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10246\",\"10232\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10100&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10100","type":"script","value":"ali_uid='';\nclient_ip='';\nevent_type='持久化后门';\nevent_name='异常计划任务(体检)';\nlevel='high';\n___cast_10061=cast(uuid,'string');\n___cast_10062=cast(logtime,'string');\n___cast_10063=cast( [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10101&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10101","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_client_aegis_client_channel_10008&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink_source_aegis_client_aegis_client_channel_10008","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder":"true","maxFetchLogGroupSize":"100","syn [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10102&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10102","type":"script","value":"___!null_10002=!null(data_name);\n___!null_10003=!null(cmd);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_client_aegis_client_rule_10020&&&&{"expressionStr":"((data_type,==,'ld_so_preload')&(raw_info_dynamic,regex,' T readdir'))|(((((data_type,==,'WMI')&___!null_10002)&(data_name,!in,'\\'N/A\\',\\'\\''))&___!null_10003)&(cmd,!in,'\\'N/A\\',\\'\\',\\'cscript KernCap.vbs\\''))","scriptNames":"[]","expressionName":"10272","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rul [...]
-dipper.private.blink.rules&&&&express&&&&10271&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10270\",\"10266\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10270&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10269\",\"___!null_10003\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10262&&&&{"aesFlag":1,"varName":"data_type","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"gLxi5VktFJrwW3OKtdQp3g=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10272&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10267\",\"10271\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10264&&&&{"aesFlag":1,"varName":"data_type","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"9Lz999aE2ngcyYuYoLoV4A=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10263&&&&{"aesFlag":1,"varName":"raw_info_dynamic","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"xt6pxCaaTUHThRq0tfGH+w=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10266&&&&{"aesFlag":1,"varName":"cmd","functionName":"!in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"s4XnGzCV421Rf4tamm1ESwcmCsEQRHx9L15rNSfbdxY="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10265&&&&{"aesFlag":1,"varName":"data_name","functionName":"!in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"QhO8c5+E1GcoCgDIqz67dw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10268&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10264\",\"___!null_10002\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10267&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10262\",\"10263\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10269&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10268\",\"10265\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10103&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10103","type":"script","value":"ali_uid='';\nclient_ip='';\nevent_type='持久化后门';\nevent_name='异常计划任务(体检)';\nlevel='high';\n___cast_10078=cast(uuid,'string');\n___cast_10079=cast(logtime,'string');\n___cast_10080=cast( [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10104&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10104","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_client_aegis_client_channel_10009&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink_source_aegis_client_aegis_client_channel_10009","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder":"true","maxFetchLogGroupSize":"100","syn [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink_source_aegis_client_aegis_client_union_10001&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\":\\\\\\\"script\\\\\\\",\\\\\\\"scriptName\\\\\\\":\\\\\\\"subpipline_blink_source_aegis_client_aegis_cl [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10001_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10001_script_10001","type":"script","value":"___json_get_10037=json_get(procfs_fd,'$.0');\n___json_get_10038=json_get(procfs_fd,'$.1');\n___json_get_10039=json_get(procfs_fd,'$.2');\n [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink_source_aegis_client_aegis_client_union_10001_rule_10001&&&&{"expressionStr":"((((procpath,regex,'/s?bin/(bash|sh|dash|zsh|csh|ash)$')&(cmd,regex,'^\\s*([/a-z]+/)?(bash|sh|dash)(\\s+\\-{1,2}\\w+){0,3}\\s*$'))&(___json_get_10037,like,'socket:%'))&(___json_get_10038,like,'socket:%'))&(___json_get_10039,like,'socket:%')","scriptNames":"[]","expressionName":"10281","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProc [...]
-dipper.private.blink.rules&&&&express&&&&10280&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10279\",\"10276\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10281&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10280\",\"10277\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10273&&&&{"aesFlag":1,"varName":"procpath","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"OBp1px8RK6IShOh8AAr0iNiACLtpVPuxvjjGqwECe2CFlei/vdLxd0i7pPmkRMA8"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10275&&&&{"aesFlag":1,"varName":"___json_get_10037","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"aBoycb0ObB8S4GNkLFcMBA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10274&&&&{"aesFlag":1,"varName":"cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"fPD9oXUqpQyYZMUxBHXE8eS8ejltc+NAc6ft0uRWZ0xSos/IrEKP8BNMubxm01sWQLQFQ1ERmiLgE9fyi7jxyA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10277&&&&{"aesFlag":1,"varName":"___json_get_10039","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"aBoycb0ObB8S4GNkLFcMBA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10276&&&&{"aesFlag":1,"varName":"___json_get_10038","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"aBoycb0ObB8S4GNkLFcMBA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10279&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10278\",\"10275\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10278&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10273\",\"10274\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10001_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10001_script_10002","type":"script","value":"virus_name='kill_process_with_pid';\n___cast_10095=cast(pid,'string');\n___ACTION_JSON_10001=ACTION_JSON('3','name','kill_process','pid',_ [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10001_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10001_script_10003","type":"script","value":"retainField(traceid,procpath,create_time,pid,action_json_str,uuid,cwd,module_id,data_name,process_status,proc_exe_raw,procfs_fd,exec_info_ [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink_source_aegis_client_aegis_client_union_10002&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\":\\\\\\\"script\\\\\\\",\\\\\\\"scriptName\\\\\\\":\\\\\\\"subpipline_blink_source_aegis_client_aegis_cl [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10002_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10002_script_10001","type":"script","value":"___!null_10004=!null(cmd);\n___lower_procname_10001=lower(procname);\n___lower_cmd_10004=lower(cmd);\n___lower_cmd_10005=lower(cmd);\n___l [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink_source_aegis_client_aegis_client_union_10002_rule_10001&&&&{"expressionStr":"(((((((((((((((((((((((cmd,like,'%--donate-level=%')|(cmd,like,'%--cpu-max-threads-hint=%'))|(cmd,like,'%--cpu-no-yield%'))|(cmd,like,'%stratum+tcp://%'))|(cmd,like,'%--max-cpu-usage%'))|((procpath,regex,'/(bash|sh|dash)$')&((cmd,regex,'echo[,\\s]+.+?\\|.*?base64[,\\s].*\\-\\w*d.*?\\|.*?sh')|(cmd,regex,'echo[,\\s]+[a-zA-Z0-9/+]{1024,}$'))))|((((cmd,regex,'\\ [...]
-dipper.private.blink.rules&&&&express&&&&10291&&&&{"aesFlag":1,"varName":"cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"cECkFlqt73o1xSPuzzd9z8UjXb5eh3aylRFhVB8A5to="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10290&&&&{"aesFlag":1,"varName":"cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"/Kpj4ers4UMmVZ4mIUFvjw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10293&&&&{"aesFlag":1,"varName":"cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"eP9+Z2NwGbAhTQ7h9nnmiaf/mgkt5YuGhjEDqecB2pc="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10370&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10322\",\"10323\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10292&&&&{"aesFlag":1,"varName":"cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"AyovPj97MVHY9x62K+ZoLQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10295&&&&{"aesFlag":1,"varName":"proc_exe_raw","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0hETEOhdPOhgsHqf9cITJ3uajHBEpIyhvtkptEzWPnE="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10372&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10371\",\"10327\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10294&&&&{"aesFlag":1,"varName":"cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"c6ggrlQrUeyhEqAP2etRwZM2jynxCzg2iUjWE1Dt+LEilGSPJSB98immmDV/Qw9D/R7TAkEEnU44a6fN64zzDjqD2pCD8cugrM+TXt6AkG4="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10371&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10325\",\"10326\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10338&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10337\",\"10292\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10337&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10290\",\"10291\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10339&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10338\",\"10293\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10297&&&&{"aesFlag":1,"varName":"proc_exe_raw","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"M7grO0DWTNleGtk17FTQSw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10330&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10282\",\"10283\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10374&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10373\",\"10328\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10296&&&&{"aesFlag":1,"varName":"cwd","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"uU6tQYF2jEuonNwagoHnAw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10373&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10324\",\"10372\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10299&&&&{"aesFlag":1,"varName":"cmd","functionName":"<>","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"M7grO0DWTNleGtk17FTQSw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10332&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10331\",\"10285\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10376&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10370\",\"10375\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10298&&&&{"aesFlag":1,"varName":"procpath","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":""}&&&&null
-dipper.private.blink.rules&&&&express&&&&10331&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10330\",\"10284\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10375&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10374\",\"10329\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10334&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10288\",\"10289\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10333&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10332\",\"10286\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10377&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10369\",\"10376\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10336&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10333\",\"10335\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10335&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10287\",\"10334\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10305&&&&{"aesFlag":1,"varName":"procpath","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"TEqV2bs1+47RS4TN6RHJoj1smKqFn43+X/2SteL6LKo="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10349&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10348\",\"10301\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10304&&&&{"aesFlag":1,"varName":"cmd","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"NKWvFA2QnoLjObpZvMK9Ng=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10348&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10342\",\"10347\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10307&&&&{"aesFlag":1,"varName":"cmd","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"h5rbOtEln+0UEYHnC+pvln1MRRnW0L5CHKHb7h8SCrK7miRFMJt5qxpa/QYpz8jzLxZ/F8Nk+9NAhR8iRSdEO8h+k5MdrbXv5W/hLuQokzk="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10306&&&&{"aesFlag":1,"varName":"cmd","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"KptcWM/7vcbA4u2dB369SiaIa7maCMGBNahH6RvrFINy/gRcghRvZKzhTwHmwnmNjSJZ/vOZYUVuZb3BpXMIygc1TVTodrzkJmvRlu/1v38="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10309&&&&{"aesFlag":1,"varName":"cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"OhDxw3jw4Yu4JOWTdkAY9+qXmVxhdNlNmmJC9lvdcRghCmwHa2uMQjws9cs3Vfzc1mDgg1PXSITej1dqe231pQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10308&&&&{"aesFlag":1,"varName":"cmd","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"XGLKrhA9Z/Bd0X1CDYerXUMevnjD7nJIU61OTOAYilrZTwPELEiHxsAefUcHeSh32dmYq2IyjooH6/5g75BcMQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10341&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10340\",\"10294\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10340&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10336\",\"10339\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10343&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10296\",\"10297\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10342&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10341\",\"10295\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10301&&&&{"aesFlag":1,"varName":"procpath","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"2s8ZCLPJtD6IHbCBvcw5Tg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10345&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10344\",\"10299\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10300&&&&{"aesFlag":1,"varName":"cmd","functionName":"<>","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":""}&&&&null
-dipper.private.blink.rules&&&&express&&&&10344&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10343\",\"10298\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10303&&&&{"aesFlag":1,"varName":"procname","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"gYVFp6C3AKJNXiSlMiyn1g=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10347&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10346\",\"10300\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10302&&&&{"aesFlag":1,"varName":"cwd","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"MBK6L9UnWZkIYO80zNn2Zg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10346&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10345\",\"___!null_10004\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10350&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10302\",\"10303\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10316&&&&{"aesFlag":1,"varName":"___lower_cmd_10005","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"SIy5ekVAX0umC4T0H6Tku3aAM5B7YJvBT2LDhjONlRo="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10315&&&&{"aesFlag":1,"varName":"___lower_cmd_10004","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"IjxWrw82Xske4nRCYo8UV97x/afiUuaW5lZajqRJ1Ds="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10359&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10357\",\"10358\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10318&&&&{"aesFlag":1,"varName":"___lower_procpath_10001","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"rN9IlE/BjPaN2S1ls3SlH1YLvOtXcGAebMswW+dLs08qfq9bqrWrvn1gn6mITQLL"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10317&&&&{"aesFlag":1,"varName":"cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"iV6zd7UPQOWHgIpg1LG8cg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10319&&&&{"aesFlag":1,"varName":"procpath","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"LCnXjMaCbqDbnK1Oj0OljtgA3fBu/RGc/mYyhElKjgg="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10352&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10304\",\"10305\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10351&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10349\",\"10350\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10310&&&&{"aesFlag":1,"varName":"proc_exe_raw","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"M7grO0DWTNleGtk17FTQSw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10354&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10353\",\"10306\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10353&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10351\",\"10352\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10312&&&&{"aesFlag":1,"varName":"cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0rPu9dG7UvuiwjHloX2m3sHDmM6WMKz5jM8LAjBvPlwcgs2PzHRESIilzRQoPEmZ"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10356&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10355\",\"10308\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10311&&&&{"aesFlag":1,"varName":"cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"d2sco0Kid1RoQGaTbPRlkVSgIH04kRyyfMrVfXrGrk0="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10355&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10354\",\"10307\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10314&&&&{"aesFlag":1,"varName":"___lower_procname_10001","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"YGeHkwJkc4xJFjK1BtvAneYgtClT+Scfhae2DwOvwGrr5A9UU9NjpebRHHceTXHW"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10358&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10310\",\"10311\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10313&&&&{"aesFlag":1,"varName":"procpath","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"zk4q0251XUrIlRMMU/zZCFB67WwsYOloCTDYG4l2Uyo="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10357&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10356\",\"10309\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10282&&&&{"aesFlag":1,"varName":"cmd","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"nyaTdtZJYIShnwseCSkd6LG6H5pAsfDea3Yawq4lnas="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10284&&&&{"aesFlag":1,"varName":"cmd","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"VFT9DBd6dHwcTQ0dMJpRhrBEUkm2m9HD237K7wlBROA="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10361&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10359\",\"10360\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10283&&&&{"aesFlag":1,"varName":"cmd","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"OzIqxPzg6EFVHblrX6CeEdgBzuPbK5DDsXem5ZLyncs="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10360&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10312\",\"10313\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10327&&&&{"aesFlag":1,"varName":"clean_cmd_win","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"xoCy+NuDLdOSwd+izIcwpw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10326&&&&{"aesFlag":1,"varName":"clean_cmd_win","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"W3MqYeVHD84ZKewsibuGrA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10329&&&&{"aesFlag":1,"varName":"clean_cmd_win","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"Y1xP5Zqof/nortA8qXFEv9khDvHx94PTFoE0OYMRHDU="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10328&&&&{"aesFlag":1,"varName":"clean_cmd_win","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0uaghsmK0u8Q52lMr37TsQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10286&&&&{"aesFlag":1,"varName":"cmd","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"NLedzJoebdPrcoYLy1zPR641j0TO96t9l/uXXpkeVVM="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10363&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10316\",\"10317\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10285&&&&{"aesFlag":1,"varName":"cmd","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"Ta9wXKILR6hPtsj6Iv6v5YWW2bAcPNoB1mMSavZGUvA="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10362&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10314\",\"10315\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10288&&&&{"aesFlag":1,"varName":"cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"oeY+QJJj+JZDExolyrT6l7g1ozDutxCJ69vGlryXXC+pmrzzMtUFeRhMy6PlUt8F"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10321&&&&{"aesFlag":1,"varName":"cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"I7iaJaLsWkgVXDJq0WUckhysoyhGEQvoV74LSntGxWk="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10365&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10361\",\"10364\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10287&&&&{"aesFlag":1,"varName":"procpath","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"aos5iXMtHdnUxxKfkend4b2fhnOtpThh7+Ehz5U2864="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10320&&&&{"aesFlag":1,"varName":"cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"FlORTfzCcyv0VXlFx/24E3Ck/p5AqCXGIjsP1FTejnw="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10364&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10362\",\"10363\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10323&&&&{"aesFlag":1,"varName":"clean_cmd_win","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"GxCS7TuHXaBMYH4e8eW32w=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10367&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10319\",\"10320\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10289&&&&{"aesFlag":1,"varName":"cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"NaqG6xeJ1iXZ1FDA0ZpCEB1Yfp8dIl2fppXuCFY213E="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10322&&&&{"aesFlag":1,"varName":"___lower_procname_10002","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"YGeHkwJkc4xJFjK1BtvAndrjJb4sJfqN+JRKfoTDfew="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10366&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10365\",\"10318\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10325&&&&{"aesFlag":1,"varName":"clean_cmd_win","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"lmbRrPZHxX1BtO2HURD8N7EgEkV34P2k3x48NXgWDqs="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10369&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10368\",\"10321\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10324&&&&{"aesFlag":1,"varName":"clean_cmd_win","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"41IrpuxnUu5AS0El6RwFfzrh+qiY+dlJrJRRvimB2ik="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10368&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10366\",\"10367\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10002_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10002_script_10002","type":"script","value":"virus_name='general_linux_kill_process';\n___ACTION_JSON_10002=ACTION_JSON('2','name','kill_process','cmdline',cmd);\naction_json_str=___A [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10002_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10002_script_10003","type":"script","value":"retainField(traceid,procpath,create_time,pid,action_json_str,uuid,cwd,module_id,data_name,process_status,proc_exe_raw,procfs_fd,exec_info_ [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink_source_aegis_client_aegis_client_union_10003&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\":\\\\\\\"script\\\\\\\",\\\\\\\"scriptName\\\\\\\":\\\\\\\"subpipline_blink_source_aegis_client_aegis_cl [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10003_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10003_script_10001","type":"script","value":"___lower_procpath_10002=lower(procpath);\n___lower_procpath_10003=lower(procpath);\n___lower_procpath_10004=lower(procpath);\n___!_10004=! [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink_source_aegis_client_aegis_client_union_10003_rule_10001&&&&{"expressionStr":"(((((((((((((((((((((((cmd,like,'% --library-path %')&((((procpath,like,'/tmp/%')|(procpath,like,'/dev/shm/%'))|(procpath,like,'/var/tmp/%'))|(procpath,like,'%/tsm')))|(procpath,in,'\\'/tmp/tcpp\\',\\'/root/.configrc/a/kswapd0\\',\\'/usr/lib/libiacpkmn.so.3\\''))|((procpath,like,'%/pnscan')&(cmd,like,'% 6379')))|(___lower_procpath_10002,regex,'^.:\\\\windows [...]
-dipper.private.blink.rules&&&&express&&&&10415&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10414\",\"10383\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10414&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10378\",\"10413\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10417&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10415\",\"10416\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10416&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10384\",\"10385\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10419&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10418\",\"10387\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10418&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10417\",\"10386\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10378&&&&{"aesFlag":1,"varName":"cmd","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"gXA7C5ro+OQEX8nekzQ73Ntc58AjIKSHsn61009/oBA="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10411&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10379\",\"10380\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10410&&&&{"aesFlag":1,"varName":"procpath","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"XdxudAULAmFe2aAciQT+Ng=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10413&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10412\",\"10382\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10379&&&&{"aesFlag":1,"varName":"procpath","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"3aOQXwy39398HHum+b3ipg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10412&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10411\",\"10381\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10381&&&&{"aesFlag":1,"varName":"procpath","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"r5NpQArPBuUSy1du++0y2w=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10380&&&&{"aesFlag":1,"varName":"procpath","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"jrFV0b18se7v5HvK/3mHoA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10383&&&&{"aesFlag":1,"varName":"procpath","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"YvAI2oVALaV1OYXwAzQv992qrKqmDd6rbuxvy158Odey+tvKX8S11kS1hSNlImqfjTwygi7S+96XNPf23h044xTC1o9QDLTkWqPU2cSExag="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10382&&&&{"aesFlag":1,"varName":"procpath","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"lyAoUZQJf7Bx/R6ARtXB0Q=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10426&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10425\",\"___!_10004\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10425&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10393\",\"10394\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10428&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10427\",\"10395\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10427&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10426\",\"___!_10005\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10429&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10428\",\"10396\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10385&&&&{"aesFlag":1,"varName":"cmd","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"sBu6Jkl7YhMgu+Ag2W+zAg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10384&&&&{"aesFlag":1,"varName":"procpath","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"AYhbWNuJBTNOoQVJdPPh4w=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10387&&&&{"aesFlag":1,"varName":"___lower_procpath_10003","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"c89Gm7+etClLETr9cLddnP286cOdPI59WNu+C8ZR9zY="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10420&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10419\",\"10388\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10386&&&&{"aesFlag":1,"varName":"___lower_procpath_10002","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"ZUgxfkA0JoNQ1CkC+qjYb+16vUZ72jCs0Wgz2jYtqFY="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10389&&&&{"aesFlag":1,"varName":"procpath","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"s+KKcequ2+C9/WMGShw+/0rPcNn5VjA7MJGyg7L0rr+QNxjb5l8i1BzaTxvbEnM0z/fp0ihRPI1PnD6vk4P2ExQ0ZgRI1v4em7B6KSRGeRIBmbgHNvMmVU1Tjgb8sb75"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10422&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10421\",\"10390\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10388&&&&{"aesFlag":1,"varName":"___lower_procpath_10004","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"zqq7tYSsUchhQo7ZgmBrHT50gP4076BjnMkNX98WtP70Pw7astgarWOakhtbNMWAapWEeN6TO3KYf+/wM1WKFA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10421&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10420\",\"10389\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10424&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10423\",\"10392\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10423&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10422\",\"10391\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10390&&&&{"aesFlag":1,"varName":"procpath","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"xwxXPeTIIGYgBNoCj4Tz2w=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10392&&&&{"aesFlag":1,"varName":"proc_exe_raw","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"b0JNlcUDI5pF6nlIR5ZT9WxKibHVf0RKzWjwx9OMVXg="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10391&&&&{"aesFlag":1,"varName":"proc_exe_raw","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"Sv+DlLjkFDExc/g3C+8Yw9Q1GWWT567G7tAdLDXprPM="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10394&&&&{"aesFlag":1,"varName":"procpath","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"M1psS2sL+qyjR6s0zjGxqw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10393&&&&{"aesFlag":1,"varName":"cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"4z1m5KmwuLagpcIi7x0BUw/NvnJWcbMuNk1ENM37JF7Hwcada6rTPRoZSFQ1gXC9"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10437&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10436\",\"10403\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10436&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10435\",\"10402\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10439&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10405\",\"10406\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10438&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10437\",\"10404\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10396&&&&{"aesFlag":1,"varName":"procpath","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"AntpwjEjRwNnz5a5rRm8YqFVrYIUducfiHSWcu5oxuY="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10395&&&&{"aesFlag":1,"varName":"procpath","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"gN2T7BT12UpBs4qlFHQP1g=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10398&&&&{"aesFlag":1,"varName":"procpath","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"xgQftohsZqKpjh+aT6Oro4ZbZs9DxgQziRq/Cci6Z/o="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10431&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10424\",\"10430\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10397&&&&{"aesFlag":1,"varName":"procpath","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"EZiPvvNVKMZ4YNxZZs8ezyxSMpSrz/KUywvbAE2qQXk="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10430&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10429\",\"10397\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10433&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10432\",\"10399\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10399&&&&{"aesFlag":1,"varName":"procpath","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"YPoacOnv1U039xGtwiuEtYDAhsiAgEj/QIQMhKCPAlo="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10432&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10431\",\"10398\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10435&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10434\",\"10401\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10434&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10433\",\"10400\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10404&&&&{"aesFlag":1,"varName":"procpath","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"ZF5VYXwu5Klqsku4kMumVkzNrliHW3MLbrr0z+ruX5Q="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10403&&&&{"aesFlag":1,"varName":"procpath","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"wpFYYgrMnwvZwLSpzCZoyA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10406&&&&{"aesFlag":1,"varName":"procpath","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"dkWLfONiuSRH+CTtHFBCQw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10405&&&&{"aesFlag":1,"varName":"cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"41Nxcy7EoXonQGe5IA+efQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10408&&&&{"aesFlag":1,"varName":"procpath","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"phXAw3UZBY7ZdJY1nIntuA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10407&&&&{"aesFlag":1,"varName":"procpath","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"EWuqDik+o0wlOxvlkTI/PA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10409&&&&{"aesFlag":1,"varName":"procpath","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"/5lzyEaJTL5hYRI63j6GAqqJCeao7Qlq5GmtFKYu/ao="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10440&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10438\",\"10439\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10442&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10441\",\"10408\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10441&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10440\",\"10407\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10400&&&&{"aesFlag":1,"varName":"procpath","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"ZMJzLac21jevE3turxfhzg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10444&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10443\",\"10410\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10443&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10442\",\"10409\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10402&&&&{"aesFlag":1,"varName":"procpath","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"BWfp5wd5XtQbMHh+kZQ5NQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10401&&&&{"aesFlag":1,"varName":"procpath","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"p7O+46Y1YkU+XEYD+kI+zw=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10003_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10003_script_10002","type":"script","value":"virus_name='general_linux_kill_and_lock';\n___ACTION_JSON_10003=ACTION_JSON('3','name','kill_process','procpath',procpath,'lock_file','1') [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10003_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10003_script_10003","type":"script","value":"retainField(traceid,procpath,create_time,pid,action_json_str,uuid,cwd,module_id,data_name,process_status,proc_exe_raw,procfs_fd,exec_info_ [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink_source_aegis_client_aegis_client_union_10004&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\":\\\\\\\"script\\\\\\\",\\\\\\\"scriptName\\\\\\\":\\\\\\\"subpipline_blink_source_aegis_client_aegis_cl [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10004_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10004_script_10001","type":"script","value":"___lower_procpath_10005=lower(procpath);\n___lower_cmd_10006=lower(cmd);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink_source_aegis_client_aegis_client_union_10004_rule_10001&&&&{"expressionStr":"(___lower_procpath_10005,regex,'\\\\rundll32\\.exe$')&(___lower_cmd_10006,regex,':\\\\programdata\\\\sxs\\.dll')","scriptNames":"[]","expressionName":"10447","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10004_r [...]
-dipper.private.blink.rules&&&&express&&&&10447&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10445\",\"10446\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10446&&&&{"aesFlag":1,"varName":"___lower_cmd_10006","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"xdRRx/VhKDnwulvIxkkiTV2+1A4k+90ZlF0w4oU8COw="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10445&&&&{"aesFlag":1,"varName":"___lower_procpath_10005","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"lHnZRFSx+HjvuZiiJxdKeh2GwOU/HX06xZ0p+TIMJZU="}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10004_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10004_script_10002","type":"script","value":"virus_name='SXS';\n___ACTION_JSON_10004=ACTION_JSON('3','name','kill_process','procpath',procpath,'cmd',cmd,'2','name','del_file','filepat [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10004_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10004_script_10003","type":"script","value":"retainField(traceid,procpath,create_time,pid,action_json_str,uuid,cwd,module_id,data_name,process_status,proc_exe_raw,procfs_fd,exec_info_ [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink_source_aegis_client_aegis_client_union_10005&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\":\\\\\\\"script\\\\\\\",\\\\\\\"scriptName\\\\\\\":\\\\\\\"subpipline_blink_source_aegis_client_aegis_cl [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10005_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10005_script_10001","type":"script","value":"___lower_procpath_10006=lower(procpath);\n___lower_procpath_10007=lower(procpath);\n___lower_procpath_10008=lower(procpath);\n___lower_cmd [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink_source_aegis_client_aegis_client_union_10005_rule_10001&&&&{"expressionStr":"((___lower_procpath_10006,in,'\\'c:\\windows\\temp\\u.exe\\',\\'c:\\windows\\temp\\conhou.exe\\',\\'c:\\windows\\temp\\conhos.exe\\',\\'c:\\windows\\temp\\conhot.exe\\',\\'c:\\windows\\inf\\aspnet\\lsma12.exe\\'')|(___lower_procpath_10007,regex,'^c:\\\\windows\\\\temp\\\\conho\\w\\.exe$'))|((___lower_procpath_10008,regex,'\\\\rundll32\\.exe$')&((___lower_cmd [...]
-dipper.private.blink.rules&&&&express&&&&10448&&&&{"aesFlag":1,"varName":"___lower_procpath_10006","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"XMepMDrqrqXDI6D5eaCzhSRFZhxNQZEL80s2U8ogVyDQpcaP87fMGmIibAGXHp6qU9QR78ctrfhdn0NC6KCV5Tdd4A3ZDVficTeIYQ1Zb/KW0SFy89exnE5iBvYbQU0PtR7F7kOt3Ty5x+l5xdZq3DPLpIrUe+Z598TQeFYseLbP4sK/s6jbr5sJ1BKyxeBXBfxFDRfJ/C9HzC7dRCyoBg==" [...]
-dipper.private.blink.rules&&&&express&&&&10449&&&&{"aesFlag":1,"varName":"___lower_procpath_10007","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"tKbPsNK0wJpqVNh22l4YvyFE0TLH/6HjaH70lUXJETg4Hx5+EIyI8dccS6jLsrYH"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10451&&&&{"aesFlag":1,"varName":"___lower_cmd_10007","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0zKRH6X+31K+2nkU+d4Vw/kwRcTGEjunCUBijpo+aI0="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10450&&&&{"aesFlag":1,"varName":"___lower_procpath_10008","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"lHnZRFSx+HjvuZiiJxdKeh2GwOU/HX06xZ0p+TIMJZU="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10453&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10448\",\"10449\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10452&&&&{"aesFlag":1,"varName":"___lower_cmd_10008","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"D8wQgWTOKdbUosrAyre+Oo7HsiIaXc+E+KzquEX6jxI="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10455&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10450\",\"10454\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10454&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10451\",\"10452\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10456&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10453\",\"10455\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10005_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10005_script_10002","type":"script","value":"virus_name='conhou';\n___ACTION_JSON_10005=ACTION_JSON('2','name','exec_command','cmd','%SystemRoot%/System32/wbem/wmic.exe /NAMESPACE:--- [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10005_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10005_script_10003","type":"script","value":"retainField(traceid,procpath,create_time,pid,action_json_str,uuid,cwd,module_id,data_name,process_status,proc_exe_raw,procfs_fd,exec_info_ [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink_source_aegis_client_aegis_client_union_10006&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\":\\\\\\\"script\\\\\\\",\\\\\\\"scriptName\\\\\\\":\\\\\\\"subpipline_blink_source_aegis_client_aegis_cl [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10006_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10006_script_10001","type":"script","value":"___!_10006=!((procpath,regex,'/usr/bin/[^/]+;\\w+$'));\n___!_10007=!((cmd,like,'Titan%'));\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink_source_aegis_client_aegis_client_union_10006_rule_10001&&&&{"expressionStr":"(((((cmd,regex,'^[a-zA-Z0-9]{6,8}\\s{9,}$')|(cmd,regex,'^tracepath\\s{9,}$'))&((((proc_exe_raw,==,'N/A')|(proc_exe_raw,like,'/tmp/%'))|(proc_exe_raw,like,'/dev/shm/%'))|(proc_exe_raw,like,'% (deleted)')))|(procpath,==,'/tmp/.X11-unix/sshd/ssh'))&___!_10006)&___!_10007","scriptNames":"[]","expressionName":"10471","varNames":"[]","className":"com.aliyun.filter [...]
-dipper.private.blink.rules&&&&express&&&&10460&&&&{"aesFlag":1,"varName":"proc_exe_raw","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"3aOQXwy39398HHum+b3ipg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10471&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10470\",\"___!_10007\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10470&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10469\",\"___!_10006\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10459&&&&{"aesFlag":1,"varName":"proc_exe_raw","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"M7grO0DWTNleGtk17FTQSw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10458&&&&{"aesFlag":1,"varName":"cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"nUHI7Ordwx7ITv+ihmpefTTyySL/0pVGErmV+cfbHes="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10469&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10468\",\"10463\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10462&&&&{"aesFlag":1,"varName":"proc_exe_raw","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"L185Aioyc9BQCz0KBWnP4Q=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10461&&&&{"aesFlag":1,"varName":"proc_exe_raw","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"jrFV0b18se7v5HvK/3mHoA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10464&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10457\",\"10458\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10463&&&&{"aesFlag":1,"varName":"procpath","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"qyBWFcxtj3CKvRZY6qH6PzYI+Y12rMz+xdheWAqAcU8="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10466&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10465\",\"10461\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10465&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10459\",\"10460\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10457&&&&{"aesFlag":1,"varName":"cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0O8sVvfX7WQoLJxmDFf0WtGjJYkaR1eP6vJHEvxTjCo="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10468&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10464\",\"10467\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10467&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10466\",\"10462\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10006_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10006_script_10002","type":"script","value":"virus_name='20200819_dev_shm';\n___ACTION_JSON_10006=ACTION_JSON('3','name','kill_process','cmdline',cmd,'lock_file','1','3','name','kill_ [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10006_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10006_script_10003","type":"script","value":"retainField(traceid,procpath,create_time,pid,uuid,cwd,___ACTION_JSON_10006,module_id,data_name,process_status,proc_exe_raw,procfs_fd,exec_ [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink_source_aegis_client_aegis_client_union_10007&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"names\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"subpipline_blink_source_aegis_client_aegis_client_union_10007_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\ [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink_source_aegis_client_aegis_client_union_10007_rule_10001&&&&{"expressionStr":"procpath,in,'\\'/var/tmp/pty3\\',\\'/var/lock/pty3\\',\\'/var/run/pty3\\',\\'/dev/shm/pty3\\',\\'/tmp/pty3\\''","scriptNames":"[]","expressionName":"10472","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10007_rul [...]
-dipper.private.blink.rules&&&&express&&&&10472&&&&{"aesFlag":1,"varName":"procpath","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"PYes9JUjllc1/j2duafDMw6eKBXFfQrN18HDTaN7h1sqjiLKsUQWVdrIGOGkmL9BwsPakkIH/BsSuxXAGdvG4QqgZTvkRus1GSgCW09CYNY="}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10007_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10007_script_10001","type":"script","value":"virus_name='pty3';\n___ACTION_JSON_10007=ACTION_JSON('3','name','kill_process','procpath','/var/tmp/pty3','lock_file','1','3','name','kill [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10007_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10007_script_10002","type":"script","value":"retainField(traceid,procpath,create_time,pid,action_json_str,uuid,cwd,module_id,data_name,process_status,proc_exe_raw,procfs_fd,exec_info_ [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink_source_aegis_client_aegis_client_union_10008&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"names\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"subpipline_blink_source_aegis_client_aegis_client_union_10008_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\ [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink_source_aegis_client_aegis_client_union_10008_rule_10001&&&&{"expressionStr":"((procpath,in,'\\'/usr/bin/kaudited\\',\\'/usr/bin/kswaped\\',\\'/usr/bin/irqbalanced\\',\\'/usr/bin/rctlcli\\',\\'/usr/bin/systemd-network\\',\\'/usr/bin/pamdicks\\',\\'/var/lib/cc\\'')|(cmd,in,'\\'/usr/bin/kaudited\\',\\'/usr/bin/kswaped\\',\\'/usr/bin/irqbalanced\\',\\'/usr/bin/rctlcli\\',\\'/usr/bin/systemd-network\\',\\'/usr/bin/pamdicks\\',\\'/var/lib/ [...]
-dipper.private.blink.rules&&&&express&&&&10473&&&&{"aesFlag":1,"varName":"procpath","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"HIpgKMyocjkX/1j+gc8nexpjKKR6jI54oY9hQywt8EQo5sKYu/rinv7k0hx+eDdKLPO8I9otp13VmNrFF3bVxp0jKFaOFExQjPmuFLvKrKao1WRbpxrHOQ/tVVLeHOo6694sseDu30Mx3oJUpWlX1RFz/985NDTzj4Y2pci90So8gYg+AOcUl8Rv8XCqg8aT"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10475&&&&{"aesFlag":1,"varName":"procpath","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"JTrRys0LzjfPNCaa582pLHItc8I71ObQdGcCqqo+wQI="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10474&&&&{"aesFlag":1,"varName":"cmd","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"HIpgKMyocjkX/1j+gc8nexpjKKR6jI54oY9hQywt8EQo5sKYu/rinv7k0hx+eDdKLPO8I9otp13VmNrFF3bVxp0jKFaOFExQjPmuFLvKrKao1WRbpxrHOQ/tVVLeHOo6694sseDu30Mx3oJUpWlX1RFz/985NDTzj4Y2pci90So8gYg+AOcUl8Rv8XCqg8aT"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10477&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10473\",\"10474\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10476&&&&{"aesFlag":1,"varName":"data_type","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"PCWwrcOjmeBbuLYPHG0JS3tTNU/U90AuQne3hzRtQio="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10479&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10477\",\"10478\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10478&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10475\",\"10476\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10008_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10008_script_10001","type":"script","value":"virus_name='pamdicks';\n___ACTION_JSON_10008=ACTION_JSON('2','name','truncate_and_lock_file','filepath','/usr/bin/pamdicks','2','name','tr [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10008_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10008_script_10002","type":"script","value":"retainField(traceid,procpath,create_time,pid,action_json_str,uuid,cwd,module_id,data_name,process_status,proc_exe_raw,procfs_fd,exec_info_ [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink_source_aegis_client_aegis_client_union_10009&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"names\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"subpipline_blink_source_aegis_client_aegis_client_union_10009_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\ [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink_source_aegis_client_aegis_client_union_10009_rule_10001&&&&{"expressionStr":"(procpath,==,'/usr/bin/bsd-port/getty')|(procpath,==,'/usr/bin/.sshd')","scriptNames":"[]","expressionName":"10482","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10009_rule_10001","ruleStatus":"0","type":"rule", [...]
-dipper.private.blink.rules&&&&express&&&&10480&&&&{"aesFlag":1,"varName":"procpath","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"U+cFpj3/fJdKAU2ArXG0NLYcbURKbp7Yon7RYKdYfQY="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10482&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10480\",\"10481\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10481&&&&{"aesFlag":1,"varName":"procpath","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"9DGpeFFf3c6C/q3li5wn/Q=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10009_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10009_script_10001","type":"script","value":"virus_name='getty';\n___concat_10001=concat('cp -f /usr/bin/dpkgd/ps /bin/ps','; cp -f /usr/bin/dpkgd/ps /usr/bin/ps','; cp -f /usr/bin/dp [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10009_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10009_script_10002","type":"script","value":"retainField(traceid,procpath,create_time,pid,action_json_str,uuid,cwd,module_id,data_name,process_status,proc_exe_raw,procfs_fd,exec_info_ [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink_source_aegis_client_aegis_client_union_10010&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"names\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"subpipline_blink_source_aegis_client_aegis_client_union_10010_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\ [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink_source_aegis_client_aegis_client_union_10010_rule_10001&&&&{"expressionStr":"procpath,regex,'/kinsing\\w*$'","scriptNames":"[]","expressionName":"10483","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10010_rule_10001","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","acti [...]
-dipper.private.blink.rules&&&&express&&&&10483&&&&{"aesFlag":1,"varName":"procpath","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"K2PO7IOFsF9fkS/f85etAA=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10010_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10010_script_10001","type":"script","value":"virus_name='kinsing1';\n___ACTION_JSON_10010=ACTION_JSON('3','name','kill_process','procpath','/tmp/kdevtmpfsi','lock_file','1','3','name' [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10010_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10010_script_10002","type":"script","value":"retainField(traceid,procpath,create_time,pid,action_json_str,uuid,cwd,module_id,data_name,process_status,proc_exe_raw,procfs_fd,exec_info_ [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink_source_aegis_client_aegis_client_union_10011&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"names\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"subpipline_blink_source_aegis_client_aegis_client_union_10011_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\ [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink_source_aegis_client_aegis_client_union_10011_rule_10001&&&&{"expressionStr":"procpath,==,'/tmp/kdevtmpfsi'","scriptNames":"[]","expressionName":"10484","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10011_rule_10001","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actio [...]
-dipper.private.blink.rules&&&&express&&&&10484&&&&{"aesFlag":1,"varName":"procpath","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"36099YLZTfSCzr3csLZN2A=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10011_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10011_script_10001","type":"script","value":"virus_name='kinsing2';\n___ACTION_JSON_10011=ACTION_JSON('3','name','kill_process','procpath','/tmp/kdevtmpfsi','lock_file','1','3','name' [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10011_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10011_script_10002","type":"script","value":"retainField(traceid,procpath,create_time,pid,action_json_str,uuid,cwd,module_id,data_name,process_status,proc_exe_raw,procfs_fd,exec_info_ [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink_source_aegis_client_aegis_client_union_10012&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"names\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"subpipline_blink_source_aegis_client_aegis_client_union_10012_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\ [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink_source_aegis_client_aegis_client_union_10012_rule_10001&&&&{"expressionStr":"procpath,regex,'^/(tmp|etc)/(sysguard|sysupdate|networkservice)$'","scriptNames":"[]","expressionName":"10485","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10012_rule_10001","ruleStatus":"0","type":"rule","vers [...]
-dipper.private.blink.rules&&&&express&&&&10485&&&&{"aesFlag":1,"varName":"procpath","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"4sP/o0gxAlw/Pxyze7Ge4Va7ITYujK84yjmaaOP2vEz/Nww2OfVYURkEKjFBfLcctvmFPQBAq4jbfkWBbxIojw=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10012_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10012_script_10001","type":"script","value":"virus_name='update';\n___ACTION_JSON_10012=ACTION_JSON('3','name','kill_process','procpath','/etc/sysguard','lock_file','1','3','name','ki [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10012_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10012_script_10002","type":"script","value":"retainField(traceid,procpath,create_time,pid,action_json_str,uuid,cwd,module_id,data_name,process_status,proc_exe_raw,procfs_fd,exec_info_ [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink_source_aegis_client_aegis_client_union_10013&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"names\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"subpipline_blink_source_aegis_client_aegis_client_union_10013_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\ [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink_source_aegis_client_aegis_client_union_10013_rule_10001&&&&{"expressionStr":"(cmd,like,'[ksoftirqd/0]%')&(procpath,like,'/%')","scriptNames":"[]","expressionName":"10488","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10013_rule_10001","ruleStatus":"0","type":"rule","version":"1.0","exten [...]
-dipper.private.blink.rules&&&&express&&&&10486&&&&{"aesFlag":1,"varName":"cmd","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"iyc8SOI2CL4N7qyg1Oyfjw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10488&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10486\",\"10487\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10487&&&&{"aesFlag":1,"varName":"procpath","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"M1psS2sL+qyjR6s0zjGxqw=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10013_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10013_script_10001","type":"script","value":"virus_name='ksoftirqd';\n___ACTION_JSON_10013=ACTION_JSON('3','name','kill_process','procpath','/etc/pam.d/zabbix_agent','lock_file','1',' [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10013_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10013_script_10002","type":"script","value":"retainField(traceid,procpath,create_time,pid,action_json_str,uuid,cwd,module_id,data_name,process_status,proc_exe_raw,procfs_fd,exec_info_ [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink_source_aegis_client_aegis_client_union_10014&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"names\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"subpipline_blink_source_aegis_client_aegis_client_union_10014_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\ [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink_source_aegis_client_aegis_client_union_10014_rule_10001&&&&{"expressionStr":"(procpath,==,'/etc/.vhost/netvhost')|(procpath,==,'/etc/.etcservice/linuxservice')","scriptNames":"[]","expressionName":"10491","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10014_rule_10001","ruleStatus":"0","t [...]
-dipper.private.blink.rules&&&&express&&&&10491&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10489\",\"10490\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10490&&&&{"aesFlag":1,"varName":"procpath","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"glBpTffqmEn1NiABsTOPtM8FOPOKFl1gr2ApTxWqzm0="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10489&&&&{"aesFlag":1,"varName":"procpath","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"7z3k388y892KZDrVE2hV2nvcQCxennFMBNyPOw2Ri04="}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10014_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10014_script_10001","type":"script","value":"virus_name='vhost';\n___ACTION_JSON_10014=ACTION_JSON('3','name','kill_process','procpath','/etc/.etcservice/linuxservice','lock_file','1' [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10014_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10014_script_10002","type":"script","value":"retainField(traceid,procpath,create_time,pid,action_json_str,uuid,cwd,module_id,data_name,process_status,proc_exe_raw,procfs_fd,exec_info_ [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink_source_aegis_client_aegis_client_union_10015&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\":\\\\\\\"script\\\\\\\",\\\\\\\"scriptName\\\\\\\":\\\\\\\"subpipline_blink_source_aegis_client_aegis_cl [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10015_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10015_script_10001","type":"script","value":"___lower_procpath_10009=lower(procpath);\n___lower_procpath_10010=lower(procpath);\n___lower_procpath_10011=lower(procpath);\n___lower_pro [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink_source_aegis_client_aegis_client_union_10015_rule_10001&&&&{"expressionStr":"(((___lower_procpath_10009,regex,'\\\\windows\\\\(syswow64|system32)\\\\drivers\\\\(svchost|taskmgr)\\.exe$')|(___lower_procpath_10010,regex,'\\\\windows\\\\(syswow64|system32)\\\\(wmiex|svhost)\\.exe$'))|(___lower_procpath_10011,regex,'\\\\windows\\\\temp\\\\(svchost|ttt)\\.exe$'))|(___lower_procpath_10012,==,'c:\\installed.exe')","scriptNames":"[]","expres [...]
-dipper.private.blink.rules&&&&express&&&&10493&&&&{"aesFlag":1,"varName":"___lower_procpath_10010","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"VPEtPZrTcTR05ttjrG+6M29pAzzfeRYW+z3vUGDGTj6fjQXttJfBbGpqmvOK8OuOqXxd9PCXE2mXeiBWQPEcZQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10492&&&&{"aesFlag":1,"varName":"___lower_procpath_10009","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"VPEtPZrTcTR05ttjrG+6M29pAzzfeRYW+z3vUGDGTj5uKWxzL2pROIxE1kThx2DJ9KFaVWBTOikSepQJhDbgZT1K20jlDLev+sDCZWnuoSE="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10495&&&&{"aesFlag":1,"varName":"___lower_procpath_10012","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"7K96DZJ+oabhNsXJy6/wnXb2w2h/79Nen3eyGN/yATk="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10494&&&&{"aesFlag":1,"varName":"___lower_procpath_10011","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"+bqqVvDs9ewuct9S+91tt68Erx9MHYjWflggrMsRuqGAlCbNFU7apzPpq6O84gdA"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10497&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10496\",\"10494\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10496&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10492\",\"10493\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10498&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10497\",\"10495\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10015_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10015_script_10002","type":"script","value":"virus_name='qudongrensheng';\n___ACTION_JSON_10015=ACTION_JSON('3','name','kill_process','procpath',procpath,'lock_file','1','2','name','d [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10015_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10015_script_10003","type":"script","value":"retainField(traceid,procpath,create_time,pid,action_json_str,uuid,cwd,module_id,data_name,process_status,proc_exe_raw,procfs_fd,exec_info_ [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink_source_aegis_client_aegis_client_union_10016&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"names\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"subpipline_blink_source_aegis_client_aegis_client_union_10016_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\ [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink_source_aegis_client_aegis_client_union_10016_rule_10001&&&&{"expressionStr":"((((((((procpath,==,'/tmp/x64b')|(procpath,==,'/tmp/x32b'))|((cmd,==,'python   ')&(procpath,==,'')))|(cmd,==,'/bin/bash /tmp/go'))|(procpath,regex,'^(/dev/shm/|/var/run/|/home/[^/]+/|/root/|/tmp/)dbusex$'))|(cmd,regex,'curl\\s.+?wget\\s.+?http://[\\w\\.\\d:]+/xms.+?\\|\\s*bash\\b.+echo\\s'))|(cmd,like,'%http://5.196.247.12/%'))|(cmd,like,'%http://198.98.57.2 [...]
-dipper.private.blink.rules&&&&express&&&&10503&&&&{"aesFlag":1,"varName":"cmd","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"XdhvFm5VMl3JbJHyrtXYiQc36/gyDbor9Vz7ULHp2rg="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10514&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10513\",\"10505\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10502&&&&{"aesFlag":1,"varName":"procpath","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":""}&&&&null
-dipper.private.blink.rules&&&&express&&&&10513&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10512\",\"10504\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10505&&&&{"aesFlag":1,"varName":"cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"bZOt4FZ8P2CRnl9EcyI7dXT01UKjIlvuQxQlQ7XRZb0UyuCBDXj3RXRUHK1/+lmix0tgY07KWny7X4gRn2lIIg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10516&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10515\",\"10507\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10504&&&&{"aesFlag":1,"varName":"procpath","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"8w6r8h0lFafedUbpPD6um9MpIqG8XRe6VvhleFxtwVcqVV8/NHBkOonKlo48o5KEkal6ndokDe2CJqKNhDPGVA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10515&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10514\",\"10506\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10507&&&&{"aesFlag":1,"varName":"cmd","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"k4Hcqn1H9CyrXRfk5XZLKMj3WZRnk3tHf26lVxjxet0="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10506&&&&{"aesFlag":1,"varName":"cmd","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"FFNB320gPfSnaI+74L1/o+W7EhrtOECKfHmk6txzyvA="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10517&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10516\",\"10508\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10509&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10499\",\"10500\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10508&&&&{"aesFlag":1,"varName":"cmd","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"ATBQXyDX23wLSQk7xmuQ02Z20dL4jVz7SafrWvDq+6w="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10499&&&&{"aesFlag":1,"varName":"procpath","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"mKeuL1cbS+bmGA0NJdNOUQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10510&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10501\",\"10502\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10501&&&&{"aesFlag":1,"varName":"cmd","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"xC6yS//Tp5Lm7ZynRuL3MA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10512&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10511\",\"10503\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10500&&&&{"aesFlag":1,"varName":"procpath","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"PyVWxHTv8xgKdzDgdVK+Yw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10511&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10509\",\"10510\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10016_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10016_script_10001","type":"script","value":"virus_name='dbusex';\n___ACTION_JSON_10016=ACTION_JSON('2','name','exec_command','cmd','chattr -ia -R /etc/cron.* ; chattr -ia -R /var/spo [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10016_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10016_script_10002","type":"script","value":"retainField(traceid,procpath,create_time,pid,action_json_str,uuid,cwd,module_id,data_name,process_status,proc_exe_raw,procfs_fd,exec_info_ [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink_source_aegis_client_aegis_client_union_10017&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"names\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"subpipline_blink_source_aegis_client_aegis_client_union_10017_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\ [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink_source_aegis_client_aegis_client_union_10017_rule_10001&&&&{"expressionStr":"(cmd,regex,'.+\\s{9,}$')&(procpath,regex,'^/usr/bin/[a-z]{10}$')","scriptNames":"[]","expressionName":"10520","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10017_rule_10001","ruleStatus":"0","type":"rule","versi [...]
-dipper.private.blink.rules&&&&express&&&&10518&&&&{"aesFlag":1,"varName":"cmd","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"H5GlG6Bg+t3LK6Su0vyvoA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10519&&&&{"aesFlag":1,"varName":"procpath","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"XWm/XonJ1inMbJDH1eEQukKv+/8rzpMqz6ml9x6k+gI="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10520&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10518\",\"10519\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10017_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10017_script_10001","type":"script","value":"virus_name='usr_bin_changing';\n___ACTION_JSON_10017=ACTION_JSON('2','name','exec_command','cmd','\n            for pid in `ls /proc/` \n  [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink_source_aegis_client_aegis_client_union_10017_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink_source_aegis_client_aegis_client_union_10017_script_10002","type":"script","value":"retainField(traceid,procpath,create_time,pid,action_json_str,uuid,cwd,module_id,data_name,process_status,proc_exe_raw,procfs_fd,exec_info_ [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_client_aegis_client_rule_10021&&&&{"expressionStr":"virus_name,in,'\\'pty3\\',\\'pamdicks\\',\\'getty\\',\\'kinsing1\\',\\'kinsing2\\',\\'update\\',\\'ksoftirqd\\',\\'vhost\\',\\'20200819_dev_shm\\',\\'general_linux_kill_process\\',\\'general_linux_kill_and_lock\\',\\'conhou\\',\\'SXS\\',\\'kill_process_with_pid\\',\\'qudongrensheng\\',\\'dbusex\\''","scriptNames":"[]","expressionName":"10521","varNames":"[]","className":"com.aliyu [...]
-dipper.private.blink.rules&&&&express&&&&10521&&&&{"aesFlag":1,"varName":"virus_name","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"8GCrWbqPt2TLsVAelAldIWw7m/fSeYhSmt+Q7C7tDHuvrn7g3TOWneTfzx7OTfjtrxF2CmIJuot3xJrhbmIxijAUc8eIP6029nsQ5XBNwqlwljknzTgqqrf59XnGDyAtU/2a74zlhga2gLiZ4kqhbXpz5Kv+xcBVilVtqb1fHmAQbicS++MiBNZoxlxmHqFoMQ82Zukwwx/sfTR/7ECaK1xp8NB3xkNf9Xopq1 [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10105&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10105","type":"script","value":"ali_uid='';\nclient_ip='';\nevent_type='持久化后门';\nevent_name='异常进程(体检)';\nlevel='high';\n___cast_10096=cast(uuid,'string');\n___cast_10097=cast(logtime,'string');\n___cast_10098=cast(cm [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10106&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10106","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_client_aegis_client_channel_10010&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink_source_aegis_client_aegis_client_channel_10010","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder":"true","maxFetchLogGroupSize":"100","syn [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_client_aegis_client_rule_10022&&&&{"expressionStr":"bin_path,regex,'^/(tmp/|bin/|usr/bin/)(initdr|bprofr|dbused|dbusex|xms|sysdr|crondr)$'","scriptNames":"[]","expressionName":"10522","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_rule_10022","ruleStatus":"0","type":"rule","version":"1.0","extendField": [...]
-dipper.private.blink.rules&&&&express&&&&10522&&&&{"aesFlag":1,"varName":"bin_path","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"+RWJU6SvYfw4fXHCca19b+wmqyn5a2yxxPxYMKBm6Cu0wiifpqHjXcN0pClCIF3JrfQxwpFFRQTgZSrgcPLBYiAdb08yNdYwWUcZ9SIbRiI="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10107&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10107","type":"script","value":"___ACTION_JSON_10018=ACTION_JSON('2','name','truncate_and_lock_file','filepath',bin_path,'2','name','truncate_and_lock_file','filepath','/usr/bin/initdr','2','name','truncate_and_lock_ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10108&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10108","type":"script","value":"retainField(traceid,msg,module_id,data_name,exec_info_data,data_type,bin_path,aliuid,cmd,action_json_str,logtime,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10109&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10109","type":"script","value":"ali_uid='';\nclient_ip='';\nevent_type='持久化后门';\nevent_name='异常计划任务(体检)';\nlevel='high';\n___cast_10108=cast(uuid,'string');\n___cast_10109=cast(logtime,'string');\n___cast_10110=cast( [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10110&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10110","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_client_aegis_client_channel_10011&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink_source_aegis_client_aegis_client_channel_10011","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder":"true","maxFetchLogGroupSize":"100","syn [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10111&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10111","type":"script","value":"ali_uid='';\nclient_ip='';\nevent_type='持久化后门';\nevent_name='Rootkit后门(体检)';\nlevel='high';\n___cast_10116=cast(uuid,'string');\n___cast_10117=cast(logtime,'string');\n___cast_10118=ca [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10112&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10112","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_client_aegis_client_channel_10012&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink_source_aegis_client_aegis_client_channel_10012","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder":"true","maxFetchLogGroupSize":"100","syn [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10113&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10113","type":"script","value":"ali_uid='';\nclient_ip='';\nevent_type='持久化后门';\nevent_name='隐藏的内核模块';\nlevel='high';\n___cast_10129=cast(uuid,'string');\n___cast_10130=cast(raw_buffer,'string');\n___cast_10131=cast( [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10114&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10114","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_client_aegis_client_channel_10013&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink_source_aegis_client_aegis_client_channel_10013","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder":"true","maxFetchLogGroupSize":"100","syn [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10115&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10115","type":"script","value":"ali_uid='';\nclient_ip='';\nevent_type='持久化后门';\nevent_name='异常计划任务(体检)';\nlevel='high';\n___cast_10134=cast(uuid,'string');\n___cast_10135=cast(logtime,'string');\n___cast_10136=cast( [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_client_aegis_client_script_10116&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_client_aegis_client_script_10116","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_client_aegis_client_channel_10014&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink_source_aegis_client_aegis_client_channel_10014","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder":"true","maxFetchLogGroupSize":"100","syn [...]
-dipper.private.blink.rules&&&&pipline&&&&blink.source.aegis.client&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.SubPiplineChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"nextStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"filterMsgSwitch\\\\\\\":\\\\\\\"blink.source.aegis.client.filter.switch\\\\\\\",\\\\\\\"cancelAfterConfigurableRefreshListerner\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"className\\\\\\\":\\\\\\\"com.aliyun.yund [...]
-dipper.private.blink.rules&&&&channel&&&&blink.source.aegis.client;channel&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"12","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"blink.source.aegis.client;channel","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","tags":"blink.source.aegis.client.tags","syncTimeout":"5000","groupName":"blink.source.aegis.client.group","isBatchMessage":"true","isAutoFlush": [...]
-dipper.private.blink.rules&&&&pipline&&&&blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"nextStageLables\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"cancelAfterConfigurableRefreshListerner\\\\\\\":\\\\\\\"false\\\\\\\",\ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert;json_concat_10002&&&&{"fullClassName":"com.aliyun.sec.lyra.udf.ext.JsonConcat","initMethodName":"open","functionName":"json_concat","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert;json_concat_10002","type":"scri [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert;salt_hash_10001&&&&{"fullClassName":"com.aliyun.sec.lyra.hsh.udf.ext.SaltHash","initMethodName":"open","functionName":"salt_hash","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert;salt_hash_10001","type":"script", [...]
-dipper.private.blink.rules&&&&channel&&&&blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert&&&&{"isJsonData":"true","project":"ali-beaver-net-log","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert","type":"channel","timeout":"30000","accessId":"replace_accessId_sls","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder":"true","maxF [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_script_10001","type":"script","value":"___!null_10008=!null(qname);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_rule_10001&&&&{"expressionStr":"___!null_10008&(qname,!in,'\\'fget-career.com\\',\\'tv.2345.com\\',\\'img.sobot.com\\',\\'rocksat.ddns.net\\'')","scriptNames":"[]","expressionName":"10524","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_ru [...]
-dipper.private.blink.rules&&&&express&&&&10524&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"___!null_10008\",\"10523\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10523&&&&{"aesFlag":1,"varName":"qname","functionName":"!in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"hNKGAVqoWpMgEUKB7jaj4md1Tb4nBp1l7iFQTsSKN1OZKMy6uPZv+x8c8qvsoQ1srCCsGvGbprGzr/X3rE9nMb/xES0OKcksBBITIzSLe0c="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_script_10002","type":"script","value":"___REGEXP_EXTRACT_10001=REGEXP_EXTRACT(answer,'([0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3})',1);\nmalicious_ip=___REGEXP_EXTRACT_10 [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_script_10003","type":"script","value":"retainField(query_name,dns_host,client_ip,malicious_ip,query_time,tunnel);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_script_10004&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_script_10004","type":"script","value":"___len_10002=len(malicious_ip);\n___null_10011=null(malicious_ip);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_rule_10002&&&&{"expressionStr":"((malicious_ip,regex,'^([0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3})$')&(___len_10002,>,double,8))|___null_10011","scriptNames":"[]","expressionName":"10528","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_a [...]
-dipper.private.blink.rules&&&&express&&&&10525&&&&{"aesFlag":1,"varName":"malicious_ip","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"o+lYaT32Ycuad4ukPH0R75ILq6S5FS30z+RNbKvU85d1yM/FEqcwYQt+Q9ukp9xnAqsb9WZyTY3E1yicqpL7NQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10527&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10525\",\"10526\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10526&&&&{"varName":"___len_10002","functionName":">","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"8.0"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10528&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10527\",\"___null_10011\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_script_10005&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_script_10005","type":"script","value":"retainField(query_name,dns_host,client_ip,malicious_ip,query_time,tunnel);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_script_10006&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_script_10006","type":"script","value":"___SALT_HASH_10001=SALT_HASH(query_name);;","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&dataSource&&&&blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_dataSource_10001&&&&{"className":"com.aliyun.yundun.dipper.configurable.http.resource.JDBCDataSource","configureName":"blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_dataSource_10001","userName":"xxxxxxxxxx","type":"dataSource","version":"1.0","url":"intelligence.rds.jdbc.url","timeout":"30000","activtyTimeOut":"3000","password":"xxxxxxxxx","isAutoFlush":"false","outpu [...]
-dipper.private.blink.rules&&&&intelligence&&&&blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_intelligence_10001&&&&{"className":"com.aliyun.filter.intelligence.DomainIntelligenceCache","pollingTimeMintue":"30","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_intelligence_10001","idFieldName":"id","batchSize":"3000","datasourceName":"blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_dataSourc [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_script_10007&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_script_10007","type":"script","value":"intelligence('dipper.private.blink.rules','blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_intelligence_10001',___SALT_HASH_ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_script_10008&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_script_10008","type":"script","value":"aliuid='';\nuuid='';\n___concat_10002=concat('aliyun_dns : ',dns_host);\ndns_server=___concat_10002;rm('___concat_10002');\ndns_port='53'; [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_script_10009&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_script_10009","type":"script","value":"is_c2=p.is_c2;\nis_malicious_source=p.is_malicious_source;\nis_mining_pool=p.is_mining_pool;\nis_phishing=p.is_phishing;\nretainField(dns_ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_script_10010&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_script_10010","type":"script","value":"retainField(is_malicious_source,is_mining_pool,query_name,dns_server,dns_port,is_c2,client_ip,malicious_ip,query_time,tunnel,is_phishing); [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_script_10011&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_script_10011","type":"script","value":"aliuid='';\nuuid='';\ndst_port='';\nproc_path='';\ncmdline='';\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_script_10012&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_script_10012","type":"script","value":"retainField(proc_path,dns_server,uuid,is_malicious_source,cmdline,is_mining_pool,query_name,dns_port,dst_port,is_c2,client_ip,aliuid,malic [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_script_10013&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_script_10013","type":"script","value":"ali_uid=aliuid;\nevent_type='威胁情报';\n___in_10001=contain(is_malicious_source,'1')\n;___in_10002=contain(is_phishing,'1')\n;___in_10003=con [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_script_10014&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_script_10014","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&channel&&&&blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_channel_10001&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink_source_bevear_dns_adl_sas_apsara_intelligence_dns_alert_channel_10001","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInO [...]
-dipper.private.blink.rules&&&&pipline&&&&blink.source.bevear.dns&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.SubPiplineChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"nextStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"filterMsgSwitch\\\\\\\":\\\\\\\"blink.source.bevear.dns.filter.switch\\\\\\\",\\\\\\\"cancelAfterConfigurableRefreshListerner\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"className\\\\\\\":\\\\\\\"com.aliyun.yundun.d [...]
-dipper.private.blink.rules&&&&channel&&&&blink.source.bevear.dns;channel&&&&{"isJsonData":"true","project":"blink.source.bevear.dns.project","concurrentCount":"4","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink.source.bevear.dns;channel","type":"channel","timeout":"30000","accessId":"blink.source.bevear.dns.accessId","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder":"true","maxFetchLogGroupSize":"100","syncCount" [...]
-dipper.private.blink.rules&&&&pipline&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"nextStageLables\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"cancelAfterConfigurableRefreshListerner\\\\\\\":\\\\\\\ [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation;json_concat_10003&&&&{"fullClassName":"com.aliyun.sec.lyra.udf.ext.JsonConcat","initMethodName":"open","functionName":"json_concat","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation;json_concat_100 [...]
-dipper.private.blink.rules&&&&channel&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder":"true" [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_script_10001","type":"script","value":"___lower_uid_name_10001=lower(uid_name);\n___lower_file_name_10001=lower(file_name);\n___!null_10009=!null(cmdline);\n___b [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_rule_10001&&&&{"expressionStr":"((((((dockercontainerid,==,'N/A')&((___lower_uid_name_10001,==,'root')|(uid,==,double,0)))&(___lower_file_name_10001,in,'\\'bash\\',\\'sh\\',\\'dash\\',\\'ash\\',\\'tcsh\\',\\'csh\\',\\'ksh\\',\\'zsh\\''))&___!null_10009)&(cmdline,!in,'\\'N/A\\',\\'\\''))&(((___blink_instr_10001,==,double,0)|((___lower_cmdline_10002,regex,'^[a-z\\/]+\\s+-c')&(___reve [...]
-dipper.private.blink.rules&&&&express&&&&10536&&&&{"aesFlag":1,"varName":"___reverse_10002","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"BBydeM9HIhzVgDNQknyTW2YqZypw1YMRsPuo4g1fQFsA+K07lbLjD4VKjxg4fnCylP7M7H1sAtd2sn2NNJf7Bw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10535&&&&{"aesFlag":1,"varName":"___lower_cmdline_10002","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"eJuXezsg41SClgVzsqU6rQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10557&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10551\",\"10556\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10538&&&&{"aesFlag":1,"varName":"dockercontainerid","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"M7grO0DWTNleGtk17FTQSw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10537&&&&{"aesFlag":1,"varName":"cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"Zco97o6UrrSZ0elsH7Q0Z81dTm4v+WG9f5wJTk8gquPLsPdY/WyRBliLUr69uA61Xk2v4lpU+OCt+L4ruCbfwA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10539&&&&{"aesFlag":1,"varName":"uid_name","functionName":"!in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"QhO8c5+E1GcoCgDIqz67dw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10550&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10549\",\"10537\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10530&&&&{"aesFlag":1,"varName":"___lower_uid_name_10001","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"AYWKBDw0xxoXMPJIP1jDuQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10552&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10538\",\"10539\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10551&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10547\",\"10550\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10532&&&&{"aesFlag":1,"varName":"___lower_file_name_10001","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"QEp6CiJU27OLzwRtBGXIEhVTK6eSTiKR31dK4XVFkz9u3lRpcCT2PS6e+eCuoy5slti7BVH9KFO+ljo720o5lg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10554&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10553\",\"10540\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10531&&&&{"varName":"uid","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0.0"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10553&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10552\",\"___!null_10010\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10534&&&&{"varName":"___blink_instr_10001","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0.0"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10556&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10555\",\"10542\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10533&&&&{"aesFlag":1,"varName":"cmdline","functionName":"!in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"QhO8c5+E1GcoCgDIqz67dw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10555&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10554\",\"10541\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10547&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10546\",\"10533\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10546&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10545\",\"___!null_10009\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10549&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10534\",\"10548\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10548&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10535\",\"10536\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10529&&&&{"aesFlag":1,"varName":"dockercontainerid","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"M7grO0DWTNleGtk17FTQSw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10541&&&&{"aesFlag":1,"varName":"uid","functionName":"<>","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"4ROl+e4g5JZAI9EFfD9CUQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10540&&&&{"aesFlag":1,"varName":"uid_name","functionName":"<>","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"AYWKBDw0xxoXMPJIP1jDuQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10543&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10530\",\"10531\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10542&&&&{"aesFlag":1,"varName":"file_name","functionName":"!in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"h5esfc211d7HPaABmIo2RKX9LiQVTyONPcxb+6/EuuG8oPglo1aUxNrKM6Yoh3/5wwMi6keLnLkGByygcyh+fCA1eR4snN/3ZB4Mnw9vQpL9TWWxK3TldEkn8PlDVWUjNfmNfHXj+wyWvcStCeAIFjqZyWLjH02Upvv7yFRD+KPtht6iL3RIMp60WvTGOUOF7LgAh+NFz9yg9h1sN5PHTlUui0WvS7KCZ6oEgQ [...]
-dipper.private.blink.rules&&&&express&&&&10545&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10544\",\"10532\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10544&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10529\",\"10543\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_script_10002","type":"script","value":"retainField(k8spodname,file_path,dockerimageid,gid,perm,pid,k8snodeid,host_uuid,file_gid_name,sid,uid,file_gid,k8snodename [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_script_10003","type":"script","value":"___lower_uid_name_10002=lower(uid_name);\n___lower_file_name_10002=lower(file_name);\n___!null_10011=!null(cmdline);\n___b [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_rule_10002&&&&{"expressionStr":"(((((dockercontainerid,==,'N/A')&((___lower_uid_name_10002,==,'root')|(uid,==,double,0)))&(___lower_file_name_10002,in,'\\'bash\\',\\'sh\\',\\'dash\\',\\'ash\\',\\'tcsh\\',\\'csh\\',\\'ksh\\',\\'zsh\\''))&___!null_10011)&(cmdline,!in,'\\'N/A\\',\\'\\''))&(((___blink_instr_10002,==,double,0)|((___lower_cmdline_10003,regex,'^[a-z\\/]+\\s+-c')&(___rever [...]
-dipper.private.blink.rules&&&&express&&&&10570&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10569\",\"___!null_10011\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10558&&&&{"aesFlag":1,"varName":"dockercontainerid","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"M7grO0DWTNleGtk17FTQSw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10569&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10568\",\"10561\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10568&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10558\",\"10567\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10559&&&&{"aesFlag":1,"varName":"___lower_uid_name_10002","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"AYWKBDw0xxoXMPJIP1jDuQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10561&&&&{"aesFlag":1,"varName":"___lower_file_name_10002","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"QEp6CiJU27OLzwRtBGXIEhVTK6eSTiKR31dK4XVFkz9u3lRpcCT2PS6e+eCuoy5slti7BVH9KFO+ljo720o5lg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10572&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10564\",\"10565\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10560&&&&{"varName":"uid","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0.0"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10571&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10570\",\"10562\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10563&&&&{"varName":"___blink_instr_10002","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0.0"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10574&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10573\",\"10566\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10562&&&&{"aesFlag":1,"varName":"cmdline","functionName":"!in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"QhO8c5+E1GcoCgDIqz67dw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10573&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10563\",\"10572\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10565&&&&{"aesFlag":1,"varName":"___reverse_10004","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"BBydeM9HIhzVgDNQknyTW2YqZypw1YMRsPuo4g1fQFsA+K07lbLjD4VKjxg4fnCylP7M7H1sAtd2sn2NNJf7Bw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10564&&&&{"aesFlag":1,"varName":"___lower_cmdline_10003","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"eJuXezsg41SClgVzsqU6rQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10575&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10571\",\"10574\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10567&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10559\",\"10560\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10566&&&&{"aesFlag":1,"varName":"cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"Zco97o6UrrSZ0elsH7Q0Z81dTm4v+WG9f5wJTk8gquPLsPdY/WyRBliLUr69uA61Xk2v4lpU+OCt+L4ruCbfwA=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_script_10004&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_script_10004","type":"script","value":"filename=file_name;\nfilepath=file_path;\npcmdline=parent_cmd_line;\npfilename=parent_file_name;\npfilepath=parent_file_pa [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_script_10005&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_script_10005","type":"script","value":"retainField(k8spodname,dockerimageid,perm,pid,k8snodeid,host_uuid,sid,uid,k8snodename,cmdline,pfilename,filepath,time_win, [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_script_10006&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_script_10006","type":"script","value":"___!null_10012=!null(uid_name);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_rule_10003&&&&{"expressionStr":"(((((dockercontainerid,==,'N/A')&(uid_name,!in,'\\'N/A\\',\\'\\''))&___!null_10012)&(uid_name,<>,'root'))&(uid,<>,'0'))&(file_name,!in,'\\'sudo\\',\\'su\\',\\'dzdo\\',\\'expr\\',\\'modprobe\\',\\'systemd-cgroups-agent\\',\\'java\\',\\'php\\',\\'php-fpm\\',\\'python\\',\\'N/A\\',\\'grep\\',\\'kmod\\',\\'busybox\\',\\'rm\\',\\'conhost.exe\\',\\'date\\' [...]
-dipper.private.blink.rules&&&&express&&&&10579&&&&{"aesFlag":1,"varName":"uid","functionName":"<>","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"4ROl+e4g5JZAI9EFfD9CUQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10581&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10576\",\"10577\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10580&&&&{"aesFlag":1,"varName":"file_name","functionName":"!in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"h5esfc211d7HPaABmIo2RKX9LiQVTyONPcxb+6/EuuG8oPglo1aUxNrKM6Yoh3/5wwMi6keLnLkGByygcyh+fCA1eR4snN/3ZB4Mnw9vQpL9TWWxK3TldEkn8PlDVWUjNfmNfHXj+wyWvcStCeAIFjqZyWLjH02Upvv7yFRD+KPtht6iL3RIMp60WvTGOUOF7LgAh+NFz9yg9h1sN5PHTlUui0WvS7KCZ6oEgQ [...]
-dipper.private.blink.rules&&&&express&&&&10583&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10582\",\"10578\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10582&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10581\",\"___!null_10012\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10585&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10584\",\"10580\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10584&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10583\",\"10579\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10576&&&&{"aesFlag":1,"varName":"dockercontainerid","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"M7grO0DWTNleGtk17FTQSw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10578&&&&{"aesFlag":1,"varName":"uid_name","functionName":"<>","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"AYWKBDw0xxoXMPJIP1jDuQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10577&&&&{"aesFlag":1,"varName":"uid_name","functionName":"!in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"QhO8c5+E1GcoCgDIqz67dw=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_script_10007&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_script_10007","type":"script","value":"___unixtime_10002=unixtime(scan_time,'yyyy-MM-dd HH:mm:ss');\n___division_10002=division(___unixtime_10002,3600);\n___floo [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_script_10008&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_script_10008","type":"script","value":"retainField(uid_name,file_path,cmdline,perm,time_win,pid,parent_file_path,parent_cmd_line,scan_time,host_uuid,sid,ppid);", [...]
-dipper.private.blink.rules&&&&window&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_window_10001&&&&{"groupByFieldName":"host_uuid;cmdline;filename;filepath;pcmdline;pfilename;pfilepath;perm;pid;pid_start_time;ppid;scan_time;sid;tty;uid;uid_name;docker_file_path;dockercontainerid;dockerimageid;dockerimagename;k8sclusterid;k8snamespace;k8snodeid;k8snodename;k8spodname;time_win","waterMarkMinute":"0","sizeAdjust":"0","className":"com.aliyun.yundun.dipper.window.mo [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_script_10009&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_script_10009","type":"script","value":"retainField(k8spodname,dockerimageid,perm,pid,k8snodeid,host_uuid,sid,uid,k8snodename,cmdline,pfilename,filepath,time_win, [...]
-dipper.private.blink.rules&&&&window&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_join_window_10001&&&&{"waterMarkMinute":"0","className":"com.aliyun.yundun.dipper.window.model.JoinWindow","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_join_window_10001","type":"window","retainWindowCount":"6","windowType":"tumble","timeout":"30000","sizeInterval":"8","isAutoFlush":"false","nameSpace":"dipper.private.blink.rules","having [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_join_left_10001&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.WindowChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\":\\\\\\\"window\\\\\\\",\\\\\\\"lable\\\\\\\":\\\\\\\"blink.source.ae [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_join_right_10001&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\":\\\\\\\"script\\\\\\\",\\\\\\\"scriptName\\\\\\\":\\\\\\\"subpiplin [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_join_right_10001_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_join_right_10001_script_10001","type":"script","value":"retainField(uid_name,file_path,cmdline,perm,time_win,pid,parent_fi [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_script_10010&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_script_10010","type":"script","value":"___unixtime_10003=unixtime(scan_time);\n___unixtime_10004=unixtime(parent.scan_time);\n___subtraction_10001=subtraction(__ [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_rule_10004&&&&{"expressionStr":"___abs_10001,<,double,15","scriptNames":"[]","expressionName":"10586","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_rule_10004","ruleStatus":"0","type":"rule","version":"1.0","extendField": [...]
-dipper.private.blink.rules&&&&express&&&&10586&&&&{"varName":"___abs_10001","functionName":"<","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"15.0"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_script_10011&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_script_10011","type":"script","value":"pperm=parent.perm;\npusername=parent.uid_name;\npppid=parent.ppid;\npppfilepath=parent.parent_file_path;\npppcmdline=paren [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_script_10012&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_script_10012","type":"script","value":"scan_time=parent.scan_time;\nsid=parent.sid;\npid=parent.pid;\ntime_win=parent.time_win;\ncmdline=parent.cmdline;\nhost_uu [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_script_10013&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_script_10013","type":"script","value":"___regexp_10001=regex(cmdline,'virustotal');\n___compare_10012=equals(___regexp_10001,true);\nif(___compare_10012){___case [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_script_10014&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_script_10014","type":"script","value":"retainField(is_white,k8spodname,file_path,dockerimageid,pppfilepath,perm,pid,k8snodeid,host_uuid,sid,uid,k8snodename,cmdli [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_script_10015&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_script_10015","type":"script","value":"ali_uid='';\nclient_ip='';\nevent_type='进程异常行为';\nevent_name='疑似权限提升';\nlevel='high';\n___cast_10154=cast(host_uuid,'strin [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_script_10016&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_script_10016","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,host_uuid);","version":"1.0" [...]
-dipper.private.blink.rules&&&&channel&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_channel_10001&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_privilege_escalation_channel_10001","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"fa [...]
-dipper.private.blink.rules&&&&pipline&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"nextStageLables\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"cancelAfterConfigurableRefreshListerner\\\\\\\":\\\\\\\"false\\\\\\\" [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature;sas_black_rule_v2_10001&&&&{"fullClassName":"com.lyra.xs.udf.ext.sas_black_rule_v2","initMethodName":"open","functionName":"sas_black_rule_v2","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature;sas_black_rule_v2_ [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature;json_concat_10004&&&&{"fullClassName":"com.aliyun.sec.lyra.udf.ext.JsonConcat","initMethodName":"open","functionName":"json_concat","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature;json_concat_10004","type":"sc [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature;b64_auto_10001&&&&{"fullClassName":"com.lyra.xs.udf.ext.b64_auto","initMethodName":"open","functionName":"b64_auto","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature;b64_auto_10001","type":"script","version":"1. [...]
-dipper.private.blink.rules&&&&channel&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","syncTimeout":"5000","groupName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_black [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_script_10001","type":"script","value":"___!null_10013=!null(cmdline);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_rule_10001&&&&{"expressionStr":"___!null_10013&(cmdline,<>,'')","scriptNames":"[]","expressionName":"10588","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_rule_10001","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","ac [...]
-dipper.private.blink.rules&&&&express&&&&10587&&&&{"aesFlag":1,"varName":"cmdline","functionName":"<>","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"wc8fi0p7qwBHnY1x2c6Qsw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10588&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"___!null_10013\",\"10587\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_script_10002","type":"script","value":"uuid=host_uuid;\nfilename=file_name;\npfilename=parent_file_name;\npcmdline=parent_cmd_line;\nfilepath=file_path;\npfilepath=parent_file [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_script_10003","type":"script","value":"retainField(k8spodname,dockerimageid,dockercontainerid,dockerimagename,pid,k8snodeid,k8sclusterid,uuid,ppid,sid,uid_name,b64_cmdline,k8s [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_script_10004&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_script_10004","type":"script","value":"retainField(k8spodname,dockerimageid,dockercontainerid,dockerimagename,pid,k8snodeid,k8sclusterid,uuid,ppid,sid,uid_name,b64_cmdline,k8s [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_script_10005&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_script_10005","type":"script","value":"___lower_cmdline_10004=lower(cmdline);\n___REGEXP_REPLACE_10006=REGEXP_REPLACE(___lower_cmdline_10004,'\\s+',' ');\nstd_cmdline=___REGEX [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_script_10006&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_script_10006","type":"script","value":"retainField(k8spodname,dockerimageid,std_filepath,pid,k8snodeid,uuid,std_pfilename,sid,k8snodename,cmdline,pfilename,filepath,std_filena [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_script_10007&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_script_10007","type":"script","value":"___SAS_BLACK_RULE_V2_10001=SAS_BLACK_RULE_V2(257,1,'std_cmd_line',std_cmdline,'cmd_line',cmdline,'cmdline',cmdline,'filename',filename,' [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_script_10008&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_script_10008","type":"script","value":"retainField(k8spodname,dockerimageid,std_filepath,pid,k8snodeid,uuid,std_pfilename,sid,k8snodename,cmdline,pfilename,filepath,std_filena [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_rule_10002&&&&{"expressionStr":"(sas_black_rule_ob_result,>,double,0)|(sas_black_rule_online_result,>,double,0)","scriptNames":"[]","expressionName":"10591","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_rule_10002","ruleStatus":"0","ty [...]
-dipper.private.blink.rules&&&&express&&&&10590&&&&{"varName":"sas_black_rule_online_result","functionName":">","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0.0"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10591&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10589\",\"10590\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10589&&&&{"varName":"sas_black_rule_ob_result","functionName":">","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0.0"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_script_10009&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_script_10009","type":"script","value":"retainField(k8spodname,dockerimageid,std_filepath,pid,k8snodeid,uuid,std_pfilename,sid,k8snodename,cmdline,pfilename,filepath,std_filena [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_rule_10003&&&&{"expressionStr":"((sas_black_rule_online_result,>,double,0)|(sas_black_rule_ob_result,in,'954,956'))|(((sas_black_rule_ob_result,in,'919')&(filename,in,'\\'ssh\\''))|((sas_black_rule_ob_result,>=,double,972)&(sas_black_rule_ob_result,<=,double,1003)))","scriptNames":"[]","expressionName":"10602","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor [...]
-dipper.private.blink.rules&&&&express&&&&10602&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10598\",\"10601\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10601&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10599\",\"10600\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10592&&&&{"varName":"sas_black_rule_online_result","functionName":">","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0.0"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10594&&&&{"aesFlag":1,"varName":"sas_black_rule_ob_result","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"yMqD2bBfahlBo0PPn2vLJg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10593&&&&{"aesFlag":1,"varName":"sas_black_rule_ob_result","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"x41L6PfNXwd5JNipSA5WCw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10596&&&&{"varName":"sas_black_rule_ob_result","functionName":">=","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"972.0"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10595&&&&{"aesFlag":1,"varName":"filename","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"qVChOq21zoNjgEZ6Rf+lqQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10598&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10592\",\"10593\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10597&&&&{"varName":"sas_black_rule_ob_result","functionName":"<=","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"1003.0"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10600&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10596\",\"10597\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10599&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10594\",\"10595\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_script_10010&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_script_10010","type":"script","value":"___in_10005=contain(sas_black_rule_online_result,602,603,618)\n;___REGEXP_REPLACE_10012=REGEXP_REPLACE(std_filename,'([^\\\\\\:\\>\\-\\& [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_script_10011&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_script_10011","type":"script","value":"retainField(k8spodname,dockerimageid,k8snodename,docker_file_path,dockercontainerid,dockerimagename,k8spodname,dockerimageid,std_filepat [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_script_10012&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_script_10012","type":"script","value":"___md5_10004=md5(abk_raw);\nabk=___md5_10004;rm('___md5_10004');\n___regexp_10002=regex(std_cmdline,'virustotal');\n___compare_10014=equ [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_script_10013&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_script_10013","type":"script","value":"retainField(is_white,k8spodname,dockerimageid,std_filepath,pid,k8snodeid,uuid,std_pfilename,sid,k8snodename,cmdline,pfilename,filepath,s [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_rule_10004&&&&{"expressionStr":"is_white,==,double,0","scriptNames":"[]","expressionName":"10603","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_rule_10004","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames" [...]
-dipper.private.blink.rules&&&&express&&&&10603&&&&{"varName":"is_white","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0.0"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_script_10014&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_script_10014","type":"script","value":"retainField(k8spodname,dockerimageid,std_filepath,pid,k8snodeid,uuid,std_pfilename,sid,k8snodename,cmdline,pfilename,filepath,std_filena [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_script_10015&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_script_10015","type":"script","value":"ali_uid='';\nclient_ip='';\nevent_type='进程异常行为';\nevent_name='linux可疑命令执行';\nlevel='high';\n___cast_10187=cast(scan_time,'string');\n___ [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_script_10016&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_script_10016","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]" [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_script_10017&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_script_10017","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]" [...]
-dipper.private.blink.rules&&&&channel&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_channel_10001&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_black_feature_channel_10001","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeI [...]
-dipper.private.blink.rules&&&&pipline&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"nextStageLables\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10002\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"cancelAfterConfigurableRefreshListerner\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"o [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2;sas_black_rule_v3_10001&&&&{"fullClassName":"com.lyra.xs.udf.ext.sas_black_rule_v3","initMethodName":"open","functionName":"sas_black_rule_v3","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2;sas_black_rule_v3_10001","type [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2;b64_auto_10002&&&&{"fullClassName":"com.lyra.xs.udf.ext.b64_auto","initMethodName":"open","functionName":"b64_auto","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2;b64_auto_10002","type":"script","version":"1.0","closeMet [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2;instr_10001&&&&{"fullClassName":"com.lyra.xs.udf.ext.instr","initMethodName":"open","functionName":"instr","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2;instr_10001","type":"script","version":"1.0","closeMethodName":"cl [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2;json_concat_10005&&&&{"fullClassName":"com.aliyun.sec.lyra.udf.ext.JsonConcat","initMethodName":"open","functionName":"json_concat","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2;json_concat_10005","type":"script","versi [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2;sas_black_rule_v2_10002&&&&{"fullClassName":"com.lyra.xs.udf.ext.sas_black_rule_v2","initMethodName":"open","functionName":"sas_black_rule_v2","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2;sas_black_rule_v2_10002","type [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2;b64_auto_10003&&&&{"fullClassName":"com.lyra.xs.udf.ext.b64_auto","initMethodName":"open","functionName":"b64_auto","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2;b64_auto_10003","type":"script","version":"1.0","closeMet [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2;instr_10002&&&&{"fullClassName":"com.lyra.xs.udf.ext.instr","initMethodName":"open","functionName":"instr","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2;instr_10002","type":"script","version":"1.0","closeMethodName":"cl [...]
-dipper.private.blink.rules&&&&channel&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder":"true","maxFetchLogGroupSize":"1 [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10001","type":"script","value":"logtime=scan_time;\nuuid=host_uuid;\nproc_name=file_name;\ncmd=cmdline;\npproc_name=parent_file_name;\npcmd=parent_cmd_line;\npexe=file_path;\nppexe [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10002","type":"script","value":"retainField(pexe,pid,cmd,aliuid,proc_name,ppexe,logtime,uuid,pproc_name,pcmd,ppid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10003","type":"script","value":"___lower_proc_name_10001=lower(proc_name);\n___lower_pproc_name_10001=lower(pproc_name);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_rule_10001&&&&{"expressionStr":"(((((___lower_proc_name_10001,like,'%.exe')|(___lower_pproc_name_10001,like,'%.exe'))|(pexe,like,'_:/%'))|(ppexe,like,'_:/%'))|(pexe,like,'//%'))|(ppexe,like,'//%')","scriptNames":"[]","expressionName":"10614","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aeg [...]
-dipper.private.blink.rules&&&&express&&&&10613&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10612\",\"10608\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10612&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10611\",\"10607\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10604&&&&{"aesFlag":1,"varName":"___lower_proc_name_10001","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"+hpefcjI0jxX3V74t6E7Ow=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10614&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10613\",\"10609\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10606&&&&{"aesFlag":1,"varName":"pexe","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"iEGyh/evZuz6gUfAf8QayQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10605&&&&{"aesFlag":1,"varName":"___lower_pproc_name_10001","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"+hpefcjI0jxX3V74t6E7Ow=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10608&&&&{"aesFlag":1,"varName":"pexe","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"dZof4o+5XqLmguDMF556hA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10607&&&&{"aesFlag":1,"varName":"ppexe","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"iEGyh/evZuz6gUfAf8QayQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10609&&&&{"aesFlag":1,"varName":"ppexe","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"dZof4o+5XqLmguDMF556hA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10611&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10610\",\"10606\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10610&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10604\",\"10605\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10004&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10004","type":"script","value":"data_type='online';\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10005&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10005","type":"script","value":"retainField(pexe,data_type,pid,cmd,aliuid,proc_name,ppexe,logtime,uuid,pproc_name,pcmd,ppid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_rule_10002&&&&{"expressionStr":"data_type,==,'online'","scriptNames":"[]","expressionName":"10615","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_rule_10002","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10615&&&&{"aesFlag":1,"varName":"data_type","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"MhriRxEga5GjFlRBwhEN4Q=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10006&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10006","type":"script","value":"retainField(pexe,data_type,pid,cmd,aliuid,proc_name,ppexe,logtime,uuid,pproc_name,pcmd,ppid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10007&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10007","type":"script","value":"___unixtime_10006=unixtime(logtime);\nunixtime=___unixtime_10006;rm('___unixtime_10006');\n___lower_proc_name_10002=lower(proc_name);\nclean_proc=__ [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10008&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10008","type":"script","value":"retainField(unixtime,clean_proc,clean_cmd_noquote,clean_pproc,pexe,data_type,pid,cmd,aliuid,proc_name,ppexe,logtime,uuid,pproc_name,pcmd,ppid);","ve [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10009&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10009","type":"script","value":"___multiplication_10001=multiplication(60,60);\n___multiplication_10002=multiplication(___multiplication_10001,24);\n___division_10004=division(unix [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10010&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10010","type":"script","value":"retainField(shot_pcmd,timepart_1hour,log_uid,timepart_1day,unixtime,pid,ppexe,uuid,pproc_name,ppid,clean_proc,clean_cmd_noquote,pexe,clean_pproc,dat [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10001&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"names\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10001_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\ [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10001_rule_10001&&&&{"expressionStr":"data_type,<>,'online'","scriptNames":"[]","expressionName":"10616","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10001_rule_10001","ruleStatus":"0","type":"rule","version":"1. [...]
-dipper.private.blink.rules&&&&express&&&&10616&&&&{"aesFlag":1,"varName":"data_type","functionName":"<>","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"MhriRxEga5GjFlRBwhEN4Q=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10001_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10001_script_10001","type":"script","value":"p2_logtime='';\np2_proc_name='';\np2_cmd='';\np2_pproc_name='';\np2_pcmd='';\np2_pexe='';\np2_ppexe='' [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10001_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10001_script_10002","type":"script","value":"retainField(p2_pid,p2_ppid,p2_pexe,pid,p3_ppexe,ppexe,uuid,p3_pid,pexe,aliuid,p2_proc_name,p2_pcmd,p2_ [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10002&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\":\\\\\\\"script\\\\\\\",\\\\\\\"scriptName\\\\\\\":\\\\\\\"subpipline_blink.source.aeg [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10002_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10002_script_10001","type":"script","value":"___null_10013=null(p2_logtime);\nif(___null_10013){___if_v3_10001=''}else{___if_v3_10001=p2_logtime};\ [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10002_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10002_script_10002","type":"script","value":"retainField(p2_pid,p2_ppid,p2_pexe,pid,p3_ppexe,ppexe,uuid,p3_pid,pexe,aliuid,p2_proc_name,p2_pcmd,p2_ [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10003&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"names\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10003_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\ [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10003_rule_10001&&&&{"expressionStr":"step_2_continue,==,boolean,false","scriptNames":"[]","expressionName":"10617","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10003_rule_10001","ruleStatus":"0","type":"rule","v [...]
-dipper.private.blink.rules&&&&express&&&&10617&&&&{"varName":"step_2_continue","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Boolean\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"false"}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10003_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10003_script_10001","type":"script","value":"p2_logtime='';\np2_proc_name='';\np2_cmd='';\np2_pproc_name='';\np2_pcmd='';\np2_pexe='';\np2_ppexe='' [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10003_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10003_script_10002","type":"script","value":"retainField(p2_pid,p2_ppid,p2_pexe,pid,p3_ppexe,ppexe,uuid,p3_pid,pexe,aliuid,p2_proc_name,p2_pcmd,p2_ [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10004&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"names\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10004_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\ [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10004_rule_10001&&&&{"expressionStr":"step_3_continue,==,boolean,false","scriptNames":"[]","expressionName":"10618","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10004_rule_10001","ruleStatus":"0","type":"rule","v [...]
-dipper.private.blink.rules&&&&express&&&&10618&&&&{"varName":"step_3_continue","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Boolean\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"false"}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10004_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10004_script_10001","type":"script","value":"___null_10031=null(p2_logtime);\nif(___null_10031){___if_v_tmp_ayd871y7dy12_10001=''}else{___if_v_tmp_ [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10004_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10004_script_10002","type":"script","value":"retainField(p2_pid,p2_ppid,p2_pexe,pid,p3_ppexe,ppexe,uuid,p3_pid,pexe,aliuid,p2_proc_name,p2_pcmd,p2_ [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10005&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"names\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10005_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\ [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10005_rule_10001&&&&{"expressionStr":"chain_level,in,'\\'p2\\',\\'p3\\''","scriptNames":"[]","expressionName":"10619","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10005_rule_10001","ruleStatus":"0","type":"rule", [...]
-dipper.private.blink.rules&&&&express&&&&10619&&&&{"aesFlag":1,"varName":"chain_level","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"H2zd1kq1OIhVTUDIiE4pYw=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10005_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10005_script_10001","type":"script","value":"retainField(p2_pid,p2_ppid,p2_pexe,pid,p3_ppexe,ppexe,uuid,chain_pcmd,p3_pid,pexe,p2_proc_name,p2_pcmd [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10006&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\":\\\\\\\"script\\\\\\\",\\\\\\\"scriptName\\\\\\\":\\\\\\\"subpipline_blink.source.aeg [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10006_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10006_script_10001","type":"script","value":"p2_logtime='';\np2_proc_name='';\np2_cmd='';\np2_pproc_name='';\np2_pcmd='';\np2_pexe='';\np2_ppexe='' [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10006_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10006_script_10002","type":"script","value":"retainField(p2_pid,p2_ppid,p2_pexe,pid,p3_ppexe,ppexe,uuid,chain_pcmd,p3_pid,pexe,p2_proc_name,p2_pcmd [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_rule_10003&&&&{"expressionStr":"clean_proc,in,'\\'cmd.exe\\',\\'powershell.exe\\''","scriptNames":"[]","expressionName":"10620","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_rule_10003","ruleStatus":"0","type":"rule","version":"1.0","extendField": [...]
-dipper.private.blink.rules&&&&express&&&&10620&&&&{"aesFlag":1,"varName":"clean_proc","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"YGeHkwJkc4xJFjK1BtvAndrjJb4sJfqN+JRKfoTDfew="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10011&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10011","type":"script","value":"retainField(unixtime,shot_pcmd,timepart_1day,pid,ppexe,uuid,pproc_name,ppid,clean_proc,timepart_1hour,clean_cmd_noquote,log_uid,pexe,clean_pproc,dat [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10012&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10012","type":"script","value":"___lower_pproc_name_10003=lower(pproc_name);\n___in_10006=contain(___lower_pproc_name_10003,'cmd.exe','powershell.exe')\n;if(___in_10006){___if_v0_1 [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10013&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10013","type":"script","value":"retainField(step_2_continue,unixtime,shot_pcmd,timepart_1day,pid,ppexe,uuid,pproc_name,ppid,clean_proc,timepart_1hour,clean_cmd_noquote,log_uid,pexe [...]
-dipper.private.blink.rules&&&&window&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_join_window_10001&&&&{"waterMarkMinute":"0","className":"com.aliyun.yundun.dipper.window.model.JoinWindow","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_join_window_10001","type":"window","retainWindowCount":"6","windowType":"tumble","timeout":"30000","sizeInterval":"8","isAutoFlush":"false","nameSpace":"dipper.private.blink.rules","havingMap":"[]","extendField":"[ [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_join_left_10001&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"names\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_join_left_10001_rule_10001\\\\\\\\\\\\\\\"]\\\ [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_join_left_10001_rule_10001&&&&{"expressionStr":"step_2_continue,==,boolean,true","scriptNames":"[]","expressionName":"10621","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_join_left_10001_rule_10001","ruleStatus":"0","type":"r [...]
-dipper.private.blink.rules&&&&express&&&&10621&&&&{"varName":"step_2_continue","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Boolean\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"true"}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_join_left_10001_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_join_left_10001_script_10001","type":"script","value":"___uuid_10002=uuid();\n___concat_10006=concat(uuid,___uuid_10002);\nthe_uuid_dayd71y28y17=___c [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_join_left_10001_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_join_left_10001_script_10002","type":"script","value":"retainField(the_uuid_dayd71y28y17,unixtime,step_2_continue,shot_pcmd,timepart_1day,pid,ppexe,u [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_join_right_10001&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.WindowChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\":\\\\\\\"window\\\\\\\",\\\\\\\"lable\\\\\\\":\\\\\\\"blink.source.aegis.proc_adl [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10014&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10014","type":"script","value":"p2_logtime=b.logtime;\np2_unixtime=b.unixtime;\np2_uuid=b.uuid;\np2_proc_name=b.proc_name;\np2_cmd=b.cmd;\np2_pproc_name=b.pproc_name;\np2_pcmd=b.pc [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10015&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10015","type":"script","value":"aliuid=b.aliuid;\nclean_cmd_noquote=b.clean_cmd_noquote;\ntimepart_1day=b.timepart_1day;\ntimepart_1hour=b.timepart_1hour;\ndata_type=b.data_type;\n [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_rule_10004&&&&{"expressionStr":"r_Dau8d192yd712yd7,==,double,1","scriptNames":"[]","expressionName":"10622","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_rule_10004","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":" [...]
-dipper.private.blink.rules&&&&express&&&&10622&&&&{"varName":"r_Dau8d192yd712yd7","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"1.0"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10016&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10016","type":"script","value":"retainField(unixtime,p2_pid,shot_pcmd,p2_ppid,p2_pexe,p2_clean_proc,timepart_1day,pid,ppexe,uuid,p2_unixtime,timepart_1hour,pexe,aliuid,p2_proc_name [...]
-dipper.private.blink.rules&&&&window&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_join_window_10002&&&&{"waterMarkMinute":"0","className":"com.aliyun.yundun.dipper.window.model.JoinWindow","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_join_window_10002","type":"window","retainWindowCount":"6","windowType":"tumble","timeout":"30000","sizeInterval":"8","isAutoFlush":"false","nameSpace":"dipper.private.blink.rules","havingMap":"[]","extendField":"[ [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_join_left_10002&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"names\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_join_left_10002_rule_10001\\\\\\\\\\\\\\\"]\\\ [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_join_left_10002_rule_10001&&&&{"expressionStr":"step_3_continue,==,boolean,true","scriptNames":"[]","expressionName":"10623","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_join_left_10002_rule_10001","ruleStatus":"0","type":"r [...]
-dipper.private.blink.rules&&&&express&&&&10623&&&&{"varName":"step_3_continue","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Boolean\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"true"}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_join_left_10002_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_join_left_10002_script_10001","type":"script","value":"retainField(unixtime,p2_pid,shot_pcmd,p2_ppid,p2_pexe,timepart_1day,p2_clean_proc,pid,ppexe,uu [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_join_right_10002&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.WindowChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\":\\\\\\\"window\\\\\\\",\\\\\\\"lable\\\\\\\":\\\\\\\"blink.source.aegis.proc_adl [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10017&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10017","type":"script","value":"p3_logtime=b.logtime;\np3_unixtime=b.unixtime;\np3_uuid=b.uuid;\np3_proc_name=b.proc_name;\np3_cmd=b.cmd;\np3_pproc_name=b.pproc_name;\np3_pcmd=b.pc [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10018&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10018","type":"script","value":"clean_proc=b.clean_proc;\nclean_cmd_noquote=b.clean_cmd_noquote;\ntimepart_1day=b.timepart_1day;\ndata_type=b.data_type;\nlog_uid=b.log_uid;\naliuid [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_rule_10005&&&&{"expressionStr":"r_Dadu1y2871yd2821tg28,==,double,1","scriptNames":"[]","expressionName":"10624","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_rule_10005","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionName [...]
-dipper.private.blink.rules&&&&express&&&&10624&&&&{"varName":"r_Dadu1y2871yd2821tg28","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"1.0"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10019&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10019","type":"script","value":"retainField(unixtime,p2_pid,shot_pcmd,p2_ppid,p2_pexe,p3_uuid,p3_shot_pcmd,pid,uuid,p2_unixtime,timepart_1hour,p3_pid,step_3_continue,pexe,p2_proc_n [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10020&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10020","type":"script","value":"___lower_p2_pproc_name_10001=lower(p2_pproc_name);\n___in_10007=contain(___lower_p2_pproc_name_10001,'cmd.exe','powershell.exe')\n;if(___in_10007){_ [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10021&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10021","type":"script","value":"retainField(step_3_continue,unixtime,p2_pid,shot_pcmd,p2_ppid,p2_pexe,timepart_1day,p2_clean_proc,pid,ppexe,uuid,p2_unixtime,timepart_1hour,pexe,p2_ [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10007&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\":\\\\\\\"script\\\\\\\",\\\\\\\"scriptName\\\\\\\":\\\\\\\"subpipline_blink.source.aeg [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10007_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10007_script_10001","type":"script","value":"chain_level='p1';\nchain_pproc_name=pproc_name;\nchain_pcmd=pcmd;\nchain_ppexe=ppexe;\nchain_ppid=ppid [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10007_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10007_script_10002","type":"script","value":"retainField(chain_pcmd,chain_ppid,chain_pproc_name,p2_pid,p2_ppid,p2_pexe,pid,p3_ppexe,uuid,p3_pid,pex [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10008&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"names\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10008_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\ [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10008_rule_10001&&&&{"expressionStr":"p2_pproc_name,<>,''","scriptNames":"[]","expressionName":"10625","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10008_rule_10001","ruleStatus":"0","type":"rule","version":"1.0" [...]
-dipper.private.blink.rules&&&&express&&&&10625&&&&{"aesFlag":1,"varName":"p2_pproc_name","functionName":"<>","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"wc8fi0p7qwBHnY1x2c6Qsw=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10008_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10008_script_10001","type":"script","value":"chain_level='p2';\nchain_pproc_name=p2_pproc_name;\nchain_pcmd=p2_pcmd;\nchain_ppexe=p2_ppexe;\nchain_ [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10008_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10008_script_10002","type":"script","value":"retainField(chain_pcmd,chain_ppid,chain_pproc_name,p2_pid,p2_pexe,pid,p3_ppexe,ppexe,uuid,p3_pid,pexe, [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10009&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"names\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10009_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\ [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10009_rule_10001&&&&{"expressionStr":"p3_pproc_name,<>,''","scriptNames":"[]","expressionName":"10626","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10009_rule_10001","ruleStatus":"0","type":"rule","version":"1.0" [...]
-dipper.private.blink.rules&&&&express&&&&10626&&&&{"aesFlag":1,"varName":"p3_pproc_name","functionName":"<>","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"wc8fi0p7qwBHnY1x2c6Qsw=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10009_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10009_script_10001","type":"script","value":"chain_level='p3';\nchain_pproc_name=p3_pproc_name;\nchain_pcmd=p3_pcmd;\nchain_ppexe=p3_ppexe;\nchain_ [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10009_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_union_10009_script_10002","type":"script","value":"retainField(chain_pcmd,chain_ppid,chain_pproc_name,p2_pid,p2_ppid,p2_pexe,pid,ppexe,uuid,p3_pid,pexe,a [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10022&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10022","type":"script","value":"retainField(chain_ppid,p2_pid,p2_ppid,p2_pexe,pid,p3_ppexe,ppexe,uuid,chain_pcmd,p3_pid,pexe,aliuid,p2_proc_name,p2_pcmd,p2_ppexe,p3_cmd,p3_ppid,p3_ [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10023&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10023","type":"script","value":"___REGEXP_EXTRACT_10003=REGEXP_EXTRACT(cmd,'([a-zA-Z0-9\\/+=]{80,})',1);\ncmd_b64_raw=___REGEXP_EXTRACT_10003;rm('___REGEXP_EXTRACT_10003');\n___low [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10024&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10024","type":"script","value":"retainField(clean_proc,log_uuid,clean_pexe,clean_chain_pproc,clean_chain_pcmd,cmd_b64_raw,clean_pproc,clean_cmd,clean_chain_ppexe,p2_pid,p2_ppid,p2_ [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10025&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10025","type":"script","value":"___null_10040=null(cmd_b64_raw);\nif(___null_10040){___if_proc_log_union_10001=''}else{___if_proc_log_union_10001=cmd_b64_raw};\n___B64_AUTO_10002=B [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10026&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10026","type":"script","value":"retainField(b64_decode_raw,clean_cmd_no_quote,p2_pid,p2_ppid,p2_pexe,clean_cmd,pid,p3_ppexe,ppexe,uuid,chain_pcmd,log_uuid,clean_chain_pproc,clean_c [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10027&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10027","type":"script","value":"___lower_b64_decode_raw_10001=lower(b64_decode_raw);\nb64_decode=___lower_b64_decode_raw_10001;rm('___lower_b64_decode_raw_10001');\n___!null_10014= [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10028&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10028","type":"script","value":"retainField(b64_decode,p2_pid,p2_ppid,p2_pexe,clean_cmd,pid,p3_ppexe,ppexe,uuid,chain_pcmd,log_uuid,clean_chain_pproc,clean_chain_pcmd,p3_pid,pexe,c [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10029&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10029","type":"script","value":"___compare_10016=equals(b64_decode,'');\n___concat_10007=concat(clean_cmd,' / ',b64_decode);\nif(___compare_10016){___if_proc_log_union_10003=clean_ [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10030&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10030","type":"script","value":"retainField(p2_pid,p2_ppid,p2_pexe,clean_cmd,pid,p3_ppexe,ppexe,uuid,chain_pcmd,log_uuid,clean_chain_pproc,clean_chain_pcmd,p3_pid,pexe,cmd_b64_raw, [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10031&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10031","type":"script","value":"_sep1='\\|';\nblack_feature_number='234';\ntmp_1='1';\ntmp_2='2';\ntmp_3='3';\ntmp_4='4';\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10032&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10032","type":"script","value":"retainField(_sep1,black_feature_number,tmp_4,p2_pid,p2_ppid,p2_pexe,pid,uuid,chain_pcmd,p3_pid,pexe,clean_chain_ppexe,p2_proc_name,b64_decode_raw,p2 [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10033&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10033","type":"script","value":"___regexp_10003=regex(clean_cmd_no_quote,'net1?(\\.exe)?\\s+localgroup\\s+administrators.*/add?\\b');\n___regexp_10004=regex(clean_cmd_no_quote,'net [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10034&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10034","type":"script","value":"retainField(sas_module_rule_result_s,_sep1,p2_pid,p2_ppid,p2_pexe,pid,uuid,chain_pcmd,p3_pid,pexe,tmp_4,clean_chain_ppexe,p2_proc_name,tmp_1,tmp_3,t [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10035&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10035","type":"script","value":"___regexp_10035=regex(sas_module_rule_result_s,'^[\\|\\s]*$');\nif(___regexp_10035){___if_new_v3_10001=false}else{___if_new_v3_10001=true};\nhit_mod [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10036&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10036","type":"script","value":"retainField(_sep1,p2_pid,p2_ppid,p2_pexe,pid,uuid,chain_pcmd,p3_pid,pexe,tmp_4,clean_chain_ppexe,p2_proc_name,tmp_1,tmp_3,tmp_2,b64_decode_raw,p2_pp [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10037&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10037","type":"script","value":"___STRING_SPLIT_10001=STRING_SPLIT(sas_module_rule_result_s,_sep1);T.v=udtf.0;","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10038&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10038","type":"script","value":"___trim_10003=trim(T.v);\nfinal_result=___trim_10003;rm('___trim_10003');\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10039&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10039","type":"script","value":"retainField(final_result,_sep1,p2_pid,p2_ppid,p2_pexe,pid,uuid,chain_pcmd,p3_pid,pexe,tmp_4,clean_chain_ppexe,p2_proc_name,tmp_1,tmp_3,tmp_2,b64_dec [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10040&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10040","type":"script","value":"___!null_10015=!null(final_result);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_rule_10006&&&&{"expressionStr":"___!null_10015&(final_result,regex,'\\S+')","scriptNames":"[]","expressionName":"10628","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_rule_10006","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","ac [...]
-dipper.private.blink.rules&&&&express&&&&10628&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"___!null_10015\",\"10627\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10627&&&&{"aesFlag":1,"varName":"final_result","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"BhPVyKanBl/NbolFClSKRQ=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10041&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10041","type":"script","value":"retainField(_sep1,p2_pid,p2_ppid,p2_pexe,pid,uuid,chain_pcmd,p3_pid,pexe,tmp_4,clean_chain_ppexe,p2_proc_name,tmp_1,tmp_3,tmp_2,b64_decode_raw,p2_pp [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10042&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10042","type":"script","value":"___cast_10222=cast(logtime,'string');\nlogtime=___cast_10222;rm('___cast_10222');\n___cast_10223=cast(uuid,'string');\nuuid=___cast_10223;rm('___cas [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10043&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10043","type":"script","value":"retainField(clean_cmd,final_result,pid,ppexe,uuid,chain_pcmd,log_uuid,clean_chain_pproc,clean_chain_pcmd,pexe,cmd_b64_raw,clean_chain_ppexe,b64_deco [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10044&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10044","type":"script","value":"___regexp_10036=regex(final_result,'^\\d+$');\nif(___regexp_10036){___if_to_online_10001=true}else{___if_to_online_10001=false};\nfrom_black_rule=__ [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10045&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10045","type":"script","value":"retainField(clean_cmd,final_result,pid,ppexe,uuid,chain_pcmd,log_uuid,clean_chain_pproc,clean_chain_pcmd,pexe,cmd_b64_raw,clean_chain_ppexe,b64_deco [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10046&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10046","type":"script","value":"___in_10009=contain(final_result,'839','840','904')\n;___cast_10255=cast('停用安全软件服务','string');\n___in_10010=contain(final_result,'900','901')\n;___c [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10047&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10047","type":"script","value":"retainField(event_name,clean_cmd,final_result,pid,ppexe,uuid,chain_pcmd,log_uuid,clean_chain_pproc,clean_chain_pcmd,pexe,cmd_b64_raw,clean_chain_ppe [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_rule_10007&&&&{"expressionStr":"event_name,<>,''","scriptNames":"[]","expressionName":"10629","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_rule_10007","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10629&&&&{"aesFlag":1,"varName":"event_name","functionName":"<>","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"wc8fi0p7qwBHnY1x2c6Qsw=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10048&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10048","type":"script","value":"___in_10022=contain(event_name,'可疑的进程路径','可疑的进程文件名')\n;___REGEXP_REPLACE_10018=REGEXP_REPLACE(clean_cmd,'([^/\\s:\\\\\\-]+)','A');\n___concat_10008= [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10049&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10049","type":"script","value":"retainField(clean_cmd,final_result,pid,ppexe,uuid,chain_pcmd,log_uuid,clean_chain_pproc,clean_chain_pcmd,pexe,cmd_b64_raw,clean_chain_ppexe,b64_deco [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10050&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10050","type":"script","value":"___md5_10005=md5(abk_raw);\nabk=___md5_10005;rm('___md5_10005');\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10051&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10051","type":"script","value":"retainField(clean_cmd,final_result,pid,ppexe,uuid,chain_pcmd,log_uuid,clean_chain_pproc,clean_chain_pcmd,pexe,cmd_b64_raw,clean_chain_ppexe,abk_raw, [...]
-dipper.private.blink.rules&&&&window&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_window_10001&&&&{"groupByFieldName":"uuid;event_name;abk;___cast_10276","waterMarkMinute":"0","className":"com.aliyun.yundun.dipper.window.model.OverWindow","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_window_10001","type":"window","version":"1.0","fireDelaySecond":"30","timeout":"30000","activtyTimeOut":"3000","sizeInterval":"60","groupMap":"[]","slideInterval":" [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10052&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10052","type":"script","value":"___unixtime_10007=unixtime(logtime);\n___multiplication_10007=multiplication(30,1);\n___division_10006=division(___unixtime_10007,___multiplication_ [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10053&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10053","type":"script","value":"retainField(r_dasud891ud912,clean_cmd,final_result,pid,ppexe,uuid,chain_pcmd,log_uuid,clean_chain_pproc,clean_chain_pcmd,pexe,cmd_b64_raw,clean_chai [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_rule_10008&&&&{"expressionStr":"r_dasud891ud912,==,double,1","scriptNames":"[]","expressionName":"10630","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_rule_10008","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]" [...]
-dipper.private.blink.rules&&&&express&&&&10630&&&&{"varName":"r_dasud891ud912","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"1.0"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10054&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10054","type":"script","value":"retainField(clean_cmd,final_result,pid,ppexe,uuid,chain_pcmd,log_uuid,clean_chain_pproc,clean_chain_pcmd,pexe,cmd_b64_raw,clean_chain_ppexe,abk_raw, [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10055&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10055","type":"script","value":"ali_uid='';\nclient_ip='';\nevent_type='进程异常行为';\nlevel='high';\n___cast_10277=cast(logtime,'string');\n___cast_10278=cast(uuid,'string');\n___cast_ [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10056&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_script_10056","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&channel&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_channel_10001&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_v2_channel_10001","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder":"tru [...]
-dipper.private.blink.rules&&&&pipline&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"nextStageLables\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10002\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"cancelAfterConfigurableRefreshListerner\\\\\\\":\\\\\\\"false [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq;blackrule_10001&&&&{"setCollectorMethodName":"setCollector","fullClassName":"com.sas.zing.blink.udf.BlackRule","initMethodName":"open","functionName":"blackrule","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udtf.BlinkUDTFScript","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq;blackrule_10001","type":"script","version":"1.0" [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq;BlackSeq_10001&&&&{"setCollectorMethodName":"setCollector","fullClassName":"com.aliyun.sec.lyra.hsh.udf.ext.BlackSeq","initMethodName":"open","functionName":"BlackSeq","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udtf.BlinkUDTFScript","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq;BlackSeq_10001","type":"script","version": [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq;json_concat_10006&&&&{"fullClassName":"com.aliyun.sec.lyra.udf.ext.JsonConcat","initMethodName":"open","functionName":"json_concat","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq;json_concat_10006","typ [...]
-dipper.private.blink.rules&&&&channel&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder":"true","maxFet [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10001","type":"script","value":"___lower_cmdline_10005=lower(cmdline);\nstd_cmdline=___lower_cmdline_10005;rm('___lower_cmdline_10005');\n","version":"1.0","exten [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10002","type":"script","value":"retainField(std_cmdline,k8spodname,file_path,dockerimageid,gid,perm,pid,k8snodeid,host_uuid,file_gid_name,sid,uid,file_gid,k8snode [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_rule_10001&&&&{"expressionStr":"(((std_cmdline,regex,'((\\W+cron)|(^|\\W+)(scp|ssh|crontab|wget|curl|base64|ifconfig|whoami|traceroute|touch|last|history|uname|arp|netstat|useradd|adduser|nslookup|ping|chmod)(\\W+|$)|/rc\\.d|authorized_keys|/etc/passwd|ld\\.so\\.preload|spool/cron|bash_history)')|(file_name,in,'\\'wget\\',\\'ifconfig\\',\\'whoami\\',\\'id\\',\\'curl\\',\\'base64\\',\\' [...]
-dipper.private.blink.rules&&&&express&&&&10635&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10631\",\"10632\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10634&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"twnNM4S7+LShivhp2iyZVb4Xm4ErQA0BvqUDN741JdA="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10637&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10636\",\"10634\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10636&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10635\",\"10633\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10631&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"CwLJQmDR+14h1C68i/ZdDKjlUoeRATpmIGhjlfwX/gvorTB3SGEMkuWKqRHucHZ4g6mLjxqfHKJkH16NBvcUIW9YMuV9x8l1TkETAnaqguwnFY/YJzB3nPQbuRs62XKadorJP+GrKNgFzTw4UesTatNHMHOYprQDT9nWMuUOGSHguXGtZdFFbmCQT9smj8IKCu5Lga17fb93nxud8UPm+SsYrtgGPjx/MQ [...]
-dipper.private.blink.rules&&&&express&&&&10633&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"wuFzc6RuWAdEfPGMyg1TecBnjYtObODlDycixQ7BhZ2+HRmKZZL+SHqnSqZm3R78udkxlc7BUuH7BjmlFauMMiZ3RAuZ0Fhni4mz4y3caG8="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10632&&&&{"aesFlag":1,"varName":"file_name","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"I6Xra4uKOQ4clEQ9mBojYkMaUdfAOQ2dXE7d81U0x9csfvPcc+8lxKZRKrbebd5/JDwUfA8t8ih5S30Yht6bgDIBWdhDUO6wP2N9wP9MQUqZQzEPE6nK6kQ04Z8sBwgl22VW2p6Hyb9cLNWFF3LxQiaUsbXRDNi4fr5RngBrBigzMjSfEvKYay3j7m9XZbdJlMiNRUHyksM4G1utPL73Z+z1YPWkI08BGbnvMv0 [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10003","type":"script","value":"retainField(k8spodname,file_path,dockerimageid,gid,perm,pid,k8snodeid,host_uuid,file_gid_name,sid,uid,file_gid,k8snodename,cmdline [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10004&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10004","type":"script","value":"___unixtime_10008=unixtime(scan_time);\n___division_10007=division(___unixtime_10008,3600);\n___cast_10301=cast(___division_10007, [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10005&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10005","type":"script","value":"retainField(key_time,k8spodname,file_path,dockerimageid,gid,perm,pid,k8snodeid,host_uuid,file_gid_name,sid,uid,file_gid,k8snodenam [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10006&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10006","type":"script","value":"___lower_parent_file_name_10001=lower(parent_file_name);\n___lower_parent_cmd_line_10001=lower(parent_cmd_line);\n__compare_value_ [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_rule_10002&&&&{"expressionStr":"(((((___lower_parent_file_name_10001,in,'\\'java\\',\\'java (deleted)\\'')|(___lower_parent_cmd_line_10001,regex,'yarn.*?container'))&(((std_cmdline,regex,'((\\W+cron)|(^|\\W+)(scp|ssh|crontab|wget|curl|base64|ifconfig|whoami|traceroute|touch|last|history|uname|arp|netstat|useradd|adduser|nslookup|ping|chmod)(\\W+|$)|/rc\\.d|authorized_keys|/etc/passwd|l [...]
-dipper.private.blink.rules&&&&express&&&&10646&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10645\",\"10642\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10645&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10640\",\"10641\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10648&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10647\",\"__compare_value_10001\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10647&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10644\",\"10646\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10639&&&&{"aesFlag":1,"varName":"___lower_parent_cmd_line_10001","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"UqIEA0mgyxPygn9s2M18j6t59zr/GOjLa11h/KtCj5o="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10638&&&&{"aesFlag":1,"varName":"___lower_parent_file_name_10001","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"7e6pM0MkqkUDyoj+uVhgz90PnvyOrw+8nHng6QFp4uo="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10649&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10648\",\"__compare_value_10002\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10640&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"CwLJQmDR+14h1C68i/ZdDKjlUoeRATpmIGhjlfwX/gvorTB3SGEMkuWKqRHucHZ4g6mLjxqfHKJkH16NBvcUIW9YMuV9x8l1TkETAnaqguwnFY/YJzB3nPQbuRs62XKadorJP+GrKNgFzTw4UesTatNHMHOYprQDT9nWMuUOGSHguXGtZdFFbmCQT9smj8IKCu5Lga17fb93nxud8UPm+SsYrtgGPjx/MQ [...]
-dipper.private.blink.rules&&&&express&&&&10650&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10649\",\"10643\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10642&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"33qbaF1903y7GqiYsI/zCVAb97id/0iB0ALzWF3wGcllWrbNm/9Hk7hK3IcH4cI/LGcxyRAvNy4AYAzkn7j1rg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10641&&&&{"aesFlag":1,"varName":"file_name","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"I6Xra4uKOQ4clEQ9mBojYkMaUdfAOQ2dXE7d81U0x9csfvPcc+8lxKZRKrbebd5/JDwUfA8t8ih5S30Yht6bgDIBWdhDUO6wP2N9wP9MQUqZQzEPE6nK6kQ04Z8sBwgl22VW2p6Hyb9cLNWFF3LxQiaUsbXRDNi4fr5RngBrBigzMjSfEvKYay3j7m9XZbdJlMiNRUHyksM4G1utPL73Z+z1YPWkI08BGbnvMv0 [...]
-dipper.private.blink.rules&&&&express&&&&10644&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10638\",\"10639\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10643&&&&{"varName":"___len_10003","functionName":"<","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"600.0"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10007&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10007","type":"script","value":"retainField(k8spodname,file_path,dockerimageid,gid,perm,pid,k8snodeid,host_uuid,file_gid_name,sid,uid,file_gid,k8snodename,cmdline [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10008&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10008","type":"script","value":"___BLACKRULE_10001=BLACKRULE(file_name,cmdline);T.hit_result=udtf.0;T.score=udtf.1;","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10009&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10009","type":"script","value":"score=T.score;\nhit_result=T.hit_result;\nretainField(score,k8spodname,file_path,dockerimageid,gid,perm,pid,k8snodeid,host_uuid,fi [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10010&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10010","type":"script","value":"___!null_10016=!null(hit_result);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_rule_10003&&&&{"expressionStr":"___!null_10016&(hit_result,<>,'')","scriptNames":"[]","expressionName":"10652","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_rule_10003","ruleStatus":"0","type":"rule","version":"1.0","extendField" [...]
-dipper.private.blink.rules&&&&express&&&&10651&&&&{"aesFlag":1,"varName":"hit_result","functionName":"<>","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"wc8fi0p7qwBHnY1x2c6Qsw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10652&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"___!null_10016\",\"10651\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&window&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_window_10001&&&&{"groupByFieldName":"host_uuid;ppid;parent_cmd_line;key_time;hit_result","waterMarkMinute":"0","className":"com.aliyun.yundun.dipper.window.model.OverWindow","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_window_10001","type":"window","version":"1.0","fireDelaySecond":"30","timeout":"30000","activtyTimeOut":"3000","sizeInterval":"60 [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10011&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10011","type":"script","value":"___concat_10009=concat(scan_time,'    ',pid,'    ',cmdline);\ninfo=___concat_10009;rm('___concat_10009');\nrnk=over_parition_10002 [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10012&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10012","type":"script","value":"retainField(uid_name,score,key_time,hit_result,parent_file_path,pid_start_time,parent_cmd_line,scan_time,host_uuid,rnk,ppid,info); [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_rule_10004&&&&{"expressionStr":"rnk,==,double,1","scriptNames":"[]","expressionName":"10653","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_rule_10004","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames [...]
-dipper.private.blink.rules&&&&express&&&&10653&&&&{"varName":"rnk","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"1.0"}&&&&null
-dipper.private.blink.rules&&&&window&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_window_10002&&&&{"groupByFieldName":"host_uuid;ppid;parent_cmd_line;parent_file_path;pid_start_time;uid_name;key_time","waterMarkMinute":"0","sizeAdjust":"0","className":"com.aliyun.yundun.dipper.window.model.WindowMessageProcessor","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_window_10002","type":"window","version":"1.0","windowType":"hop","fire [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10013&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10013","type":"script","value":"retainField(uid_name,score,key_time,min_scan_time,hit_result,cmd_seq_detail_markdown,max_scan_time,parent_file_path,pid_start_time [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10014&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10014","type":"script","value":"___BLACKSEQ_10001=BLACKSEQ(hit_result);T.seq_hit_result=udtf.0;T.seq_score=udtf.1;","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10015&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10015","type":"script","value":"scan_time=max_scan_time;\n___unixtime_10009=unixtime(max_scan_time);\n___unixtime_10010=unixtime(min_scan_time);\n___subtraction_1 [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10016&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10016","type":"script","value":"seq_hit_result=T.seq_hit_result;\nseq_score=T.seq_score;\nretainField(seq_hit_result,seq_score,min_scan_time,hit_result,host_uuid, [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10017&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10017","type":"script","value":"___in_10023=contain(hit_result,'scp,curl,ls','ifconfig,uname,netstat','scp,ls,curl','curl,scp,ls','ls,scp,curl')\n;___regexp_10042 [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10018&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10018","type":"script","value":"retainField(seq_hit_result,hit_result,seq_score,host_uuid,ppid,uid_name,score,key_time,cmd_seq_detail_markdown,is_white,parent_fil [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_rule_10005&&&&{"expressionStr":"((is_white,==,double,0)&(sub_time_delta,>,double,3))&((hit_result,regex,'cron|wget|curl|base64|whoami|traceroute|touch|history|rc\\.d|authorized_keys|etc/passwd|ld\\.so\\.preload|bash_history|useradd|adduser')|(cmd_seq_detail_markdown,regex,'/(shm)(\\W+|$)'))","scriptNames":"[]","expressionName":"10660","varNames":"[]","className":"com.aliyun.filter.proc [...]
-dipper.private.blink.rules&&&&express&&&&10657&&&&{"aesFlag":1,"varName":"cmd_seq_detail_markdown","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"Syjnt42fKMvfydGz7NTIvw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10656&&&&{"aesFlag":1,"varName":"hit_result","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"pH31XIVO87qbawKIzRRpXMtkiIokcOvKNv920+XUbGt8LyMFikVQeSrXyCUYj8Xr94ZujOwbZQcZ3j1DBIooCI3o/dVpIzRR/Q1sF6mXm1vomYWfAwN+PlaXuZBY/OQOkLNyw1VR5od9JkweYCSsDZrxg2j1Hf9qDWrrSlBvfjpMN7LQTXq+9uIed6EKQwAC"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10659&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10656\",\"10657\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10658&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10654\",\"10655\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10660&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10658\",\"10659\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10655&&&&{"varName":"sub_time_delta","functionName":">","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"3.0"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10654&&&&{"varName":"is_white","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0.0"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10019&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10019","type":"script","value":"___REGEXP_REPLACE_10019=REGEXP_REPLACE(parent_cmd_line,'([^\\\\\\:\\>\\-\\&\\@\\=\\%\\s~~~~~\\/\\.\\(\\)\\[\\]]{1})','A');\n___con [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10020&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10020","type":"script","value":"retainField(hit_result,host_uuid,ppid,uid_name,score,key_time,cmd_seq_detail_markdown,is_white,parent_file_path,pid_start_time,par [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10021&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10021","type":"script","value":"uuid=host_uuid;\nali_uid='';\nclient_ip='';\nevent_type='进程异常行为';\nevent_name='linux可疑命令序列';\nlevel='high';\n___cast_10302=cast(sc [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10022&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10022","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10023&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_script_10023","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField [...]
-dipper.private.blink.rules&&&&channel&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_channel_10001&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_java_cmd_seq_channel_10001","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","co [...]
-dipper.private.blink.rules&&&&pipline&&&&blink.source.aegis.proc_windows_proc_alert&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"nextStageLables\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"blink.source.aegis.proc_windows_proc_alert_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"cancelAfterConfigurableRefreshListerner\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"ownerSqlNodeTableName\\\\\\\":\ [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_windows_proc_alert;json_concat_10007&&&&{"fullClassName":"com.aliyun.sec.lyra.udf.ext.JsonConcat","initMethodName":"open","functionName":"json_concat","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_windows_proc_alert;json_concat_10007","type":"script","version":"1.0","closeMethodName": [...]
-dipper.private.blink.rules&&&&channel&&&&blink.source.aegis.proc_windows_proc_alert&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"blink.source.aegis.proc_windows_proc_alert","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","tags":"T_MSG_PROC","syncTimeout":"5000","groupName":"blink.source.aegis.proc_windows_proc_alert","pullIntervalMs":"100","isBatc [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_windows_proc_alert_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_windows_proc_alert_script_10001","type":"script","value":"___!_10010=!((euid_name,==,'root'));\n___!_10011=!((gid_name,==,'root'));\n___!_10012=!((cwd,like,'/%'));\n___!_10013=!((file_path,like,'/%'));\n___lower_cmdline_10006=lower(cm [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_windows_proc_alert_rule_10001&&&&{"expressionStr":"(((___!_10010&___!_10011)&___!_10012)&___!_10013)&(((((((((((((((((((((((((((((((cmdline,==,'C:\\Windows\\sysnative\\rundll32.exe')|(___lower_cmdline_10006,like,'%remove-etwtraceprovider%'))|(___lower_cmdline_10007,like,'%set-etwtraceprovide%'))|(___lower_cmdline_10008,like,'downloadfile'))|(___lower_cmdline_10009,like,'%python%'))|(___lower_cmdline_10010,like,'%-server%'))|(_ [...]
-dipper.private.blink.rules&&&&express&&&&10691&&&&{"aesFlag":1,"varName":"___lower_cmdline_10035","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"1DXNO09V22zYtPqZn1bbiaCW339/r91kikbTs8L1pg0="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10690&&&&{"aesFlag":1,"varName":"___lower_cmdline_10034","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"HcB8+G3bhDFwwGOEQCQ/iA5ugVmH16U4xqPOFtbd7EA="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10693&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10692\",\"___!_10012\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10692&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"___!_10010\",\"___!_10011\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10695&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10661\",\"10662\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10694&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10693\",\"___!_10013\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10697&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10696\",\"10664\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10696&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10695\",\"10663\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10699&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10698\",\"10666\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10698&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10697\",\"10665\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10668&&&&{"aesFlag":1,"varName":"___lower_cmdline_10012","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"nlLh9YdsiV2yjTK21R8oOMcLWrcKR7KDYi4tkGtBwgk="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10701&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10700\",\"10668\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10667&&&&{"aesFlag":1,"varName":"___lower_cmdline_10011","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"c+6mVJmqxvnL5T2vgZIAgMgnIPLs7yS9AKhnOaKvYsU="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10700&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10699\",\"10667\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10703&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10702\",\"10670\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10669&&&&{"aesFlag":1,"varName":"___lower_cmdline_10013","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"bts3C7Iv0knNtua4HgMBcA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10702&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10701\",\"10669\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10705&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10704\",\"10672\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10704&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10703\",\"10671\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10707&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10706\",\"10674\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10706&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10705\",\"10673\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10662&&&&{"aesFlag":1,"varName":"___lower_cmdline_10006","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"UJuXH91K5ufQdMSBw/9dO3oJ7mBcuOLj+G679L4ZgAg="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10661&&&&{"aesFlag":1,"varName":"cmdline","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"GiuFTdqkKrVRCETpgMXTSEhSw/bXgUe62P9eR7Tuf/14TDWHZ+KpkarcJYIAWS20"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10664&&&&{"aesFlag":1,"varName":"___lower_cmdline_10008","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"MHw1NnOw0fBv/9wOUu/TYw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10663&&&&{"aesFlag":1,"varName":"___lower_cmdline_10007","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"5Y3vR5kCpCB0CRfg5I05KVWwO4xV12x7LFX1auE1fco="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10666&&&&{"aesFlag":1,"varName":"___lower_cmdline_10010","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0wspT/mcGZ1o5eFV6M5utQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10665&&&&{"aesFlag":1,"varName":"___lower_cmdline_10009","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"FxMXP+57FWiYqHaAJrBpHA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10709&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10708\",\"10676\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10708&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10707\",\"10675\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10679&&&&{"aesFlag":1,"varName":"___lower_cmdline_10023","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"dSGJNPlFXFT53DW7MD+RnXjRLrLuRQw4c9oWKAiOQNA="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10712&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10711\",\"10679\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10678&&&&{"aesFlag":1,"varName":"___lower_cmdline_10022","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"lSx6dNF+UJTajp8+qo+4Z3hfKlDRh+NpNOOAmUeUHDI="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10711&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10710\",\"10678\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10714&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10713\",\"10681\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10713&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10712\",\"10680\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10716&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10715\",\"10683\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10715&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10714\",\"10682\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10718&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10717\",\"10685\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10717&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10716\",\"10684\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10671&&&&{"aesFlag":1,"varName":"___lower_cmdline_10015","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"9l1k2cuAJNWa587hRslM0w=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10670&&&&{"aesFlag":1,"varName":"___lower_cmdline_10014","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"mDV/avDfTki1AHskqwom4yKcLtJR6sshCj9PlyQ1VXM="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10673&&&&{"aesFlag":1,"varName":"___lower_cmdline_10017","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"511mpeNKv1n6cNnHXHq9YQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10672&&&&{"aesFlag":1,"varName":"___lower_cmdline_10016","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"O+q1fjwuh2/ArsMWF7bUJkXPjAtBuvER9GC7ERKdSrY="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10675&&&&{"aesFlag":1,"varName":"___lower_cmdline_10019","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"QJnS8KMYMO2TuFV8fF6hEA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10674&&&&{"aesFlag":1,"varName":"___lower_cmdline_10018","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"TtxFg2EFWi0FFLwAVRJ8+Q=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10677&&&&{"aesFlag":1,"varName":"___lower_cmdline_10021","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"iPdmBDpUrSMrJiq+OR4/puSrW0Tq5Pqa+VHC/wFPLJ8="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10710&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10709\",\"10677\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10676&&&&{"aesFlag":1,"varName":"___lower_cmdline_10020","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"dK6GdLIx7xnwcqUSBRYc6Q=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10680&&&&{"aesFlag":1,"varName":"___lower_cmdline_10024","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"eGwOGkBJt9/XpwUo+xiSj+wHE9/u4t4yeQgEuguZNJg="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10719&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10718\",\"10686\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10723&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10722\",\"10690\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10689&&&&{"aesFlag":1,"varName":"___lower_cmdline_10033","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"4JmhxgOXw39XdlLTx6IoItJOs7TvOGGw1NTS/SECYp4="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10722&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10721\",\"10689\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10725&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10694\",\"10724\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10724&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10723\",\"10691\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10682&&&&{"aesFlag":1,"varName":"___lower_cmdline_10026","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"+mmSz9m3qq6YHEPpm0Jw6nAegjoaujGC7wEcUtaFMKA="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10681&&&&{"aesFlag":1,"varName":"___lower_cmdline_10025","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"crIVGRIff/X1UwOyvqe3tbFWVfNhMF9xriQDcM2+x8s="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10684&&&&{"aesFlag":1,"varName":"___lower_cmdline_10028","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"P3uaGLf3R9thLbIDVVMSBQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10683&&&&{"aesFlag":1,"varName":"___lower_cmdline_10027","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"waeN/HHOGnVV2R9JOkgnZw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10686&&&&{"aesFlag":1,"varName":"___lower_cmdline_10030","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"K0QdvfhOJxt6iOFEpIHhkw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10685&&&&{"aesFlag":1,"varName":"___lower_cmdline_10029","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"Xjwz23RLOZZZkOuIjIyKw/mq16npd1kn10XLxnH2Fpg="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10688&&&&{"aesFlag":1,"varName":"___lower_cmdline_10032","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"3y2jL4IIVqZQo9/OaBbxSMXhLn2TlFXbu7ktXEoN1gc="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10721&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10720\",\"10688\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10687&&&&{"aesFlag":1,"varName":"___lower_cmdline_10031","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"NCiSf16sRFDAnXhnd5QoBQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10720&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10719\",\"10687\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_windows_proc_alert_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_windows_proc_alert_script_10002","type":"script","value":"retainField(k8spodname,file_path,dockerimageid,pid,k8snodename,cmdline,containermip,euid_name,parent_file_path,buySas,file_uid,containerhostname,dockerimagename,index,file_uid_ [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_windows_proc_alert_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_windows_proc_alert_script_10003","type":"script","value":"___compare_10037=equals(cmdline,'C:\\Windows\\sysnative\\rundll32.exe');\n___lower_cmdline_10036=lower(cmdline);\n___lower_cmdline_10037=lower(cmdline);\n___regexp_10043=regex( [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_windows_proc_alert_script_10004&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_windows_proc_alert_script_10004","type":"script","value":"retainField(feature,k8spodname,file_path,dockerimageid,pid,k8snodename,cmdline,containermip,euid_name,parent_file_path,buySas,file_uid,containerhostname,dockerimagename,index,f [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_windows_proc_alert_script_10005&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_windows_proc_alert_script_10005","type":"script","value":"___!null_10017=!null(feature);\n___lower_cmdline_10072=lower(cmdline);\n___!_10020=!((___lower_cmdline_10072,regex,'\\\\(kingdee|u8soft)\\\\|软件|安装|kingdee\\.erp\\b'));\n___lowe [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_windows_proc_alert_rule_10002&&&&{"expressionStr":"(___!null_10017&___!_10020)&___!_10021","scriptNames":"[]","expressionName":"10727","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_windows_proc_alert_rule_10002","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10727&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10726\",\"___!_10021\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10726&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"___!null_10017\",\"___!_10020\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_windows_proc_alert_script_10006&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_windows_proc_alert_script_10006","type":"script","value":"retainField(k8spodname,file_path,dockerimageid,pid,k8snodename,cmdline,containermip,euid_name,parent_file_path,buySas,file_uid,containerhostname,dockerimagename,index,file_uid_ [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_windows_proc_alert_union_10001&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"names\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"subpipline_blink.source.aegis.proc_windows_proc_alert_union_10001_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\" [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink.source.aegis.proc_windows_proc_alert_union_10001_rule_10001&&&&{"expressionStr":"feature,in,'\\'win_abnormal_cs_rundll32\\''","scriptNames":"[]","expressionName":"10728","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_windows_proc_alert_union_10001_rule_10001","ruleStatus":"0","type":"rule","version":"1.0","ex [...]
-dipper.private.blink.rules&&&&express&&&&10728&&&&{"aesFlag":1,"varName":"feature","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"FOflTKdMf+15emnUH/e77Gskgf5mE4YpmyIkXdl3FN4="}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_windows_proc_alert_union_10001_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_windows_proc_alert_union_10001_script_10001","type":"script","value":"uuid=host_uuid;\nali_uid=aliUid;\n___cast_10317=cast(null_10005,'string');\nclient_ip=___cast_10317;rm('___cast_10317');\nevent_ty [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_windows_proc_alert_union_10001_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_windows_proc_alert_union_10001_script_10002","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_windows_proc_alert_union_10001_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_windows_proc_alert_union_10001_script_10003","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_windows_proc_alert_union_10002&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"names\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"subpipline_blink.source.aegis.proc_windows_proc_alert_union_10002_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\" [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink.source.aegis.proc_windows_proc_alert_union_10002_rule_10001&&&&{"expressionStr":"feature,in,'\\'win_easyproxy_command_hw\\''","scriptNames":"[]","expressionName":"10729","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_windows_proc_alert_union_10002_rule_10001","ruleStatus":"0","type":"rule","version":"1.0","ex [...]
-dipper.private.blink.rules&&&&express&&&&10729&&&&{"aesFlag":1,"varName":"feature","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"PSDdkQol428PFYGh7Dcfm/PbASwQqp3BKR4psJ6rZfw="}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_windows_proc_alert_union_10002_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_windows_proc_alert_union_10002_script_10001","type":"script","value":"uuid=host_uuid;\nali_uid=aliUid;\n___cast_10326=cast(null_10006,'string');\nclient_ip=___cast_10326;rm('___cast_10326');\nevent_ty [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_windows_proc_alert_union_10002_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_windows_proc_alert_union_10002_script_10002","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_windows_proc_alert_union_10003&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"names\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"subpipline_blink.source.aegis.proc_windows_proc_alert_union_10003_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\" [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink.source.aegis.proc_windows_proc_alert_union_10003_rule_10001&&&&{"expressionStr":"feature,in,'\\'win_zerologon_cve_exploit\\''","scriptNames":"[]","expressionName":"10730","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_windows_proc_alert_union_10003_rule_10001","ruleStatus":"0","type":"rule","version":"1.0","e [...]
-dipper.private.blink.rules&&&&express&&&&10730&&&&{"aesFlag":1,"varName":"feature","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"w9wWWEIjQxvyHyfREtUC1FflMm/xKCEDvO0aMitr0ks="}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_windows_proc_alert_union_10003_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_windows_proc_alert_union_10003_script_10001","type":"script","value":"uuid=host_uuid;\nali_uid=aliUid;\n___cast_10335=cast(null_10007,'string');\nclient_ip=___cast_10335;rm('___cast_10335');\nevent_ty [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_windows_proc_alert_union_10003_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_windows_proc_alert_union_10003_script_10002","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_windows_proc_alert_union_10004&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"names\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"subpipline_blink.source.aegis.proc_windows_proc_alert_union_10004_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\" [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink.source.aegis.proc_windows_proc_alert_union_10004_rule_10001&&&&{"expressionStr":"feature,in,'\\'win_payload_exec_mshta\\',\\'win_payload_exec_msiexec\\',\\'win_payload_exec_regsvr32\\',\\'win_defender_downloadfile\\',\\'win_etw_remove_provider\\',\\'win_etw_set_0x11\\',\\'win_payload_exec_msbuild\\',\\'win_payload_exec_compiler\\',\\'win_payload_exec_odbcconf\\',\\'win_payload_exec_odbcconf_1\\',\\'win_exec_payload_zipfldr_dll\\',\\' [...]
-dipper.private.blink.rules&&&&express&&&&10731&&&&{"aesFlag":1,"varName":"feature","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"QOMF2vJ0Y7lTl0jvnS+jFy6YC/1IcZNWIRz7BAJsQlF0Um3Lx25s0sg5+ZgyKt+ExllvEbHcp+evw1La9GuhLV2HZqz4OjoE0WPOJ4+HDFxo8uraxQMXA2JTp9bl6ED64M9crMNGx6bf7CU4ltbtePKaChzWo/GpxBseKHMDTDXV/ujaLmvZgBVqpEPUsXZlrhI9uvln1AJFjBhYs/g25CaC1WfAlv1C86j9zdSFZ [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_windows_proc_alert_union_10004_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_windows_proc_alert_union_10004_script_10001","type":"script","value":"uuid=host_uuid;\nali_uid=aliUid;\n___cast_10342=cast(null_10008,'string');\nclient_ip=___cast_10342;rm('___cast_10342');\nevent_ty [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_windows_proc_alert_union_10004_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_windows_proc_alert_union_10004_script_10002","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_windows_proc_alert_union_10005&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"names\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"subpipline_blink.source.aegis.proc_windows_proc_alert_union_10005_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\" [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink.source.aegis.proc_windows_proc_alert_union_10005_rule_10001&&&&{"expressionStr":"feature,in,'\\'win_payload_exec_msiexec_1\\',\\'win_payload_exec_installutil\\',\\'win_exec_payload_url_dll\\',\\'win_exec_payload_fsi\\',\\'win_exec_payload_msxsl\\',\\'win_exec_payload_slmgr_vbs\\''","scriptNames":"[]","expressionName":"10732","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.b [...]
-dipper.private.blink.rules&&&&express&&&&10732&&&&{"aesFlag":1,"varName":"feature","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"QOMF2vJ0Y7lTl0jvnS+jF7Kfoo4R5snvDayimjOhNU2hjulq20vnUX5/6wjAS54pe2FMLTgo8ZMTMutdahW0sxrBfa/ykiTZ/YJPSAAR0CgQpmUGXkmJxyfHNhk7BiBJq43uQWH3g8VwmyQcP8YMzygYJIdTwDAtd2PRwiKcUN7+09rJZYiiNbGB7KCdHr9rkHhm+iNRKoxMDPaKzVatbNyFyA+Ps9ot8RwR5CBCy [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_windows_proc_alert_union_10005_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_windows_proc_alert_union_10005_script_10001","type":"script","value":"uuid=host_uuid;\nali_uid=aliUid;\n___cast_10351=cast(null_10009,'string');\nclient_ip=___cast_10351;rm('___cast_10351');\nevent_ty [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_windows_proc_alert_union_10005_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_windows_proc_alert_union_10005_script_10002","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField [...]
-dipper.private.blink.rules&&&&channel&&&&blink.source.aegis.proc_windows_proc_alert_channel_10001&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink.source.aegis.proc_windows_proc_alert_channel_10001","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder":"true","maxFetchLogGroupSize":"1 [...]
-dipper.private.blink.rules&&&&pipline&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"nextStageLables\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"cancelAfterConfigurableRefreshListerner\\\\\\\":\\\\\\\"false\\\\\\\" [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell;b64_auto_10004&&&&{"fullClassName":"com.lyra.xs.udf.ext.b64_auto","initMethodName":"open","functionName":"b64_auto","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell;b64_auto_10004","type":"script","version":"1. [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell;json_concat_10008&&&&{"fullClassName":"com.aliyun.sec.lyra.udf.ext.JsonConcat","initMethodName":"open","functionName":"json_concat","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell;json_concat_10008","type":"sc [...]
-dipper.private.blink.rules&&&&channel&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","syncTimeout":"5000","groupName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_rever [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell_script_10001","type":"script","value":"___lower_cmdline_10074=lower(cmdline);\n___lower_cmdline_10075=lower(cmdline);\n___lower_cmdline_10076=lower(cmdline);\n___lower_cmdline [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell_rule_10001&&&&{"expressionStr":"((((((((((((((((___lower_cmdline_10074,like,'%mkfifo%')|(___lower_cmdline_10075,like,'%mknod%'))|(___lower_cmdline_10076,like,'%ruby%'))|(___lower_cmdline_10077,like,'%php%'))|(___lower_cmdline_10078,like,'%python%'))|(___lower_cmdline_10079,like,'%perl%'))|(___lower_cmdline_10080,like,'%lua%'))|(___lower_cmdline_10081,like,'%/dev/tcp%'))|(___lower_cmdline_ [...]
-dipper.private.blink.rules&&&&express&&&&10734&&&&{"aesFlag":1,"varName":"___lower_cmdline_10075","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"76Z3DGJQG4I8UX4yQ0zKMA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10756&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10755\",\"10740\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10733&&&&{"aesFlag":1,"varName":"___lower_cmdline_10074","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"xuBsPOhvC+eJ+3psYSQkeQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10755&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10754\",\"10739\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10736&&&&{"aesFlag":1,"varName":"___lower_cmdline_10077","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"ceKMAB0lbTSftqkArbAv4A=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10758&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10757\",\"10742\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10735&&&&{"aesFlag":1,"varName":"___lower_cmdline_10076","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"CCSvCz48rm4jh396b6cayQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10757&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10756\",\"10741\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10738&&&&{"aesFlag":1,"varName":"___lower_cmdline_10079","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"4D0BUhBf+jwANRCDCn+WAQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10737&&&&{"aesFlag":1,"varName":"___lower_cmdline_10078","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"FxMXP+57FWiYqHaAJrBpHA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10759&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10758\",\"10743\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10739&&&&{"aesFlag":1,"varName":"___lower_cmdline_10080","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"nAs/fHOR7BFfSJbADmiLBg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10750&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10733\",\"10734\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10752&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10751\",\"10736\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10751&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10750\",\"10735\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10754&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10753\",\"10738\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10753&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10752\",\"10737\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10745&&&&{"aesFlag":1,"varName":"___lower_cmdline_10086","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"DrhqThY1WiHymPq4y4rHDQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10744&&&&{"aesFlag":1,"varName":"___lower_cmdline_10085","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"GPf/PJUXzl7O8JEk0vEK4g=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10747&&&&{"aesFlag":1,"varName":"___lower_cmdline_10088","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"NEZsDO4VmZINRfxAxhdUFw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10746&&&&{"aesFlag":1,"varName":"___lower_cmdline_10087","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"wTFYxBwBPt0Xry61A5WAlw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10749&&&&{"aesFlag":1,"varName":"___lower_cmdline_10090","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"EBOsKA8HJr0TeID5FpnEGjfpDHBSFupZNEu1Ylq6iBg="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10748&&&&{"aesFlag":1,"varName":"___lower_cmdline_10089","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"+VXudFH5qdlcHBoTnnOF6Q=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10761&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10760\",\"10745\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10760&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10759\",\"10744\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10741&&&&{"aesFlag":1,"varName":"___lower_cmdline_10082","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"fma6b4Spm2KiAVOvs7FGgA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10763&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10762\",\"10747\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10740&&&&{"aesFlag":1,"varName":"___lower_cmdline_10081","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0XtgBTM2g7m5T8Z+yW4W/g=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10762&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10761\",\"10746\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10743&&&&{"aesFlag":1,"varName":"___lower_cmdline_10084","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"tR2RJ8N0B0TommIJUF6mtQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10765&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10764\",\"10749\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10742&&&&{"aesFlag":1,"varName":"___lower_cmdline_10083","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"GazzQ4W76X8ul6UhR3fkiw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10764&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10763\",\"10748\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell_script_10002","type":"script","value":"___lower_cmdline_10091=lower(cmdline);\n___REGEXP_REPLACE_10020=REGEXP_REPLACE(___lower_cmdline_10091,'\\s+',' ');\nstd_cmdline=___REGEX [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell_script_10003","type":"script","value":"retainField(b64_cmdline,std_cmdline,k8spodname,file_path,dockerimageid,gid,perm,pid,k8snodeid,host_uuid,file_gid_name,sid,uid,file_gid,k [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell_script_10004&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell_script_10004","type":"script","value":"___compare_10039=equals(b64_cmdline,'');\n___null_10041=null(b64_cmdline);\n___B64_AUTO_10003=B64_AUTO(b64_cmdline);\nif((___compare_100 [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell_script_10005&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell_script_10005","type":"script","value":"retainField(k8spodname,file_path,dockerimageid,gid,perm,pid,k8snodeid,host_uuid,file_gid_name,sid,uid,file_gid,k8snodename,cmdline,euid_ [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell_rule_10002&&&&{"expressionStr":"(((((((((((((((((((((((((((((((((((((((std_cmdline,regex,'(mkfifo|mknod).*?&&\\s*(nc|telnet).*?<.*?\\|.*?ash')|(std_cmdline,regex,'(mkfifo|mknod)\\s+.*?(nc|telnet)\\s+\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\s+\\d+'))|(std_cmdline,regex,'(mkfifo|mknod).*?&&.*?\\s+(nc|telnet).*?<.*?\\|.*?ash'))|(std_cmdline,regex,'(mkfifo|mknod).*?cat.*?\\|.*?/sh\\s+-i.*?\ [...]
-dipper.private.blink.rules&&&&express&&&&10808&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10807\",\"10769\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10807&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10806\",\"10768\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10809&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10808\",\"10770\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10778&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"LBKmL6KqZ002Z8LPX2ZXKgs8LXP3px/nMlaPWul31KlA99EJmuPqx8xN1p/4MU86zmORdaJdZNbGUY9riocOPYSYlAMoc/+JMZTmZc4cIno="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10811&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10810\",\"10772\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10777&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"lHpjAZDDnHmcBr6mvOIo5/Ukm8at96usKGZaj9YxaO7p3FOjnlLJ6EGv0wmw/6nSW0YTOBYIrGusJdf4aDa/ATpXsXbzD09fqQI4TNYAG+/yYeZi1Z6S5g4s58YqlGi83kL/hb3rcihxdnBnrj8VWw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10810&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10809\",\"10771\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10813&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10812\",\"10774\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10779&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"NV7bVKYDDm8nb2NigCGmN1xpPVFB1oTf5Ys/TyaFOnAHb5lzJgf0g/BRpbvmdToRTTqSRsdL2+lPDkchdB9r/kPBJCB7eXD8HQPnqrewfC0="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10812&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10811\",\"10773\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10815&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10814\",\"10776\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10814&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10813\",\"10775\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10817&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10816\",\"10778\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10816&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10815\",\"10777\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10770&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"BSkRZytZ0ZpioJ9N79IarCuS0vN5CWanNxAcOH+MV+NL9zjcLpOCrCkedIJ8uvou"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10772&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"CrxhPkc0RHm9lXpo7SsrSUn8iaXwMMn3Xkh0YiMRk1GX57WY6Z31M+5zW72Z+XDn"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10771&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"BSkRZytZ0ZpioJ9N79IarCuS0vN5CWanNxAcOH+MV+Och4O2jYw4lY6meG12L2QW"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10774&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"LBKmL6KqZ002Z8LPX2ZXKn4RNcTFDxJ9ZnjE5wwsbZkQJg03gcZQxN7azcTpUH92Gceyab2d79NWCFDS4Ybd2A=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10773&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"LBKmL6KqZ002Z8LPX2ZXKgs8LXP3px/nMlaPWul31KlPju2FD1rSzWDM83X8J51bdSKErCi3ziUUk6epR1Oia/Dq68Ed/irl/tSau7jWCPg="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10776&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"CXjr80lckkCQoRmGUctHXXNahm3tYU2TR6eNXFlHK8v4p55wK/41TMoXz8QSOep+x5+NkUo7biKiqiMSGjVxlA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10775&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"LBKmL6KqZ002Z8LPX2ZXKhduy30Dn26KBpyISm4ovJM="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10819&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10818\",\"10780\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10818&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10817\",\"10779\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10789&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"wY2TXDp84Np+fxCQw153qSOBRfZ5HzQhU8et9MwgBsM="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10822&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10821\",\"10783\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10788&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"ECKiR+VSLN0UJKMNnLRBzhCRKUJ1lwglvQPeOT3o6HZ1w1lsZlOOAWGqvcy19vuPUD2qnyEV5dcJYaWPL7dnuw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10821&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10820\",\"10782\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10824&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10823\",\"10785\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10823&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10822\",\"10784\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10826&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10825\",\"10787\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10825&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10824\",\"10786\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10828&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10827\",\"10789\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10827&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10826\",\"10788\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10781&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"08eIrXRH4/zBzclSu/pGXTKNLNe4aDaGLzNp6CZLZHqIScKtHVjW+rNnDlQNM5Ul"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10780&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"q446atAYdfv/juzzkg2av0YC+IdO/V4Q7ZO660c7xMoX4DzsQKcRd1HYZWKBSWI/hu/f5lLfCrhVpG0Hkx7Dfg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10783&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"X7LL46uxt6ySvKv7Mdn0I0Q8YoR2tVNQoK1NrfBE5hQCa3mihhfi4yRujZLJc6TIWqnQ9RA9VYkKXDll+CTTdNd2VZWpFAoEqj0fNfmqHew="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10782&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"Mj0zkksT1HdenpDhT9WFOrm0tENxg8Kldpy7gHrJ8qe6wUQs3LP0HTi35tI7/UMHWQGeXe97XMEauxOrwZ2DKInetFnPJdXRApTHPvjiB9UedO6AuYUeC7f9NNfG8VwQ90pH09+qU1yrErVIR9CUoOmCbDPc5YoyoBRziz1Y7B8="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10785&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"EBOsKA8HJr0TeID5FpnEGv1DYfkDqtN7zTZ9BqruY3GKaxnBlsl84RDlXhtxLN/VhPF7pfBk1150eJDAaSvD3EZDddj34f3nf7XJxONVt8o="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10784&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"NfOPvvUA2C02nnvJmlFVPIb1AQXWnScVSFTS0j3O1NPUlMwe38KWRFHo43FlwB+bI7Ls06CYxVy8xW4FGawtoQfHg7fPcVMJm4aGtUsThf0="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10787&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"EBOsKA8HJr0TeID5FpnEGk8OfW5gge289PC+T42dZMPfzvz38Yo1A+ktYxd8gOdRbTkQ6daB0x0EWcyD88KknA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10820&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10819\",\"10781\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10786&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"EBOsKA8HJr0TeID5FpnEGhsz6jEjv19XPg1ML+aMKIi3VPwmHsnAX/AjthoMDVrxmmW3OL4PYANEf/gEOw3q9983zvSxEaeEZnnJHSA0vOr5et9uXOwEWhVBISH7pcah3E3j8pR9+z33jDX5I8XAFw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10790&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"EltdZFqbkkAES4K1pPltxkDPXxUciI3AL/903+0qeBtp7p/QOb1x7LSgxP/GQ1GW6tr48aEmZrzeGa+ihc7JuA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10829&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10828\",\"10790\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10833&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10832\",\"10794\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10799&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"rbNiWCFJ1VOTUaTYNWWFjOks2W49Kh8DLdIZtQ2EzLkO3m8OuP3OtjgtdOk34JMKOCRHpblLKu0kWKtpbcHWGd6BdDk61fAXwRgrnAd915SLoifdkhuIEXICOM+x2iV3hzg9oPHQPavoAbS8d4dy8lJIXhBrj0Q+OoG+y+s3HLkBoQrLcQA1Hv/NhNWn8Wp7"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10832&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10831\",\"10793\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10835&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10834\",\"10796\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10834&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10833\",\"10795\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10837&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10836\",\"10798\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10836&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10835\",\"10797\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10839&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10838\",\"10800\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10838&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10837\",\"10799\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10792&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"WOspaXLAGxMn68UjGzgPMtwakB96I2wWn8tkcxUQ+tg6f1w3UvEhq/9YTeG7aUxpjSRn8vaLVPWw9v4R3pjTNQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10791&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"fKKxPOBqvGDBL8gf1En+jXSeH09f2NiEAxOCTMHPPVyyDXOfZVpRhzCifKHBQ/GhlUIK5Tys3qhw+gGDA0mkYYXESYwkz3eqWtkvgNfFRNisXNcGFispFD6fzctEQX4prer11PAbdiGkpKUs7Ppf5Aug1zMNiDHQ5zUyuXArtGk="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10794&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"HDGdCUToGqETm9cV+Jw1DsDelVY01kGxLRoXbmDebmq0ptZlxf4r1YBlKFA+DgIYCIa6biOy7/UnU5VuvhpfoVaHGznnJEXLCs/fkUI3MN8="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10793&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"mPvs4d/P/GyxoYG1nO5HKdG8cMpJ6tz8ID7jPha5bnSqCeJrUCkGBjKl18tBIg+QCUV0N4n7ecI6VRZC40pLoQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10796&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"5ZNqmWb9CISLIDGXbtTJTy8m42FzmkUCi4gyHgOtkeTKv2s/vYmBcMKOvaE5obvRp3ccPXiszeVJn658WBz0awsM1TMCFl7GUnPi2+gs2eAcKDT4upRc42a3Za4yhGAh"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10795&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"CXjr80lckkCQoRmGUctHXan4nAjLiopKSgP/26U9t4yuK6Bl8q0n/biqPgoe9SohDIqwDc9EOxlTF2d6HT/ydqFlHAq4xThHqrmrmzQuNME="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10798&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"EBOsKA8HJr0TeID5FpnEGk8OfW5gge289PC+T42dZMOqMmQwUl25j4sV82bdZQzF/V0UaVObgu2k9W0KBlU62DcNpYQX+HXJ/NOfAiltx3uJUafisLp3TjbNz8RW2t31PrxOin2ExPZ/iFDtjtJ7KhEc+xSD3WstU/hAkG7NUVFai5glBbssLSfmpGv3kpK92izpiyUS+lwlnhImJlzGGA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10831&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10830\",\"10792\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10797&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"EBOsKA8HJr0TeID5FpnEGk8OfW5gge289PC+T42dZMNMisrib+zJeoIn9G5WoIasLow+VyKYs3BOJvFkqaP26LIsE+5OHgL2M2NQOIpDEs4LZ2WgKDZR/FQSNb2IcClCRtp7cXJook9ARB5Oa15rJ+IgQOtzOJCpZmQ/Rsox/0bPMQtaY6NZwFe073gtexrpwpLmeNy+zV/4cjaI1OgX2A=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10830&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10829\",\"10791\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10767&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0yWv4wJ+Lh91yiZrWoWwA0QiYld/6Ag9ohQZOM8G0t+P6eS4ias9aG9XikdKtcAEOkSjBa5XjgVVzcEIy2GZZYXIX+Z5+7mUXqjc86ueoec="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10800&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0IGi0JB4pKA1Wt/wiGkw5MzLsWGbN1r3tBDGoqrEzx8QSLV+qaUX8OUFTyjlPN+c8BUDJ3iKalLC0XMulL+y1g=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10844&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10843\",\"10805\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10766&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"1aiRaiqvOFibkrM/JSSjCN3h9r9DoiD1IbnovraXqlwyRhSP5ggEQfYnFfl56+p2smz0AS1sJ88HqT9U6zr2aA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10843&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10842\",\"10804\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10769&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"1aiRaiqvOFibkrM/JSSjCCff+VqjUQK1P+2rBOqpjPlMSmR7R6NZMGtHOYlOv6U7ndgdp46lb0IXh8tZc3TW2g=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10802&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"hxdJkcCWlOLR0Z08v9P8nBuhHVB3C0BGnBHaWtJlSoBwAGmOVvMzJCR/hBaDbCnB27OvIRbjU3+4qErWPKZ9Xw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10768&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"1aiRaiqvOFibkrM/JSSjCJzvufibcOPV/BweRqu9NE1TTKOMTfxX/7meQm0mhGkzPsZpA01E7TD/sOUgpuVPHw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10801&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"BauhN0Vt5lLlzj2I0vWRTySU6uqEoeYBkilbTqDIl3nH9IlsrUVDmu4oFMQcrwtt"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10804&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"o3EBIPr0c0ZcyGjjhLGtU5S156e8TkmQE/omx4zSWpxN0jUy3o/vPrIz91zv/pZhLJPRxNK0HZPVzjbnMZmnPA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10803&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"xex36LJ6hs3NrKtc0smZnWbxKiHzkiCmnj1Lo3E4heuCCew6PLmc/yoE92e5dJzXMlJUjVZMn9/07Qt4Zz3t5w=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10806&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10766\",\"10767\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10805&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"Vs2VKxNtKiA0PJ0bP4XcHxxELX2RNqfaCC0F087m48+6IRw2wSZX0qa3CawbGZEvXc+rXK7S2iURJDOlHDRagA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10840&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10839\",\"10801\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10842&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10841\",\"10803\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10841&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10840\",\"10802\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell_script_10006&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell_script_10006","type":"script","value":"retainField(k8spodname,file_path,dockerimageid,gid,perm,pid,k8snodeid,host_uuid,file_gid_name,sid,uid,file_gid,k8snodename,cmdline,euid_ [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell_script_10007&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell_script_10007","type":"script","value":"___regexp_10057=regex(std_cmdline,'(mkfifo|mknod).*?&&\\s*(nc|telnet).*?<.*?\\|.*?ash');\n___regexp_10058=regex(std_cmdline,'(mkfifo|mkn [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell_script_10008&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell_script_10008","type":"script","value":"retainField(hit_result,k8spodname,file_path,dockerimageid,gid,perm,pid,k8snodeid,host_uuid,file_gid_name,sid,uid,file_gid,k8snodename,cm [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell_script_10009&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell_script_10009","type":"script","value":"___in_10024=contain(hit_result,'rs_12','rs_32','rs_33')\n;___lower_b64_cmdline_10001=lower(b64_cmdline);\n___regexp_10101=regex(___lower [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell_script_10010&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell_script_10010","type":"script","value":"retainField(is_white,k8spodname,file_path,dockerimageid,gid,perm,pid,k8snodeid,host_uuid,file_gid_name,sid,uid,file_gid,k8snodename,cmdl [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell_rule_10003&&&&{"expressionStr":"is_white,==,double,0","scriptNames":"[]","expressionName":"10845","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell_rule_10003","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames" [...]
-dipper.private.blink.rules&&&&express&&&&10845&&&&{"varName":"is_white","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0.0"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell_script_10011&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell_script_10011","type":"script","value":"uuid=host_uuid;\nali_uid='';\nclient_ip='';\nevent_type='进程异常行为';\nevent_name='反弹shell命令';\nlevel='high';\n___cast_10360=cast(scan_time, [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell_script_10012&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell_script_10012","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]" [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell_script_10013&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell_script_10013","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]" [...]
-dipper.private.blink.rules&&&&channel&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell_channel_10001&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_reverse_shell_channel_10001","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeI [...]
-dipper.private.blink.rules&&&&pipline&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"nextStageLables\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"cancelAfterConfigurableRefreshListerner\\\\\\\":\\\\\\\"false [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq;blackrule_10002&&&&{"setCollectorMethodName":"setCollector","fullClassName":"com.sas.zing.blink.udf.BlackRule","initMethodName":"open","functionName":"blackrule","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udtf.BlinkUDTFScript","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq;blackrule_10002","type":"script","version":"1. [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq;BlackSeq_10002&&&&{"setCollectorMethodName":"setCollector","fullClassName":"com.aliyun.sec.lyra.hsh.udf.ext.BlackSeq","initMethodName":"open","functionName":"BlackSeq","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udtf.BlinkUDTFScript","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq;BlackSeq_10002","type":"script","version [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq;json_concat_10009&&&&{"fullClassName":"com.aliyun.sec.lyra.udf.ext.JsonConcat","initMethodName":"open","functionName":"json_concat","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq;json_concat_10009","t [...]
-dipper.private.blink.rules&&&&channel&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder":"true","maxF [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10001","type":"script","value":"___lower_cmdline_10092=lower(cmdline);\n___REGEXP_REPLACE_10022=REGEXP_REPLACE(___lower_cmdline_10092,'\\s+',' ');\n___!null_100 [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_rule_10001&&&&{"expressionStr":"(___REGEXP_REPLACE_10022,regex,'^(((/?([a-zA-Z0-9_\\.\\-]+/){1,20})bin/)|/bin/|/|-)?(bash|sh|dash|ash|tcsh|csh|ksh|zsh)(\\s+-{1,2}[a-z0-9\\-]{1,20}){0,5}$')|((((((((cmdline,regex,'((\\W+cron)|(^|\\W+)(scp|ssh|crontab|wget|curl|base64|ifconfig|whoami|traceroute|touch|last|history|uname|arp|netstat|useradd|adduser|nslookup|ping|chmod)(\\W+|$)|/rc\\.d|auth [...]
-dipper.private.blink.rules&&&&express&&&&10855&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10854\",\"___!null_10018\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10854&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10853\",\"10850\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10846&&&&{"aesFlag":1,"varName":"___REGEXP_REPLACE_10022","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"tC+6BVeaz7RbgiE7GI5nvI+3SNAfCktVEXCRJ2PiAZV6l5KuC1EsplbweRXMpO7VdK7uu993qm1aedLTtbg2Yklh5ogU1JJ5eSOwZIQRjAEtV80MPXXh06kZgtoPkjTg5e8d6OAQg+aXWquDpF0AqofIJYMSV3i99rSh+VpdkFQ="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10857&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10856\",\"___!null_10020\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10856&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10855\",\"___!null_10019\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10848&&&&{"aesFlag":1,"varName":"file_name","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"I6Xra4uKOQ4clEQ9mBojYkMaUdfAOQ2dXE7d81U0x9csfvPcc+8lxKZRKrbebd5/JDwUfA8t8ih5S30Yht6bgDIBWdhDUO6wP2N9wP9MQUqZQzEPE6nK6kQ04Z8sBwgl22VW2p6Hyb9cLNWFF3LxQiaUsbXRDNi4fr5RngBrBigzMjSfEvKYay3j7m9XZbdJlMiNRUHyksM4G1utPL73Z+z1YPWkI08BGbnvMv0 [...]
-dipper.private.blink.rules&&&&express&&&&10859&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10846\",\"10858\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10847&&&&{"aesFlag":1,"varName":"cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"CwLJQmDR+14h1C68i/ZdDKjlUoeRATpmIGhjlfwX/gvorTB3SGEMkuWKqRHucHZ4g6mLjxqfHKJkH16NBvcUIW9YMuV9x8l1TkETAnaqguwnFY/YJzB3nPQbuRs62XKadorJP+GrKNgFzTw4UesTatNHMHOYprQDT9nWMuUOGSHguXGtZdFFbmCQT9smj8IKCu5Lga17fb93nxud8UPm+SsYrtgGPjx/MQfGqk [...]
-dipper.private.blink.rules&&&&express&&&&10858&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10857\",\"10851\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10849&&&&{"aesFlag":1,"varName":"cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"wuFzc6RuWAdEfPGMyg1TecBnjYtObODlDycixQ7BhZ2+HRmKZZL+SHqnSqZm3R78udkxlc7BUuH7BjmlFauMMiZ3RAuZ0Fhni4mz4y3caG8="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10851&&&&{"aesFlag":1,"varName":"___REGEXP_REPLACE_10023","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"tC+6BVeaz7RbgiE7GI5nvI+3SNAfCktVEXCRJ2PiAZV6l5KuC1EsplbweRXMpO7VdK7uu993qm1aedLTtbg2Yklh5ogU1JJ5eSOwZIQRjAEtV80MPXXh06kZgtoPkjTg5e8d6OAQg+aXWquDpF0AqofIJYMSV3i99rSh+VpdkFQ="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10850&&&&{"aesFlag":1,"varName":"cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"twnNM4S7+LShivhp2iyZVb4Xm4ErQA0BvqUDN741JdA="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10853&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10852\",\"10849\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10852&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10847\",\"10848\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10002","type":"script","value":"retainField(k8spodname,file_path,dockerimageid,gid,perm,pid,k8snodeid,host_uuid,file_gid_name,sid,uid,file_gid,k8snodename,cmdli [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10003","type":"script","value":"___lower_cmdline_10093=lower(cmdline);\n___REGEXP_REPLACE_10024=REGEXP_REPLACE(___lower_cmdline_10093,'\\s+',' ');\n","version": [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_rule_10002&&&&{"expressionStr":"___REGEXP_REPLACE_10024,regex,'^(((/?([a-zA-Z0-9_\\.\\-]+/){1,20})bin/)|/bin/|/|-)?(bash|sh|dash|ash|tcsh|csh|ksh|zsh)(\\s+-{1,2}[a-z0-9\\-]{1,20}){0,5}$'","scriptNames":"[]","expressionName":"10860","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aeg [...]
-dipper.private.blink.rules&&&&express&&&&10860&&&&{"aesFlag":1,"varName":"___REGEXP_REPLACE_10024","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"tC+6BVeaz7RbgiE7GI5nvI+3SNAfCktVEXCRJ2PiAZV6l5KuC1EsplbweRXMpO7VdK7uu993qm1aedLTtbg2Yklh5ogU1JJ5eSOwZIQRjAEtV80MPXXh06kZgtoPkjTg5e8d6OAQg+aXWquDpF0AqofIJYMSV3i99rSh+VpdkFQ="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10004&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10004","type":"script","value":"___unixtime_10011=unixtime(scan_time);\n___division_10008=division(___unixtime_10011,3600);\n___cast_10404=cast(___division_1000 [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10005&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10005","type":"script","value":"retainField(key_time,k8spodname,file_path,dockerimageid,gid,perm,pid,k8snodeid,host_uuid,file_gid_name,sid,uid,file_gid,k8snoden [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10006&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10006","type":"script","value":"___!null_10021=!null(host_uuid);\n___!null_10022=!null(pid);\n___!null_10023=!null(parent_cmd_line);\n___lower_parent_cmd_line_1 [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_rule_10003&&&&{"expressionStr":"(((((((cmdline,regex,'((\\W+cron)|(^|\\W+)(scp|ssh|crontab|wget|curl|base64|ifconfig|whoami|traceroute|touch|last|history|uname|arp|netstat|useradd|adduser|nslookup|ping|chmod)(\\W+|$)|/rc\\.d|authorized_keys|/etc/passwd|ld\\.so\\.preload|spool/cron|bash_history)')|(file_name,in,'\\'wget\\',\\'ifconfig\\',\\'whoami\\',\\'id\\',\\'curl\\',\\'base64\\',\\ [...]
-dipper.private.blink.rules&&&&express&&&&10866&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10861\",\"10862\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10865&&&&{"aesFlag":1,"varName":"___REGEXP_REPLACE_10025","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"tC+6BVeaz7RbgiE7GI5nvI+3SNAfCktVEXCRJ2PiAZV6l5KuC1EsplbweRXMpO7VdK7uu993qm1aedLTtbg2Yklh5ogU1JJ5eSOwZIQRjAEtV80MPXXh06kZgtoPkjTg5e8d6OAQg+aXWquDpF0AqofIJYMSV3i99rSh+VpdkFQ="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10868&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10867\",\"10864\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10867&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10866\",\"10863\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10869&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10868\",\"___!null_10021\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10871&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10870\",\"___!null_10023\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10870&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10869\",\"___!null_10022\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10862&&&&{"aesFlag":1,"varName":"file_name","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"I6Xra4uKOQ4clEQ9mBojYkMaUdfAOQ2dXE7d81U0x9csfvPcc+8lxKZRKrbebd5/JDwUfA8t8ih5S30Yht6bgDIBWdhDUO6wP2N9wP9MQUqZQzEPE6nK6kQ04Z8sBwgl22VW2p6Hyb9cLNWFF3LxQiaUsbXRDNi4fr5RngBrBigzMjSfEvKYay3j7m9XZbdJlMiNRUHyksM4G1utPL73Z+z1YPWkI08BGbnvMv0 [...]
-dipper.private.blink.rules&&&&express&&&&10861&&&&{"aesFlag":1,"varName":"cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"CwLJQmDR+14h1C68i/ZdDKjlUoeRATpmIGhjlfwX/gvorTB3SGEMkuWKqRHucHZ4g6mLjxqfHKJkH16NBvcUIW9YMuV9x8l1TkETAnaqguwnFY/YJzB3nPQbuRs62XKadorJP+GrKNgFzTw4UesTatNHMHOYprQDT9nWMuUOGSHguXGtZdFFbmCQT9smj8IKCu5Lga17fb93nxud8UPm+SsYrtgGPjx/MQfGqk [...]
-dipper.private.blink.rules&&&&express&&&&10872&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10871\",\"10865\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10864&&&&{"aesFlag":1,"varName":"cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"twnNM4S7+LShivhp2iyZVb4Xm4ErQA0BvqUDN741JdA="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10863&&&&{"aesFlag":1,"varName":"cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"wuFzc6RuWAdEfPGMyg1TecBnjYtObODlDycixQ7BhZ2+HRmKZZL+SHqnSqZm3R78udkxlc7BUuH7BjmlFauMMiZ3RAuZ0Fhni4mz4y3caG8="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10007&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10007","type":"script","value":"___unixtime_10012=unixtime(scan_time);\n___division_10009=division(___unixtime_10012,3600);\n___cast_10405=cast(___division_1000 [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10008&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10008","type":"script","value":"retainField(key_time,k8spodname,file_path,dockerimageid,gid,perm,pid,k8snodeid,host_uuid,file_gid_name,sid,uid,file_gid,k8snoden [...]
-dipper.private.blink.rules&&&&window&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_join_window_10001&&&&{"waterMarkMinute":"0","className":"com.aliyun.yundun.dipper.window.model.JoinWindow","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_join_window_10001","type":"window","retainWindowCount":"6","windowType":"tumble","timeout":"30000","sizeInterval":"8","isAutoFlush":"false","nameSpace":"dipper.private.blink.rules","havingMap":" [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_join_left_10001&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\":\\\\\\\"script\\\\\\\",\\\\\\\"scriptName\\\\\\\":\\\\\\\"subpipline_bl [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_join_left_10001_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_join_left_10001_script_10001","type":"script","value":"retainField(k8spodname,file_path,dockerimageid,gid,perm,pid,k8snodeid,host [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_join_right_10001&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\":\\\\\\\"script\\\\\\\",\\\\\\\"scriptName\\\\\\\":\\\\\\\"subpipline_b [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_join_right_10001_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_join_right_10001_script_10001","type":"script","value":"___!null_10024=!null(host_uuid);\n___!null_10025=!null(pid);\n___!null_1 [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_join_right_10001_rule_10001&&&&{"expressionStr":"((___!null_10024&___!null_10025)&___!null_10026)&___!null_10027","scriptNames":"[]","expressionName":"10875","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_j [...]
-dipper.private.blink.rules&&&&express&&&&10873&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"___!null_10024\",\"___!null_10025\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10875&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10874\",\"___!null_10027\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10874&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10873\",\"___!null_10026\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_join_right_10001_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_join_right_10001_script_10002","type":"script","value":"retainField(k8spodname,file_path,dockerimageid,gid,perm,pid,k8snodeid,ho [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10009&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10009","type":"script","value":"___null_10042=null(b.cmdline);\nif(___null_10042){___case_10032='';}else{___case_10032=b.cmdline;};\nsub_cmdline=___case_10032;r [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10010&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10010","type":"script","value":"docker_file_path=b.docker_file_path;\nfile_uid=b.file_uid;\nparent_cmd_line=b.parent_cmd_line;\ndockerimagename=b.dockerimagenam [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10011&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10011","type":"script","value":"___BLACKRULE_10002=BLACKRULE(sub_file_name,sub_cmdline);T.hit_result=udtf.0;T.score=udtf.1;","version":"1.0","extendField":"[]"} [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10012&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10012","type":"script","value":"___unixtime_10013=unixtime(scan_time,'yyyy-MM-dd HH:mm:ss');\n___division_10010=division(___unixtime_10013,3600);\n___floor_1000 [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10013&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10013","type":"script","value":"retainField(score,hit_result,time_win,k8spodname,file_path,dockerimageid,sub_perm,pid,k8snodename,cmdline,euid_name,parent_file_ [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10014&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10014","type":"script","value":"___lower_sub_cmdline_10001=lower(sub_cmdline);\n__compare_value_10003=!((___lower_sub_cmdline_10001,regex,'(http(s)?://100\\.100 [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_rule_10004&&&&{"expressionStr":"((__compare_value_10003&___!_10022)&___!_10023)&___!_10024","scriptNames":"[]","expressionName":"10878","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_rule_10004","ruleStatus":"0","type":"rule","v [...]
-dipper.private.blink.rules&&&&express&&&&10877&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10876\",\"___!_10023\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10876&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"__compare_value_10003\",\"___!_10022\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10878&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10877\",\"___!_10024\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10015&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10015","type":"script","value":"retainField(k8spodname,file_path,dockerimageid,sub_perm,pid,score,k8snodename,cmdline,euid_name,parent_file_path,sub_scan_time,f [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10016&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10016","type":"script","value":"___!null_10028=!null(hit_result);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_rule_10005&&&&{"expressionStr":"___!null_10028&(hit_result,<>,'')","scriptNames":"[]","expressionName":"10880","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_rule_10005","ruleStatus":"0","type":"rule","version":"1.0","extendFiel [...]
-dipper.private.blink.rules&&&&express&&&&10879&&&&{"aesFlag":1,"varName":"hit_result","functionName":"<>","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"wc8fi0p7qwBHnY1x2c6Qsw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10880&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"___!null_10028\",\"10879\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&window&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_window_10001&&&&{"groupByFieldName":"host_uuid;pid;cmdline;key_time;hit_result","waterMarkMinute":"0","className":"com.aliyun.yundun.dipper.window.model.OverWindow","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_window_10001","type":"window","version":"1.0","fireDelaySecond":"30","timeout":"30000","activtyTimeOut":"3000","sizeInterval":"60","grou [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10017&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10017","type":"script","value":"___concat_10013=concat(sub_scan_time,'    ',sub_pid,'    ',sub_cmdline);\ninfo=___concat_10013;rm('___concat_10013');\nrnk=over_ [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10018&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10018","type":"script","value":"retainField(score,key_time,hit_result,time_win,pid,host_uuid,sub_scan_time,rnk,ppid,info);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_rule_10006&&&&{"expressionStr":"rnk,==,double,1","scriptNames":"[]","expressionName":"10881","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_rule_10006","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNam [...]
-dipper.private.blink.rules&&&&express&&&&10881&&&&{"varName":"rnk","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"1.0"}&&&&null
-dipper.private.blink.rules&&&&window&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_window_10002&&&&{"groupByFieldName":"host_uuid;pid;ppid;key_time;time_win","waterMarkMinute":"0","sizeAdjust":"0","className":"com.aliyun.yundun.dipper.window.model.WindowMessageProcessor","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_window_10002","type":"window","version":"1.0","windowType":"hop","fireDelaySecond":"30","timeout":"30000","activ [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10019&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10019","type":"script","value":"retainField(score,key_time,hit_result,cmd_seq_detail_markdown,min_sub_scan_time,time_win,pid,max_sub_scan_time,host_uuid,ppid);" [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10020&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10020","type":"script","value":"___unixtime_10014=unixtime(max_sub_scan_time);\n___unixtime_10015=unixtime(min_sub_scan_time);\n___subtraction_10007=subtraction [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10021&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10021","type":"script","value":"retainField(score,key_time,hit_result,cmd_seq_detail_markdown,time_win,pid,sub_time_delta,host_uuid,ppid);","version":"1.0","ext [...]
-dipper.private.blink.rules&&&&window&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_join_window_10002&&&&{"waterMarkMinute":"0","className":"com.aliyun.yundun.dipper.window.model.JoinWindow","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_join_window_10002","type":"window","retainWindowCount":"6","windowType":"tumble","timeout":"30000","sizeInterval":"8","isAutoFlush":"false","nameSpace":"dipper.private.blink.rules","havingMap":" [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_join_left_10002&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\":\\\\\\\"script\\\\\\\",\\\\\\\"scriptName\\\\\\\":\\\\\\\"subpipline_bl [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_join_left_10002_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_join_left_10002_script_10001","type":"script","value":"___concat_10014=concat(host_uuid,pid,ppid,key_time,time_win);\njoin_key=__ [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_join_left_10002_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_join_left_10002_script_10002","type":"script","value":"retainField(join_key,k8spodname,file_path,dockerimageid,sub_perm,pid,score [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_join_right_10002&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\":\\\\\\\"script\\\\\\\",\\\\\\\"scriptName\\\\\\\":\\\\\\\"subpipline_b [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_join_right_10002_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_join_right_10002_script_10001","type":"script","value":"___concat_10015=concat(host_uuid,pid,ppid,key_time,time_win);\njoin_key= [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_join_right_10002_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_join_right_10002_script_10002","type":"script","value":"retainField(join_key,score,key_time,hit_result,cmd_seq_detail_markdown,t [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10022&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10022","type":"script","value":"hit_result=b.hit_result;\ncmd_seq_detail_markdown=b.cmd_seq_detail_markdown;\nscore=b.score;\nsub_time_delta=b.sub_time_delta;\n [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10023&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10023","type":"script","value":"___!null_10029=!null(hit_result);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_rule_10007&&&&{"expressionStr":"___!null_10029&(hit_result,!in,'\\'\\',\\'N/A\\'')","scriptNames":"[]","expressionName":"10883","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_rule_10007","ruleStatus":"0","type":"rule","version": [...]
-dipper.private.blink.rules&&&&express&&&&10882&&&&{"aesFlag":1,"varName":"hit_result","functionName":"!in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"TVEW40h+v56CrjMCEeE0Kg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10883&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"___!null_10029\",\"10882\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10024&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10024","type":"script","value":"retainField(k8spodname,file_path,dockerimageid,sub_perm,pid,score,k8snodename,cmdline,euid_name,parent_file_path,sub_time_delta, [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10025&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10025","type":"script","value":"___BLACKSEQ_10002=BLACKSEQ(hit_result);T.seq_hit_result=udtf.0;T.seq_score=udtf.1;","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10026&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10026","type":"script","value":"seq_hit_result=T.seq_hit_result;\nseq_score=T.seq_score;\nretainField(seq_hit_result,seq_score,k8spodname,file_path,dockerimagei [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10027&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10027","type":"script","value":"___regexp_10104=regex(parent_file_path,'/(script|ttyrec|rootsh|sniffy|ttyrpld|ttysnoop)$');\n___regexp_10105=regex(parent_cmd_li [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10028&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10028","type":"script","value":"retainField(k8spodname,file_path,dockerimageid,sub_perm,pid,score,k8snodename,cmdline,euid_name,parent_file_path,sub_time_delta, [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_union_10001&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\":\\\\\\\"script\\\\\\\",\\\\\\\"scriptName\\\\\\\":\\\\\\\"subpipline_blink. [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_union_10001_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_union_10001_script_10001","type":"script","value":"___cast_10407=cast(is_white,'long');\n___cast_10408=cast(score,'long');\n","versio [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_union_10001_rule_10001&&&&{"expressionStr":"((seq_type,in,'\\'para3interactive\\',\\'para3devinteractive\\'')&(___cast_10407,==,double,0))&(___cast_10408,>=,double,6)","scriptNames":"[]","expressionName":"10888","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.a [...]
-dipper.private.blink.rules&&&&express&&&&10888&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10887\",\"10886\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10887&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10884\",\"10885\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10884&&&&{"aesFlag":1,"varName":"seq_type","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"Mk7qAUhKoGyVze118b2tIDIiRDM1FG1aAVpXHYEnN/6GbgbJXd4eFfrsmIBbB+0w"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10886&&&&{"varName":"___cast_10408","functionName":">=","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"6.0"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10885&&&&{"varName":"___cast_10407","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0.0"}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_union_10001_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_union_10001_script_10002","type":"script","value":"retainField(k8spodname,file_path,dockerimageid,sub_perm,pid,score,k8snodename,cmdl [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_union_10002&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\":\\\\\\\"script\\\\\\\",\\\\\\\"scriptName\\\\\\\":\\\\\\\"subpipline_blink. [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_union_10002_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_union_10002_script_10001","type":"script","value":"___cast_10409=cast(is_white,'long');\n___cast_10410=cast(seq_score,'long');\n___ca [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_union_10002_rule_10001&&&&{"expressionStr":"(((seq_type,in,'\\'para3black_parent\\',\\'para3other\\'')&(___cast_10409,==,double,0))&(___cast_10410,>,double,6))&(___cast_10411,>=,double,20)","scriptNames":"[]","expressionName":"10895","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"sub [...]
-dipper.private.blink.rules&&&&express&&&&10889&&&&{"aesFlag":1,"varName":"seq_type","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"EBiRJniz05EDVoauyOnrLJ8ZBGOjpUWyHjuu75JfU+IFto/JjA7Cfnv+PqW5AZxD"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10891&&&&{"varName":"___cast_10410","functionName":">","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"6.0"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10890&&&&{"varName":"___cast_10409","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0.0"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10893&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10889\",\"10890\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10892&&&&{"varName":"___cast_10411","functionName":">=","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"20.0"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10895&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10894\",\"10892\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10894&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10893\",\"10891\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_union_10002_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_union_10002_script_10002","type":"script","value":"retainField(k8spodname,file_path,dockerimageid,sub_perm,pid,score,k8snodename,cmdl [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_union_10002_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_union_10002_script_10003","type":"script","value":"retainField(k8spodname,file_path,dockerimageid,sub_perm,pid,score,k8snodename,cmdl [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_union_10002_script_10004&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_union_10002_script_10004","type":"script","value":"retainField(k8spodname,file_path,dockerimageid,sub_perm,pid,score,k8snodename,cmdl [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10029&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10029","type":"script","value":"retainField(k8spodname,file_path,dockerimageid,sub_perm,pid,score,k8snodename,cmdline,euid_name,parent_file_path,sub_time_delta, [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10030&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10030","type":"script","value":"___REGEXP_REPLACE_10028=REGEXP_REPLACE(cmdline,'([^\\\\\\:\\>\\-\\&\\@\\=\\%\\s~~~~~\\/\\.\\(\\)\\[\\]]{1})','A');\n___REGEXP_RE [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10031&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10031","type":"script","value":"retainField(k8spodname,file_path,dockerimageid,sub_perm,pid,score,k8snodename,cmdline,euid_name,parent_file_path,sub_time_delta, [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10032&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10032","type":"script","value":"___md5_10008=md5(abk_raw);\nabk=___md5_10008;rm('___md5_10008');\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10033&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10033","type":"script","value":"retainField(k8spodname,file_path,dockerimageid,sub_perm,pid,score,k8snodename,cmdline,euid_name,parent_file_path,sub_time_delta, [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10034&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10034","type":"script","value":"ali_uid='';\nclient_ip='';\nevent_type='进程异常行为';\nevent_name='linux可疑命令序列';\nlevel='high';\n___cast_10412=cast(host_uuid,'string [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10035&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10035","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,host_uuid);","version":"1.0","exte [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10036&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_script_10036","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,host_uuid);","version":"1.0","exte [...]
-dipper.private.blink.rules&&&&channel&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_channel_10001&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_sus_shell_cmd_seq_channel_10001","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false"," [...]
-dipper.private.blink.rules&&&&pipline&&&&blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"nextStageLables\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"cancelAfterConfigurableRefreshListerner\\\\\\\":\\\\\\\"false\\\\\\\",\ [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert;json_concat_10010&&&&{"fullClassName":"com.aliyun.sec.lyra.udf.ext.JsonConcat","initMethodName":"open","functionName":"json_concat","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert;json_concat_10010","type":"scri [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert;extract_download_source_10001&&&&{"setCollectorMethodName":"setCollector","fullClassName":"com.self.extract_download_source","initMethodName":"open","functionName":"extract_download_source","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udtf.BlinkUDTFScript","configureName":"blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert;extract_download_source_1000 [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert;salt_hash_10002&&&&{"fullClassName":"com.aliyun.sec.lyra.hsh.udf.ext.SaltHash","initMethodName":"open","functionName":"salt_hash","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert;salt_hash_10002","type":"script", [...]
-dipper.private.blink.rules&&&&channel&&&&blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","tags":"T_MSG_PROC","syncTimeout":"5000","groupName":"blink.source.aegis.proc_adl_sas_apsa [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_script_10001","type":"script","value":"___len_10005=len(cmdline);\n___lower_cmdline_10095=lower(cmdline);\n___lower_file_path_10002=lower(file_path);\n___lower_file_path_10003=l [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_rule_10001&&&&{"expressionStr":"((___len_10005,>,double,20)&(cmdline,like,'% %'))&(((((((___lower_cmdline_10095,regex,'(wget|curl|-fssl|cmd.exe /c|open|sh -c |python|powershell|download|reg|mshta|script|bitsadmin|certutil|msiexec|\\\\./\\\\S+)')|(file_path,==,'/usr/bin/wget'))|(file_path,==,'/usr/bin/curl'))|(___lower_file_path_10002,like,'%/powershell.exe'))|(___lower_file_path_10003,like [...]
-dipper.private.blink.rules&&&&express&&&&10907&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10906\",\"10900\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10906&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10898\",\"10899\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10909&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10908\",\"10902\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10908&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10907\",\"10901\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10899&&&&{"aesFlag":1,"varName":"file_path","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"deLRgYjbwrFSyX//riHo4w=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10910&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10909\",\"10903\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10898&&&&{"aesFlag":1,"varName":"___lower_cmdline_10095","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0uvJBH6+fDDtwCWrHQ+dPZeLoQwm14fqsWar0apbTvZqPS68JcCV/GFB/m6qt+Dc3mWMu/97JHHRHRXxcpCGyDEbl6BnhXb0u27hjkxY6BBjY6SmYIg1G1g1War6IoDV8iH8k9macCQiSissb5V9WkLZc3MDjEKPt+dS9kN6vRY="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10901&&&&{"aesFlag":1,"varName":"___lower_file_path_10002","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"NivVtcGftc/lRYpOj0WVRRSAei8gV+LJX4QrURhgtNg="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10912&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10905\",\"10911\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10900&&&&{"aesFlag":1,"varName":"file_path","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"e1sQFEbJ2l0YWqhd8z+LJQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10911&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10910\",\"10904\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10903&&&&{"aesFlag":1,"varName":"parent_file_path","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"l13p3ml25iJF9CbtbZzOYg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10902&&&&{"aesFlag":1,"varName":"___lower_file_path_10003","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"EQvgfH+iOJ2sUlmt4GPiHg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10905&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10896\",\"10897\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10904&&&&{"aesFlag":1,"varName":"parent_file_path","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"kXriqf/MFpHp8VdhL41WYw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10897&&&&{"aesFlag":1,"varName":"cmdline","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"8mcwLkiCoiJXKb4UZc1uNQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10896&&&&{"varName":"___len_10005","functionName":">","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"20.0"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_script_10002","type":"script","value":"uuid=host_uuid;\npfile_path=parent_file_path;\npcmdline=parent_cmd_line;\nuser_name=euid_name;\nlogTime=scan_time;\ncontainerid=dockercont [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_script_10003","type":"script","value":"retainField(file_path,pfile_path,cmdline,user_name,pid,k8snodeid,k8sclusterid,containerid,uuid,pcmdline,ppid,logTime);","version":"1.0","e [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_script_10004&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_script_10004","type":"script","value":"___EXTRACT_DOWNLOAD_SOURCE_10001=EXTRACT_DOWNLOAD_SOURCE(cmdline);T.cmdline=udtf.0;T.url=udtf.1;","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_script_10005&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_script_10005","type":"script","value":"cmdline=cmdline;\nurl=T.url;\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_script_10006&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_script_10006","type":"script","value":"retainField(file_path,user_name,pid,k8snodeid,k8sclusterid,uuid,url,ppid,logTime,pfile_path,cmdline,containerid,pcmdline);","version":"1.0 [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_script_10007&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_script_10007","type":"script","value":"___lower_url_10001=lower(url);\n___!_10025=!((___lower_url_10001,regex,'(zabbix|notice\\\\.json|action\\\\.json|\\\\.shtml|\\\\.m3u8|51xia [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_rule_10002&&&&{"expressionStr":"(___!_10025)","scriptNames":"[]","expressionName":"10914","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_rule_10002","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10914&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10913\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10913&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"___!_10025\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_script_10008&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_script_10008","type":"script","value":"retainField(file_path,user_name,pid,k8snodeid,k8sclusterid,uuid,url,ppid,logTime,pfile_path,cmdline,containerid,pcmdline);","version":"1.0 [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_script_10009&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_script_10009","type":"script","value":"___lower_url_10002=lower(url);\n___trim_10004=trim(___lower_url_10002);\nurl=___trim_10004;rm('___trim_10004');\n","version":"1.0","extend [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_script_10010&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_script_10010","type":"script","value":"retainField(file_path,user_name,pid,k8snodeid,k8sclusterid,uuid,url,ppid,logTime,pfile_path,cmdline,containerid,pcmdline);","version":"1.0 [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_script_10011&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_script_10011","type":"script","value":"___!null_10030=!null(url);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_rule_10003&&&&{"expressionStr":"(___!null_10030)","scriptNames":"[]","expressionName":"10916","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_rule_10003","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"} [...]
-dipper.private.blink.rules&&&&express&&&&10916&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10915\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10915&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"___!null_10030\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_script_10012&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_script_10012","type":"script","value":"retainField(file_path,pfile_path,cmdline,user_name,pid,uuid,pcmdline,url,ppid,logTime);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_script_10013&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_script_10013","type":"script","value":"___SALT_HASH_10002=SALT_HASH(url);;","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&dataSource&&&&blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_dataSource_10001&&&&{"className":"com.aliyun.yundun.dipper.configurable.http.resource.JDBCDataSource","configureName":"blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_dataSource_10001","userName":"intelligence.rds.jdbc.username","type":"dataSource","version":"1.0","url":"intelligence.rds.jdbc.url","timeout":"30000","activtyTimeOut":"3000","password":"intelligence.rds.jd [...]
-dipper.private.blink.rules&&&&intelligence&&&&blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_intelligence_10001&&&&{"className":"com.aliyun.filter.intelligence.URLIntelligenceCache","pollingTimeMintue":"30","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_intelligence_10001","idFieldName":"id","batchSize":"3000","datasourceName":"blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_dataSource_1 [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_script_10014&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_script_10014","type":"script","value":"intelligence('dipper.private.blink.rules','blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_intelligence_10001',___SALT_HASH_ [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_script_10015&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_script_10015","type":"script","value":"___!null_10031=!null(url);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_rule_10004&&&&{"expressionStr":"___!null_10031&(p.is_malicious_source,in,'\\'1\\'')","scriptNames":"[]","expressionName":"10918","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_rule_10004","ruleStatus":"0","type":"rule","version":"1.0","ex [...]
-dipper.private.blink.rules&&&&express&&&&10918&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"___!null_10031\",\"10917\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10917&&&&{"aesFlag":1,"varName":"p.is_malicious_source","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"jUdckUKzQ+H+FRkCrZ4LEA=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_script_10016&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_script_10016","type":"script","value":"gmt_create=logTime;\ngmt_modified=logTime;\nurl=url;\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_script_10017&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_script_10017","type":"script","value":"retainField(gmt_create,file_path,pfile_path,cmdline,user_name,pid,gmt_modified,uuid,pcmdline,url,ppid);","version":"1.0","extendField":"[] [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_script_10018&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_script_10018","type":"script","value":"ali_uid='-';\nclient_ip='-';\nevent_type='威胁情报';\nevent_name='访问恶意下载源(2)';\nlevel='high';\n___cast_10456=cast(pfile_path,'string');\n___ca [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_script_10019&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_script_10019","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&channel&&&&blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_channel_10001&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink.source.aegis.proc_adl_sas_apsara_intelligence_url_alert_channel_10001","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInO [...]
-dipper.private.blink.rules&&&&pipline&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"nextStageLables\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10002\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"cancelAfterConfigurableRefreshListerner\\\\\\\":\\\\\\\"fal [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2;json_concat_10011&&&&{"fullClassName":"com.aliyun.sec.lyra.udf.ext.JsonConcat","initMethodName":"open","functionName":"json_concat","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2;json_concat_10011","t [...]
-dipper.private.blink.rules&&&&channel&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder":"true","maxF [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10001","type":"script","value":"logtime=scan_time;\nuuid=host_uuid;\nproc_name=file_name;\ncmd=cmdline;\npproc_name=parent_file_name;\npcmd=parent_cmd_line;\npe [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10002","type":"script","value":"retainField(pexe,pid,cmd,aliuid,proc_name,ppexe,logtime,uuid,pproc_name,pcmd,ppid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10003","type":"script","value":"___lower_proc_name_10004=lower(proc_name);\n___lower_pproc_name_10005=lower(pproc_name);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_rule_10001&&&&{"expressionStr":"(((((___lower_proc_name_10004,like,'%.exe')|(___lower_pproc_name_10005,like,'%.exe'))|(pexe,like,'_:/%'))|(ppexe,like,'_:/%'))|(pexe,like,'//%'))|(ppexe,like,'//%')","scriptNames":"[]","expressionName":"10929","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink. [...]
-dipper.private.blink.rules&&&&express&&&&10921&&&&{"aesFlag":1,"varName":"pexe","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"iEGyh/evZuz6gUfAf8QayQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10920&&&&{"aesFlag":1,"varName":"___lower_pproc_name_10005","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"+hpefcjI0jxX3V74t6E7Ow=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10923&&&&{"aesFlag":1,"varName":"pexe","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"dZof4o+5XqLmguDMF556hA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10922&&&&{"aesFlag":1,"varName":"ppexe","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"iEGyh/evZuz6gUfAf8QayQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10925&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10919\",\"10920\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10924&&&&{"aesFlag":1,"varName":"ppexe","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"dZof4o+5XqLmguDMF556hA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10927&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10926\",\"10922\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10926&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10925\",\"10921\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10929&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10928\",\"10924\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10928&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10927\",\"10923\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10919&&&&{"aesFlag":1,"varName":"___lower_proc_name_10004","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"+hpefcjI0jxX3V74t6E7Ow=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10004&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10004","type":"script","value":"data_type='online';\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10005&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10005","type":"script","value":"retainField(pexe,data_type,pid,cmd,aliuid,proc_name,ppexe,logtime,uuid,pproc_name,pcmd,ppid);","version":"1.0","extendField":"[] [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_rule_10002&&&&{"expressionStr":"data_type,==,'online'","scriptNames":"[]","expressionName":"10930","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_rule_10002","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","act [...]
-dipper.private.blink.rules&&&&express&&&&10930&&&&{"aesFlag":1,"varName":"data_type","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"MhriRxEga5GjFlRBwhEN4Q=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10006&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10006","type":"script","value":"___lower_proc_name_10005=lower(proc_name);\nclean_proc=___lower_proc_name_10005;rm('___lower_proc_name_10005');\n___lower_pproc_ [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10007&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10007","type":"script","value":"retainField(clean_proc,clean_pproc,clean_cmd,pexe,data_type,pid,cmd,aliuid,proc_name,ppexe,logtime,uuid,pproc_name,pcmd,ppid);", [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_rule_10003&&&&{"expressionStr":"clean_pproc,<>,'cmd.exe'","scriptNames":"[]","expressionName":"10931","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_rule_10003","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]"," [...]
-dipper.private.blink.rules&&&&express&&&&10931&&&&{"aesFlag":1,"varName":"clean_pproc","functionName":"<>","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"/Ds+jB1sW7F7xphJLmyPRw=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10008&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10008","type":"script","value":"___compare_10041=equals(clean_proc,'cmd.exe');\n___compare_10042=equals(clean_proc,'powershell.exe');\nif(((___compare_10041&(cl [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10009&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10009","type":"script","value":"retainField(cmd_c,clean_cmd,pid,ppexe,uuid,pproc_name,ppid,clean_proc,pexe,clean_pproc,data_type,cmd,aliuid,proc_name,logtime,pc [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10010&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10010","type":"script","value":"___regexp_10122=regex(clean_cmd,'(\\s|&|~~~~~)(qprocess|tasklist)(\\.exe)?(\\s|&|~~~~~|$)');\n___compare_10043=equals(clean_proc [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10011&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10011","type":"script","value":"retainField(clean_cmd,pid,ppexe,uuid,pproc_name,ppid,clean_proc,pexe,clean_pproc,cmd_c,data_type,cmd,aliuid,proc_name,logtime,pc [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_rule_10004&&&&{"expressionStr":"sub_proc,<>,''","scriptNames":"[]","expressionName":"10932","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_rule_10004","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionName [...]
-dipper.private.blink.rules&&&&express&&&&10932&&&&{"aesFlag":1,"varName":"sub_proc","functionName":"<>","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"wc8fi0p7qwBHnY1x2c6Qsw=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10012&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10012","type":"script","value":"retainField(clean_cmd,pid,ppexe,uuid,pproc_name,ppid,clean_proc,pexe,clean_pproc,cmd_c,data_type,cmd,aliuid,proc_name,logtime,pc [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10013&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10013","type":"script","value":"retainField(clean_cmd,pid,ppexe,uuid,pproc_name,ppid,clean_proc,pexe,clean_pproc,cmd_c,data_type,cmd,aliuid,proc_name,logtime,pc [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10014&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10014","type":"script","value":"___unixtime_10016=unixtime(logtime);\n___cast_10465=cast(___unixtime_10016,'long');\n___multiplication_10011=multiplication(60,6 [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10015&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10015","type":"script","value":"retainField(time_part,clean_cmd,pid,ppexe,uuid,pproc_name,ppid,clean_proc,pexe,clean_pproc,cmd_c,data_type,cmd,aliuid,proc_name, [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10016&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10016","type":"script","value":"___concat_10017=concat(uuid,' - ',time_part,' - ',pcmd,' - ',ppid);\n___md5_10009=md5(___concat_10017);\n___concat_10018=concat( [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10017&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10017","type":"script","value":"retainField(session_key,time_part,clean_cmd,pid,ppexe,uuid,pproc_name,ppid,clean_proc,pexe,clean_pproc,cmd_c,data_type,cmd,aliui [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10018&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10018","type":"script","value":"retainField(time_part,clean_cmd,pid,ppexe,uuid,pproc_name,ppid,clean_proc,pexe,clean_pproc,session_key,cmd_c,data_type,cmd,aliui [...]
-dipper.private.blink.rules&&&&window&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_window_10001&&&&{"groupByFieldName":"session_key;sub_proc","waterMarkMinute":"0","className":"com.aliyun.yundun.dipper.window.model.OverWindow","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_window_10001","type":"window","version":"1.0","fireDelaySecond":"30","timeout":"30000","activtyTimeOut":"3000","sizeInterval":"60","groupMap":"[]","slideInte [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10019&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10019","type":"script","value":"tmp_asdu1yd12=over_parition_10004;\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10020&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10020","type":"script","value":"retainField(tmp_asdu1yd12,time_part,clean_cmd,pid,ppexe,uuid,pproc_name,ppid,clean_proc,pexe,clean_pproc,session_key,cmd_c,data_ [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_rule_10005&&&&{"expressionStr":"tmp_asdu1yd12,<=,double,5","scriptNames":"[]","expressionName":"10933","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_rule_10005","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]", [...]
-dipper.private.blink.rules&&&&express&&&&10933&&&&{"varName":"tmp_asdu1yd12","functionName":"<=","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"5.0"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10021&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10021","type":"script","value":"retainField(time_part,clean_cmd,pid,ppexe,uuid,pproc_name,ppid,clean_proc,tmp_asdu1yd12,pexe,clean_pproc,session_key,cmd_c,data_ [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10022&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10022","type":"script","value":"___unixtime_10017=unixtime(logtime);\n___cast_10467=cast(___unixtime_10017,'long');\n___multiplication_10013=multiplication(60,6 [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10023&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10023","type":"script","value":"retainField(time_part,clean_cmd,pid,ppexe,uuid,pproc_name,ppid,clean_proc,pexe,clean_pproc,cmd_c,data_type,cmd,aliuid,proc_name, [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10024&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10024","type":"script","value":"___concat_10019=concat(uuid,' - ',time_part,' - ',pcmd,' - ',ppid);\n___md5_10010=md5(___concat_10019);\n___concat_10020=concat( [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10025&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10025","type":"script","value":"retainField(session_key,time_part,clean_cmd,pid,ppexe,uuid,pproc_name,ppid,clean_proc,pexe,clean_pproc,cmd_c,data_type,cmd,aliui [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10026&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10026","type":"script","value":"retainField(time_part,clean_cmd,pid,ppexe,uuid,pproc_name,ppid,clean_proc,pexe,clean_pproc,session_key,cmd_c,data_type,cmd,aliui [...]
-dipper.private.blink.rules&&&&window&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_window_10002&&&&{"groupByFieldName":"session_key;sub_proc","waterMarkMinute":"0","className":"com.aliyun.yundun.dipper.window.model.OverWindow","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_window_10002","type":"window","version":"1.0","fireDelaySecond":"30","timeout":"30000","activtyTimeOut":"3000","sizeInterval":"60","groupMap":"[]","slideInte [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10027&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10027","type":"script","value":"tmp_asdu1yd12=over_parition_10005;\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10028&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10028","type":"script","value":"retainField(tmp_asdu1yd12,time_part,clean_cmd,pid,ppexe,uuid,pproc_name,ppid,clean_proc,pexe,clean_pproc,session_key,cmd_c,data_ [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_rule_10006&&&&{"expressionStr":"tmp_asdu1yd12,<=,double,5","scriptNames":"[]","expressionName":"10934","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_rule_10006","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]", [...]
-dipper.private.blink.rules&&&&express&&&&10934&&&&{"varName":"tmp_asdu1yd12","functionName":"<=","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"5.0"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10029&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10029","type":"script","value":"retainField(time_part,clean_cmd,pid,ppexe,uuid,pproc_name,ppid,clean_proc,tmp_asdu1yd12,pexe,clean_pproc,session_key,cmd_c,data_ [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_union_10001&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\":\\\\\\\"script\\\\\\\",\\\\\\\"scriptName\\\\\\\":\\\\\\\"subpipline_blink. [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_union_10001_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_union_10001_script_10001","type":"script","value":"retainField(pid,ppexe,uuid,pproc_name,ppid,pexe,data_type,session_key,cmd,proc_nam [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_union_10002&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\":\\\\\\\"script\\\\\\\",\\\\\\\"scriptName\\\\\\\":\\\\\\\"subpipline_blink. [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_union_10002_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_union_10002_script_10001","type":"script","value":"retainField(pid,ppexe,uuid,pproc_name,ppid,pexe,data_type,session_key,cmd,proc_nam [...]
-dipper.private.blink.rules&&&&window&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_window_10003&&&&{"groupByFieldName":"session_key","waterMarkMinute":"0","sizeAdjust":"0","className":"com.aliyun.yundun.dipper.window.model.WindowMessageProcessor","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_window_10003","type":"window","version":"1.0","windowType":"hop","fireDelaySecond":"30","timeout":"30000","activtyTimeOut":"3000","sizeIn [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10030&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10030","type":"script","value":"retainField(cmd_cnt,sub_proc_detail,sub_proc_cnt,session_key,max_time,ppexe,uuid,pproc_name,min_time,pcmd,sub_proc_all,ppid);"," [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_rule_10007&&&&{"expressionStr":"sub_proc_cnt,>=,double,2","scriptNames":"[]","expressionName":"10935","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_rule_10007","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]"," [...]
-dipper.private.blink.rules&&&&express&&&&10935&&&&{"varName":"sub_proc_cnt","functionName":">=","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"2.0"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10031&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10031","type":"script","value":"retainField(cmd_cnt,sub_proc_detail,sub_proc_cnt,session_key,max_time,ppexe,uuid,pproc_name,min_time,pcmd,sub_proc_all,ppid);"," [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_rule_10008&&&&{"expressionStr":"sub_proc_cnt,>=,double,2","scriptNames":"[]","expressionName":"10936","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_rule_10008","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]"," [...]
-dipper.private.blink.rules&&&&express&&&&10936&&&&{"varName":"sub_proc_cnt","functionName":">=","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"2.0"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10032&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10032","type":"script","value":"___lower_pproc_name_10007=lower(pproc_name);\nclean_pproc=___lower_pproc_name_10007;rm('___lower_pproc_name_10007');\n","version [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10033&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10033","type":"script","value":"retainField(clean_pproc,cmd_cnt,sub_proc_detail,sub_proc_cnt,session_key,max_time,ppexe,uuid,pproc_name,min_time,pcmd,sub_proc_a [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10034&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10034","type":"script","value":"___regexp_10135=regex(clean_pproc,'^(java|tomcat|w3wp|oracle|redis|tomcat|php\\-cgi|httpd|jboss|mysqld|sqlsgent|node|openfired|n [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10035&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10035","type":"script","value":"retainField(sub_proc_detail,ppexe,uuid,pproc_name,min_time,ppid,cmd_cnt,sub_proc_cnt,clean_pproc,session_key,max_time,pcmd,sub_p [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10036&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10036","type":"script","value":"___regexp_10136=regex(sub_proc_all,'\\b(quser)\\b');\n___regexp_10137=regex(sub_proc_all,'\\b(tasklist|netstat|systeminfo|ipconf [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10037&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10037","type":"script","value":"retainField(is_intrude,sub_proc_detail,ppexe,is_vuln_pproc,uuid,pproc_name,min_time,ppid,cmd_cnt,sub_proc_cnt,clean_pproc,sessio [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_rule_10009&&&&{"expressionStr":"is_intrude,==,'v3'","scriptNames":"[]","expressionName":"10937","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_rule_10009","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","action [...]
-dipper.private.blink.rules&&&&express&&&&10937&&&&{"aesFlag":1,"varName":"is_intrude","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"5vloiBx+f0j7E1ntp8Fn0g=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10038&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10038","type":"script","value":"ali_uid='';\nclient_ip='';\nevent_type='进程异常行为';\nevent_name='可疑CMD命令序列(2)';\nlevel='medium';\n___cast_10469=cast(session_key,'s [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10039&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_script_10039","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendFie [...]
-dipper.private.blink.rules&&&&channel&&&&blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_channel_10001&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_cmd_proc_shell_alert_v2_channel_10001","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false"," [...]
-dipper.private.blink.rules&&&&pipline&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"nextStageLables\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10002\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"cancelAfterConfigurableRefreshListerner\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"ownerSq [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert;sas_black_rule_v3_10002&&&&{"fullClassName":"com.lyra.xs.udf.ext.sas_black_rule_v3","initMethodName":"open","functionName":"sas_black_rule_v3","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert;sas_black_rule_v3_10002","type":"scr [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert;b64_auto_10005&&&&{"fullClassName":"com.lyra.xs.udf.ext.b64_auto","initMethodName":"open","functionName":"b64_auto","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert;b64_auto_10005","type":"script","version":"1.0","closeMethodNam [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert;instr_10003&&&&{"fullClassName":"com.lyra.xs.udf.ext.instr","initMethodName":"open","functionName":"instr","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert;instr_10003","type":"script","version":"1.0","closeMethodName":"close"," [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert;json_concat_10012&&&&{"fullClassName":"com.aliyun.sec.lyra.udf.ext.JsonConcat","initMethodName":"open","functionName":"json_concat","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert;json_concat_10012","type":"script","version":"1 [...]
-dipper.private.blink.rules&&&&channel&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder":"true","maxFetchLogGroupSize":"100","s [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10001","type":"script","value":"logtime=scan_time;\nuuid=host_uuid;\nproc_name=file_name;\ncmd=cmdline;\npproc_name=parent_file_name;\npcmd=parent_cmd_line;\npexe=file_path;\nppexe=paren [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10002","type":"script","value":"retainField(pexe,pid,cmd,aliuid,proc_name,ppexe,logtime,uuid,pproc_name,pcmd,ppid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10003","type":"script","value":"___lower_proc_name_10006=lower(proc_name);\n___lower_pproc_name_10008=lower(pproc_name);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_rule_10001&&&&{"expressionStr":"(((((___lower_proc_name_10006,like,'%.exe')|(___lower_pproc_name_10008,like,'%.exe'))|(pexe,like,'_:/%'))|(ppexe,like,'_:/%'))|(pexe,like,'//%'))|(ppexe,like,'//%')","scriptNames":"[]","expressionName":"10948","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis. [...]
-dipper.private.blink.rules&&&&express&&&&10943&&&&{"aesFlag":1,"varName":"ppexe","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"dZof4o+5XqLmguDMF556hA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10942&&&&{"aesFlag":1,"varName":"pexe","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"dZof4o+5XqLmguDMF556hA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10945&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10944\",\"10940\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10944&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10938\",\"10939\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10947&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10946\",\"10942\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10946&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10945\",\"10941\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10938&&&&{"aesFlag":1,"varName":"___lower_proc_name_10006","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"+hpefcjI0jxX3V74t6E7Ow=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10948&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10947\",\"10943\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10939&&&&{"aesFlag":1,"varName":"___lower_pproc_name_10008","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"+hpefcjI0jxX3V74t6E7Ow=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10941&&&&{"aesFlag":1,"varName":"ppexe","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"iEGyh/evZuz6gUfAf8QayQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10940&&&&{"aesFlag":1,"varName":"pexe","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"iEGyh/evZuz6gUfAf8QayQ=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10004&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10004","type":"script","value":"data_type='online';\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10005&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10005","type":"script","value":"retainField(pexe,data_type,pid,cmd,aliuid,proc_name,ppexe,logtime,uuid,pproc_name,pcmd,ppid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_rule_10002&&&&{"expressionStr":"data_type,==,'online'","scriptNames":"[]","expressionName":"10949","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_rule_10002","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10949&&&&{"aesFlag":1,"varName":"data_type","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"MhriRxEga5GjFlRBwhEN4Q=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10006&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10006","type":"script","value":"retainField(pexe,data_type,pid,cmd,aliuid,proc_name,ppexe,logtime,uuid,pproc_name,pcmd,ppid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10007&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10007","type":"script","value":"___unixtime_10018=unixtime(logtime);\nunixtime=___unixtime_10018;rm('___unixtime_10018');\n___lower_proc_name_10007=lower(proc_name);\nclean_proc=___lower [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10008&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10008","type":"script","value":"retainField(unixtime,clean_proc,clean_cmd_noquote,clean_pproc,pexe,data_type,pid,cmd,aliuid,proc_name,ppexe,logtime,uuid,pproc_name,pcmd,ppid);","version" [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10009&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10009","type":"script","value":"___multiplication_10017=multiplication(60,60);\n___multiplication_10018=multiplication(___multiplication_10017,24);\n___division_10013=division(unixtime,_ [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10010&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10010","type":"script","value":"retainField(shot_pcmd,timepart_1hour,log_uid,timepart_1day,unixtime,pid,ppexe,uuid,pproc_name,ppid,clean_proc,clean_cmd_noquote,pexe,clean_pproc,data_type [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10001&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"names\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10001_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\" [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10001_rule_10001&&&&{"expressionStr":"data_type,<>,'online'","scriptNames":"[]","expressionName":"10950","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10001_rule_10001","ruleStatus":"0","type":"rule","version":"1.0","ex [...]
-dipper.private.blink.rules&&&&express&&&&10950&&&&{"aesFlag":1,"varName":"data_type","functionName":"<>","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"MhriRxEga5GjFlRBwhEN4Q=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10001_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10001_script_10001","type":"script","value":"p2_logtime='';\np2_proc_name='';\np2_cmd='';\np2_pproc_name='';\np2_pcmd='';\np2_pexe='';\np2_ppexe='';\np2_ [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10001_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10001_script_10002","type":"script","value":"retainField(p2_pid,p2_ppid,p2_pexe,pid,p3_ppexe,ppexe,uuid,p3_pid,pexe,aliuid,p2_proc_name,p2_pcmd,p2_ppexe, [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10002&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\":\\\\\\\"script\\\\\\\",\\\\\\\"scriptName\\\\\\\":\\\\\\\"subpipline_blink.source.aegis. [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10002_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10002_script_10001","type":"script","value":"___null_10044=null(p2_logtime);\nif(___null_10044){___if_v3_10019=''}else{___if_v3_10019=p2_logtime};\np2_lo [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10002_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10002_script_10002","type":"script","value":"retainField(p2_pid,p2_ppid,p2_pexe,pid,p3_ppexe,ppexe,uuid,p3_pid,pexe,aliuid,p2_proc_name,p2_pcmd,p2_ppexe, [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10003&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"names\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10003_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\" [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10003_rule_10001&&&&{"expressionStr":"step_2_continue,==,boolean,false","scriptNames":"[]","expressionName":"10951","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10003_rule_10001","ruleStatus":"0","type":"rule","version [...]
-dipper.private.blink.rules&&&&express&&&&10951&&&&{"varName":"step_2_continue","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Boolean\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"false"}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10003_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10003_script_10001","type":"script","value":"p2_logtime='';\np2_proc_name='';\np2_cmd='';\np2_pproc_name='';\np2_pcmd='';\np2_pexe='';\np2_ppexe='';\np2_ [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10003_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10003_script_10002","type":"script","value":"retainField(p2_pid,p2_ppid,p2_pexe,pid,p3_ppexe,ppexe,uuid,p3_pid,pexe,aliuid,p2_proc_name,p2_pcmd,p2_ppexe, [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10004&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"names\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10004_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\" [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10004_rule_10001&&&&{"expressionStr":"step_3_continue,==,boolean,false","scriptNames":"[]","expressionName":"10952","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10004_rule_10001","ruleStatus":"0","type":"rule","version [...]
-dipper.private.blink.rules&&&&express&&&&10952&&&&{"varName":"step_3_continue","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Boolean\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"false"}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10004_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10004_script_10001","type":"script","value":"___null_10062=null(p2_logtime);\nif(___null_10062){___if_v_tmp_ayd871y7dy12_10010=''}else{___if_v_tmp_ayd871 [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10004_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10004_script_10002","type":"script","value":"retainField(p2_pid,p2_ppid,p2_pexe,pid,p3_ppexe,ppexe,uuid,p3_pid,pexe,aliuid,p2_proc_name,p2_pcmd,p2_ppexe, [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10005&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"names\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10005_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\" [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10005_rule_10001&&&&{"expressionStr":"chain_level,in,'\\'p2\\',\\'p3\\''","scriptNames":"[]","expressionName":"10953","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10005_rule_10001","ruleStatus":"0","type":"rule","versi [...]
-dipper.private.blink.rules&&&&express&&&&10953&&&&{"aesFlag":1,"varName":"chain_level","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"H2zd1kq1OIhVTUDIiE4pYw=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10005_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10005_script_10001","type":"script","value":"retainField(p2_pid,p2_ppid,p2_pexe,pid,p3_ppexe,ppexe,uuid,chain_pcmd,p3_pid,pexe,aliuid,p2_proc_name,p2_pcm [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10006&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\":\\\\\\\"script\\\\\\\",\\\\\\\"scriptName\\\\\\\":\\\\\\\"subpipline_blink.source.aegis. [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10006_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10006_script_10001","type":"script","value":"p2_logtime='';\np2_proc_name='';\np2_cmd='';\np2_pproc_name='';\np2_pcmd='';\np2_pexe='';\np2_ppexe='';\np2_ [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10006_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10006_script_10002","type":"script","value":"retainField(p2_pid,p2_ppid,p2_pexe,pid,p3_ppexe,ppexe,uuid,chain_pcmd,p3_pid,pexe,aliuid,p2_proc_name,p2_pcm [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_rule_10003&&&&{"expressionStr":"clean_proc,in,'\\'cmd.exe\\',\\'powershell.exe\\''","scriptNames":"[]","expressionName":"10954","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_rule_10003","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]"," [...]
-dipper.private.blink.rules&&&&express&&&&10954&&&&{"aesFlag":1,"varName":"clean_proc","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"YGeHkwJkc4xJFjK1BtvAndrjJb4sJfqN+JRKfoTDfew="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10011&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10011","type":"script","value":"retainField(unixtime,shot_pcmd,timepart_1day,pid,ppexe,uuid,pproc_name,ppid,clean_proc,timepart_1hour,clean_cmd_noquote,log_uid,pexe,clean_pproc,data_type [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10012&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10012","type":"script","value":"___lower_pproc_name_10010=lower(pproc_name);\n___in_10033=contain(___lower_pproc_name_10010,'cmd.exe','powershell.exe')\n;if(___in_10033){___if_v0_10002=t [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10013&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10013","type":"script","value":"retainField(step_2_continue,unixtime,shot_pcmd,timepart_1day,pid,ppexe,uuid,pproc_name,ppid,clean_proc,timepart_1hour,clean_cmd_noquote,log_uid,pexe,clean [...]
-dipper.private.blink.rules&&&&window&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_join_window_10001&&&&{"waterMarkMinute":"0","className":"com.aliyun.yundun.dipper.window.model.JoinWindow","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_join_window_10001","type":"window","retainWindowCount":"6","windowType":"tumble","timeout":"30000","sizeInterval":"8","isAutoFlush":"false","nameSpace":"dipper.private.blink.rules","havingMap":"[]","extendField":"[]","gr [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_join_left_10001&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"names\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_join_left_10001_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\", [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_join_left_10001_rule_10001&&&&{"expressionStr":"step_2_continue,==,boolean,true","scriptNames":"[]","expressionName":"10955","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_join_left_10001_rule_10001","ruleStatus":"0","type":"rule"," [...]
-dipper.private.blink.rules&&&&express&&&&10955&&&&{"varName":"step_2_continue","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Boolean\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"true"}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_join_left_10001_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_join_left_10001_script_10001","type":"script","value":"___uuid_10004=uuid();\n___concat_10022=concat(uuid,___uuid_10004);\nthe_uuid_dayd71y28y17=___concat_ [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_join_left_10001_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_join_left_10001_script_10002","type":"script","value":"retainField(the_uuid_dayd71y28y17,unixtime,step_2_continue,shot_pcmd,timepart_1day,pid,ppexe,uuid,pp [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_join_right_10001&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.WindowChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\":\\\\\\\"window\\\\\\\",\\\\\\\"lable\\\\\\\":\\\\\\\"blink.source.aegis.proc_adl_sa [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10014&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10014","type":"script","value":"p2_logtime=b.logtime;\np2_unixtime=b.unixtime;\np2_uuid=b.uuid;\np2_proc_name=b.proc_name;\np2_cmd=b.cmd;\np2_pproc_name=b.pproc_name;\np2_pcmd=b.pcmd;\np [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10015&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10015","type":"script","value":"aliuid=b.aliuid;\nclean_cmd_noquote=b.clean_cmd_noquote;\ntimepart_1day=b.timepart_1day;\ntimepart_1hour=b.timepart_1hour;\ndata_type=b.data_type;\nretain [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_rule_10004&&&&{"expressionStr":"r_Dau8d192yd712yd7,==,double,1","scriptNames":"[]","expressionName":"10956","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_rule_10004","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10956&&&&{"varName":"r_Dau8d192yd712yd7","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"1.0"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10016&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10016","type":"script","value":"retainField(unixtime,p2_pid,shot_pcmd,p2_ppid,p2_pexe,p2_clean_proc,timepart_1day,pid,ppexe,uuid,p2_unixtime,timepart_1hour,pexe,aliuid,p2_proc_name,p2_pc [...]
-dipper.private.blink.rules&&&&window&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_join_window_10002&&&&{"waterMarkMinute":"0","className":"com.aliyun.yundun.dipper.window.model.JoinWindow","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_join_window_10002","type":"window","retainWindowCount":"6","windowType":"tumble","timeout":"30000","sizeInterval":"8","isAutoFlush":"false","nameSpace":"dipper.private.blink.rules","havingMap":"[]","extendField":"[]","gr [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_join_left_10002&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"names\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_join_left_10002_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\", [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_join_left_10002_rule_10001&&&&{"expressionStr":"step_3_continue,==,boolean,true","scriptNames":"[]","expressionName":"10957","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_join_left_10002_rule_10001","ruleStatus":"0","type":"rule"," [...]
-dipper.private.blink.rules&&&&express&&&&10957&&&&{"varName":"step_3_continue","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Boolean\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"true"}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_join_left_10002_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_join_left_10002_script_10001","type":"script","value":"retainField(unixtime,p2_pid,shot_pcmd,p2_ppid,p2_pexe,timepart_1day,p2_clean_proc,pid,ppexe,uuid,p2_ [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_join_right_10002&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.WindowChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\":\\\\\\\"window\\\\\\\",\\\\\\\"lable\\\\\\\":\\\\\\\"blink.source.aegis.proc_adl_sa [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10017&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10017","type":"script","value":"p3_logtime=b.logtime;\np3_unixtime=b.unixtime;\np3_uuid=b.uuid;\np3_proc_name=b.proc_name;\np3_cmd=b.cmd;\np3_pproc_name=b.pproc_name;\np3_pcmd=b.pcmd;\np [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10018&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10018","type":"script","value":"clean_proc=b.clean_proc;\nclean_cmd_noquote=b.clean_cmd_noquote;\ntimepart_1day=b.timepart_1day;\ndata_type=b.data_type;\nlog_uid=b.log_uid;\naliuid=b.ali [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_rule_10005&&&&{"expressionStr":"r_Dadu1y2871yd2821tg28,==,double,1","scriptNames":"[]","expressionName":"10958","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_rule_10005","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[] [...]
-dipper.private.blink.rules&&&&express&&&&10958&&&&{"varName":"r_Dadu1y2871yd2821tg28","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"1.0"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10019&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10019","type":"script","value":"retainField(unixtime,p2_pid,shot_pcmd,p2_ppid,p2_pexe,p3_uuid,p3_shot_pcmd,pid,uuid,p2_unixtime,timepart_1hour,p3_pid,step_3_continue,pexe,p2_proc_name,r_ [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10020&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10020","type":"script","value":"___lower_p2_pproc_name_10002=lower(p2_pproc_name);\n___in_10034=contain(___lower_p2_pproc_name_10002,'cmd.exe','powershell.exe')\n;if(___in_10034){___if_v [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10021&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10021","type":"script","value":"retainField(step_3_continue,unixtime,p2_pid,shot_pcmd,p2_ppid,p2_pexe,timepart_1day,p2_clean_proc,pid,ppexe,uuid,p2_unixtime,timepart_1hour,pexe,p2_proc_n [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10007&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\":\\\\\\\"script\\\\\\\",\\\\\\\"scriptName\\\\\\\":\\\\\\\"subpipline_blink.source.aegis. [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10007_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10007_script_10001","type":"script","value":"chain_level='p1';\nchain_pproc_name=pproc_name;\nchain_pcmd=pcmd;\nchain_ppexe=ppexe;\nchain_ppid=ppid;\n"," [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10007_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10007_script_10002","type":"script","value":"retainField(chain_pcmd,chain_ppid,chain_pproc_name,p2_pid,p2_ppid,p2_pexe,pid,p3_ppexe,uuid,p3_pid,pexe,aliu [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10008&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"names\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10008_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\" [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10008_rule_10001&&&&{"expressionStr":"p2_pproc_name,<>,''","scriptNames":"[]","expressionName":"10959","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10008_rule_10001","ruleStatus":"0","type":"rule","version":"1.0","exte [...]
-dipper.private.blink.rules&&&&express&&&&10959&&&&{"aesFlag":1,"varName":"p2_pproc_name","functionName":"<>","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"wc8fi0p7qwBHnY1x2c6Qsw=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10008_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10008_script_10001","type":"script","value":"chain_level='p2';\nchain_pproc_name=p2_pproc_name;\nchain_pcmd=p2_pcmd;\nchain_ppexe=p2_ppexe;\nchain_ppid=p [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10008_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10008_script_10002","type":"script","value":"retainField(chain_pcmd,chain_ppid,chain_pproc_name,p2_pid,p2_pexe,pid,p3_ppexe,ppexe,uuid,p3_pid,pexe,aliuid [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10009&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"names\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10009_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\" [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10009_rule_10001&&&&{"expressionStr":"p3_pproc_name,<>,''","scriptNames":"[]","expressionName":"10960","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10009_rule_10001","ruleStatus":"0","type":"rule","version":"1.0","exte [...]
-dipper.private.blink.rules&&&&express&&&&10960&&&&{"aesFlag":1,"varName":"p3_pproc_name","functionName":"<>","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"wc8fi0p7qwBHnY1x2c6Qsw=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10009_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10009_script_10001","type":"script","value":"chain_level='p3';\nchain_pproc_name=p3_pproc_name;\nchain_pcmd=p3_pcmd;\nchain_ppexe=p3_ppexe;\nchain_ppid=p [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10009_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_union_10009_script_10002","type":"script","value":"retainField(chain_pcmd,chain_ppid,chain_pproc_name,p2_pid,p2_ppid,p2_pexe,pid,ppexe,uuid,p3_pid,pexe,aliuid, [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10022&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10022","type":"script","value":"retainField(chain_ppid,p2_pid,p2_ppid,p2_pexe,pid,p3_ppexe,ppexe,uuid,chain_pcmd,p3_pid,pexe,aliuid,p2_proc_name,p2_pcmd,p2_ppexe,p3_cmd,p3_ppid,p3_proc_n [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10023&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10023","type":"script","value":"___REGEXP_EXTRACT_10005=REGEXP_EXTRACT(cmd,'([a-zA-Z0-9\\/+=]{80,})',1);\ncmd_b64_raw=___REGEXP_EXTRACT_10005;rm('___REGEXP_EXTRACT_10005');\n___lower_pro [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10024&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10024","type":"script","value":"retainField(clean_proc,log_uuid,clean_pexe,clean_chain_pproc,clean_chain_pcmd,cmd_b64_raw,clean_pproc,clean_cmd,clean_chain_ppexe,p2_pid,p2_ppid,p2_pexe,p [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10025&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10025","type":"script","value":"___null_10071=null(cmd_b64_raw);\nif(___null_10071){___if_proc_log_union_10004=''}else{___if_proc_log_union_10004=cmd_b64_raw};\n___B64_AUTO_10004=B64_AUT [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10026&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10026","type":"script","value":"retainField(b64_decode_raw,p2_pid,p2_ppid,p2_pexe,clean_cmd,pid,p3_ppexe,ppexe,uuid,chain_pcmd,log_uuid,clean_chain_pproc,clean_chain_pcmd,p3_pid,pexe,cmd [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10027&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10027","type":"script","value":"___lower_b64_decode_raw_10002=lower(b64_decode_raw);\nb64_decode=___lower_b64_decode_raw_10002;rm('___lower_b64_decode_raw_10002');\n___!null_10032=!null( [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10028&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10028","type":"script","value":"retainField(b64_decode,p2_pid,p2_ppid,p2_pexe,clean_cmd,pid,p3_ppexe,script_path,ppexe,uuid,chain_pcmd,log_uuid,clean_chain_pproc,clean_chain_pcmd,p3_pid, [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10029&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10029","type":"script","value":"___compare_10056=equals(b64_decode,'');\n___concat_10023=concat(clean_cmd,' / ',b64_decode);\nif(___compare_10056){___if_proc_log_union_10006=clean_cmd}el [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10030&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10030","type":"script","value":"retainField(p2_pid,p2_ppid,p2_pexe,pid,script_path,uuid,chain_pcmd,p3_pid,pexe,clean_chain_ppexe,p2_proc_name,b64_decode_raw,p2_ppexe,clean_pexe,p3_cmd,p3 [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10031&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10031","type":"script","value":"_sep1='|';\nblack_feature_number=234;\ntmp_1='1';\ntmp_2='2';\ntmp_3='3';\ntmp_4='4';\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10032&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10032","type":"script","value":"retainField(_sep1,black_feature_number,tmp_4,p2_pid,p2_ppid,p2_pexe,pid,script_path,uuid,chain_pcmd,p3_pid,pexe,clean_chain_ppexe,p2_proc_name,b64_decode_ [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10033&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10033","type":"script","value":"___cast_10481=cast(black_feature_number,'string');\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10034&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10034","type":"script","value":"retainField(p2_pid,_sep1,p2_ppid,p2_pexe,pid,script_path,uuid,chain_pcmd,p3_pid,pexe,clean_chain_ppexe,tmp_4,p2_proc_name,tmp_1,tmp_3,tmp_2,b64_decode_raw [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10035&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10035","type":"script","value":"___compare_10057=equals(clean_proc,'powershell.exe');\n___compare_10058=equals(clean_proc,'cmd.exe');\n___regexp_10162=regex(clean_cmd,'/c.+\\b(powershell [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10036&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10036","type":"script","value":"retainField(cmd_msbuild,p2_pid,_sep1,p2_ppid,p2_pexe,pid,script_path,uuid,chain_pcmd,p3_pid,pexe,clean_chain_ppexe,tmp_4,p2_proc_name,tmp_1,tmp_3,tmp_2,b6 [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10037&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10037","type":"script","value":"___regexp_10174=regex(clean_chain_pproc,'^javaw?\\.exe$');\n___compare_10083=equals(clean_chain_pproc,'jbossservice.exe');\n___regexp_10175=regex(clean_ch [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10038&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10038","type":"script","value":"retainField(ext_0,p2_pid,_sep1,p2_ppid,p2_pexe,pid,script_path,uuid,chain_pcmd,cmd_wscript,p3_pid,pexe,clean_chain_ppexe,tmp_4,cmd_cscript,p2_proc_name,tm [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10039&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10039","type":"script","value":"___!null_10033=!null(ext_0);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_rule_10006&&&&{"expressionStr":"___!null_10033&(ext_0,<>,'')","scriptNames":"[]","expressionName":"10962","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_rule_10006","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10961&&&&{"aesFlag":1,"varName":"ext_0","functionName":"<>","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"wc8fi0p7qwBHnY1x2c6Qsw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10962&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"___!null_10033\",\"10961\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10040&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10040","type":"script","value":"retainField(p2_pid,_sep1,p2_ppid,p2_pexe,pid,script_path,uuid,chain_pcmd,cmd_wscript,p3_pid,pexe,clean_chain_ppexe,tmp_4,cmd_cscript,p2_proc_name,tmp_1,tm [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10041&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10041","type":"script","value":"___cast_10482=cast(uuid,'string');\nuuid=___cast_10482;rm('___cast_10482');\n___cast_10483=cast(logtime,'string');\nlogtime=___cast_10483;rm('___cast_1048 [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10042&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10042","type":"script","value":"retainField(p2_pid,_sep1,p2_ppid,p2_pexe,pid,script_path,uuid,chain_pcmd,cmd_wscript,p3_pid,pexe,tmp_4,clean_chain_ppexe,cmd_cscript,p2_proc_name,tmp_1,tm [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10043&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10043","type":"script","value":"___concat_10026=concat(clean_cmd,p2_cmd,p2_pexe,p2_ppexe,p3_cmd,p3_pcmd);\n___lower____concat_10026_10001=lower(___concat_10026);\n___!_10044=!((((((((((( [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_rule_10007&&&&{"expressionStr":"(___!_10044)","scriptNames":"[]","expressionName":"10964","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_rule_10007","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10964&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10963\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10963&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"___!_10044\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10044&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10044","type":"script","value":"_tmp_qweyhkuyiyiuy='@';\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10045&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10045","type":"script","value":"retainField(_tmp_qweyhkuyiyiuy,p2_pid,_sep1,p2_ppid,p2_pexe,pid,script_path,uuid,chain_pcmd,cmd_wscript,p3_pid,pexe,tmp_4,clean_chain_ppexe,cmd_cscript,p2 [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10046&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10046","type":"script","value":"if((ext_0,like,'%|cmd_cmd_obfs|%')){___case_10082='命令混淆';}else{___case_10082='';};\nif((ext_0,like,'%|tool_cmd_pingswap|%')){___case_10083='no_body';}else [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10047&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10047","type":"script","value":"retainField(p2_pid,_sep1,p2_ppid,p2_pexe,pid,script_path,uuid,chain_pcmd,cmd_wscript,p3_pid,pexe,tmp_4,clean_chain_ppexe,cmd_cscript,p2_proc_name,tmp_1,tm [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10048&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10048","type":"script","value":"___STRING_SPLIT_10002=STRING_SPLIT(threat_type_all,_tmp_qweyhkuyiyiuy);T.v=udtf.0;","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10049&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10049","type":"script","value":"___trim_10005=trim(T.v);\nthreat_type=___trim_10005;rm('___trim_10005');\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10050&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10050","type":"script","value":"retainField(threat_type,p2_pid,_sep1,p2_ppid,p2_pexe,pid,script_path,uuid,chain_pcmd,cmd_wscript,p3_pid,pexe,tmp_4,clean_chain_ppexe,cmd_cscript,p2_proc_n [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10051&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10051","type":"script","value":"___!null_10034=!null(threat_type);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_rule_10008&&&&{"expressionStr":"___!null_10034&(threat_type,regex,'\\S+')","scriptNames":"[]","expressionName":"10966","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_rule_10008","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNam [...]
-dipper.private.blink.rules&&&&express&&&&10965&&&&{"aesFlag":1,"varName":"threat_type","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"BhPVyKanBl/NbolFClSKRQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10966&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"___!null_10034\",\"10965\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10052&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10052","type":"script","value":"retainField(p2_pid,_sep1,p2_ppid,p2_pexe,pid,script_path,uuid,chain_pcmd,cmd_wscript,p3_pid,pexe,tmp_4,clean_chain_ppexe,cmd_cscript,p2_proc_name,tmp_1,tm [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10053&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10053","type":"script","value":"the_version='20210120';\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10054&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10054","type":"script","value":"retainField(p2_pid,p2_ppid,p2_pexe,pid,p3_ppexe,script_path,ppexe,uuid,chain_pcmd,p3_pid,ext_0,pexe,threat_type,aliuid,p2_proc_name,p2_pcmd,threat_type_al [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10055&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10055","type":"script","value":"___!null_10035=!null(threat_type);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_rule_10009&&&&{"expressionStr":"___!null_10035&(threat_type,<>,'')","scriptNames":"[]","expressionName":"10968","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_rule_10009","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[] [...]
-dipper.private.blink.rules&&&&express&&&&10967&&&&{"aesFlag":1,"varName":"threat_type","functionName":"<>","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"wc8fi0p7qwBHnY1x2c6Qsw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10968&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"___!null_10035\",\"10967\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10056&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10056","type":"script","value":"___compare_10218=equals(p2_pproc_name,'');\n___compare_10219=equals(p3_pproc_name,'');\n___concat_10027=concat('[',p2_pproc_name,'] -> [',pproc_name,'] -> [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10057&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10057","type":"script","value":"retainField(p2_pid,p2_ppid,p2_pexe,pid,p3_ppexe,script_path,ppexe,uuid,chain_pcmd,p3_pid,ext_0,pexe,threat_type,aliuid,p2_proc_name,p2_pcmd,threat_type_al [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10058&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10058","type":"script","value":"___lower_pcmd_10005=lower(pcmd);\n___lower_cmd_10020=lower(cmd);\n___lower_cmd_10021=lower(cmd);\n___!_10070=!(((aliuid,==,'1142026142908714')&(((___lower [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_rule_10010&&&&{"expressionStr":"(___!_10070)","scriptNames":"[]","expressionName":"10970","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_rule_10010","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10969&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"___!_10070\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10970&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10969\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10059&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10059","type":"script","value":"___in_10065=contain(threat_type,'uninstall_av','修改defender配置')\n;___in_10066=contain(threat_type,'可疑的注册表操作','可疑的注册表操作_2')\n;___in_10067=contain(threat_typ [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10060&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10060","type":"script","value":"retainField(event_name,p2_pid,p2_ppid,p2_pexe,pid,p3_ppexe,script_path,ppexe,uuid,chain_pcmd,p3_pid,ext_0,pexe,threat_type,aliuid,p2_proc_name,p2_pcmd,thr [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10061&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10061","type":"script","value":"___md5_10011=md5(abk_raw);\nabk=___md5_10011;rm('___md5_10011');\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10062&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10062","type":"script","value":"retainField(p2_pid,p2_ppid,p2_pexe,pid,p3_ppexe,script_path,ppexe,uuid,chain_pcmd,p3_pid,ext_0,pexe,threat_type,aliuid,p2_proc_name,abk_raw,p2_pcmd,threat [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_rule_10011&&&&{"expressionStr":"event_name,<>,''","scriptNames":"[]","expressionName":"10971","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_rule_10011","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10971&&&&{"aesFlag":1,"varName":"event_name","functionName":"<>","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"wc8fi0p7qwBHnY1x2c6Qsw=="}&&&&null
-dipper.private.blink.rules&&&&window&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_window_10001&&&&{"groupByFieldName":"uuid;event_name;abk;___cast_10559","waterMarkMinute":"0","className":"com.aliyun.yundun.dipper.window.model.OverWindow","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_window_10001","type":"window","version":"1.0","fireDelaySecond":"30","timeout":"30000","activtyTimeOut":"3000","sizeInterval":"60","groupMap":"[]","slideInterval":"60","i [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10063&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10063","type":"script","value":"___unixtime_10019=unixtime(logtime);\n___multiplication_10023=multiplication(30,1);\n___division_10015=division(___unixtime_10019,___multiplication_10023) [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10064&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10064","type":"script","value":"retainField(r_dasud891ud912,p2_pid,p2_ppid,p2_pexe,pid,p3_ppexe,script_path,ppexe,uuid,chain_pcmd,p3_pid,ext_0,pexe,threat_type,aliuid,p2_proc_name,abk_ra [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_rule_10012&&&&{"expressionStr":"r_dasud891ud912,==,double,1","scriptNames":"[]","expressionName":"10972","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_rule_10012","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10972&&&&{"varName":"r_dasud891ud912","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"1.0"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10065&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10065","type":"script","value":"retainField(p2_pid,p2_ppid,p2_pexe,pid,p3_ppexe,script_path,ppexe,uuid,chain_pcmd,p3_pid,ext_0,pexe,threat_type,aliuid,p2_proc_name,abk_raw,p2_pcmd,threat [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10066&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10066","type":"script","value":"ali_uid='';\nclient_ip='';\nevent_type='进程异常行为';\nlevel='high';\n___cast_10560=cast(uuid,'string');\n___cast_10561=cast(logtime,'string');\n___cast_10562= [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10067&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_script_10067","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&channel&&&&blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_channel_10001&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink.source.aegis.proc_adl_sas_apsara_win_proc_alert_channel_10001","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder":"true","ma [...]
-dipper.private.blink.rules&&&&pipline&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"nextStageLables\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"blink.source.aegis.proc_sas_linux_alert_proc_cmd_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"cancelAfterConfigurableRefreshListerner\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"ownerSqlNodeTableNa [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd;json_concat_10013&&&&{"fullClassName":"com.aliyun.sec.lyra.udf.ext.JsonConcat","initMethodName":"open","functionName":"json_concat","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd;json_concat_10013","type":"script","version":"1.0","close [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd;b64_auto_10006&&&&{"fullClassName":"com.lyra.xs.udf.ext.b64_auto","initMethodName":"open","functionName":"b64_auto","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd;b64_auto_10006","type":"script","version":"1.0","closeMethodName":"close" [...]
-dipper.private.blink.rules&&&&channel&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","syncTimeout":"5000","groupName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd","pullIntervalMs":"100","isBatchM [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_script_10001","type":"script","value":"___lower_cwd_10001=lower(cwd);\n__compare_value_10007=!((___lower_cwd_10001,regex,'aliyun-assist|securecheck|aegis|aliyun|beaver'))\n;","version":"1.0","extendField [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_rule_10001&&&&{"expressionStr":"(__compare_value_10007)","scriptNames":"[]","expressionName":"10974","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_rule_10001","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10974&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10973\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10973&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"__compare_value_10007\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_script_10002","type":"script","value":"uuid=host_uuid;\nfilename=file_name;\npfilename=parent_file_name;\npcmdline=parent_cmd_line;\nfilepath=file_path;\npfilepath=parent_file_path;\n___REGEXP_EXTRACT_10 [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_script_10003","type":"script","value":"retainField(k8spodname,file_path,dockerimageid,gid,perm,pid,k8snodeid,uuid,file_gid_name,sid,uid,file_gid,k8snodename,cmdline,pfilename,filepath,euid_name,egroup_na [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_script_10004&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_script_10004","type":"script","value":"___lower_cmdline_10096=lower(cmdline);\n___REGEXP_REPLACE_10042=REGEXP_REPLACE(___lower_cmdline_10096,'\\s+',' ');\nstd_cmdline=___REGEXP_REPLACE_10042;rm('___REGEX [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_script_10005&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_script_10005","type":"script","value":"retainField(k8spodname,file_path,dockerimageid,gid,perm,std_filepath,pid,k8snodeid,uuid,std_pfilename,file_gid_name,sid,uid,file_gid,k8snodename,cmdline,pfilename,f [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_script_10006&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_script_10006","type":"script","value":"___lower_std_cmdline_10001=lower(std_cmdline);\n___concat_10030=concat(std_cmdline,std_pcmdline);\n___lower_cmdline_10097=lower(cmdline);\n","version":"1.0","extend [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_rule_10002&&&&{"expressionStr":"((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((___lower_std_cmdline_10001,like,'%base%')|(std_pfilepath,like,'%bin/cron%'))|(std_pfilepath,like,'%bin/atd%'))|(std_pfilepath,like,'%bin/anacron%'))|((std_pfilename,like,'python%')&(((((std_cmdline,regex,'(/dev/shm/\\.)|(/tmp/\\.)')|(std_cmdline,regex,'((\\s+|/|^)history.*?-c)|((echo.*?>|rm\\s+).*?(/log/wtmp|\\. [...]
-dipper.private.blink.rules&&&&express&&&&11061&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11060\",\"10994\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11060&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11059\",\"10993\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11063&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10995\",\"11062\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11062&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10996\",\"10997\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11065&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11064\",\"10998\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11064&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11061\",\"11063\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11108&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11107\",\"11041\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11107&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11106\",\"11040\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11109&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11108\",\"11042\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11067&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11066\",\"11000\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11100&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11099\",\"11033\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11066&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11065\",\"10999\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11069&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11068\",\"11002\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11102&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11101\",\"11035\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11068&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11067\",\"11001\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11101&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11100\",\"11034\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11104&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11103\",\"11037\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11103&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11102\",\"11036\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11106&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11105\",\"11039\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11105&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11104\",\"11038\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11070&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11069\",\"11003\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11072&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11071\",\"11005\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11071&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11070\",\"11004\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11074&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11073\",\"11007\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11073&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11072\",\"11006\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11076&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11075\",\"11009\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11075&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11074\",\"11008\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11078&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11077\",\"11011\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11111&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11110\",\"11044\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11077&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11076\",\"11010\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11110&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11109\",\"11043\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11113&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11112\",\"11046\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11079&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11078\",\"11012\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11112&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11111\",\"11045\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11041&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"TVFYVr4IjZhHXMXYFZKw3A=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11040&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"HNlsfmzcq3GV3t2PVg3axqOxuRCR23HjZ7X2OMuHAds="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11043&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"hfP7cxvb2y9TYGol7rxbVw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11042&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"3aVwh7FsRE5E32EX8ohSFA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10998&&&&{"aesFlag":1,"varName":"std_pfilename","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"LMx96lEt0ofMQatz3hW9JA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10997&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"uaVPWG3+kMJsrVfkKA4gKr+Rb+eJo7anWrwk31gUv2ShqivMTT/ZmlNjhqNK65NqtzUhByv4FmURtuPBusRxdEUgdT68SVaFrDvvwrMWyEQfjQGScRxCEZ0nN8Lijeb7"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10999&&&&{"aesFlag":1,"varName":"pcmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"ufdKNE+MoBQmTicJrrpOmBCUKI+jGUIBKuBHTLBU9ng="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10990&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"+Avnh0zoiCv4arP4n2otmhJIJuuvTbHuyL1LzGm+HOQrPIuSCsoz5yzSJmxvGHd1BcIRWb8BT4MU9vaD6vId13SS+AFiPGQ0kjUpabMGGla0ns2l0sv/vaU1M9+ZiAM2tOPkViMXzB0klCfF1zgKL3iSiC+fpbA8wCPkSNVbhNbsCfI3rk620OtCBTxDt6Dioh/fyZQCcHspwbCjB76JwvQpJzdLECWvub [...]
-dipper.private.blink.rules&&&&express&&&&11045&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"Fh76UkPOBYxrDlIGKhLy3g=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11044&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"GPf/PJUXzl7O8JEk0vEK4g=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10992&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"vcUI9S5P7PIch7ciybbDkg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11047&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10975\",\"10976\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10991&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"HJRJmcYwRPmV4nEtVMMUJQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11046&&&&{"aesFlag":1,"varName":"___lower_cmdline_10097","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"o++L7/E2+XPNgEU7s7lIxnUlN3vGoLG/pi30BCLejvTGqEgTfQLC+ZPi4j4vQk4Q"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10994&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"MDel7t10CZtS8skhcN0HUw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11049&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11048\",\"10978\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10993&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"h9XkyXTTRMlmWnvVoZ8Txg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11048&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11047\",\"10977\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10996&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"dj6zdMkh+IFsV1dra3+B5kQhRDrC7IjEFE4xZ21BSerROIrdrpATclVeqXVxEPm2y/aKFVUAwobUtc3JbRG7MNv/bxqE3fox9RTWbs8fCgDIKfeTqJEQFvAmnfoRBtmS"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10995&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"BH5m6/QqWV5ojuMXWOcdAA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11050&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10980\",\"10981\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11052&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11051\",\"10983\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11051&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11050\",\"10982\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11054&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"10979\",\"11053\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11053&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11052\",\"10984\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11056&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11055\",\"10989\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11055&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11049\",\"11054\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11058&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11057\",\"10991\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11057&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11056\",\"10990\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11059&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11058\",\"10992\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11021&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"bMLK6lJHuLR2KQlAMGB4pg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11020&&&&{"aesFlag":1,"varName":"___concat_10030","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"WI7OXqpILJMlBJa9txI8ke/M4tL2bm5DrYE7ERsWzPGEZs34h7BANHJutJKBUW4wE98d2NjZglq2AzGj7fzU+QHUvKHuBAbM3VZo3c0VcVU="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10976&&&&{"aesFlag":1,"varName":"std_pfilepath","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"bSzz+k//aB+n/eoa8WLr9g=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10975&&&&{"aesFlag":1,"varName":"___lower_std_cmdline_10001","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"bu0RJCYz/VtkFu5QJ45CLg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10978&&&&{"aesFlag":1,"varName":"std_pfilepath","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"BFK7XklNgAGkRWWL/JMKow=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10977&&&&{"aesFlag":1,"varName":"std_pfilepath","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"zCTZGfH1iVMGCEBammSdBg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10979&&&&{"aesFlag":1,"varName":"std_pfilename","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"8YDipxdTx/8MQtmb2pwsWw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11023&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"ptbEPNACThGbQkGr7c3rRA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11022&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"lWDiKLo2Q5XAqZFh1JY/Gw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11025&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"cs5iZ30xVZIaEg8QmZjtsw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11024&&&&{"aesFlag":1,"varName":"cmdline","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"IzssAnC1BMB2v9nA+q1aLg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11027&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"x3eOJ3c0H8bBTOFUKxUwvg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11026&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"a8J7a+jUDzyIBIJHLH+u0w=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11029&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"Kwsaze27qwsXPvQuRTYfEu1gKmFzli2phmlaqBBlHNWmlxKVXWYj/gDEMO5KS3ab"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11028&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"VAiHxpc6w/lOnT/goAtsDTvfaXX+C8kcLx8q5CRvJyGaPYYeZymPv7YkF714R3tU/eKAPDFvoijIGto0dsvR1D6rb/b6jMi7TwWA65tvw7CTBoDGBES/FkdmEN1Mu16DZFTuO63W/3VIV7PV/4nmDAZD4GP+Km861y47b3hq/0SvMpCAlRYvyoO0FiX1TulB"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11030&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"bXnk9N2uamEoUq5sap8AIXyj8kJ9uBvkPoXwL1Cu0cP9v0u93QmppOp33gXvFof5QGewMH4SgR+eXDKDc3SNbSgaOZ220e3K/nOGZWK3aX4oDRM1mOnCg8wvKhxBbHsCuApPSFGbX9xwyETNtdEcu7GwWXChO0oNM2uEGvN/WnYrrC6ArlXfkVM6l8kIcHNN"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11032&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"rYmripZ9v8codAeoVXJQcVwaGLu+C6VdwfhFcoaiUq52UP3mDMG/cDoTrYFQH98Ak8nRpfzj7ru1AOC7K7HYm1flQf0KIDYGVDF0ClfhtuQ="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11031&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"fILg2Kj3NyWuwT9VD2DAFiZ9n0Y6S6nBEKd7FHWM0FIaujiDRWF9ehTvDIqBPA2uy4500rRtM/18U7Mu4Ui5/Q=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10987&&&&{"aesFlag":1,"varName":"std_pcmdline","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"l9TYEZNEgx5Smq8tuUUy9g=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10986&&&&{"aesFlag":1,"varName":"std_pcmdline","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"nJBjprx929aA/lZbLSUXqw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10989&&&&{"aesFlag":1,"varName":"std_pfilename","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"wjmOwzecnEg3F05hLnwG0A=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10988&&&&{"aesFlag":1,"varName":"std_pcmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"UqIEA0mgyxPygn9s2M18j6t59zr/GOjLa11h/KtCj5o="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11034&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"Y88XpK8iIbsDDSWzTVe7Jw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11033&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"1KmXvvnf4K31Gqbgz2NV7uc/hg4HlDe4eTJKNvbV0GF3kAhCNo6LKuf00QtKVIrQctutB+xGlGMw4I+ZdQIW7PiBFADSFxA+50YY+jOXtVzTlxNLbEQwUl5gGHUT0iSm"}&&&&null
-dipper.private.blink.rules&&&&express&&&&10981&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"2wGev09h1x35RIPn5hr0zOfGMvLhLCkyFXeXXUme7ornvsWCoR31uKyTaGbsEZTRra4DoUzioTPaKzh1dIhrc4KiOpEgKeiLhvtNMYZLZSmhzdycxECOXqOysb0myhnOfFGfSopx3hnMReSulU2tCURmJldZpWZowJhxdIuKsMflvGDBdavYBRrzELzc/ZkfGAvXV4Hfkqya9osNpKpsSw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11036&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"Z3evgG2VXwjmywr8m/at5Q=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10980&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"RgaZ+qq6ia8cXW/5TQ/hxbFKmLbxCrBqRkQcBiMzsa0="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11035&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"6K4xHNULGM0I19x+AyX8lmf9pIHBqC2U5C4NWKeaE5aNL8xPtICJ2X7/DyGonsruMRiYRzwSVAVZmEkSUU1WQw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10983&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"bXnk9N2uamEoUq5sap8AId8I0BKuewpjnMMhC8cCcKkNjSCLj2tJFtU/uZU41VGCSJp/wF/uQlMMMl0FQxiQB6lc/acMHJ/1VaWHQ0hFKeBzweX5xlJYcKtXOMpLF4H0L8emqzfxAs6vJKAvLAGR0BvZVji32jUeqEPooutYIy8="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11038&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"FaqlXF+NjGPqjsQY1Fs1NQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10982&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"v46lbaznhI5nGyi690SeDifWsx7dIadFxNKGEth1SW5VromxcyKwl1hUdWFUBH24iZ71uhFfavbHknZuPUG64KJheSt/mtX3sOZ8qf7m8UhRLyuRj3kz03goi0yy+FMCBBY7fEKQv5w5cUqKGbzzqg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11037&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"vQXfgUWX9KYmBuuiyI0Md0qBuWpbNLgIN4YLyICABmo="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10985&&&&{"aesFlag":1,"varName":"std_pcmdline","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"k4ZCQo0F8fT0hS75Hd5sMg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&10984&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"vSCxbCf398GrT+LaONPqXqD73IocQLKKBiv0FlAUO4yJ1Abh4Hyb17cGyKxmCxS9IAh6MGwdpJcWE/r5CLHFfsvWZD+VgHrlNwtjheaFLzoGY6meQHhRap7Ei6BHhRjPKrP5MP6gdC7W6EfC2E/E3n9ubhmq8zPRMMigkRqCMI+ZstifizoxAiEEUu4vCzIz"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11039&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"vQXfgUWX9KYmBuuiyI0Md0qBuWpbNLgIN4YLyICABmo="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11081&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11080\",\"11014\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11080&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11079\",\"11013\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11083&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11082\",\"11016\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11082&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11081\",\"11015\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11085&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11084\",\"11018\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11084&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11083\",\"11017\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11087&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11086\",\"11020\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11086&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11085\",\"11019\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11009&&&&{"aesFlag":1,"varName":"cmdline","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"ceQQ+T4hhIWo+KzjYIEwbw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11008&&&&{"aesFlag":1,"varName":"pcmdline","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"5XhiYhbSK5u+DDqvTDrrFw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11001&&&&{"aesFlag":1,"varName":"filepath","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"agzS9KWiGz89vU+v1X8JfQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11089&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11088\",\"11022\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11000&&&&{"aesFlag":1,"varName":"cwd","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"agzS9KWiGz89vU+v1X8JfQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11088&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11087\",\"11021\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11003&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"QknOB+ql9NKXvVsEoLQUqg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11002&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"9vmtEK+LW6oqgtoNGXri/B/7PMPU8QTLCVLoqwyIFYk="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11005&&&&{"aesFlag":1,"varName":"std_pcmdline","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"QknOB+ql9NKXvVsEoLQUqg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11004&&&&{"aesFlag":1,"varName":"std_pcmdline","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"9vmtEK+LW6oqgtoNGXri/B/7PMPU8QTLCVLoqwyIFYk="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11007&&&&{"aesFlag":1,"varName":"cmdline","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"KSGb4IrIYtMpRcbj2FK08g=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11006&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"HpGAXMP8jdcBm0ggnkqXH11+JNPLI9FePdCx63hvvNpPD7eFb0h8x4G9D9T8mZhWKt8PUIb2QwQwqjx7BVxYhIb+TrGkjVzAC//OfX4kEkUV0dwiTK1dr+KSO35OeRkvxbk0NoIhV4lDXKwHfuoEcNU5zdbO8pUrju6y6P62EJCfgRDF9hN2TD2loaj9BDVl"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11092&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11091\",\"11025\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11091&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11090\",\"11024\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11094&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11093\",\"11027\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11093&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11092\",\"11026\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11096&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11095\",\"11029\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11095&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11094\",\"11028\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11010&&&&{"aesFlag":1,"varName":"cmdline","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"JCQ+ifFXeLkOYGxkDn1AYA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11098&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11097\",\"11031\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11097&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11096\",\"11030\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11090&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11089\",\"11023\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11019&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"KAk1x/4nGha+x4Yf00SdMwnbpEPiL9++eM4vQxiKAPg="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11012&&&&{"aesFlag":1,"varName":"pcmdline","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"6WxBwqGTqeFcYf1pipmKcfp81FzKpmmcpIHdilKDpPU="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11011&&&&{"aesFlag":1,"varName":"cmdline","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"OBxJlsIL2EcTonXa+/dNQg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11099&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11098\",\"11032\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11014&&&&{"aesFlag":1,"varName":"std_pfilename","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0Q/1PBEDqr60PMbIRqKfYBWb5Vpg724nza7Y8cu27MZA8m6LXl1qWUoDYfqjtJbkk3bodVs2fpbffZEOXKg2dA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11013&&&&{"aesFlag":1,"varName":"std_pfilename","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"cjWGDo2eA5+zrRhIdflopA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11016&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"QXEC0iMe0Y01pb3zIrNY3w=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11015&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"oGJJ1tOpdY/BzLXTcOKznjzexr9upC5+357GQpnbk4p8p+LnmhsdaPfCMlhF3WPqyaE4uxZ8VJBXYVxYKPLGZg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11018&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"UlheacR+WhpMm1PDPVxkCA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11017&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"BnbZj5gSeJIwCZz2/gPDog=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_script_10007&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_script_10007","type":"script","value":"retainField(k8spodname,dockerimageid,gid,perm,std_filepath,pid,k8snodeid,uuid,std_pfilename,file_gid_name,sid,uid,file_gid,k8snodename,pfilename,cmdline,filepath,st [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_union_10001&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\":\\\\\\\"script\\\\\\\",\\\\\\\"scriptName\\\\\\\":\\\\\\\"subpipline_blink.source.aegis.proc_ [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_union_10001_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_union_10001_script_10001","type":"script","value":"___regexp_10469=regex(cmdline,'virustotal\\.com|hostname');\n___compare_10225=equals(___regexp_10469,false);\n___regex [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_union_10001_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_union_10001_script_10002","type":"script","value":"retainField(k8spodname,dockerimageid,gid,perm,std_filepath,pid,k8snodeid,uuid,std_pfilename,file_gid_name,sid,uid,file [...]
-dipper.private.blink.rules&&&&pipline&&&&subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_union_10002&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\":\\\\\\\"script\\\\\\\",\\\\\\\"scriptName\\\\\\\":\\\\\\\"subpipline_blink.source.aegis.proc_ [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_union_10002_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_union_10002_script_10001","type":"script","value":"___regexp_10545=regex(std_pfilename,'^postgres');\n___regexp_10546=regex(std_cmdline,'(/dev/shm/\\.)|(/tmp/\\.)');\n__ [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_union_10002_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_blink.source.aegis.proc_sas_linux_alert_proc_cmd_union_10002_script_10002","type":"script","value":"retainField(k8spodname,dockerimageid,gid,perm,std_filepath,pid,k8snodeid,uuid,std_pfilename,file_gid_name,sid,uid,file [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_script_10008&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_script_10008","type":"script","value":"___unixtime_10020=unixtime(scan_time,'yyyy-MM-dd HH:mm:ss');\n___division_10016=division(___unixtime_10020,3600);\n___floor_10007=floor(___division_10016);\n___cast [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_script_10009&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_script_10009","type":"script","value":"retainField(k8spodname,dockerimageid,gid,perm,std_filepath,pid,k8snodeid,uuid,std_pfilename,file_gid_name,sid,uid,file_gid,k8snodename,pfilename,cmdline,filepath,st [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_script_10010&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_script_10010","type":"script","value":"___!null_10037=!null(event_name);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_rule_10003&&&&{"expressionStr":"___!null_10037&(event_name,!in,'\\'\\',\\'N/A\\'')","scriptNames":"[]","expressionName":"11115","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_rule_10003","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionName [...]
-dipper.private.blink.rules&&&&express&&&&11115&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"___!null_10037\",\"11114\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11114&&&&{"aesFlag":1,"varName":"event_name","functionName":"!in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"TVEW40h+v56CrjMCEeE0Kg=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_script_10011&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_script_10011","type":"script","value":"___concat_10033=concat(std_cmdline,std_filename,std_pfilepath,std_pcmdline);\n___regexp_10591=regex(___concat_10033,'dracut-install|aliyun-assist|/gcc/|virustotal|a [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_script_10012&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_script_10012","type":"script","value":"retainField(is_white,k8spodname,dockerimageid,gid,perm,std_filepath,pid,k8snodeid,uuid,std_pfilename,file_gid_name,sid,uid,file_gid,k8snodename,pfilename,cmdline,fi [...]
-dipper.private.blink.rules&&&&rule&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_rule_10004&&&&{"expressionStr":"is_white,==,double,0","scriptNames":"[]","expressionName":"11116","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_rule_10004","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11116&&&&{"varName":"is_white","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0.0"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_script_10013&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_script_10013","type":"script","value":"ali_uid='';\nclient_ip='';\nevent_type='进程异常行为';\nevent_name=event_name;\nlevel='high';\n___cast_10581=cast(uuid,'string');\n___cast_10582=cast(scan_time,'string'); [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_script_10014&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_script_10014","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_script_10015&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_script_10015","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&channel&&&&blink.source.aegis.proc_sas_linux_alert_proc_cmd_channel_10001&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink.source.aegis.proc_sas_linux_alert_proc_cmd_channel_10001","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder":"true","maxFetchLogG [...]
-dipper.private.blink.rules&&&&pipline&&&&blink.source.aegis.proc&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\":\\\\\\\"script\\\\\\\",\\\\\\\"scriptName\\\\\\\":\\\\\\\"blink.source.aegis.proc_script_10001\\\\\\\",\\\\\\\"lable\\\\\\\":\\\\\\\"blink.so [...]
-dipper.private.blink.rules&&&&channel&&&&blink.source.aegis.proc;channel&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"12","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"blink.source.aegis.proc;channel","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","tags":"blink.source.aegis.proc.tags","syncTimeout":"5000","groupName":"blink.source.aegis.proc.group","isBatchMessage":"true","isAutoFlush":"false", [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.proc_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.proc_script_10001","type":"script","value":"aliUid=JSON_VALUE (meta_conf, '$.aliUid');logContent=data;logTime=now();inner_message();splitArray('logContent');scan_time=coalesce(time,'N/A');uid=coalesce(uid,'N/A');uid_name=coalesce(username,'N/A');euid=coalesc [...]
-dipper.private.blink.rules&&&&pipline&&&&windows_reg_alert&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"nextStageLables\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"windows_reg_alert_script_10002\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"cancelAfterConfigurableRefreshListerner\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"ownerSqlNodeTableName\\\\\\\":\\\\\\\"dwd_yunsec_host_aegis_window_regedit_stre [...]
-dipper.private.blink.rules&&&&script&&&&windows_reg_alert;json_concat_10014&&&&{"fullClassName":"com.aliyun.sec.lyra.udf.ext.JsonConcat","initMethodName":"open","functionName":"json_concat","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"windows_reg_alert;json_concat_10014","type":"script","version":"1.0","closeMethodName":"close","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&windows_reg_alert;json_array_parse_10001&&&&{"setCollectorMethodName":"setCollector","fullClassName":"com.aliyun.isec.seraph.udtf.JsonArrayParser","initMethodName":"open","functionName":"json_array_parse","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udtf.BlinkUDTFScript","configureName":"windows_reg_alert;json_array_parse_10001","type":"script","version":"1.0","isURL":"false","nameSpace":"dipper.private.blink.rules","close [...]
-dipper.private.blink.rules&&&&channel&&&&windows_reg_alert&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"windows_reg_alert","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","syncTimeout":"5000","groupName":"windows_reg_alert","isBatchMessage":"true","isAutoFlush":"false","maxFetchLogGroupSize":"100","syncCount":"1000","outputThreadCount":"-1","nameS [...]
-dipper.private.blink.rules&&&&script&&&&windows_reg_alert_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"windows_reg_alert_script_10001","type":"script","value":"___JSON_ARRAY_PARSE_10001=JSON_ARRAY_PARSE(data,'proc_cmd','proc_path','key_path','pid','time','ppid');m.proc_cmd=udtf.0;m.proc_path=udtf.1;m.key_path=udtf.2;m.pid=udtf.3;m.time=udtf.4;m.ppid=udtf.5;","version":"1.0","extendFi [...]
-dipper.private.blink.rules&&&&script&&&&windows_reg_alert_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"windows_reg_alert_script_10002","type":"script","value":"trace_id=traceId;\n___json_get_10095=json_get(meta_conf,'$.gcLevel');\ngc_level=___json_get_10095;rm('___json_get_10095');\n___json_get_10096=json_get(meta_conf,'$.aliUid');\nali_uid=___json_get_10096;rm('___json_get_10096');\ [...]
-dipper.private.blink.rules&&&&script&&&&windows_reg_alert_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"windows_reg_alert_script_10003","type":"script","value":"ppid=m.ppid;\nkey_path=m.key_path;\ntime=m.time;\nproc_cmd=m.proc_cmd;\nproc_path=m.proc_path;\npid=m.pid;\nretainField(app,ppid,trace_id,buy_aegis,app_version,ip,safe_mode,key_path,type,uuid,version,time,ali_uid,buy_sas,proc_ [...]
-dipper.private.blink.rules&&&&script&&&&windows_reg_alert_script_10004&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"windows_reg_alert_script_10004","type":"script","value":"___lower_key_path_10001=lower(key_path);\n___regexp_10592=regex(key_path,'InprocServer32|LocalServer32|InprocServer|LocalServer');\nif((key_path,like,'%PowerShell\\ScriptBlockLogging%')){___case_10149='hkey_powershell_block';} [...]
-dipper.private.blink.rules&&&&script&&&&windows_reg_alert_script_10005&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"windows_reg_alert_script_10005","type":"script","value":"retainField(app,trace_id,proc_cmd,buy_aegis,app_version,ip,safe_mode,proc_path,pid,type,uuid,version,ppid,ali_uid,buy_sas,key_path,time,gc_level,seq,label);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&windows_reg_alert_script_10006&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"windows_reg_alert_script_10006","type":"script","value":"___!null_10038=!null(label);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&windows_reg_alert_rule_10001&&&&{"expressionStr":"(___!null_10038)","scriptNames":"[]","expressionName":"11118","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"windows_reg_alert_rule_10001","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11118&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11117\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11117&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"___!null_10038\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&windows_reg_alert_script_10007&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"windows_reg_alert_script_10007","type":"script","value":"retainField(app,trace_id,proc_cmd,buy_aegis,app_version,ip,safe_mode,proc_path,pid,label,type,uuid,version,ppid,ali_uid,buy_sas,key_path,time,gc_level,seq);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&windows_reg_alert_script_10008&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"windows_reg_alert_script_10008","type":"script","value":"___!_10071=!((proc_path,like,'%Trend Micro/%/TmListen.exe%'));\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&windows_reg_alert_rule_10002&&&&{"expressionStr":"(___!_10071)","scriptNames":"[]","expressionName":"11120","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"windows_reg_alert_rule_10002","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11119&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"___!_10071\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11120&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11119\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&windows_reg_alert_script_10009&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"windows_reg_alert_script_10009","type":"script","value":"___in_10090=contain(label,'hkey_defender')\n;___concat_10035=concat(proc_cmd,proc_path);\n___lower____concat_10035_10001=lower(___concat_10035);\n___in_10091=contain(label,'hkey_defender')\n;___concat_10036=concat(proc_cmd,pro [...]
-dipper.private.blink.rules&&&&script&&&&windows_reg_alert_script_10010&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"windows_reg_alert_script_10010","type":"script","value":"retainField(app,trace_id,proc_cmd,buy_aegis,app_version,ip,safe_mode,proc_path,pid,label,type,uuid,version,ppid,ali_uid,buy_sas,key_path,time,gc_level,seq,alert_task_name);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&windows_reg_alert_script_10011&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"windows_reg_alert_script_10011","type":"script","value":"___!null_10041=!null(alert_task_name);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&windows_reg_alert_rule_10003&&&&{"expressionStr":"(___!null_10041)","scriptNames":"[]","expressionName":"11122","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"windows_reg_alert_rule_10003","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11122&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11121\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11121&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"___!null_10041\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&windows_reg_alert_script_10012&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"windows_reg_alert_script_10012","type":"script","value":"retainField(app,trace_id,proc_cmd,buy_aegis,app_version,ip,safe_mode,proc_path,pid,label,alert_task_name,type,uuid,version,ppid,ali_uid,buy_sas,key_path,time,gc_level,seq);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&windows_reg_alert_script_10013&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"windows_reg_alert_script_10013","type":"script","value":"retainField(app,trace_id,proc_cmd,buy_aegis,app_version,ip,safe_mode,proc_path,pid,label,alert_task_name,type,uuid,version,ppid,ali_uid,buy_sas,key_path,time,gc_level,seq);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&pipline&&&&subpipline_windows_reg_alert_union_10001&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"names\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"subpipline_windows_reg_alert_union_10001_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\": [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_windows_reg_alert_union_10001_rule_10001&&&&{"expressionStr":"alert_task_name,in,'\\'hkey_run_from_root\\''","scriptNames":"[]","expressionName":"11123","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_windows_reg_alert_union_10001_rule_10001","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11123&&&&{"aesFlag":1,"varName":"alert_task_name","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"fbQAtwZSw9S4GWSTkKdCFDBoPFzjQvWt3boQSF0SGec="}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_windows_reg_alert_union_10001_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_windows_reg_alert_union_10001_script_10001","type":"script","value":"___cast_10629=cast(null_10014,'string');\nclient_ip=___cast_10629;rm('___cast_10629');\nevent_type='进程异常行为';\nevent_name='修改Windows注册表自启动项';\nlevel='high';\n___cast_10630=cast(proc [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_windows_reg_alert_union_10001_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_windows_reg_alert_union_10001_script_10002","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&pipline&&&&subpipline_windows_reg_alert_union_10002&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"names\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"subpipline_windows_reg_alert_union_10002_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\": [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_windows_reg_alert_union_10002_rule_10001&&&&{"expressionStr":"alert_task_name,in,'\\'hkey_user_logon_trigger\\''","scriptNames":"[]","expressionName":"11124","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_windows_reg_alert_union_10002_rule_10001","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11124&&&&{"aesFlag":1,"varName":"alert_task_name","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"RbcVVSweeHoecAucQldJ0/tqocCsISkoaG+7JEDZcUM="}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_windows_reg_alert_union_10002_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_windows_reg_alert_union_10002_script_10001","type":"script","value":"___cast_10635=cast(null_10015,'string');\nclient_ip=___cast_10635;rm('___cast_10635');\nevent_type='进程异常行为';\nevent_name='通过Windows注册表修改用户登录配置';\nlevel='high';\n___cast_10636=cast( [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_windows_reg_alert_union_10002_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_windows_reg_alert_union_10002_script_10002","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&pipline&&&&subpipline_windows_reg_alert_union_10003&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"names\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"subpipline_windows_reg_alert_union_10003_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\": [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_windows_reg_alert_union_10003_rule_10001&&&&{"expressionStr":"alert_task_name,in,'\\'hkey_defender_ps\\''","scriptNames":"[]","expressionName":"11125","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_windows_reg_alert_union_10003_rule_10001","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11125&&&&{"aesFlag":1,"varName":"alert_task_name","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"IPYM38C/IOMAL3hzz89e5uJ8QqLWqADbdmLWhXvqOEc="}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_windows_reg_alert_union_10003_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_windows_reg_alert_union_10003_script_10001","type":"script","value":"___cast_10641=cast(null_10016,'string');\nclient_ip=___cast_10641;rm('___cast_10641');\nevent_type='进程异常行为';\nevent_name='Windows Defender配置修改_紧急';\nlevel='high';\n___cast_10642=ca [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_windows_reg_alert_union_10003_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_windows_reg_alert_union_10003_script_10002","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&pipline&&&&subpipline_windows_reg_alert_union_10004&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"names\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"subpipline_windows_reg_alert_union_10004_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\": [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_windows_reg_alert_union_10004_rule_10001&&&&{"expressionStr":"alert_task_name,in,'\\'hkey_defender_other\\''","scriptNames":"[]","expressionName":"11126","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_windows_reg_alert_union_10004_rule_10001","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11126&&&&{"aesFlag":1,"varName":"alert_task_name","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"/PAIOo0j1K5S+H5MuPeRMeJ4i3RL55iENQ6o0bwBUpI="}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_windows_reg_alert_union_10004_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_windows_reg_alert_union_10004_script_10001","type":"script","value":"___cast_10647=cast(null_10017,'string');\nclient_ip=___cast_10647;rm('___cast_10647');\nevent_type='进程异常行为';\nevent_name='Windows Defender配置修改_提醒';\nlevel='high';\n___cast_10648=ca [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_windows_reg_alert_union_10004_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_windows_reg_alert_union_10004_script_10002","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&pipline&&&&subpipline_windows_reg_alert_union_10005&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"names\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"subpipline_windows_reg_alert_union_10005_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\": [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_windows_reg_alert_union_10005_rule_10001&&&&{"expressionStr":"alert_task_name,in,'\\'hkey_control_wdigest_common\\''","scriptNames":"[]","expressionName":"11127","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_windows_reg_alert_union_10005_rule_10001","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11127&&&&{"aesFlag":1,"varName":"alert_task_name","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"gTbD0sj2xCNjBc8NAJYASWlzSx8U7VLTHKBVUnDBxlA="}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_windows_reg_alert_union_10005_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_windows_reg_alert_union_10005_script_10001","type":"script","value":"___cast_10653=cast(null_10018,'string');\nclient_ip=___cast_10653;rm('___cast_10653');\nevent_type='进程异常行为';\nevent_name='Windows登录凭证窃取';\nlevel='high';\n___cast_10654=cast(proc_cm [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_windows_reg_alert_union_10005_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_windows_reg_alert_union_10005_script_10002","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&pipline&&&&subpipline_windows_reg_alert_union_10006&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"names\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"subpipline_windows_reg_alert_union_10006_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\": [...]
-dipper.private.blink.rules&&&&rule&&&&subpipline_windows_reg_alert_union_10006_rule_10001&&&&{"expressionStr":"alert_task_name,in,'\\'hkey_image_hijack_debugger\\''","scriptNames":"[]","expressionName":"11128","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_windows_reg_alert_union_10006_rule_10001","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11128&&&&{"aesFlag":1,"varName":"alert_task_name","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"vxuFqmZe0cLC5qwj7UdwRWYRKwhvdoU0ezVD+a8NA0U="}&&&&null
-dipper.private.blink.rules&&&&script&&&&subpipline_windows_reg_alert_union_10006_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_windows_reg_alert_union_10006_script_10001","type":"script","value":"___cast_10659=cast(null_10019,'string');\nclient_ip=___cast_10659;rm('___cast_10659');\nevent_type='进程异常行为';\nevent_name='Windows映像劫持';\nlevel='high';\n___cast_10660=cast(proc_cmd, [...]
-dipper.private.blink.rules&&&&script&&&&subpipline_windows_reg_alert_union_10006_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"subpipline_windows_reg_alert_union_10006_script_10002","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&channel&&&&windows_reg_alert_channel_10001&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"windows_reg_alert_channel_10001","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder":"true","maxFetchLogGroupSize":"100","syncCount":"1000","nameSpace":"dipper.private [...]
-dipper.private.blink.rules&&&&pipline&&&&blink.direct.source.aegis_reg&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.SubPiplineChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"nextStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"filterMsgSwitch\\\\\\\":\\\\\\\"blink.direct.source.aegis_reg.filter.switch\\\\\\\",\\\\\\\"cancelAfterConfigurableRefreshListerner\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"className\\\\\\\":\\\\\\\"com.ali [...]
-dipper.private.blink.rules&&&&channel&&&&blink.direct.source.aegis_reg;channel&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"12","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"blink.direct.source.aegis_reg;channel","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","tags":"blink.direct.source.aegis_reg.tags","syncTimeout":"5000","groupName":"blink.direct.source.aegis_reg.group","isBatchMessage":"true [...]
-dipper.private.blink.rules&&&&pipline&&&&sas_linux_alert_client_reverse_shell&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"nextStageLables\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"sas_linux_alert_client_reverse_shell_script_10002\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"cancelAfterConfigurableRefreshListerner\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"ownerSqlNodeTableName\\\\\\\":\\\\\\\"mq_ [...]
-dipper.private.blink.rules&&&&script&&&&sas_linux_alert_client_reverse_shell;SplitString_10001&&&&{"setCollectorMethodName":"setCollector","fullClassName":"com.sas.zing.blink.udf.SplitString","initMethodName":"open","functionName":"SplitString","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udtf.BlinkUDTFScript","configureName":"sas_linux_alert_client_reverse_shell;SplitString_10001","type":"script","version":"1.0","isURL":"false","nameSpace":"dipper.private.blink [...]
-dipper.private.blink.rules&&&&script&&&&sas_linux_alert_client_reverse_shell;json_concat_10015&&&&{"fullClassName":"com.aliyun.sec.lyra.udf.ext.JsonConcat","initMethodName":"open","functionName":"json_concat","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"sas_linux_alert_client_reverse_shell;json_concat_10015","type":"script","version":"1.0","closeMethodName":"close","ext [...]
-dipper.private.blink.rules&&&&script&&&&sas_linux_alert_client_reverse_shell;ReverseShellFD_10001&&&&{"fullClassName":"com.sas.zing.blink.udf.ReverseShellFD","initMethodName":"open","functionName":"ReverseShellFD","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"sas_linux_alert_client_reverse_shell;ReverseShellFD_10001","type":"script","version":"1.0","closeMethodName":"clo [...]
-dipper.private.blink.rules&&&&channel&&&&sas_linux_alert_client_reverse_shell&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"sas_linux_alert_client_reverse_shell","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","tags":"T_MSG_BASHSHELL","syncTimeout":"5000","groupName":"sas_linux_alert_client_reverse_shell","pullIntervalMs":"100","isBatchMessage":"tr [...]
-dipper.private.blink.rules&&&&script&&&&sas_linux_alert_client_reverse_shell_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"sas_linux_alert_client_reverse_shell_script_10001","type":"script","value":"log_content=data;\n___json_get_10099=json_get(meta_conf,'$.aliUid');\naliUid=___json_get_10099;rm('___json_get_10099');\nlog_protocol_type=type;\n___now_10002=now();\n___fromunixtime_10003 [...]
-dipper.private.blink.rules&&&&script&&&&sas_linux_alert_client_reverse_shell_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"sas_linux_alert_client_reverse_shell_script_10002","type":"script","value":"retainField(sls_time,app_version,log_protocol_type,aliUid,log_content,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&sas_linux_alert_client_reverse_shell_rule_10001&&&&{"expressionStr":"log_protocol_type,==,'T_MSG_BASHSHELL'","scriptNames":"[]","expressionName":"11129","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"sas_linux_alert_client_reverse_shell_rule_10001","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11129&&&&{"aesFlag":1,"varName":"log_protocol_type","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"t9ibOFmrc6H0cLcIbwDcZQ=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&sas_linux_alert_client_reverse_shell_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"sas_linux_alert_client_reverse_shell_script_10003","type":"script","value":"___uuid_10005=uuid();\nunique_id=___uuid_10005;rm('___uuid_10005');\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&sas_linux_alert_client_reverse_shell_script_10004&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"sas_linux_alert_client_reverse_shell_script_10004","type":"script","value":"retainField(unique_id,sls_time,app_version,log_protocol_type,aliUid,log_content,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&sas_linux_alert_client_reverse_shell_script_10005&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"sas_linux_alert_client_reverse_shell_script_10005","type":"script","value":"retainField(unique_id,sls_time,app_version,log_protocol_type,aliUid,log_content,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&channel&&&&sas_linux_alert_client_reverse_shell_channel_10001&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"sas_linux_alert_client_reverse_shell_channel_10001","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder":"true","maxFetchLogGroupSize":"100","syncCou [...]
-dipper.private.blink.rules&&&&script&&&&sas_linux_alert_client_reverse_shell_script_10006&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"sas_linux_alert_client_reverse_shell_script_10006","type":"script","value":"___splitindex_10007=splitindex(app_version,'_',1);\n___splitindex_10008=splitindex(app_version,'_',2);\n___concat_10038=concat(___splitindex_10007,___splitindex_10008);\n___cast_10665=cast [...]
-dipper.private.blink.rules&&&&script&&&&sas_linux_alert_client_reverse_shell_script_10007&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"sas_linux_alert_client_reverse_shell_script_10007","type":"script","value":"retainField(unique_id,sls_time,app_version,aliUid,log_content,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&sas_linux_alert_client_reverse_shell_script_10008&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"sas_linux_alert_client_reverse_shell_script_10008","type":"script","value":"___compare_10257=greateeq(app_version,'1085');\n___REVERSESHELLFD_10001=REVERSESHELLFD(log_content,'new');\n___REVERSESHELLFD_10002=REVERSESHELLFD(log_content,'old');\nif(___compare_10257) [...]
-dipper.private.blink.rules&&&&script&&&&sas_linux_alert_client_reverse_shell_script_10009&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"sas_linux_alert_client_reverse_shell_script_10009","type":"script","value":"retainField(res,unique_id,sls_time,app_version,aliUid,log_content,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&sas_linux_alert_client_reverse_shell_rule_10002&&&&{"expressionStr":"res,<>,''","scriptNames":"[]","expressionName":"11130","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"sas_linux_alert_client_reverse_shell_rule_10002","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11130&&&&{"aesFlag":1,"varName":"res","functionName":"<>","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"wc8fi0p7qwBHnY1x2c6Qsw=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&sas_linux_alert_client_reverse_shell_script_10010&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"sas_linux_alert_client_reverse_shell_script_10010","type":"script","value":"___splitindex_10009=splitindex(res,'@@@',0);\ncontainer_name=___splitindex_10009;rm('___splitindex_10009');\n___splitindex_10010=splitindex(res,'@@@',1);\ncontainer_image_id=___splitindex_ [...]
-dipper.private.blink.rules&&&&script&&&&sas_linux_alert_client_reverse_shell_script_10011&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"sas_linux_alert_client_reverse_shell_script_10011","type":"script","value":"retainField(unique_id,container_image_id,k8s_cluster_id,sls_time,app_version,k8s_pod_name,uuid,dst_ip,layer,k8s_node_name,found_out,cmdline,container_name,p_info,dst_port,aliUid,log_conten [...]
-dipper.private.blink.rules&&&&rule&&&&sas_linux_alert_client_reverse_shell_rule_10003&&&&{"expressionStr":"found_out,==,'1'","scriptNames":"[]","expressionName":"11131","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"sas_linux_alert_client_reverse_shell_rule_10003","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11131&&&&{"aesFlag":1,"varName":"found_out","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"2vQJrhr8/lZ2HEw+NK0Glw=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&sas_linux_alert_client_reverse_shell_script_10012&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"sas_linux_alert_client_reverse_shell_script_10012","type":"script","value":"___concat_10039=concat(dst_ip,dst_port,cmdline);\nabk_raw=___concat_10039;rm('___concat_10039');\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&sas_linux_alert_client_reverse_shell_script_10013&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"sas_linux_alert_client_reverse_shell_script_10013","type":"script","value":"retainField(unique_id,container_image_id,k8s_cluster_id,sls_time,app_version,k8s_pod_name,uuid,dst_ip,layer,k8s_node_name,found_out,cmdline,container_name,p_info,dst_port,aliUid,log_conten [...]
-dipper.private.blink.rules&&&&script&&&&sas_linux_alert_client_reverse_shell_script_10014&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"sas_linux_alert_client_reverse_shell_script_10014","type":"script","value":"uuid=uuid;\nali_uid='';\nclient_ip='';\nevent_type='进程异常行为';\nevent_name='反弹shell_fd';\nlevel='high';\n___cast_10666=cast(dst_ip,'string');\n___cast_10667=cast(dst_port,'string');\n___cast [...]
-dipper.private.blink.rules&&&&script&&&&sas_linux_alert_client_reverse_shell_script_10015&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"sas_linux_alert_client_reverse_shell_script_10015","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&channel&&&&sas_linux_alert_client_reverse_shell_channel_10002&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"sas_linux_alert_client_reverse_shell_channel_10002","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder":"true","maxFetchLogGroupSize":"100","syncCou [...]
-dipper.private.blink.rules&&&&pipline&&&&blink.direct.source.aegis_client_origin&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.SubPiplineChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"nextStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"filterMsgSwitch\\\\\\\":\\\\\\\"blink.direct.source.aegis_client_origin.filter.switch\\\\\\\",\\\\\\\"cancelAfterConfigurableRefreshListerner\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"className\\\\ [...]
-dipper.private.blink.rules&&&&channel&&&&blink.direct.source.aegis_client_origin;channel&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"12","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"blink.direct.source.aegis_client_origin;channel","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","tags":"blink.direct.source.aegis_client_origin.tags","syncTimeout":"5000","groupName":"blink.direct.source.aegis_cli [...]
-dipper.private.blink.rules&&&&pipline&&&&windows_eventlog_alert&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"nextStageLables\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"windows_eventlog_alert_script_10002\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"cancelAfterConfigurableRefreshListerner\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"ownerSqlNodeTableName\\\\\\\":\\\\\\\"eventlog_input_patch_eventid\\\ [...]
-dipper.private.blink.rules&&&&script&&&&windows_eventlog_alert;json_concat_10016&&&&{"fullClassName":"com.aliyun.sec.lyra.udf.ext.JsonConcat","initMethodName":"open","functionName":"json_concat","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"windows_eventlog_alert;json_concat_10016","type":"script","version":"1.0","closeMethodName":"close","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&channel&&&&windows_eventlog_alert&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"windows_eventlog_alert","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","syncTimeout":"5000","groupName":"windows_eventlog_alert","isBatchMessage":"true","isAutoFlush":"false","maxFetchLogGroupSize":"100","syncCount":"1000","outputThreadCou [...]
-dipper.private.blink.rules&&&&script&&&&windows_eventlog_alert_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"windows_eventlog_alert_script_10001","type":"script","value":"___json_get_10100=json_get(meta_conf,'$.aliUid');\naliUid=___json_get_10100;rm('___json_get_10100');\n___json_get_10101=json_get(data,'$.raw_xml');\nraw_xml=___json_get_10101;rm('___json_get_10101');\n___json_get_101 [...]
-dipper.private.blink.rules&&&&script&&&&windows_eventlog_alert_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"windows_eventlog_alert_script_10002","type":"script","value":"retainField(raw_xml,channel,app,traceId,meta_conf,app_version,data,ip,safe_mode,type,uuid,version,seq,aliUid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&windows_eventlog_alert_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"windows_eventlog_alert_script_10003","type":"script","value":"___REGEXP_EXTRACT_10011=REGEXP_EXTRACT(raw_xml,'\\<EventID\\>(\\d+)\\<\\/EventID\\>',1);\nevent_id=___REGEXP_EXTRACT_10011;rm('___REGEXP_EXTRACT_10011');\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&windows_eventlog_alert_script_10004&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"windows_eventlog_alert_script_10004","type":"script","value":"retainField(event_id,app,traceId,meta_conf,app_version,data,raw_xml,ip,safe_mode,channel,type,uuid,version,aliUid,seq);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&windows_eventlog_alert_script_10005&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"windows_eventlog_alert_script_10005","type":"script","value":"___compare_10258=equals(event_id,'4720');\n___compare_10259=equals(event_id,'4722');\n___compare_10260=equals(event_id,'4726');\n___compare_10261=equals(event_id,'4732');\n___compare_10262=equals(event_id,'4733');\n_ [...]
-dipper.private.blink.rules&&&&script&&&&windows_eventlog_alert_script_10006&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"windows_eventlog_alert_script_10006","type":"script","value":"retainField(app,traceId,meta_conf,app_version,data,raw_xml,ip,safe_mode,channel,type,uuid,version,event_id,aliUid,seq,label);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&windows_eventlog_alert_script_10007&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"windows_eventlog_alert_script_10007","type":"script","value":"___!null_10042=!null(label);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&windows_eventlog_alert_rule_10001&&&&{"expressionStr":"(___!null_10042)","scriptNames":"[]","expressionName":"11133","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"windows_eventlog_alert_rule_10001","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11133&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11132\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11132&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"___!null_10042\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&windows_eventlog_alert_script_10008&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"windows_eventlog_alert_script_10008","type":"script","value":"retainField(app,traceId,meta_conf,app_version,data,raw_xml,ip,safe_mode,channel,label,type,uuid,version,event_id,aliUid,seq);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&windows_eventlog_alert_script_10009&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"windows_eventlog_alert_script_10009","type":"script","value":"___REGEXP_EXTRACT_10012=REGEXP_EXTRACT(raw_xml,'TargetUserName[\\s\\S]*?\\>\\s*?([^\\<]*?)\\s*?\\<',1);\n___lower____REGEXP_EXTRACT_10012_10001=lower(___REGEXP_EXTRACT_10012);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&windows_eventlog_alert_rule_10002&&&&{"expressionStr":"(label,in,'\\'evt_user_enabled\\'')&(___lower____REGEXP_EXTRACT_10012_10001,like,'%guest%')","scriptNames":"[]","expressionName":"11136","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"windows_eventlog_alert_rule_10002","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11135&&&&{"aesFlag":1,"varName":"___lower____REGEXP_EXTRACT_10012_10001","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"6+/CEgfAE5XfqU7j6X2aVA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11134&&&&{"aesFlag":1,"varName":"label","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"HzqPYs1HxLiLowVI3oTE4+eZpFytiFGDP4d9xJwjx/s="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11136&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11134\",\"11135\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&windows_eventlog_alert_script_10010&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"windows_eventlog_alert_script_10010","type":"script","value":"retainField(app,traceId,meta_conf,app_version,data,raw_xml,ip,safe_mode,channel,label,type,uuid,version,event_id,aliUid,seq);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&windows_eventlog_alert_script_10011&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"windows_eventlog_alert_script_10011","type":"script","value":"ali_uid=aliUid;\n___cast_10682=cast(null_10021,'string');\nclient_ip=___cast_10682;rm('___cast_10682');\nevent_type='进程异常行为';\nevent_name='Windows Guest账号激活';\nlevel='low';\n___REGEXP_EXTRACT_10013=REGEXP_EXTRACT(raw [...]
-dipper.private.blink.rules&&&&script&&&&windows_eventlog_alert_script_10012&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"windows_eventlog_alert_script_10012","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&channel&&&&windows_eventlog_alert_channel_10001&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"windows_eventlog_alert_channel_10001","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder":"true","maxFetchLogGroupSize":"100","syncCount":"1000","nameSpace":"dipp [...]
-dipper.private.blink.rules&&&&pipline&&&&blink.direct.source.aegis_eventlog&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.SubPiplineChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"nextStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"filterMsgSwitch\\\\\\\":\\\\\\\"blink.direct.source.aegis_eventlog.filter.switch\\\\\\\",\\\\\\\"cancelAfterConfigurableRefreshListerner\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"className\\\\\\\":\\\\\ [...]
-dipper.private.blink.rules&&&&channel&&&&blink.direct.source.aegis_eventlog;channel&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"12","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"blink.direct.source.aegis_eventlog;channel","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","tags":"blink.direct.source.aegis_eventlog.tags","syncTimeout":"5000","groupName":"blink.direct.source.aegis_eventlog.group","i [...]
-dipper.private.blink.rules&&&&pipline&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"nextStageLables\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10002\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"cancelAfter [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4;json_concat_10017&&&&{"fullClassName":"com.aliyun.sec.lyra.udf.ext.JsonConcat","initMethodName":"open","functionName":"json_concat","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crac [...]
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","tags":"T_MSG_LOGIN_INFO","syncT [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10001","type":"script","value":"retainField(src_ip,port,success,ip,count,pid,type,uuid,user,log_time,invalid_use [...]
-dipper.private.blink.rules&&&&nameList&&&&30.240.98.174;1616994986574;8&&&&{"indexs":"[\"account_name\"]","pollingTime":"60","className":"com.aliyun.filter.namelist.DBNameList","configureName":"30.240.98.174;1616994986574;8","userName":"blink.source.aegis.login.username","type":"nameList","version":"1.0","url":"blink.source.aegis.login.url","sql":"select account_name from brute_force_suspicious_account limit 1000000","cotainsIpFieldNames":"[]","password":"blink.source.aegis.login.passwor [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10002","type":"script","value":"___dim_10008=left_join('dipper.private.blink.rules','30.240.98.174;1616994986574 [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10003","type":"script","value":"account_name=p.account_name;\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10004&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10004","type":"script","value":"retainField(account_name,src_ip,port,success,ip,count,pid,type,uuid,user,log_tim [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10005&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10005","type":"script","value":"rule_type='1';\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10006&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10006","type":"script","value":"retainField(rule_type,src_ip,port,success,account_name,ip,count,pid,type,uuid,us [...]
-dipper.private.blink.rules&&&&nameList&&&&30.240.98.174;1616994986575;9&&&&{"indexs":"[\"rule_type\"]","pollingTime":"60","className":"com.aliyun.filter.namelist.DBNameList","configureName":"30.240.98.174;1616994986575;9","userName":"blink.source.aegis.login.account.username","type":"nameList","version":"1.0","url":"blink.source.aegis.login.account.url","sql":"select rule_type,content from brute_force_rule limit 1000000","cotainsIpFieldNames":"[]","password":"blink.source.aegis.login.acc [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10007&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10007","type":"script","value":"___dim_10009=left_join('dipper.private.blink.rules','30.240.98.174;1616994986575 [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10008&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10008","type":"script","value":"___json_get_10103=json_get(p.content,'$.winsize');\n___cast_10683=cast(___json_g [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10009&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10009","type":"script","value":"retainField(fail_times,ip,count,pid,type,uuid,log_time,src_ip,rule_type,port,suc [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_rule_10001&&&&{"expressionStr":"uuid,!like,'inet-%'","scriptNames":"[]","expressionName":"11137","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_rule_10001","ruleStatus":"0","type": [...]
-dipper.private.blink.rules&&&&express&&&&11137&&&&{"aesFlag":1,"varName":"uuid","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"KHAOzEfzUAKsbrVrfBuQcA=="}&&&&null
-dipper.private.blink.rules&&&&window&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_window_10001&&&&{"groupByFieldName":"type;src_ip;uuid;user;ip;port;winsize;fail_times","waterMarkMinute":"0","sizeAdjust":"1","sizeVariable":"winsize","className":"com.aliyun.yundun.dipper.window.model.WindowMessageProcessor","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_window_10001","type":"windo [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10010&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10010","type":"script","value":"retainField(succ_cns,ip,winsize,type,uuid,log_time,src_ip,winStart,winEnd,port,a [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10011&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10011","type":"script","value":"__compare_value_10008=!((src_ip,regex,'^127\\.'))\n;___!null_10043=!null(account [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_rule_10002&&&&{"expressionStr":"(__compare_value_10008&(succ_cns,>,double,0))&___!null_10043","scriptNames":"[]","expressionName":"11140","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_aler [...]
-dipper.private.blink.rules&&&&express&&&&11140&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11139\",\"___!null_10043\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11139&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"__compare_value_10008\",\"11138\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11138&&&&{"varName":"succ_cns","functionName":">","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0.0"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10012&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10012","type":"script","value":"country='';\nprovince='';\ncity='';\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10013&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10013","type":"script","value":"retainField(country,province,city,succ_cns,ip,winsize,type,uuid,log_time,src_ip, [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10014&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10014","type":"script","value":"retainField(country,succ_cns,city,ip,winsize,type,uuid,log_time,src_ip,winStart, [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_rule_10003&&&&{"expressionStr":"type,==,'SSH'","scriptNames":"[]","expressionName":"11141","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_rule_10003","ruleStatus":"0","type":"rule" [...]
-dipper.private.blink.rules&&&&express&&&&11141&&&&{"aesFlag":1,"varName":"type","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"yWD8YZYVXaFbtnsN24tuWg=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10015&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10015","type":"script","value":"ali_uid='';\nclient_ip=ip;\nevent_type='异常登录';\nevent_name='ECS被可疑账号登录成功(SSH)';\ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10016&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10016","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_rule_10004&&&&{"expressionStr":"type,==,'RDP'","scriptNames":"[]","expressionName":"11142","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_rule_10004","ruleStatus":"0","type":"rule" [...]
-dipper.private.blink.rules&&&&express&&&&11142&&&&{"aesFlag":1,"varName":"type","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"XaH22EWkvLN7G+itcFtlvQ=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10017&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10017","type":"script","value":"ali_uid='';\nclient_ip=ip;\nevent_type='异常登录';\nevent_name='ECS被可疑账号登录成功(RDP)';\ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10018&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10018","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10019&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10019","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content [...]
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_channel_10001&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_channel_10001","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","tag [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10020&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_script_10020","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content [...]
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_channel_10002&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_account_alert_v4_channel_10002","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","tag [...]
-dipper.private.blink.rules&&&&pipline&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"nextStageLables\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10002\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"cancelAfterConfig [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4;json_concat_10018&&&&{"fullClassName":"com.aliyun.sec.lyra.udf.ext.JsonConcat","initMethodName":"open","functionName":"json_concat","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_f [...]
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","tags":"T_MSG_LOGIN_INFO","syncTimeout [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10001","type":"script","value":"retainField(src_ip,port,success,ip,count,pid,type,uuid,user,log_time,invalid_user);"," [...]
-dipper.private.blink.rules&&&&nameList&&&&30.240.98.174;1616994988318;10&&&&{"indexs":"[\"account_name\"]","pollingTime":"60","className":"com.aliyun.filter.namelist.DBNameList","configureName":"30.240.98.174;1616994988318;10","userName":"blink.source.aegis.login.username","type":"nameList","version":"1.0","url":"blink.source.aegis.login.url","sql":"select account_name from brute_force_suspicious_account limit 1000000","cotainsIpFieldNames":"[]","password":"blink.source.aegis.login.passw [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10002","type":"script","value":"___dim_10010=left_join('dipper.private.blink.rules','30.240.98.174;1616994988318;10',' [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10003","type":"script","value":"account_name=p.account_name;\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10004&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10004","type":"script","value":"retainField(account_name,src_ip,port,success,ip,count,pid,type,uuid,user,log_time,inva [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10005&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10005","type":"script","value":"rule_type='1';\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10006&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10006","type":"script","value":"retainField(rule_type,src_ip,port,success,account_name,ip,count,pid,type,uuid,user,log [...]
-dipper.private.blink.rules&&&&nameList&&&&30.240.98.174;1616994988318;11&&&&{"indexs":"[\"rule_type\"]","pollingTime":"60","className":"com.aliyun.filter.namelist.DBNameList","configureName":"30.240.98.174;1616994988318;11","userName":"blink.source.aegis.login.account.username","type":"nameList","version":"1.0","url":"blink.source.aegis.login.account.url","sql":"select rule_type,content from brute_force_rule limit 1000000","cotainsIpFieldNames":"[]","password":"blink.source.aegis.login.a [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10007&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10007","type":"script","value":"___dim_10011=left_join('dipper.private.blink.rules','30.240.98.174;1616994988318;11',' [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10008&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10008","type":"script","value":"___json_get_10105=json_get(p.content,'$.winsize');\n___cast_10709=cast(___json_get_101 [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10009&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10009","type":"script","value":"retainField(fail_times,ip,count,pid,type,uuid,log_time,src_ip,rule_type,port,success,a [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_rule_10001&&&&{"expressionStr":"uuid,!like,'inet-%'","scriptNames":"[]","expressionName":"11143","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_rule_10001","ruleStatus":"0","type":"rule" [...]
-dipper.private.blink.rules&&&&express&&&&11143&&&&{"aesFlag":1,"varName":"uuid","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"KHAOzEfzUAKsbrVrfBuQcA=="}&&&&null
-dipper.private.blink.rules&&&&window&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_window_10001&&&&{"groupByFieldName":"type;src_ip;uuid;user;ip;port;winsize;fail_times","waterMarkMinute":"0","sizeAdjust":"1","sizeVariable":"winsize","className":"com.aliyun.yundun.dipper.window.model.WindowMessageProcessor","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_window_10001","type":"window","ve [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10010&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10010","type":"script","value":"retainField(succ_cns,ip,winsize,type,uuid,log_time,src_ip,winStart,winEnd,port,account [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10011&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10011","type":"script","value":"__compare_value_10009=!((src_ip,regex,'^127\\.'))\n;___!null_10044=!null(account_name) [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_rule_10002&&&&{"expressionStr":"(__compare_value_10009&(succ_cns,==,double,0))&___!null_10044","scriptNames":"[]","expressionName":"11146","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_ [...]
-dipper.private.blink.rules&&&&express&&&&11144&&&&{"varName":"succ_cns","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0.0"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11146&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11145\",\"___!null_10044\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11145&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"__compare_value_10009\",\"11144\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10012&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10012","type":"script","value":"country='';\nprovince='';\ncity='';\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10013&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10013","type":"script","value":"retainField(country,province,city,succ_cns,ip,winsize,type,uuid,log_time,src_ip,winSta [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10014&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10014","type":"script","value":"retainField(country,succ_cns,city,ip,winsize,type,uuid,log_time,src_ip,winStart,provin [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_rule_10003&&&&{"expressionStr":"type,==,'SSH'","scriptNames":"[]","expressionName":"11147","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_rule_10003","ruleStatus":"0","type":"rule","vers [...]
-dipper.private.blink.rules&&&&express&&&&11147&&&&{"aesFlag":1,"varName":"type","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"yWD8YZYVXaFbtnsN24tuWg=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10015&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10015","type":"script","value":"ali_uid='';\nclient_ip=ip;\nevent_type='异常登录';\nevent_name='ECS被可疑账号登录失败(SSH)';\nlevel [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10016&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10016","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_m [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_rule_10004&&&&{"expressionStr":"type,==,'RDP'","scriptNames":"[]","expressionName":"11148","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_rule_10004","ruleStatus":"0","type":"rule","vers [...]
-dipper.private.blink.rules&&&&express&&&&11148&&&&{"aesFlag":1,"varName":"type","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"XaH22EWkvLN7G+itcFtlvQ=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10017&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10017","type":"script","value":"ali_uid='';\nclient_ip=ip;\nevent_type='异常登录';\nevent_name='ECS被可疑账号登录失败(RDP)';\nlevel [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10018&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10018","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_m [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10019&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10019","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_m [...]
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_channel_10001&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_channel_10001","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","tags":"T_ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10020&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_script_10020","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_m [...]
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_channel_10002&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_account_alert_v4_channel_10002","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","tags":"T_ [...]
-dipper.private.blink.rules&&&&pipline&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"nextStageLables\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10002\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"cancelAfterConfigurableRefreshLis [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4;json_concat_10019&&&&{"fullClassName":"com.aliyun.sec.lyra.udf.ext.JsonConcat","initMethodName":"open","functionName":"json_concat","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_aler [...]
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","tags":"T_MSG_LOGIN_INFO","syncTimeout":"5000","groupN [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10001","type":"script","value":"retainField(src_ip,port,success,ip,count,pid,type,uuid,user,log_time,invalid_user);","version":"1.0"," [...]
-dipper.private.blink.rules&&&&nameList&&&&30.240.98.174;1616994990145;12&&&&{"indexs":"[\"account_name\"]","pollingTime":"60","className":"com.aliyun.filter.namelist.DBNameList","configureName":"30.240.98.174;1616994990145;12","userName":"blink.source.aegis.login.username","type":"nameList","version":"1.0","url":"blink.source.aegis.login.url","sql":"select account_name from brute_force_suspicious_account limit 1000000","cotainsIpFieldNames":"[]","password":"blink.source.aegis.login.passw [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10002","type":"script","value":"___dim_10012=left_join('dipper.private.blink.rules','30.240.98.174;1616994990145;12','(user,==,account [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10003","type":"script","value":"account_name=p.account_name;\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10004&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10004","type":"script","value":"retainField(account_name,src_ip,port,success,ip,count,pid,type,uuid,user,log_time,invalid_user);","ver [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10005&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10005","type":"script","value":"rule_type='2';\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10006&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10006","type":"script","value":"retainField(rule_type,src_ip,port,success,ip,count,pid,type,uuid,user,log_time,invalid_user);","versio [...]
-dipper.private.blink.rules&&&&nameList&&&&30.240.98.174;1616994990145;13&&&&{"indexs":"[\"rule_type\"]","pollingTime":"60","className":"com.aliyun.filter.namelist.DBNameList","configureName":"30.240.98.174;1616994990145;13","userName":"blink.source.aegis.login.account.username","type":"nameList","version":"1.0","url":"blink.source.aegis.login.account.url","sql":"select rule_type,content from brute_force_rule limit 1000000","cotainsIpFieldNames":"[]","password":"blink.source.aegis.login.a [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10007&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10007","type":"script","value":"___dim_10013=left_join('dipper.private.blink.rules','30.240.98.174;1616994990145;13','(rule_type,==,ru [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10008&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10008","type":"script","value":"___json_get_10109=json_get(p.content,'$.winsize');\n___cast_10737=cast(___json_get_10109,'int');\nwins [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10009&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10009","type":"script","value":"retainField(src_ip,rule_type,port,success,ip,count,pid,type,uuid,user,log_time,invalid_user,winsize,se [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_rule_10001&&&&{"expressionStr":"uuid,!like,'inet-%'","scriptNames":"[]","expressionName":"11149","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_rule_10001","ruleStatus":"0","type":"rule","version":"1.0" [...]
-dipper.private.blink.rules&&&&express&&&&11149&&&&{"aesFlag":1,"varName":"uuid","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"KHAOzEfzUAKsbrVrfBuQcA=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10010&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10010","type":"script","value":"___cast_10743=cast(invalid_user,'long');\n___compare_10281=equals(___cast_10743,1);\nif(___compare_102 [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10011&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10011","type":"script","value":"retainField(src_ip,port,success,ip,count,type,uuid,invalid_users,log_time,valid_users);","version":"1. [...]
-dipper.private.blink.rules&&&&window&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_window_10001&&&&{"groupByFieldName":"type;src_ip;uuid;ip;port","waterMarkMinute":"0","sizeAdjust":"0","className":"com.aliyun.yundun.dipper.window.model.WindowMessageProcessor","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_window_10001","type":"window","version":"1.0","windowType":"hop","fireDelaySecond":"30","timeout": [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10012&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10012","type":"script","value":"retainField(succ_cns,invalid_users_list,ip,invalid_users_cnt,type,uuid,log_time,src_ip,winStart,winEnd [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10013&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10013","type":"script","value":"rule_type='1';\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10014&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10014","type":"script","value":"retainField(rule_type,src_ip,port,success,account_name,ip,count,pid,type,uuid,user,log_time,invalid_us [...]
-dipper.private.blink.rules&&&&nameList&&&&30.240.98.174;1616994990145;14&&&&{"indexs":"[\"rule_type\"]","pollingTime":"60","className":"com.aliyun.filter.namelist.DBNameList","configureName":"30.240.98.174;1616994990145;14","userName":"blink.source.aegis.login.account.username","type":"nameList","version":"1.0","url":"blink.source.aegis.login.account.url","sql":"select rule_type,content from brute_force_rule limit 1000000","cotainsIpFieldNames":"[]","password":"blink.source.aegis.login.a [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10015&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10015","type":"script","value":"___dim_10014=left_join('dipper.private.blink.rules','30.240.98.174;1616994990145;14','(rule_type,==,ru [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10016&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10016","type":"script","value":"___json_get_10107=json_get(p.content,'$.winsize');\n___cast_10735=cast(___json_get_10107,'int');\nwins [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10017&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10017","type":"script","value":"retainField(fail_times,ip,count,pid,type,uuid,log_time,src_ip,rule_type,port,success,account_name,user [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_rule_10002&&&&{"expressionStr":"uuid,!like,'inet-%'","scriptNames":"[]","expressionName":"11150","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_rule_10002","ruleStatus":"0","type":"rule","version":"1.0" [...]
-dipper.private.blink.rules&&&&express&&&&11150&&&&{"aesFlag":1,"varName":"uuid","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"KHAOzEfzUAKsbrVrfBuQcA=="}&&&&null
-dipper.private.blink.rules&&&&window&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_window_10002&&&&{"groupByFieldName":"type;src_ip;uuid;user;ip;port;winsize;fail_times","waterMarkMinute":"0","sizeAdjust":"1","sizeVariable":"winsize","className":"com.aliyun.yundun.dipper.window.model.WindowMessageProcessor","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_window_10002","type":"window","version":"1.0","wi [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10018&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10018","type":"script","value":"retainField(succ_cns,ip,winsize,type,uuid,log_time,src_ip,winStart,winEnd,port,account_name,fail_cns,f [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10019&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10019","type":"script","value":"__compare_value_10010=!((src_ip,regex,'^127\\.'))\n;___subtraction_10012=subtraction(fail_cns,fail_tim [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_rule_10003&&&&{"expressionStr":"(__compare_value_10010&(___subtraction_10012,>=,double,0))&(succ_cns,==,double,0)","scriptNames":"[]","expressionName":"11154","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert [...]
-dipper.private.blink.rules&&&&express&&&&11151&&&&{"varName":"___subtraction_10012","functionName":">=","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0.0"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11153&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"__compare_value_10010\",\"11151\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11152&&&&{"varName":"succ_cns","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0.0"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11154&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11153\",\"11152\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10020&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10020","type":"script","value":"country='';\nprovince='';\ncity='';\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10021&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10021","type":"script","value":"retainField(country,province,city,succ_cns,ip,winsize,type,uuid,log_time,src_ip,winStart,winEnd,port,a [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_rule_10004&&&&{"expressionStr":"type,==,'SSH'","scriptNames":"[]","expressionName":"11155","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_rule_10004","ruleStatus":"0","type":"rule","version":"1.0","exte [...]
-dipper.private.blink.rules&&&&express&&&&11155&&&&{"aesFlag":1,"varName":"type","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"yWD8YZYVXaFbtnsN24tuWg=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10022&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10022","type":"script","value":"ali_uid='';\nclient_ip=ip;\nevent_type='异常登录';\nevent_name='ECS被点对点暴力破解失败(SSH)';\nlevel='medium';\n___ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10023&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10023","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);", [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_rule_10005&&&&{"expressionStr":"type,==,'RDP'","scriptNames":"[]","expressionName":"11156","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_rule_10005","ruleStatus":"0","type":"rule","version":"1.0","exte [...]
-dipper.private.blink.rules&&&&express&&&&11156&&&&{"aesFlag":1,"varName":"type","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"XaH22EWkvLN7G+itcFtlvQ=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10024&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10024","type":"script","value":"ali_uid='';\nclient_ip=ip;\nevent_type='异常登录';\nevent_name='ECS被点对点暴力破解失败(RDP)';\nlevel='medium';\n___ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10025&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10025","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);", [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10026&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10026","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);", [...]
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_channel_10001&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_channel_10001","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","tags":"T_MSG_BRUTE_FORCE" [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10027&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10027","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);", [...]
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_channel_10002&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_channel_10002","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","tags":"T_MSG_BRUTE_FORCE" [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_rule_10006&&&&{"expressionStr":"uuid,!like,'inet-%'","scriptNames":"[]","expressionName":"11157","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_rule_10006","ruleStatus":"0","type":"rule","version":"1.0" [...]
-dipper.private.blink.rules&&&&express&&&&11157&&&&{"aesFlag":1,"varName":"uuid","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"KHAOzEfzUAKsbrVrfBuQcA=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10028&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10028","type":"script","value":"___cast_10749=cast(invalid_user,'long');\n___compare_10285=equals(___cast_10749,1);\nif(___compare_102 [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10029&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10029","type":"script","value":"retainField(unsuccess_hosts,ip,count,winsize,type,uuid,success_hosts,log_time,valid_users,src_ip,port, [...]
-dipper.private.blink.rules&&&&window&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_window_10003&&&&{"groupByFieldName":"type;src_ip;port;winsize;server_count","waterMarkMinute":"0","sizeAdjust":"1","sizeVariable":"winsize","className":"com.aliyun.yundun.dipper.window.model.WindowMessageProcessor","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_window_10003","type":"window","version":"1.0","windowType":" [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10030&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10030","type":"script","value":"retainField(succ_cns,ip,invalid_users_list,invalid_users_cnt,winsize,type,uuid,log_time,unsuccess_host [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10031&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10031","type":"script","value":"__compare_value_10012=!((src_ip,regex,'^127\\.'))\n;___subtraction_10014=subtraction(unsuccess_hosts_c [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_rule_10007&&&&{"expressionStr":"(__compare_value_10012&(success_hosts_cnt,==,double,0))&(___subtraction_10014,>=,double,0)","scriptNames":"[]","expressionName":"11161","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_f [...]
-dipper.private.blink.rules&&&&express&&&&11160&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"__compare_value_10012\",\"11158\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11161&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11160\",\"11159\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11159&&&&{"varName":"___subtraction_10014","functionName":">=","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0.0"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11158&&&&{"varName":"success_hosts_cnt","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0.0"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10032&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10032","type":"script","value":"country='';\nprovince='';\ncity='';\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10033&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10033","type":"script","value":"retainField(country,province,city,succ_cns,ip,invalid_users_list,invalid_users_cnt,winsize,type,uuid,l [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_rule_10008&&&&{"expressionStr":"type,==,'SSH'","scriptNames":"[]","expressionName":"11162","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_rule_10008","ruleStatus":"0","type":"rule","version":"1.0","exte [...]
-dipper.private.blink.rules&&&&express&&&&11162&&&&{"aesFlag":1,"varName":"type","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"yWD8YZYVXaFbtnsN24tuWg=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10034&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10034","type":"script","value":"uuid=uuid;\nali_uid='';\nclient_ip='';\nevent_type='异常登录';\nevent_name='批量异常登录失败(SSH)';\nlevel='medium [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10035&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10035","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);", [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_rule_10009&&&&{"expressionStr":"type,==,'RDP'","scriptNames":"[]","expressionName":"11163","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_rule_10009","ruleStatus":"0","type":"rule","version":"1.0","exte [...]
-dipper.private.blink.rules&&&&express&&&&11163&&&&{"aesFlag":1,"varName":"type","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"XaH22EWkvLN7G+itcFtlvQ=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10036&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10036","type":"script","value":"uuid=uuid;\nali_uid='';\nclient_ip='';\nevent_type='异常登录';\nevent_name='批量异常登录失败(RDP)';\nlevel='medium [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10037&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10037","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);", [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10038&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10038","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);", [...]
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_channel_10003&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_channel_10003","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","tags":"T_MSG_BRUTE_FORCE" [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10039&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10039","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);", [...]
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_channel_10004&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_channel_10004","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","tags":"T_MSG_BRUTE_FORCE" [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10040&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10040","type":"script","value":"__compare_value_10011=!((src_ip,regex,'^127\\.'))\n;___subtraction_10013=subtraction(fail_cns,invalid_ [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_rule_10010&&&&{"expressionStr":"(((__compare_value_10011&(succ_cns,==,double,0))&(___subtraction_10013,>=,double,0))&(invalid_users_cnt,>,double,3))&(valid_users_cnt,>,double,0)","scriptNames":"[]","expressionName":"11171","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source [...]
-dipper.private.blink.rules&&&&express&&&&11171&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11170\",\"11167\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11170&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11169\",\"11166\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11164&&&&{"varName":"succ_cns","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0.0"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11166&&&&{"varName":"invalid_users_cnt","functionName":">","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"3.0"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11165&&&&{"varName":"___subtraction_10013","functionName":">=","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0.0"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11168&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"__compare_value_10011\",\"11164\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11167&&&&{"varName":"valid_users_cnt","functionName":">","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0.0"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11169&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11168\",\"11165\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10041&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10041","type":"script","value":"country='';\nprovince='';\ncity='';\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10042&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10042","type":"script","value":"retainField(country,province,city,succ_cns,invalid_users_list,ip,invalid_users_cnt,type,uuid,log_time, [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_rule_10011&&&&{"expressionStr":"type,==,'SSH'","scriptNames":"[]","expressionName":"11172","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_rule_10011","ruleStatus":"0","type":"rule","version":"1.0","exte [...]
-dipper.private.blink.rules&&&&express&&&&11172&&&&{"aesFlag":1,"varName":"type","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"yWD8YZYVXaFbtnsN24tuWg=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10043&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10043","type":"script","value":"ali_uid='';\nclient_ip=ip;\nevent_type='异常登录';\nevent_name='ECS被多个无效用户暴力破解失败(SSH)';\nlevel='medium';\n [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10044&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10044","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);", [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_rule_10012&&&&{"expressionStr":"type,==,'RDP'","scriptNames":"[]","expressionName":"11173","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_rule_10012","ruleStatus":"0","type":"rule","version":"1.0","exte [...]
-dipper.private.blink.rules&&&&express&&&&11173&&&&{"aesFlag":1,"varName":"type","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"XaH22EWkvLN7G+itcFtlvQ=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10045&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10045","type":"script","value":"ali_uid='';\nclient_ip=ip;\nevent_type='异常登录';\nevent_name='ECS被多个无效用户暴力破解失败(RDP)';\nlevel='medium';\n [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10046&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10046","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);", [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10047&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10047","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);", [...]
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_channel_10005&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_channel_10005","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","tags":"T_MSG_BRUTE_FORCE" [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10048&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_script_10048","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);", [...]
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_channel_10006&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_fail_alert_v4_channel_10006","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","tags":"T_MSG_BRUTE_FORCE" [...]
-dipper.private.blink.rules&&&&pipline&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"nextStageLables\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10002\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"cancelAfterConfigurableRefr [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4;json_concat_10020&&&&{"fullClassName":"com.aliyun.sec.lyra.udf.ext.JsonConcat","initMethodName":"open","functionName":"json_concat","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_succes [...]
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","tags":"T_MSG_LOGIN_INFO","syncTimeout":"5000"," [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10001","type":"script","value":"retainField(src_ip,port,success,ip,count,pid,type,uuid,user,log_time,invalid_user);","version":" [...]
-dipper.private.blink.rules&&&&nameList&&&&30.240.98.174;1616994994427;15&&&&{"indexs":"[\"account_name\"]","pollingTime":"60","className":"com.aliyun.filter.namelist.DBNameList","configureName":"30.240.98.174;1616994994427;15","userName":"blink.source.aegis.login.username","type":"nameList","version":"1.0","url":"blink.source.aegis.login.url","sql":"select account_name from brute_force_suspicious_account limit 1000000","cotainsIpFieldNames":"[]","password":"blink.source.aegis.login.passw [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10002","type":"script","value":"___dim_10015=left_join('dipper.private.blink.rules','30.240.98.174;1616994994427;15','(user,==,a [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10003","type":"script","value":"account_name=p.account_name;\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10004&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10004","type":"script","value":"retainField(account_name,src_ip,port,success,ip,count,pid,type,uuid,user,log_time,invalid_user); [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10005&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10005","type":"script","value":"rule_type='2';\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10006&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10006","type":"script","value":"retainField(rule_type,src_ip,port,success,ip,count,pid,type,uuid,user,log_time,invalid_user);"," [...]
-dipper.private.blink.rules&&&&nameList&&&&30.240.98.174;1616994994428;16&&&&{"indexs":"[\"rule_type\"]","pollingTime":"60","className":"com.aliyun.filter.namelist.DBNameList","configureName":"30.240.98.174;1616994994428;16","userName":"blink.source.aegis.login.account.username","type":"nameList","version":"1.0","url":"blink.source.aegis.login.account.url","sql":"select rule_type,content from brute_force_rule limit 1000000","cotainsIpFieldNames":"[]","password":"blink.source.aegis.login.a [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10007&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10007","type":"script","value":"___dim_10016=left_join('dipper.private.blink.rules','30.240.98.174;1616994994428;16','(rule_type [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10008&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10008","type":"script","value":"___json_get_10113=json_get(p.content,'$.winsize');\n___cast_10843=cast(___json_get_10113,'int'); [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10009&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10009","type":"script","value":"retainField(src_ip,rule_type,port,success,ip,count,pid,type,uuid,user,log_time,invalid_user,wins [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_rule_10001&&&&{"expressionStr":"uuid,!like,'inet-%'","scriptNames":"[]","expressionName":"11174","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_rule_10001","ruleStatus":"0","type":"rule","version" [...]
-dipper.private.blink.rules&&&&express&&&&11174&&&&{"aesFlag":1,"varName":"uuid","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"KHAOzEfzUAKsbrVrfBuQcA=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10010&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10010","type":"script","value":"___cast_10853=cast(invalid_user,'long');\n___compare_10295=equals(___cast_10853,1);\nif(___compa [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10011&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10011","type":"script","value":"retainField(src_ip,port,success,ip,count,type,uuid,invalid_users,log_time,valid_users);","versio [...]
-dipper.private.blink.rules&&&&window&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_window_10001&&&&{"groupByFieldName":"type;src_ip;uuid;ip;port","waterMarkMinute":"0","sizeAdjust":"0","className":"com.aliyun.yundun.dipper.window.model.WindowMessageProcessor","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_window_10001","type":"window","version":"1.0","windowType":"hop","fireDelaySecond":"30","tim [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10012&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10012","type":"script","value":"retainField(succ_cns,invalid_users_list,ip,invalid_users_cnt,type,uuid,log_time,src_ip,winStart, [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10013&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10013","type":"script","value":"rule_type='1';\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10014&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10014","type":"script","value":"retainField(rule_type,src_ip,port,success,account_name,ip,count,pid,type,uuid,user,log_time,inva [...]
-dipper.private.blink.rules&&&&nameList&&&&30.240.98.174;1616994994428;17&&&&{"indexs":"[\"rule_type\"]","pollingTime":"60","className":"com.aliyun.filter.namelist.DBNameList","configureName":"30.240.98.174;1616994994428;17","userName":"blink.source.aegis.login.account.username","type":"nameList","version":"1.0","url":"blink.source.aegis.login.account.url","sql":"select rule_type,content from brute_force_rule limit 1000000","cotainsIpFieldNames":"[]","password":"blink.source.aegis.login.a [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10015&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10015","type":"script","value":"___dim_10017=left_join('dipper.private.blink.rules','30.240.98.174;1616994994428;17','(rule_type [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10016&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10016","type":"script","value":"___json_get_10111=json_get(p.content,'$.winsize');\n___cast_10841=cast(___json_get_10111,'int'); [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10017&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10017","type":"script","value":"retainField(fail_times,ip,count,pid,type,uuid,log_time,src_ip,rule_type,port,success,account_nam [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_rule_10002&&&&{"expressionStr":"uuid,!like,'inet-%'","scriptNames":"[]","expressionName":"11175","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_rule_10002","ruleStatus":"0","type":"rule","version" [...]
-dipper.private.blink.rules&&&&express&&&&11175&&&&{"aesFlag":1,"varName":"uuid","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"KHAOzEfzUAKsbrVrfBuQcA=="}&&&&null
-dipper.private.blink.rules&&&&window&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_window_10002&&&&{"groupByFieldName":"type;src_ip;uuid;user;ip;port;winsize;fail_times","waterMarkMinute":"0","sizeAdjust":"1","sizeVariable":"winsize","className":"com.aliyun.yundun.dipper.window.model.WindowMessageProcessor","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_window_10002","type":"window","version":"1. [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10018&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10018","type":"script","value":"retainField(succ_cns,ip,winsize,type,uuid,log_time,src_ip,winStart,winEnd,port,account_name,fail [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_rule_10003&&&&{"expressionStr":"uuid,!like,'inet-%'","scriptNames":"[]","expressionName":"11176","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_rule_10003","ruleStatus":"0","type":"rule","version" [...]
-dipper.private.blink.rules&&&&express&&&&11176&&&&{"aesFlag":1,"varName":"uuid","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"KHAOzEfzUAKsbrVrfBuQcA=="}&&&&null
-dipper.private.blink.rules&&&&window&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_window_10003&&&&{"groupByFieldName":"type;src_ip;uuid;user;ip;port;winsize;fail_times","waterMarkMinute":"0","sizeAdjust":"1","sizeVariable":"winsize","className":"com.aliyun.yundun.dipper.window.model.WindowMessageProcessor","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_window_10003","type":"window","version":"1. [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10019&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10019","type":"script","value":"retainField(succ_cns,ip,winsize,type,uuid,log_time,src_ip,winStart,winEnd,port,account_name,fail [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10020&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10020","type":"script","value":"__compare_value_10013=!((src_ip,regex,'^127\\.'))\n;___subtraction_10015=subtraction(fail_times, [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_rule_10004&&&&{"expressionStr":"((__compare_value_10013&(succ_cns,<=,double,3))&(succ_cns,>,double,0))&(___subtraction_10015,>=,double,0)","scriptNames":"[]","expressionName":"11182","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_ [...]
-dipper.private.blink.rules&&&&express&&&&11180&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"__compare_value_10013\",\"11177\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11182&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11181\",\"11179\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11181&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11180\",\"11178\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11177&&&&{"varName":"succ_cns","functionName":"<=","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"3.0"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11179&&&&{"varName":"___subtraction_10015","functionName":">=","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0.0"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11178&&&&{"varName":"succ_cns","functionName":">","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0.0"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10021&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10021","type":"script","value":"country='';\nprovince='';\ncity='';\nrule_type='1';\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10022&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10022","type":"script","value":"retainField(country,rule_type,province,city,succ_cns,ip,winsize,type,uuid,log_time,src_ip,winSta [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_rule_10005&&&&{"expressionStr":"type,==,'SSH'","scriptNames":"[]","expressionName":"11183","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_rule_10005","ruleStatus":"0","type":"rule","version":"1.0" [...]
-dipper.private.blink.rules&&&&express&&&&11183&&&&{"aesFlag":1,"varName":"type","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"yWD8YZYVXaFbtnsN24tuWg=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10023&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10023","type":"script","value":"ali_uid='';\nclient_ip=ip;\nevent_type='异常登录';\nevent_name='ECS被点对点暴力破解成功(SSH)';\nlevel='medium' [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10024&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10024","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uu [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_rule_10006&&&&{"expressionStr":"type,==,'RDP'","scriptNames":"[]","expressionName":"11184","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_rule_10006","ruleStatus":"0","type":"rule","version":"1.0" [...]
-dipper.private.blink.rules&&&&express&&&&11184&&&&{"aesFlag":1,"varName":"type","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"XaH22EWkvLN7G+itcFtlvQ=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10025&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10025","type":"script","value":"ali_uid='';\nclient_ip=ip;\nevent_type='异常登录';\nevent_name='ECS被点对点暴力破解成功(RDP)';\nlevel='medium' [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10026&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10026","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uu [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10027&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10027","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uu [...]
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_channel_10001&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_channel_10001","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","tags":"T_MSG_BRUTE_ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10028&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10028","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uu [...]
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_channel_10002&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_channel_10002","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","tags":"T_MSG_BRUTE_ [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_rule_10007&&&&{"expressionStr":"uuid,!like,'inet-%'","scriptNames":"[]","expressionName":"11185","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_rule_10007","ruleStatus":"0","type":"rule","version" [...]
-dipper.private.blink.rules&&&&express&&&&11185&&&&{"aesFlag":1,"varName":"uuid","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"KHAOzEfzUAKsbrVrfBuQcA=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10029&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10029","type":"script","value":"___cast_10859=cast(invalid_user,'long');\n___compare_10299=equals(___cast_10859,1);\nif(___compa [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10030&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10030","type":"script","value":"retainField(unsuccess_hosts,ip,count,winsize,type,uuid,success_hosts,log_time,valid_users,src_ip [...]
-dipper.private.blink.rules&&&&window&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_window_10004&&&&{"groupByFieldName":"type;src_ip;port;winsize;server_count","waterMarkMinute":"0","sizeAdjust":"1","sizeVariable":"winsize","className":"com.aliyun.yundun.dipper.window.model.WindowMessageProcessor","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_window_10004","type":"window","version":"1.0","windowT [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10031&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10031","type":"script","value":"retainField(succ_cns,ip,invalid_users_list,invalid_users_cnt,winsize,type,uuid,log_time,unsucces [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10032&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10032","type":"script","value":"__compare_value_10015=!((src_ip,regex,'^127\\.'))\n;___subtraction_10017=subtraction(success_hos [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_rule_10008&&&&{"expressionStr":"(__compare_value_10015&(valid_users_cnt,<=,double,3))&(((___subtraction_10017,>=,double,0)&(unsuccess_hosts_cnt,>,double,0))|((success_hosts_cnt,>,double,0)&(___subtraction_10018,>=,double,0)))","scriptNames":"[]","expressionName":"11195","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper [...]
-dipper.private.blink.rules&&&&express&&&&11191&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"__compare_value_10015\",\"11186\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11190&&&&{"varName":"___subtraction_10018","functionName":">=","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0.0"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11193&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11189\",\"11190\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11192&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11187\",\"11188\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11195&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11191\",\"11194\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11194&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11192\",\"11193\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11186&&&&{"varName":"valid_users_cnt","functionName":"<=","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"3.0"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11188&&&&{"varName":"unsuccess_hosts_cnt","functionName":">","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0.0"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11187&&&&{"varName":"___subtraction_10017","functionName":">=","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0.0"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11189&&&&{"varName":"success_hosts_cnt","functionName":">","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0.0"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10033&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10033","type":"script","value":"country='';\nprovince='';\ncity='';\nrule_type='2';\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10034&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10034","type":"script","value":"retainField(country,rule_type,province,city,succ_cns,ip,invalid_users_list,invalid_users_cnt,win [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10035&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10035","type":"script","value":"retainField(country,succ_cns,city,ip,invalid_users_list,invalid_users_cnt,winsize,type,uuid,log_ [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_rule_10009&&&&{"expressionStr":"type,==,'SSH'","scriptNames":"[]","expressionName":"11196","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_rule_10009","ruleStatus":"0","type":"rule","version":"1.0" [...]
-dipper.private.blink.rules&&&&express&&&&11196&&&&{"aesFlag":1,"varName":"type","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"yWD8YZYVXaFbtnsN24tuWg=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10036&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10036","type":"script","value":"uuid=uuid;\nali_uid='';\nclient_ip='';\nevent_type='异常登录';\nevent_name='批量异常登录成功(SSH)';\nlevel=' [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10037&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10037","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uu [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_rule_10010&&&&{"expressionStr":"type,==,'RDP'","scriptNames":"[]","expressionName":"11197","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_rule_10010","ruleStatus":"0","type":"rule","version":"1.0" [...]
-dipper.private.blink.rules&&&&express&&&&11197&&&&{"aesFlag":1,"varName":"type","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"XaH22EWkvLN7G+itcFtlvQ=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10038&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10038","type":"script","value":"uuid=uuid;\nali_uid='';\nclient_ip='';\nevent_type='异常登录';\nevent_name='批量异常登录成功(RDP)';\nlevel=' [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10039&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10039","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uu [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10040&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10040","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uu [...]
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_channel_10003&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_channel_10003","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","tags":"T_MSG_BRUTE_ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10041&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10041","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uu [...]
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_channel_10004&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_channel_10004","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","tags":"T_MSG_BRUTE_ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10042&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10042","type":"script","value":"__compare_value_10014=!((src_ip,regex,'^127\\.'))\n;___subtraction_10016=subtraction(fail_cns,in [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_rule_10011&&&&{"expressionStr":"((((__compare_value_10014&(succ_cns,<,double,5))&(succ_cns,>,double,0))&(___subtraction_10016,>=,double,0))&(invalid_users_cnt,>,double,3))&(valid_users_cnt,>,double,0)","scriptNames":"[]","expressionName":"11207","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","co [...]
-dipper.private.blink.rules&&&&express&&&&11207&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11206\",\"11202\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11206&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11205\",\"11201\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11199&&&&{"varName":"succ_cns","functionName":">","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0.0"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11198&&&&{"varName":"succ_cns","functionName":"<","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"5.0"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11201&&&&{"varName":"invalid_users_cnt","functionName":">","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"3.0"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11200&&&&{"varName":"___subtraction_10016","functionName":">=","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0.0"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11203&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"__compare_value_10014\",\"11198\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11202&&&&{"varName":"valid_users_cnt","functionName":">","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0.0"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11205&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11204\",\"11200\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11204&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11203\",\"11199\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10043&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10043","type":"script","value":"country='';\nprovince='';\ncity='';\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10044&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10044","type":"script","value":"retainField(country,province,city,succ_cns,invalid_users_list,ip,invalid_users_cnt,type,uuid,log [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_rule_10012&&&&{"expressionStr":"type,==,'SSH'","scriptNames":"[]","expressionName":"11208","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_rule_10012","ruleStatus":"0","type":"rule","version":"1.0" [...]
-dipper.private.blink.rules&&&&express&&&&11208&&&&{"aesFlag":1,"varName":"type","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"yWD8YZYVXaFbtnsN24tuWg=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10045&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10045","type":"script","value":"ali_uid='';\nclient_ip=ip;\nevent_type='异常登录';\nevent_name='ECS被多个无效用户暴力破解成功(SSH)';\nlevel='medi [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10046&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10046","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uu [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_rule_10013&&&&{"expressionStr":"type,==,'RDP'","scriptNames":"[]","expressionName":"11209","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_rule_10013","ruleStatus":"0","type":"rule","version":"1.0" [...]
-dipper.private.blink.rules&&&&express&&&&11209&&&&{"aesFlag":1,"varName":"type","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"XaH22EWkvLN7G+itcFtlvQ=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10047&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10047","type":"script","value":"ali_uid='';\nclient_ip=ip;\nevent_type='异常登录';\nevent_name='ECS被多个无效用户暴力破解成功(RDP)';\nlevel='medi [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10048&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10048","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uu [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10049&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10049","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uu [...]
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_channel_10005&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_channel_10005","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","tags":"T_MSG_BRUTE_ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10050&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_script_10050","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uu [...]
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_channel_10006&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"blink_source_aegis_login_adl_sas_apsara_abnormal_host_login_crack_success_alert_v4_channel_10006","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","tags":"T_MSG_BRUTE_ [...]
-dipper.private.blink.rules&&&&pipline&&&&blink.source.aegis.login&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\":\\\\\\\"script\\\\\\\",\\\\\\\"scriptName\\\\\\\":\\\\\\\"blink.source.aegis.login_script_10001\\\\\\\",\\\\\\\"lable\\\\\\\":\\\\\\\"blink. [...]
-dipper.private.blink.rules&&&&channel&&&&blink.source.aegis.login;channel&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"12","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"blink.source.aegis.login;channel","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","tags":"blink.source.aegis.login.tags","syncTimeout":"5000","groupName":"blink.source.aegis.login.group","isBatchMessage":"true","isAutoFlush":"fal [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.login_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.login_script_10001","type":"script","value":"aliUid=JSON_VALUE (meta_conf, '$.aliUid');portStr=JSON_VALUE (data, '$.port');port=cast(portStr,'long');rm(portStr);success=JSON_VALUE (data, '$.success');src_ip=JSON_VALUE (data, '$.ip');countStr=JSON_VALUE (dat [...]
-dipper.private.blink.rules&&&&pipline&&&&blink_source_aegis_net_sas_linux_alert_netstat_netscan&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"nextStageLables\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"blink_source_aegis_net_sas_linux_alert_netstat_netscan_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"cancelAfterConfigurableRefreshListerner\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"ownerSq [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_netscan;isIPv4Public_10001&&&&{"fullClassName":"com.aliyun.sec.lyra.udf.isIPv4Public","initMethodName":"open","functionName":"isIPv4Public","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_netscan;isIPv4Public_10001","type":"script","version" [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_netscan;json_concat_10021&&&&{"fullClassName":"com.aliyun.sec.lyra.udf.ext.JsonConcat","initMethodName":"open","functionName":"json_concat","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_netscan;json_concat_10021","type":"script","version": [...]
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_net_sas_linux_alert_netstat_netscan&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_netscan","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder":"true","maxFetchLogGroupSize":"100", [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_netscan_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_netscan_script_10001","type":"script","value":"___ISIPV4PUBLIC_10001=ISIPV4PUBLIC(dst_ip);\n___ISIPV4PUBLIC_10002=ISIPV4PUBLIC(dst_ip);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_net_sas_linux_alert_netstat_netscan_rule_10001&&&&{"expressionStr":"(((((dst_port,in,'\\'21\\',\\'23\\',\\'25\\',\\'69\\',\\'81\\',\\'82\\',\\'389\\',\\'445\\',\\'873\\',\\'1433\\',\\'1521\\',\\'3306\\',\\'5900\\',\\'6379\\',\\'7001\\',\\'7002\\',\\'8009\\',\\'8080\\',\\'8081\\',\\'8082\\',\\'8443\\',\\'9200\\',\\'9300\\',\\'11211\\',\\'27017\\',\\'27018\\',\\'3389\\',\\'5632\\',\\'8000\\',\\'8161\\',\\'9043\\',\\'50000\\',\\'50070 [...]
-dipper.private.blink.rules&&&&express&&&&11218&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11217\",\"11212\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11217&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11210\",\"11211\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11219&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11218\",\"11213\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11210&&&&{"aesFlag":1,"varName":"dst_port","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"LEsonS2IlprVQ/co0XiLkvM6bIrx6/czU4m5Fi4n7MTlh5hCk8ASJPNdlIj8HwXRKVtn5pBb1jN4JfPhMkDraqiXUvKvOqNz/3SdzP3FowLBokTAp/9MTPE3wHlBW3ICtH6kYj/Zi3+/lHF19HSC0iAIv6fcxNHGs+NAMDIa1Pk3GqZGWq9ioiOlyjvQgdiBeAf+hl35+rnWCYnms2nRt1wxqEe5ZntLm4/9ZjKU [...]
-dipper.private.blink.rules&&&&express&&&&11221&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11215\",\"11216\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11220&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11219\",\"11214\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11212&&&&{"aesFlag":1,"varName":"status","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"TT4sWlpjQkv0uhwFIIa9c6Okraw7awBNUyPQnW/8dfk="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11211&&&&{"varName":"___ISIPV4PUBLIC_10001","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Boolean\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"false"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11222&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11220\",\"11221\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11214&&&&{"aesFlag":1,"varName":"ppid","functionName":"<>","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"2vQJrhr8/lZ2HEw+NK0Glw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11213&&&&{"aesFlag":1,"varName":"dir","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"kB68YBCbbpAqvn37U8lnhw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11216&&&&{"varName":"___ISIPV4PUBLIC_10002","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Boolean\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"false"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11215&&&&{"aesFlag":1,"varName":"proc_name","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"ky70l/8ginyvbfSpPOtje+ztK5ySxoW09dHhcreNc0dzYPlBfq5D/8m1SoealWg2"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_netscan_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_netscan_script_10002","type":"script","value":"retainField(k8s_namespace,proc_path,pid,proc_start_time,dir,host_uuid,dst_ip,parent_start_time,src_ip,k8s_node_name,cmdline,container_image_id,k8s_clust [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_netscan_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_netscan_script_10003","type":"script","value":"___unixtime_10021=unixtime(scan_time,'yyyy-MM-dd HH:mm:ss');\n___division_10017=division(___unixtime_10021,1200);\n___floor_10008=floor(___division_1001 [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_netscan_script_10004&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_netscan_script_10004","type":"script","value":"retainField(cmdline,parent_proc_file_name,proc_path,proto,dst_port,time_win,scan_time,proc_name,host_uuid,dst_ip,parent_start_time,ppid);","version":"1. [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_netscan_script_10005&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_netscan_script_10005","type":"script","value":"retainField(cmdline,parent_proc_file_name,proc_path,proto,dst_port,time_win,scan_time,proc_name,host_uuid,dst_ip,parent_start_time,ppid);","version":"1. [...]
-dipper.private.blink.rules&&&&window&&&&blink_source_aegis_net_sas_linux_alert_netstat_netscan_window_10001&&&&{"groupByFieldName":"cmdline;dst_port;host_uuid;parent_proc_file_name;parent_start_time;ppid;proc_name;proc_path;proto;time_win","waterMarkMinute":"0","sizeAdjust":"0","className":"com.aliyun.yundun.dipper.window.model.WindowMessageProcessor","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_netscan_window_10001","type":"window","version":"1.0","windowType":"hop"," [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_netscan_script_10006&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_netscan_script_10006","type":"script","value":"retainField(dst_ip_cnt,proc_path,host_uuid,parent_start_time,ppid,start_time,dst_ip_info,cmdline,parent_proc_file_name,proto,dst_port,time_win,proc_name [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_net_sas_linux_alert_netstat_netscan_rule_10002&&&&{"expressionStr":"(((proc_name,!in,'\\'\\',\\'N/A\\',\\'nginx\\',\\'vk-nginx\\',\\'consul\\',\\'prometheus\\'')&(dst_ip_cnt,>=,double,55))|((proc_name,regex,'^(zmap|nmap|masscan|zenmap|unicornscan|hscan)')&(dst_ip_cnt,>=,double,10)))&(dst_port,!in,'\\'8000\\',\\'8161\\',\\'1099\\'')","scriptNames":"[]","expressionName":"11231","varNames":"[]","className":"com.aliyun.filter.processor [...]
-dipper.private.blink.rules&&&&express&&&&11229&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11225\",\"11226\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11228&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11223\",\"11224\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11230&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11228\",\"11229\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11231&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11230\",\"11227\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11223&&&&{"aesFlag":1,"varName":"proc_name","functionName":"!in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"qa44hJNByCCVqRLHchbLYgEvFHjbnaBkUhRpUQtNi15yibinvLdKrOkKC0RE6DL8IVuhTBcdykeEiyku9Q+UEg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11225&&&&{"aesFlag":1,"varName":"proc_name","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"ky70l/8ginyvbfSpPOtje+ztK5ySxoW09dHhcreNc0dzYPlBfq5D/8m1SoealWg2"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11224&&&&{"varName":"dst_ip_cnt","functionName":">=","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"55.0"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11227&&&&{"aesFlag":1,"varName":"dst_port","functionName":"!in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"+RBe6MtM/sgjf7I7hEq3EpXM1U9cuGcuBxW7yuyaRQg="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11226&&&&{"varName":"dst_ip_cnt","functionName":">=","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"10.0"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_netscan_script_10007&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_netscan_script_10007","type":"script","value":"is_white=0;\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_netscan_script_10008&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_netscan_script_10008","type":"script","value":"retainField(is_white,dst_ip_cnt,proc_path,host_uuid,parent_start_time,ppid,start_time,dst_ip_info,cmdline,parent_proc_file_name,proto,dst_port,time_win, [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_net_sas_linux_alert_netstat_netscan_rule_10003&&&&{"expressionStr":"is_white,==,double,0","scriptNames":"[]","expressionName":"11232","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_netscan_rule_10003","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11232&&&&{"varName":"is_white","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0.0"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_netscan_script_10009&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_netscan_script_10009","type":"script","value":"___concat_10041=concat(' - ','proc_path - ',proc_path,'pfilaname - ',parent_proc_file_name);\nabk_raw=___concat_10041;rm('___concat_10041');\n","version [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_netscan_script_10010&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_netscan_script_10010","type":"script","value":"retainField(dst_ip_cnt,proc_path,host_uuid,parent_start_time,ppid,start_time,dst_ip_info,cmdline,parent_proc_file_name,proto,dst_port,time_win,abk_raw,p [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_netscan_script_10011&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_netscan_script_10011","type":"script","value":"retainField(dst_ip_cnt,proc_path,host_uuid,parent_start_time,ppid,start_time,dst_ip_info,cmdline,parent_proc_file_name,proto,dst_port,time_win,abk_raw,p [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_netscan_script_10012&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_netscan_script_10012","type":"script","value":"uuid=host_uuid;\nali_uid='';\nclient_ip='';\nevent_type='异常网络连接';\nevent_name='内网扫描';\nlevel='high';\n___cast_10952=cast(cmdline,'string');\n___cast_109 [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_netscan_script_10013&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_netscan_script_10013","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_net_sas_linux_alert_netstat_netscan_channel_10001&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_netscan_channel_10001","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder":"true"," [...]
-dipper.private.blink.rules&&&&pipline&&&&blink_source_aegis_net_sas_linux_alert_netstat_lateral_movement&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"nextStageLables\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"blink_source_aegis_net_sas_linux_alert_netstat_lateral_movement_script_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"cancelAfterConfigurableRefreshListerner\\\\\\\":\\\\\\\"false\\\\ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_lateral_movement;isIPv4Public_10002&&&&{"fullClassName":"com.aliyun.sec.lyra.udf.isIPv4Public","initMethodName":"open","functionName":"isIPv4Public","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_lateral_movement;isIPv4Public_10002","type": [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_lateral_movement;json_concat_10022&&&&{"fullClassName":"com.aliyun.sec.lyra.udf.ext.JsonConcat","initMethodName":"open","functionName":"json_concat","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_lateral_movement;json_concat_10022","type":" [...]
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_net_sas_linux_alert_netstat_lateral_movement&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_lateral_movement","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","syncTimeout":"5000","groupName":"blink_source_aegis_net_sas_linux_alert_netstat_later [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_net_sas_linux_alert_netstat_lateral_movement_rule_10001&&&&{"expressionStr":"(src_port,in,'\\'21\\',\\'23\\',\\'25\\',\\'69\\',\\'80\\',\\'389\\',\\'443\\',\\'873\\',\\'1433\\',\\'1434\\',\\'1521\\',\\'2375\\',\\'3306\\',\\'5900\\',\\'6379\\',\\'7001\\',\\'7002\\',\\'8080\\',\\'8443\\',\\'9200\\',\\'9300\\',\\'11211\\',\\'27017\\',\\'27018\\',\\'28017\\',\\'50030\\',\\'50070\\',\\'3389\\',\\'8081\\',\\'8080\\'')|(dst_port,in,'\\'21 [...]
-dipper.private.blink.rules&&&&express&&&&11234&&&&{"aesFlag":1,"varName":"dst_port","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"LEsonS2IlprVQ/co0XiLklo9FwYvW++krORC3ncjuYq4O6wKZ9PygiTvge5eK/8sI1wvrmWj3Bayf0UPN6pk/NlCtuo8AEsa4bZgAvbYaSidB7DDSwMH4/6o4HsZSkk30buO6A399CtpcMmAMke6RNyBi9Dgl1Uw+Y22Z+f1lOoccV7FmCuOMaeBVAGfaun8ChWK960f4hXvzYhYQ4zNIF3yzGUKYWktR7XZqKfY [...]
-dipper.private.blink.rules&&&&express&&&&11233&&&&{"aesFlag":1,"varName":"src_port","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"LEsonS2IlprVQ/co0XiLklo9FwYvW++krORC3ncjuYq4O6wKZ9PygiTvge5eK/8sI1wvrmWj3Bayf0UPN6pk/NlCtuo8AEsa4bZgAvbYaSidB7DDSwMH4/6o4HsZSkk30buO6A399CtpcMmAMke6RNyBi9Dgl1Uw+Y22Z+f1lOoccV7FmCuOMaeBVAGfaun8ChWK960f4hXvzYhYQ4zNIF3yzGUKYWktR7XZqKfY [...]
-dipper.private.blink.rules&&&&express&&&&11235&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11233\",\"11234\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_lateral_movement_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_lateral_movement_script_10001","type":"script","value":"retainField(k8s_namespace,proc_path,pid,proc_start_time,dir,host_uuid,dst_ip,parent_start_time,src_ip,k8s_node_name,cmdline,container_ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_lateral_movement_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_lateral_movement_script_10002","type":"script","value":"___lower_proc_name_10010=lower(proc_name);\n___lower_cmdline_10099=lower(cmdline);\n___ISIPV4PUBLIC_10003=ISIPV4PUBLIC(dst_ip);\n","ve [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_net_sas_linux_alert_netstat_lateral_movement_rule_10002&&&&{"expressionStr":"((___lower_proc_name_10010,in,'\\'lcx\\',\\'ew\\',\\'ew_for_linux64\\',\\'ew_for_linux32\\',\\'htran\\',\\'rcsocks\\',\\'frpc\\'')|(___lower_cmdline_10099,regex,'ew_for_linux32|ew_for_linux64|(^|\\W+)htran|regeorgsocksproxy|(^|\\s+|/)rssocks\\s+|(^|\\s+|/)ssocksd\\s+|(^|\\s+|/)rcsocks\\s+|lcx_slave|lcx_tran|lcx_listen|((^|\\s+|/)frpc.*-s)|((^|\\s+|/)frpc.* [...]
-dipper.private.blink.rules&&&&express&&&&11239&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11236\",\"11237\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11240&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11239\",\"11238\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11236&&&&{"aesFlag":1,"varName":"___lower_proc_name_10010","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"yULyv2GPMaUFOae6UIbhCUMLUHrCa3Jotp8GNoo9qfbC2YF68YUz+LwjrBfi5Iw2SApZ0+OF1Xq9URrWUSWYvGeADOnB8V23goFx8ipWp6E="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11238&&&&{"varName":"___ISIPV4PUBLIC_10003","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Boolean\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"false"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11237&&&&{"aesFlag":1,"varName":"___lower_cmdline_10099","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"W0+STHJIqhBCXrNjId3ZBPV5qIQblgW+UlQ2WJDEXkqOiVG8RaI2603N5Q/5Gocb+24bg5f3n+auKo3Q5rQvpQLr7zxmiyzWTTzIwpKGn2M4GLlu63fJYXcGWRwsmOQilpzt7mOPVIMJP8r274FBXnNM+WwBWNvIFuUFOKv0Y3wz0e5krmrQPm1lyXOpW7ZE8qch7eeSW1q5i2sxlQJTKY7 [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_lateral_movement_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_lateral_movement_script_10003","type":"script","value":"retainField(k8s_namespace,proc_path,pid,proc_start_time,dir,host_uuid,dst_ip,parent_start_time,src_ip,k8s_node_name,cmdline,container_ [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_net_sas_linux_alert_netstat_lateral_movement_rule_10003&&&&{"expressionStr":"ppid,<>,double,1","scriptNames":"[]","expressionName":"11241","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_lateral_movement_rule_10003","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":" [...]
-dipper.private.blink.rules&&&&express&&&&11241&&&&{"varName":"ppid","functionName":"<>","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"1.0"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_lateral_movement_script_10004&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_lateral_movement_script_10004","type":"script","value":"retainField(k8s_namespace,proc_path,pid,proc_start_time,dir,host_uuid,dst_ip,parent_start_time,src_ip,k8s_node_name,cmdline,container_ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_lateral_movement_script_10005&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_lateral_movement_script_10005","type":"script","value":"retainField(k8s_namespace,proc_path,pid,proc_start_time,dir,host_uuid,dst_ip,parent_start_time,src_ip,k8s_node_name,cmdline,container_ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_lateral_movement_script_10006&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_lateral_movement_script_10006","type":"script","value":"___REGEXP_REPLACE_10049=REGEXP_REPLACE(cmdline,'([^\\\\\\:\\>\\-\\&\\@\\=\\%\\s~~~~~\\/\\.\\(\\)\\[\\]]{1})','A');\n___concat_10042=co [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_lateral_movement_script_10007&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_lateral_movement_script_10007","type":"script","value":"retainField(k8s_namespace,proc_path,pid,proc_start_time,dir,host_uuid,dst_ip,parent_start_time,src_ip,k8s_node_name,cmdline,container_ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_lateral_movement_script_10008&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_lateral_movement_script_10008","type":"script","value":"retainField(k8s_namespace,proc_path,pid,proc_start_time,dir,host_uuid,dst_ip,parent_start_time,src_ip,k8s_node_name,cmdline,abk_raw,co [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_lateral_movement_script_10009&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_lateral_movement_script_10009","type":"script","value":"uuid=host_uuid;\nali_uid='';\nclient_ip='';\nevent_type='异常网络连接';\nevent_name='疑似内网横向移动';\nlevel='high';\n___cast_10967=cast(cmdline,' [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_lateral_movement_script_10010&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_lateral_movement_script_10010","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_lateral_movement_script_10011&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_lateral_movement_script_10011","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[ [...]
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_net_sas_linux_alert_netstat_lateral_movement_channel_10001&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_lateral_movement_channel_10001","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consum [...]
-dipper.private.blink.rules&&&&pipline&&&&blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"nextStageLables\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"cancelAfterConfigurableRefreshListerner\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"ownerSqlN [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3;json_concat_10023&&&&{"fullClassName":"com.aliyun.sec.lyra.udf.ext.JsonConcat","initMethodName":"open","functionName":"json_concat","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3;json_concat_10023","type":"script","version":"1 [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3;b64_auto_10007&&&&{"fullClassName":"com.lyra.xs.udf.ext.b64_auto","initMethodName":"open","functionName":"b64_auto","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3;b64_auto_10007","type":"script","version":"1.0","closeMethodNam [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3;sas_black_rule_v2_10003&&&&{"fullClassName":"com.lyra.xs.udf.ext.sas_black_rule_v2","initMethodName":"open","functionName":"sas_black_rule_v2","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3;sas_black_rule_v2_10003","type":"scr [...]
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder":"true","maxFetchLogGroupSize":"100","s [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10001","type":"script","value":"___lower_proc_path_10001=lower(proc_path);\n___lower_parent_proc_file_name_10001=lower(parent_proc_file_name);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_rule_10001&&&&{"expressionStr":"(dir,==,'out')&((((___lower_proc_path_10001,like,'%.exe')|(___lower_parent_proc_file_name_10001,like,'%.exe'))|(proc_path,like,'_:/%'))|(parent_proc_file_name,like,'_:/%'))","scriptNames":"[]","expressionName":"11250","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_sourc [...]
-dipper.private.blink.rules&&&&express&&&&11250&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11242\",\"11249\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11243&&&&{"aesFlag":1,"varName":"___lower_proc_path_10001","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"+hpefcjI0jxX3V74t6E7Ow=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11242&&&&{"aesFlag":1,"varName":"dir","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"kB68YBCbbpAqvn37U8lnhw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11245&&&&{"aesFlag":1,"varName":"proc_path","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"iEGyh/evZuz6gUfAf8QayQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11244&&&&{"aesFlag":1,"varName":"___lower_parent_proc_file_name_10001","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"+hpefcjI0jxX3V74t6E7Ow=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11247&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11243\",\"11244\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11246&&&&{"aesFlag":1,"varName":"parent_proc_file_name","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"iEGyh/evZuz6gUfAf8QayQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11249&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11248\",\"11246\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11248&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11247\",\"11245\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10002","type":"script","value":"logtime=scan_time;\n___unixtime_10022=unixtime(scan_time);\nunix_time=___unixtime_10022;rm('___unixtime_10022');\nuuid=host_uuid;\ncmd=cmdline;\npexe=proc [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10003","type":"script","value":"retainField(unix_time,pid,ppexe,dir,uuid,pproc_name,dst_ip,ppid,src_ip,src_port,pexe,proto,dst_port,cmd,proc_name,logtime,pcmd,status);","version":"1.0"," [...]
-dipper.private.blink.rules&&&&window&&&&blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_window_10001&&&&{"groupByFieldName":"uuid;dst_ip;dst_port;cmd;pexe;proc_name;ppexe;status;proto;___cast_10991","waterMarkMinute":"0","className":"com.aliyun.yundun.dipper.window.model.OverWindow","configureName":"blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_window_10001","type":"window","version":"1.0","fireDelaySecond":"30","timeout":"30000","activtyTimeOut":"3000","sizeInterval":"60", [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10004&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10004","type":"script","value":"___multiplication_10024=multiplication(60,10);\n___division_10018=division(unix_time,___multiplication_10024);\n___cast_10991=cast(___division_10018,'long [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10005&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10005","type":"script","value":"retainField(unix_time,pid,ppexe,dir,uuid,pproc_name,dst_ip,ppid,src_ip,src_port,pexe,proto,dst_port,cmd,proc_name,logtime,pcmd,status,r_dasudu19ud12y1827) [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_rule_10002&&&&{"expressionStr":"r_dasudu19ud12y1827,==,double,1","scriptNames":"[]","expressionName":"11251","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_rule_10002","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11251&&&&{"varName":"r_dasudu19ud12y1827","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"1.0"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10006&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10006","type":"script","value":"___regexp_10596=regex(dst_ip,'^((127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(172\\.3[0-1]\\.)|(192\\.168\\.))');\nif(___regexp_10596){___if_dwd_y [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10007&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10007","type":"script","value":"retainField(unix_time,pid,ppexe,dir,uuid,pproc_name,dst_ip,ppid,src_ip,src_port,pexe,proto,dst_port,cmd,proc_name,logtime,pcmd,status,r_dasudu19ud12y1827, [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10008&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10008","type":"script","value":"___!_10072=!(((dir,==,'out')&(dst_ip,like,'100.100.%')));\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_rule_10003&&&&{"expressionStr":"(___!_10072)","scriptNames":"[]","expressionName":"11253","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_rule_10003","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11252&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"___!_10072\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11253&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11252\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10009&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10009","type":"script","value":"___REGEXP_EXTRACT_10021=REGEXP_EXTRACT(cmd,'([a-zA-Z0-9\\/+=]{50,})',1);\ncmd_b64_raw=___REGEXP_EXTRACT_10021;rm('___REGEXP_EXTRACT_10021');\n","version": [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10010&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10010","type":"script","value":"retainField(cmd_b64_raw,unix_time,pid,is_dstip_private,ppexe,dir,uuid,pproc_name,dst_ip,ppid,src_ip,src_port,pexe,proto,dst_port,cmd,proc_name,logtime,pcm [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10011&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10011","type":"script","value":"___lower_proc_name_10011=lower(proc_name);\nclean_proc=___lower_proc_name_10011;rm('___lower_proc_name_10011');\n___lower_pproc_name_10013=lower(pproc_nam [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10012&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10012","type":"script","value":"retainField(clean_proc,b64_decode_raw,clean_pexe,clean_pproc,clean_cmd,unix_time,pid,is_dstip_private,ppexe,dir,uuid,pproc_name,dst_ip,ppid,src_ip,src_por [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10013&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10013","type":"script","value":"___lower_b64_decode_raw_10003=lower(b64_decode_raw);\nb64_decode=___lower_b64_decode_raw_10003;rm('___lower_b64_decode_raw_10003');\n_tmp_qweyhkuyiyiuy='@ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10014&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10014","type":"script","value":"retainField(b64_decode,is_real_out,_tmp_qweyhkuyiyiuy,clean_cmd,unix_time,pid,ppexe,dir,uuid,dst_ip,src_ip,pexe,cmd_b64_raw,b64_decode_raw,clean_pexe,is_d [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10015&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10015","type":"script","value":"___cast_10992=cast(cmd,'string');\n___cast_10993=cast(pcmd,'string');\n___cast_10994=cast(clean_proc,'string');\n___cast_10995=cast(clean_pproc,'string'); [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10016&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10016","type":"script","value":"retainField(clean_cmd,unix_time,pid,ppexe,dir,is_success,uuid,dst_ip,src_ip,is_real_out,pexe,cmd_b64_raw,b64_decode_raw,clean_pexe,_tmp_qweyhkuyiyiuy,is_d [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10017&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10017","type":"script","value":"___STRING_SPLIT_10003=STRING_SPLIT(threat_type_all,_tmp_qweyhkuyiyiuy);T.v=udtf.0;","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10018&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10018","type":"script","value":"___trim_10006=trim(T.v);\nthreat_type=___trim_10006;rm('___trim_10006');\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10019&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10019","type":"script","value":"retainField(threat_type,clean_cmd,unix_time,pid,ppexe,dir,is_success,uuid,dst_ip,src_ip,is_real_out,pexe,cmd_b64_raw,threat_type_all,b64_decode_raw,clean_ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10020&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10020","type":"script","value":"___!null_10046=!null(threat_type);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_rule_10004&&&&{"expressionStr":"___!null_10046&(threat_type,regex,'\\S+')","scriptNames":"[]","expressionName":"11255","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_rule_10004","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNam [...]
-dipper.private.blink.rules&&&&express&&&&11254&&&&{"aesFlag":1,"varName":"threat_type","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"BhPVyKanBl/NbolFClSKRQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11255&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"___!null_10046\",\"11254\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10021&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10021","type":"script","value":"retainField(clean_cmd,unix_time,pid,ppexe,dir,is_success,uuid,dst_ip,src_ip,is_real_out,pexe,cmd_b64_raw,threat_type,threat_type_all,b64_decode_raw,clean_ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10022&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10022","type":"script","value":"___in_10107=contain(threat_type,'sas_black_rule_online','powershell_danger_port','installutil联网','msbuild联网','sensitive_path_N_danger_port')\n;___compare_ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10023&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10023","type":"script","value":"retainField(event_name,clean_cmd,unix_time,pid,ppexe,dir,is_success,uuid,dst_ip,src_ip,is_real_out,pexe,cmd_b64_raw,threat_type,threat_type_all,b64_decode [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_rule_10005&&&&{"expressionStr":"event_name,<>,'ob'","scriptNames":"[]","expressionName":"11256","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_rule_10005","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11256&&&&{"aesFlag":1,"varName":"event_name","functionName":"<>","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"EN2hVlftSLdhuJOTt7HCwg=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10024&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10024","type":"script","value":"ali_uid='';\nclient_ip='';\nevent_type='异常网络连接';\nlevel='high';\n___cast_11004=cast(logtime,'string');\n___cast_11005=cast(uuid,'string');\n___cast_11006= [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10025&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_script_10025","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_channel_10001&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink_source_aegis_net_adl_sas_apsara_win_net_rule_v3_channel_10001","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder":"true","ma [...]
-dipper.private.blink.rules&&&&pipline&&&&blink_source_aegis_net_sas_linux_alert_netstat_black_feature&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"nextStageLables\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"blink_source_aegis_net_sas_linux_alert_netstat_black_feature_script_10002\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"cancelAfterConfigurableRefreshListerner\\\\\\\":\\\\\\\"false\\\\\\\",\ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_black_feature;sas_black_rule_v2_10004&&&&{"fullClassName":"com.lyra.xs.udf.ext.sas_black_rule_v2","initMethodName":"open","functionName":"sas_black_rule_v2","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_black_feature;sas_black_rule_v2_1000 [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_black_feature;json_concat_10024&&&&{"fullClassName":"com.aliyun.sec.lyra.udf.ext.JsonConcat","initMethodName":"open","functionName":"json_concat","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_black_feature;json_concat_10024","type":"script [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_black_feature;b64_auto_10008&&&&{"fullClassName":"com.lyra.xs.udf.ext.b64_auto","initMethodName":"open","functionName":"b64_auto","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_black_feature;b64_auto_10008","type":"script","version":"1.0"," [...]
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_net_sas_linux_alert_netstat_black_feature&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_black_feature","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","syncTimeout":"5000","groupName":"blink_source_aegis_net_sas_linux_alert_netstat_black_featu [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_black_feature_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_black_feature_script_10001","type":"script","value":"___lower_proc_path_10002=lower(proc_path);\nstd_proc_path=___lower_proc_path_10002;rm('___lower_proc_path_10002');\n___lower_proc_name_10012 [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_black_feature_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_black_feature_script_10002","type":"script","value":"retainField(proc_path,std_proc_path,pid,dir,proc_start_time,host_uuid,dst_ip,parent_start_time,src_ip,cmdline,sas_black_rule_ob_result,std_c [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_black_feature_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_black_feature_script_10003","type":"script","value":"retainField(proc_path,std_proc_path,pid,dir,proc_start_time,host_uuid,dst_ip,parent_start_time,src_ip,cmdline,sas_black_rule_ob_result,std_c [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_black_feature_script_10004&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_black_feature_script_10004","type":"script","value":"___compare_10316=great(sas_black_rule_online_result,0);\n___lower_std_proc_name_10001=lower(std_proc_name);\n___compare_10317=equals(___lowe [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_black_feature_script_10005&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_black_feature_script_10005","type":"script","value":"retainField(hit_result,proc_path,std_proc_path,pid,dir,proc_start_time,host_uuid,dst_ip,parent_start_time,src_ip,cmdline,sas_black_rule_ob_r [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_black_feature_script_10006&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_black_feature_script_10006","type":"script","value":"___in_10111=contain(hit_result,'黑特征','可疑端口监听','联网shell','联网系统命令','端口转发3','可疑网络外连')\n;if(___in_10111){___case_10165=0;}else{___case_10165=1;} [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_black_feature_script_10007&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_black_feature_script_10007","type":"script","value":"retainField(is_white,proc_path,std_proc_path,pid,dir,proc_start_time,host_uuid,dst_ip,parent_start_time,src_ip,cmdline,sas_black_rule_ob_res [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_black_feature_script_10008&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_black_feature_script_10008","type":"script","value":"retainField(proc_path,pid,dir,proc_start_time,host_uuid,dst_ip,parent_start_time,src_ip,cmdline,abk_raw,container_image_id,hit_result,logTim [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_net_sas_linux_alert_netstat_black_feature_rule_10001&&&&{"expressionStr":"is_white,==,double,0","scriptNames":"[]","expressionName":"11257","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_black_feature_rule_10001","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[] [...]
-dipper.private.blink.rules&&&&express&&&&11257&&&&{"varName":"is_white","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0.0"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_black_feature_script_10009&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_black_feature_script_10009","type":"script","value":"retainField(container_image_id,hit_result,proc_path,pid,dir,proc_start_time,host_uuid,dst_ip,parent_start_time,logTime,ppid,src_ip,src_port, [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_black_feature_script_10010&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_black_feature_script_10010","type":"script","value":"uuid=host_uuid;\nali_uid='';\nclient_ip='';\nevent_type='异常网络连接';\n___compare_10321=equals(hit_result,'可疑端口监听');\nif(___compare_10321){___ca [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_black_feature_script_10011&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_black_feature_script_10011","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_black_feature_script_10012&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_black_feature_script_10012","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_net_sas_linux_alert_netstat_black_feature_channel_10001&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_black_feature_channel_10001","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrd [...]
-dipper.private.blink.rules&&&&pipline&&&&blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"nextStageLables\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"cancelAfterConfigurableRefreshListerner\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"ownerSq [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2;json_concat_10025&&&&{"fullClassName":"com.aliyun.sec.lyra.udf.ext.JsonConcat","initMethodName":"open","functionName":"json_concat","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2;json_concat_10025","type":"script","version": [...]
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder":"true","maxFetchLogGroupSize":"100", [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_script_10001","type":"script","value":"___lower_proc_path_10003=lower(proc_path);\n___lower_parent_proc_file_name_10002=lower(parent_proc_file_name);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_rule_10001&&&&{"expressionStr":"(dir,==,'out')&((((___lower_proc_path_10003,like,'%.exe')|(___lower_parent_proc_file_name_10002,like,'%.exe'))|(proc_path,like,'_:/%'))|(parent_proc_file_name,like,'_:/%'))","scriptNames":"[]","expressionName":"11266","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_sour [...]
-dipper.private.blink.rules&&&&express&&&&11261&&&&{"aesFlag":1,"varName":"proc_path","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"iEGyh/evZuz6gUfAf8QayQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11260&&&&{"aesFlag":1,"varName":"___lower_parent_proc_file_name_10002","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"+hpefcjI0jxX3V74t6E7Ow=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11263&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11259\",\"11260\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11262&&&&{"aesFlag":1,"varName":"parent_proc_file_name","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"iEGyh/evZuz6gUfAf8QayQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11265&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11264\",\"11262\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11264&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11263\",\"11261\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11266&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11258\",\"11265\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11258&&&&{"aesFlag":1,"varName":"dir","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"kB68YBCbbpAqvn37U8lnhw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11259&&&&{"aesFlag":1,"varName":"___lower_proc_path_10003","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"+hpefcjI0jxX3V74t6E7Ow=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_script_10002","type":"script","value":"logtime=scan_time;\n___unixtime_10023=unixtime(scan_time);\nunix_time=___unixtime_10023;rm('___unixtime_10023');\nuuid=host_uuid;\ncmd=cmdline;\npexe=pr [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_script_10003","type":"script","value":"retainField(unix_time,pid,ppexe,dir,uuid,pproc_name,dst_ip,ppid,src_ip,src_port,pexe,proto,dst_port,cmd,proc_name,logtime,pcmd,status);","version":"1.0" [...]
-dipper.private.blink.rules&&&&window&&&&blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_window_10001&&&&{"groupByFieldName":"uuid;dst_ip;dst_port;cmd;pexe;proc_name;ppexe;status;proto;___cast_11053","waterMarkMinute":"0","className":"com.aliyun.yundun.dipper.window.model.OverWindow","configureName":"blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_window_10001","type":"window","version":"1.0","fireDelaySecond":"30","timeout":"30000","activtyTimeOut":"3000","sizeInterval":"60 [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_script_10004&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_script_10004","type":"script","value":"___multiplication_10025=multiplication(60,10);\n___division_10019=division(unix_time,___multiplication_10025);\n___cast_11053=cast(___division_10019,'lo [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_script_10005&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_script_10005","type":"script","value":"retainField(unix_time,pid,ppexe,dir,uuid,pproc_name,dst_ip,ppid,src_ip,src_port,pexe,proto,dst_port,cmd,proc_name,logtime,pcmd,status,r_dasudu19ud12y182 [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_rule_10002&&&&{"expressionStr":"r_dasudu19ud12y1827,==,double,1","scriptNames":"[]","expressionName":"11267","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_rule_10002","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]" [...]
-dipper.private.blink.rules&&&&express&&&&11267&&&&{"varName":"r_dasudu19ud12y1827","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"1.0"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_script_10006&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_script_10006","type":"script","value":"___regexp_10611=regex(dst_ip,'^((127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(172\\.3[0-1]\\.)|(192\\.168\\.))');\nif(___regexp_10611){___if_dwd [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_script_10007&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_script_10007","type":"script","value":"retainField(unix_time,pid,ppexe,dir,uuid,pproc_name,dst_ip,ppid,src_ip,src_port,pexe,proto,dst_port,cmd,proc_name,logtime,pcmd,status,r_dasudu19ud12y182 [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_rule_10003&&&&{"expressionStr":"((dst_port,==,'445')&(status,==,'TCP_STATE_ESTABLISHED'))&(pexe,!in,'\\'N/A\\',\\'\\',\\'null\\'')","scriptNames":"[]","expressionName":"11272","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_rule_10003","ruleStatus":"0", [...]
-dipper.private.blink.rules&&&&express&&&&11270&&&&{"aesFlag":1,"varName":"pexe","functionName":"!in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"pvra235d2zA7ATJsvgXMoQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11272&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11271\",\"11270\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11271&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11268\",\"11269\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11269&&&&{"aesFlag":1,"varName":"status","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"mBo8DRi0jqLEUMAk3fPIkEAFxUrWkYtflRV52aAcmFs="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11268&&&&{"aesFlag":1,"varName":"dst_port","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"H2mt3iCJRyVxRN/JBkPzZA=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_script_10008&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_script_10008","type":"script","value":"os='win';\n___unixtime_10024=unixtime(logtime);\n___multiplication_10026=multiplication(60,60);\n___multiplication_10027=multiplication(___multiplicatio [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_script_10009&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_script_10009","type":"script","value":"retainField(detail_len_max,os,time_part,unix_time,pid,is_dstip_private,ppexe,dir,uuid,pproc_name,dst_ip,ppid,src_ip,src_port,pexe,proto,dst_port,cmd,pro [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_script_10010&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_script_10010","type":"script","value":"___!null_10047=!null(time_part);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_rule_10004&&&&{"expressionStr":"(___!null_10047)","scriptNames":"[]","expressionName":"11274","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_rule_10004","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11274&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11273\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11273&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"___!null_10047\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&window&&&&blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_window_10002&&&&{"groupByFieldName":"time_part;uuid;pexe;dst_port;proto;detail_len_max;cmd;os","waterMarkMinute":"0","sizeAdjust":"0","className":"com.aliyun.yundun.dipper.window.model.WindowMessageProcessor","configureName":"blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_window_10002","type":"window","version":"1.0","windowType":"hop","fireDelaySecond":"30","timeout":"30000","activtyTi [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_script_10011&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_script_10011","type":"script","value":"retainField(dst_ip_cnt,pproc_name_dtail,os,time_part,cmd_max,pid,uuid,min_time,pproc_name_max,cmd_detail,detail_len_max,pcmd_max,pexe,proto,dst_port,max [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_rule_10005&&&&{"expressionStr":"dst_ip_cnt,>,double,10","scriptNames":"[]","expressionName":"11275","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_rule_10005","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11275&&&&{"varName":"dst_ip_cnt","functionName":">","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"10.0"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_script_10012&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_script_10012","type":"script","value":"retainField(dst_ip_cnt,pproc_name_dtail,os,time_part,cmd_max,pid,uuid,min_time,pproc_name_max,cmd_detail,detail_len_max,pcmd_max,pexe,proto,dst_port,max [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_rule_10006&&&&{"expressionStr":"1,==,double,1","scriptNames":"[]","expressionName":"11276","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_rule_10006","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[]"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11276&&&&{"varName":"1","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"1.0"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_script_10013&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_script_10013","type":"script","value":"ali_uid='';\nclient_ip='';\nevent_type='异常网络连接';\nevent_name='疑似敏感端口扫描行为';\nlevel='medium';\n___cast_11054=cast(dst_ip_cnt,'string');\n___JSON_CONCAT_10 [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_script_10014&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_script_10014","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_channel_10001&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink_source_aegis_net_adl_sas_apsara_win_port_scan_v2_channel_10001","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder":"true"," [...]
-dipper.private.blink.rules&&&&pipline&&&&blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.FilterChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"nextStageLables\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell_script_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"cancelAfterConfigurableRefreshListerner\\\\\\\":\\\\\\\"false\\\\\\\",\ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell;b64_auto_10009&&&&{"fullClassName":"com.lyra.xs.udf.ext.b64_auto","initMethodName":"open","functionName":"b64_auto","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell;b64_auto_10009","type":"script","version":"1.0"," [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell;json_concat_10026&&&&{"fullClassName":"com.aliyun.sec.lyra.udf.ext.JsonConcat","initMethodName":"open","functionName":"json_concat","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell;json_concat_10026","type":"script [...]
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","syncTimeout":"5000","groupName":"blink_source_aegis_net_sas_linux_alert_netstat_reverse_she [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell_rule_10001&&&&{"expressionStr":"(dir,==,'out')&(dst_ip,!in,'\\'127.0.0.1\\'')","scriptNames":"[]","expressionName":"11279","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell_rule_10001","ruleStatus":"0","type":"rule","version":"1.0","extendFiel [...]
-dipper.private.blink.rules&&&&express&&&&11278&&&&{"aesFlag":1,"varName":"dst_ip","functionName":"!in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"qlkoz6ZzoWKyXcuI2NiwqQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11277&&&&{"aesFlag":1,"varName":"dir","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"kB68YBCbbpAqvn37U8lnhw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11279&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11277\",\"11278\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell_script_10001","type":"script","value":"___lower_cmdline_10101=lower(cmdline);\n___REGEXP_REPLACE_10054=REGEXP_REPLACE(___lower_cmdline_10101,'\\s+',' ');\nstd_cmdline=___REGEXP_RE [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell_script_10002","type":"script","value":"retainField(k8s_namespace,proc_path,pid,dir,proc_start_time,host_uuid,dst_ip,parent_start_time,src_ip,k8s_node_name,cmdline,std_cmdline,cont [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell_rule_10002&&&&{"expressionStr":"(((((((((((((((((((((((((((((((((((((((((std_cmdline,regex,'^(((/?([a-zA-Z0-9_\\.\\-]+/){1,20})bin/)|/bin/|/|-)?(bash|sh|dash|ash|tcsh|csh|ksh)(\\s+[\\-a-z0-9]{1,5}){1,5}\\s*$')&(std_cmdline,regex,'-[a-z0-9]{0,4}i[a-z0-9]{0,4}'))|(std_cmdline,regex,'^(((/?([a-zA-Z0-9_\\.\\-]+/){1,20})bin/)|/bin/|/|-)?zsh\\s*$'))|(std_cmdline,regex,'(mkfifo|mknod).*&&\\s*(nc|t [...]
-dipper.private.blink.rules&&&&express&&&&11340&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11339\",\"11299\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11306&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"wY2TXDp84Np+fxCQw153qSOBRfZ5HzQhU8et9MwgBsM="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11305&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"ECKiR+VSLN0UJKMNnLRBzhCRKUJ1lwglvQPeOT3o6HZ1w1lsZlOOAWGqvcy19vuPUD2qnyEV5dcJYaWPL7dnuw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11349&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11348\",\"11308\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11308&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"WOspaXLAGxMn68UjGzgPMtwakB96I2wWn8tkcxUQ+tg6f1w3UvEhq/9YTeG7aUxpjSRn8vaLVPWw9v4R3pjTNQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11307&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"fKKxPOBqvGDBL8gf1En+jXSeH09f2NiEAxOCTMHPPVyyDXOfZVpRhzCifKHBQ/GhlUIK5Tys3qhw+gGDA0mkYQEMqY9rL7nmXZaTDMGrD7qQ64ORsh0j3HbW5XUxe1k9D/c+oPPB18fbkH7gxRCn6OocdswhUhuOUEKnNaN6gbTB60UM9BJfIrxCXN2xYG0s"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11309&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"mPvs4d/P/GyxoYG1nO5HKdG8cMpJ6tz8ID7jPha5bnSqCeJrUCkGBjKl18tBIg+QCUV0N4n7ecI6VRZC40pLoQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11342&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11341\",\"11301\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11341&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11340\",\"11300\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11300&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"S6+5nja7S9/5FD7Y9XWiMXlNNYLiwb+PpsTeyu0wTwmqXeVGKT8cz371234XRRs64E++v99R0XlwvhGSPJDPQlK2L2TuXLKVsrlfDgDFB4A="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11344&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11343\",\"11303\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11343&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11342\",\"11302\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11302&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"EBOsKA8HJr0TeID5FpnEGv1DYfkDqtN7zTZ9BqruY3GKaxnBlsl84RDlXhtxLN/VhPF7pfBk1150eJDAaSvD3EZDddj34f3nf7XJxONVt8o="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11346&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11345\",\"11305\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11301&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"NfOPvvUA2C02nnvJmlFVPIb1AQXWnScVSFTS0j3O1NPUlMwe38KWRFHo43FlwB+bI7Ls06CYxVy8xW4FGawtoQfHg7fPcVMJm4aGtUsThf0="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11345&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11344\",\"11304\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11304&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"EBOsKA8HJr0TeID5FpnEGk8OfW5gge289PC+T42dZMOqMmQwUl25j4sV82bdZQzFHfZVbbt0lB/EgrO9fQ3ZX9e8fK2i5SlvomB+6TObk/n9X5HKfEjzSrkiFR/EMKbKWGZ8bf+ALH7Vo+WH4og1eA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11348&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11347\",\"11307\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11303&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"EBOsKA8HJr0TeID5FpnEGhsz6jEjv19XPg1ML+aMKIi3VPwmHsnAX/AjthoMDVrxmmW3OL4PYANEf/gEOw3q9983zvSxEaeEZnnJHSA0vOr5et9uXOwEWhVBISH7pcah3E3j8pR9+z33jDX5I8XAFw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11347&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11346\",\"11306\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11351&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11350\",\"11310\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11350&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11349\",\"11309\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11317&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"1BklyQ3tw4vQH5b93Ia/vyXZH0RHgX3Eo5MdHJWKDCCCSYJ+YJig9HvriuFz25P/"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11316&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"WK0CcvVjcHNvKSz5NChmScbwq2rFCpGi/+AmRnM2Paxya0atBLfMta5qWg/EoJtHCpYOs/+DHGxFEpKLF+Kf7ln03RFewWw/XvdQeK0Xfu/I6WKFpntjkR4o3YBJQ2TyAtFf/6XQ9tPOQDo0tcHGO0W7t5CXwtLpL+hyUmUm3ig="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11319&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"xex36LJ6hs3NrKtc0smZnWbxKiHzkiCmnj1Lo3E4heuCCew6PLmc/yoE92e5dJzXMlJUjVZMn9/07Qt4Zz3t5w=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11318&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"hxdJkcCWlOLR0Z08v9P8nBuhHVB3C0BGnBHaWtJlSoBwAGmOVvMzJCR/hBaDbCnB27OvIRbjU3+4qErWPKZ9Xw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11353&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11352\",\"11312\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11352&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11351\",\"11311\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11311&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"EBOsKA8HJr0TeID5FpnEGk8OfW5gge289PC+T42dZMOqMmQwUl25j4sV82bdZQzF5BNzcp9OvbGB2bGGWWlAjnJojhiRyLmDQTBY12xBIRwL20Am54VnTPrDyKy4zSinqyVdT2dMZc5cJlrtZzw/Kw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11355&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11354\",\"11314\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11310&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"HDGdCUToGqETm9cV+Jw1DsDelVY01kGxLRoXbmDebmq0ptZlxf4r1YBlKFA+DgIYCIa6biOy7/UnU5VuvhpfoVaHGznnJEXLCs/fkUI3MN8="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11354&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11353\",\"11313\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11313&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"5ZNqmWb9CISLIDGXbtTJT8ot0Iyi6x5blCdB0qg2sMj0SPL4iR5NDF01E6AM1t+miwP0iC0BMCP+QR3Kg5S4XonytuBcbOBENg3EFJHmd8d+TGh6darQq1vbsbldr6jf"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11357&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11356\",\"11316\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11312&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"CXjr80lckkCQoRmGUctHXan4nAjLiopKSgP/26U9t4yuK6Bl8q0n/biqPgoe9SohDIqwDc9EOxlTF2d6HT/ydqFlHAq4xThHqrmrmzQuNME="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11356&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11355\",\"11315\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11315&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"EBOsKA8HJr0TeID5FpnEGk8OfW5gge289PC+T42dZMOqMmQwUl25j4sV82bdZQzF/V0UaVObgu2k9W0KBlU62EFR8eogS2ychnLDjmX0BJ0CXuVxm4ojZoY6jPBZDWhdLrPr1BzFFETnI/8hkSG8tg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11359&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11358\",\"11318\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11314&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"EBOsKA8HJr0TeID5FpnEGk8OfW5gge289PC+T42dZMOqMmQwUl25j4sV82bdZQzF6CkFqOebmPfTz2Zuknt0h22Hi1MUdiZ3F7EuATO0nSCxfs3mpVLkkj58hHieJCXtY8lwfKFrmxr4NwaO8GDsBQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11358&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11357\",\"11317\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11281&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0iakI5h93i0MVdEnQzv3Oayi2zdxP/QmjjNUk94pe/4="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11280&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"tC+6BVeaz7RbgiE7GI5nvI+3SNAfCktVEXCRJ2PiAZV6l5KuC1EsplbweRXMpO7VdK7uu993qm1aedLTtbg2Yklh5ogU1JJ5eSOwZIQRjAH0ze0cIG1oR0rs591s2jBozZaouf+j34WVK1W8XJXFNg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11283&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"1aiRaiqvOFibkrM/JSSjCApQH5ugQ7isbooFxL2VAN0YPlgmfmJWBvqP+6KjyHbp"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11360&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11359\",\"11319\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11282&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"tC+6BVeaz7RbgiE7GI5nvI+3SNAfCktVEXCRJ2PiAZV6l5KuC1EsplbweRXMpO7VtVy9YAY4uy+OTGXyoHY0kw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11285&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"1aiRaiqvOFibkrM/JSSjCHTCJIuyFUBJGoH9ymibBi5A5Q3hgNsyXVAomyYLunsX"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11362&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11361\",\"11321\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11284&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0yWv4wJ+Lh91yiZrWoWwA0QiYld/6Ag9ohQZOM8G0t+P6eS4ias9aG9XikdKtcAEOkSjBa5XjgVVzcEIy2GZZYXIX+Z5+7mUXqjc86ueoec="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11361&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11360\",\"11320\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11328&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11327\",\"11287\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11327&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11326\",\"11286\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11329&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11328\",\"11288\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11287&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"BSkRZytZ0ZpioJ9N79IarJlw/nTZlZcMiMSw3n+tiN9ikWIZJHE+2GgRPnYFXjF1qdxwMTXVMfh3Tp8oBnZ0W8k3sw3Hknl2ZWcbOIrw1pM="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11320&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"o3EBIPr0c0ZcyGjjhLGtU5S156e8TkmQE/omx4zSWpxN0jUy3o/vPrIz91zv/pZhLJPRxNK0HZPVzjbnMZmnPA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11286&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"1aiRaiqvOFibkrM/JSSjCPA3TJv0PJP6/if3K454Y1EEMUr5yjXddokuM6olNHE5pR0Fqfylep2/OERDuyXvlM31wnZ6b4Hmcm0zj0lIrEo="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11289&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"5ZNqmWb9CISLIDGXbtTJT8ot0Iyi6x5blCdB0qg2sMhCP2GecDQAW7YUtHs+dTM1VPwtc0NsZmXMjUWNLpF33w=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11322&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11280\",\"11281\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11288&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"BSkRZytZ0ZpioJ9N79IarJlw/nTZlZcMiMSw3n+tiN96X3+ZENqLYALk8+HKyZ/i/J5EgzH1u8CL8gd9m1QvpA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11321&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"Vs2VKxNtKiA0PJ0bP4XcHxxELX2RNqfaCC0F087m48+6IRw2wSZX0qa3CawbGZEvXc+rXK7S2iURJDOlHDRagA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11324&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11323\",\"11283\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11323&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11322\",\"11282\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11326&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11325\",\"11285\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11325&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11324\",\"11284\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11290&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"CXjr80lckkCQoRmGUctHXTXa3+u+NVZjaylmJ9j7ib0Rdv5J+hQ67ZDtEOUd+kfPxk0qvydCncT1KE5GPfFsxFupUKwdlNFqoVJmivUDgGStHKdpvruObX2chS8+izpO"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11292&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"CXjr80lckkCQoRmGUctHXY+hOB5x7uiMnhahKoGO+zdIycaMOFIcTXCy0Bi4oVNBkHXG5D5wXFsEKCrtV78ShdB2SaR1bFCQZH6VbGTqsiNglLFr4kZOoVN4SGPG2U8V/1q/02UvJuj5j7Rb1izY7w=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11291&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"CXjr80lckkCQoRmGUctHXTXa3+u+NVZjaylmJ9j7ib2qNExrI38l7Ehsz/Kv4MAUjYehEdzihIhLI+5cK5A25w=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11294&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"CXjr80lckkCQoRmGUctHXXU/9pTYOzIMQuESgsr3nzYaqYuWOSNdXJqD1EvgCQuWNxQlD0vVOWYsWkQOOGAHBRcpkWMRklY/I0raa28heKMptdZvXnYfrRUvXknkWhvU"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11293&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"CXjr80lckkCQoRmGUctHXTXa3+u+NVZjaylmJ9j7ib2K5GJwmtRq/Tvq7K2jOBCeYPDvJjMIoR6YcH8wM7LlSUaTo5Vst5WKNLPDWgl13sOitlwIatuJFAI+2fY3/Ww2"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11296&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"CXjr80lckkCQoRmGUctHXXNahm3tYU2TR6eNXFlHK8v4p55wK/41TMoXz8QSOep+x5+NkUo7biKiqiMSGjVxlA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11295&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"CXjr80lckkCQoRmGUctHXa4Q2n6hyzgpSv5CAmEKFcRaRRAKCcTvHbv41weYBBIV"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11339&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11338\",\"11298\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11338&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11337\",\"11297\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11298&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"hlmYfaWn4nmcgbGmwxlgbJq7JDgGmWvS7+SBYB1yh4XoURRiiwa3zg3/8mVyu6GGeKoS/h8NwkXKhKbDmaDl1A=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11331&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11330\",\"11290\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11297&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"hlmYfaWn4nmcgbGmwxlgbGg4r39BvWbW/3EaUWfR5oZjqkLVJv7+9sEv6Jw+y4LyuWv3CkZcMElOXxHbYVvfzWonh1aT6UQB6tdGcTW5mXw="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11330&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11329\",\"11289\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11333&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11332\",\"11292\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11299&&&&{"aesFlag":1,"varName":"std_cmdline","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"/BewLdePbTzbt8jB8hW7H+6IOTk4ajiWVsnWbh050ndXaeG2dWTfd8x1KLSiMSsYqmJ7UpHpYBubevn+6vm77urEv0HWYboyNITcRrsLeyvBjTvwQ0ZwM5CDghQDbzGaQArqtnE0k+bJUbMo3EqsyjxbjyrMtRyImECDCq7jOR+53cnUpTFeahjL8HY6I63A"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11332&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11331\",\"11291\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11335&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11334\",\"11294\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11334&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11333\",\"11293\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11337&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11336\",\"11296\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11336&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11335\",\"11295\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell_script_10003","type":"script","value":"___compare_10322=equals(b64_cmdline,'');\n___null_10075=null(b64_cmdline);\n___B64_AUTO_10007=B64_AUTO(b64_cmdline);\nif((___compare_10322|_ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell_script_10004&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell_script_10004","type":"script","value":"retainField(k8s_namespace,proc_path,pid,dir,proc_start_time,host_uuid,dst_ip,parent_start_time,src_ip,k8s_node_name,cmdline,std_cmdline,cont [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell_script_10005&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell_script_10005","type":"script","value":"__compare_value_10016=!((b64_cmdline,regex,'connect\\({1,3}(#######|~~~~~)127\\.0\\.0\\.1'))\n;__compare_value_10017=!((parent_proc_file_nam [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell_rule_10003&&&&{"expressionStr":"((b64_cmdline,==,'')|__compare_value_10016)&__compare_value_10017","scriptNames":"[]","expressionName":"11365","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell_rule_10003","ruleStatus":"0","type":"rule","versio [...]
-dipper.private.blink.rules&&&&express&&&&11364&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11363\",\"__compare_value_10016\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11363&&&&{"aesFlag":1,"varName":"b64_cmdline","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"wc8fi0p7qwBHnY1x2c6Qsw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11365&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11364\",\"__compare_value_10017\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell_script_10006&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell_script_10006","type":"script","value":"retainField(k8s_namespace,proc_path,pid,dir,proc_start_time,host_uuid,dst_ip,parent_start_time,src_ip,k8s_node_name,cmdline,std_cmdline,cont [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell_script_10007&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell_script_10007","type":"script","value":"source='netstat_ob';\n___regexp_10612=regex(std_cmdline,'^(((/?([a-zA-Z0-9_\\.\\-]+/){1,20})bin/)|/bin/|/|-)?(bash|sh|dash|ash|tcsh|csh|ksh) [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell_script_10008&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell_script_10008","type":"script","value":"retainField(k8s_namespace,proc_path,pid,source,dir,proc_start_time,host_uuid,dst_ip,parent_start_time,src_ip,k8s_node_name,cmdline,std_cmdli [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell_script_10009&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell_script_10009","type":"script","value":"source='netstat';\n___lower_cmdline_10102=lower(cmdline);\n___REGEXP_REPLACE_10055=REGEXP_REPLACE(___lower_cmdline_10102,'\\s+',' ');\n___RE [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell_script_10010&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell_script_10010","type":"script","value":"retainField(is_white,k8s_namespace,proc_path,pid,source,dir,proc_start_time,host_uuid,dst_ip,parent_start_time,src_ip,k8s_node_name,cmdline, [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell_rule_10004&&&&{"expressionStr":"is_white,==,double,0","scriptNames":"[]","expressionName":"11366","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell_rule_10004","ruleStatus":"0","type":"rule","version":"1.0","extendField":"[]","actionNames":"[] [...]
-dipper.private.blink.rules&&&&express&&&&11366&&&&{"varName":"is_white","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"0.0"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell_script_10011&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell_script_10011","type":"script","value":"uuid=host_uuid;\nali_uid='';\nclient_ip='';\nevent_type='异常网络连接';\nevent_name='反弹shell网络外连';\nlevel='high';\n___cast_11055=cast(cmdline,'str [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell_script_10012&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell_script_10012","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell_script_10013&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell_script_10013","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell_channel_10001&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink_source_aegis_net_sas_linux_alert_netstat_reverse_shell_channel_10001","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrd [...]
-dipper.private.blink.rules&&&&pipline&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"nextStageLables\\\\\\\":\\\\\\\"[\\\\\\\\\\\\\\\"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_rule_10001\\\\\\\\\\\\\\\"]\\\\\\\",\\\\\\\"cancelAfterConfigurableRefreshListerner\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\ [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert;json_concat_10027&&&&{"fullClassName":"com.aliyun.sec.lyra.udf.ext.JsonConcat","initMethodName":"open","functionName":"json_concat","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert;json_concat_10027","type":"script", [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert;salt_hash_10003&&&&{"fullClassName":"com.aliyun.sec.lyra.hsh.udf.ext.SaltHash","initMethodName":"open","functionName":"salt_hash","isURL":"false","methodName":"eval","className":"com.aliyun.yundun.dipper.blink.script.udf.BlinkUDFScript","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert;salt_hash_10003","type":"script","ver [...]
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","tags":"T_MSG_NETSTAT","syncTimeout":"5000","groupName":"blink_source_aegis_net_adl_sas_apsara [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10001","type":"script","value":"___len_10008=len(dst_ip);\n___lower_proc_path_10004=lower(proc_path);\n___lower_proc_path_10005=lower(proc_path);\n___lower_proc_path_10006=lo [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_rule_10001&&&&{"expressionStr":"(((((((((((((((((((((((((((((status,==,'TCP_STATE_ESTABLISHED')&(___len_10008,>,double,9))&(dst_ip,!like,'10.%'))&(dst_ip,!like,'192.168.%'))&(dst_ip,!like,'172.1%'))&(dst_ip,!like,'172.2%'))&(dst_ip,!like,'172.3%'))&(dst_ip,!like,'169.254.%'))&(cmdline,!like,'%/jdk%'))&(cmdline,!like,'%kube%'))&(cmdline,!like,'%-proxy%'))&(cmdline,!like,'%config%'))&(cmdline, [...]
-dipper.private.blink.rules&&&&express&&&&11380&&&&{"aesFlag":1,"varName":"___lower_proc_path_10004","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"bPd623S6p9+IKPQzgj7jqA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11382&&&&{"aesFlag":1,"varName":"___lower_proc_path_10006","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"8ID5+or/oei0n0A6H6LFJA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11381&&&&{"aesFlag":1,"varName":"___lower_proc_path_10005","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"a7G8lVqM8m5MpXv4yM6Sxw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11384&&&&{"aesFlag":1,"varName":"___lower_proc_path_10008","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"St1CoCCEbKkQLulE3uJS8g=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11383&&&&{"aesFlag":1,"varName":"___lower_proc_path_10007","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"PA1uuOgNPyGNxqvLTmj65Q=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11427&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11426\",\"11391\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11426&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11425\",\"11390\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11429&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11428\",\"___!null_10048\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11428&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11427\",\"11392\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11386&&&&{"aesFlag":1,"varName":"___lower_proc_path_10010","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"UWCrbTDUfKWSAb52gmiQtQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11385&&&&{"aesFlag":1,"varName":"___lower_proc_path_10009","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"pvtHFcqFW4vZaZY99L38Qg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11388&&&&{"aesFlag":1,"varName":"___lower_proc_path_10012","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"YpHdvBoL8TkWiAMopF0ONQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11421&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11420\",\"11385\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11387&&&&{"aesFlag":1,"varName":"___lower_proc_path_10011","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"BU6BD0E+0voWkMpBALEIKA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11420&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11419\",\"11384\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11423&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11422\",\"11387\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11389&&&&{"aesFlag":1,"varName":"___lower_proc_path_10013","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"+RXwIsAQBwC7HHP8mq3kGw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11422&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11421\",\"11386\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11425&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11424\",\"11389\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11424&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11423\",\"11388\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11391&&&&{"aesFlag":1,"varName":"___lower_proc_path_10015","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"2rXrGosCjY9Eoo/fh2tmNQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11390&&&&{"aesFlag":1,"varName":"___lower_proc_path_10014","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"+LGAKQAr9naYgnz9L4g2qw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11393&&&&{"aesFlag":1,"varName":"proc_path","functionName":"<>","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"M7grO0DWTNleGtk17FTQSw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11392&&&&{"aesFlag":1,"varName":"___lower_proc_path_10016","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"p0e7qODAqBvZC7YwC4+dUQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11395&&&&{"aesFlag":1,"varName":"proc_path","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"IPypLhG4WGJOP4nvKQJkUTdGwgZOsTnmJYeu8m72okdynCVkGAXpO9j0B4Vq6UzaLkSC6+yvsOUHb+liRzFr2w=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11394&&&&{"aesFlag":1,"varName":"proc_path","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"zsOmosoNjV3J8o5lspZXPVoLfXXbaN3Qj0t0cTtDsO+BgtgZ49F8dVvPFowl529f1mzFXSLM4VAAXb57g1jGYZZMz2tHyPsK6dABmE7XfNQVwXUgFc7kpdyA1VkTIMxR"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11438&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11436\",\"11437\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11437&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11400\",\"11401\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11439&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11438\",\"11402\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11397&&&&{"aesFlag":1,"varName":"cmdline","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"TvIgwB7604F//ITo85BhIw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11430&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11429\",\"11393\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11396&&&&{"aesFlag":1,"varName":"cmdline","functionName":"<>","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":""}&&&&null
-dipper.private.blink.rules&&&&express&&&&11399&&&&{"aesFlag":1,"varName":"proc_path","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"uYyF//VCc6AARu+aqn+bzd/y/GbZnyidJYA6VF802arwHoTvChbKQTu/a98QleBOcZk0kEstJoLJmvRPhWuSuTh+dSDPNBPlqsi3lsOPxEpclTRlSZCoYuvCc++IYPOKDK+BSoNL3BVo2a8l07bgMw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11432&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11396\",\"11397\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11398&&&&{"aesFlag":1,"varName":"proc_path","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"3zhi4QJjswHAFuRJcKjmyPd6jKBPiEeqIPEaVnZbg4+KLfq8s8pwPsMpkb3mDiAeG8zvaQC6XEbpQhd1XtwNDhcLEecZ8x/Ll4PC3mGfjZbk5Fq/u+IU8ljdCAiP6rcJ"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11431&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11430\",\"___!_10081\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11434&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11394\",\"11433\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11433&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11395\",\"11432\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11436&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11435\",\"11399\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11435&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11434\",\"11398\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11405&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11404\",\"11369\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11404&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11367\",\"11368\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11407&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11406\",\"11371\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11406&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11405\",\"11370\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11409&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11408\",\"11373\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11408&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11407\",\"11372\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11441&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11431\",\"11440\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11440&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11439\",\"11403\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11368&&&&{"varName":"___len_10008","functionName":">","fieldFlag":false,"dataType":"{\"className\":\"java.lang.Double\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"9.0"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11401&&&&{"aesFlag":1,"varName":"proc_path","functionName":"like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"L185Aioyc9BQCz0KBWnP4Q=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11367&&&&{"aesFlag":1,"varName":"status","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"mBo8DRi0jqLEUMAk3fPIkEAFxUrWkYtflRV52aAcmFs="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11400&&&&{"aesFlag":1,"varName":"proc_path","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"LKyatoBKYggsg12A2XP6Rw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11403&&&&{"aesFlag":1,"varName":"proc_path","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"rh+ZjYZrKxl0QJnnmQMT0OGOd5ll/Q3OE6zVk1JisdtdPZFXL2VaTxvd9DJALkHPp63cT4WML2XGOlUD5NutNqluIPk11+AXbHhVO5DWXYxIyoa8zspQBX6tswytMFABBcbZZyDceUF9B/YTsZyEGmJt01vyJZyRIxFF8gYmNPChJCcpvhM5kYIpLceNfzk/iau7xJsdPENSzvDANQL4m/s8jLr0THmXAgwP1wx [...]
-dipper.private.blink.rules&&&&express&&&&11369&&&&{"aesFlag":1,"varName":"dst_ip","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"XsTI7crBOHY734eWxoY/qA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11402&&&&{"aesFlag":1,"varName":"proc_path","functionName":"regex","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"b20///b7od4W7KkQGuFdT3cHr44lJrhI3X1z8Cq1Bs5ZRX7eO0Bo5M6GOfU/kIC8XVajVzXlXnnFIoiNkNPQ1gzmrSsgq0G8UG9xF5kVYxfaHxST6lCqCillaz32KQgieMlR3vtfKiaL6Go4A2ioKw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11371&&&&{"aesFlag":1,"varName":"dst_ip","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"wGyK3zHJFe7jFO91U8ICMw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11370&&&&{"aesFlag":1,"varName":"dst_ip","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"LBXZ3QrQBCl9c4prF0Z32Q=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11373&&&&{"aesFlag":1,"varName":"dst_ip","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"JR3F6m8Pp+PN2+wGtruNqg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11372&&&&{"aesFlag":1,"varName":"dst_ip","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"LsYOeVl0Z98oLKV0r9DUQQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11416&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11415\",\"11380\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11415&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11414\",\"11379\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11418&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11417\",\"11382\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11417&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11416\",\"11381\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11419&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11418\",\"11383\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11375&&&&{"aesFlag":1,"varName":"cmdline","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"UWToOwPPb4g69jkG3iOP+g=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11374&&&&{"aesFlag":1,"varName":"dst_ip","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"7wRHqLNV+Tl7yWTGrn3peA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11377&&&&{"aesFlag":1,"varName":"cmdline","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"KkN8/qSKzeLSLvMNjYf8WQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11410&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11409\",\"11374\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11376&&&&{"aesFlag":1,"varName":"cmdline","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"xaum6KaJlG40DBtZRhY7rg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11379&&&&{"aesFlag":1,"varName":"cmdline","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"zPJajGmrdtnl6YvUdxRjQA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11412&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11411\",\"11376\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11378&&&&{"aesFlag":1,"varName":"cmdline","functionName":"!like","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"vKn74iKokQGtNLyYt8PwVg=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11411&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11410\",\"11375\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11414&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11413\",\"11378\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11413&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11412\",\"11377\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10002&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10002","type":"script","value":"uuid=host_uuid;\n___lower_proc_path_10018=lower(proc_path);\nproc_path=___lower_proc_path_10018;rm('___lower_proc_path_10018');\nproc_time=sca [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10003&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10003","type":"script","value":"retainField(src_ip,cmdline,proc_path,dst_port,pid,uuid,proc_time,dst_ip,ppid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10004&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10004","type":"script","value":"retainField(src_ip,cmdline,proc_path,dst_port,pid,uuid,proc_time,dst_ip,ppid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10005&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10005","type":"script","value":"client_ip=src_ip;\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10006&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10006","type":"script","value":"retainField(cmdline,proc_path,dst_port,client_ip,pid,uuid,proc_time,dst_ip,ppid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10007&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10007","type":"script","value":"___SALT_HASH_10003=SALT_HASH(dst_ip);;","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&dataSource&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_dataSource_10001&&&&{"className":"com.aliyun.yundun.dipper.configurable.http.resource.JDBCDataSource","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_dataSource_10001","userName":"xxxxxxxxxx","type":"dataSource","version":"1.0","url":"intelligence.rds.jdbc.url","timeout":"30000","activtyTimeOut":"3000","password":"xxxxxxxxx","isAutoFlush":"false","outputThr [...]
-dipper.private.blink.rules&&&&intelligence&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_intelligence_10001&&&&{"className":"com.aliyun.filter.intelligence.IPIntelligenceCache","pollingTimeMintue":"30","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_intelligence_10001","idFieldName":"id","batchSize":"3000","datasourceName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_dataSource_10001"," [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10008&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10008","type":"script","value":"intelligence('dipper.private.blink.rules','blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_intelligence_10001',___SALT_HASH_10003, [...]
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_rule_10002&&&&{"expressionStr":"(p.ip,!in,'\\'118.190.90.134\\',\\'101.132.192.134\\'')&(((((p.is_3rd,==,'1')|(p.is_c2,==,'1'))|(p.is_tor,==,'1'))|(p.is_mining_pool,==,'1'))|(p.is_malicious_source,==,'1'))","scriptNames":"[]","expressionName":"11452","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blin [...]
-dipper.private.blink.rules&&&&express&&&&11449&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11448\",\"11445\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11448&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11443\",\"11444\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11450&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11449\",\"11446\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11452&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11442\",\"11451\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11451&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11450\",\"11447\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11443&&&&{"aesFlag":1,"varName":"p.is_3rd","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"2vQJrhr8/lZ2HEw+NK0Glw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11442&&&&{"aesFlag":1,"varName":"p.ip","functionName":"!in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"3XsN7bjYH29AxCpN+9V+tgnyB8FflSqdNfVWv5iXBDtBVE0vLLQUDH1U8MyALVbI"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11445&&&&{"aesFlag":1,"varName":"p.is_tor","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"2vQJrhr8/lZ2HEw+NK0Glw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11444&&&&{"aesFlag":1,"varName":"p.is_c2","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"2vQJrhr8/lZ2HEw+NK0Glw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11447&&&&{"aesFlag":1,"varName":"p.is_malicious_source","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"2vQJrhr8/lZ2HEw+NK0Glw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11446&&&&{"aesFlag":1,"varName":"p.is_mining_pool","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"2vQJrhr8/lZ2HEw+NK0Glw=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10009&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10009","type":"script","value":"is_3rd=p.is_3rd;\nis_tor=p.is_tor;\nis_c2=p.is_c2;\nis_malicious_source=p.is_malicious_source;\nis_mining_pool=p.is_mining_pool;\nretainField( [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10010&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10010","type":"script","value":"___null_10076=null(is_3rd);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_rule_10003&&&&{"expressionStr":"(is_malicious_source,in,'\\'1\\'')&((is_3rd,in,'\\'0\\'')|___null_10076)","scriptNames":"[]","expressionName":"11456","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_rule_10003","ruleStatus":"0","type":"rule","v [...]
-dipper.private.blink.rules&&&&express&&&&11454&&&&{"aesFlag":1,"varName":"is_3rd","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"JYRSmU5cpZWdyekvHqdfVw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11453&&&&{"aesFlag":1,"varName":"is_malicious_source","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"jUdckUKzQ+H+FRkCrZ4LEA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11456&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11453\",\"11455\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11455&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11454\",\"___null_10076\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10011&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10011","type":"script","value":"ali_uid='-';\nevent_type='威胁情报';\nevent_name='访问恶意IP(恶意下载源)';\nlevel='high';\n___cast_11087=cast(dst_ip,'string');\n___cast_11088=cast(dst_por [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10012&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10012","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_channel_10001&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_channel_10001","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10013&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10013","type":"script","value":"___null_10077=null(is_3rd);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_rule_10004&&&&{"expressionStr":"(is_tor,in,'\\'1\\'')&((is_3rd,in,'\\'0\\'')|___null_10077)","scriptNames":"[]","expressionName":"11460","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_rule_10004","ruleStatus":"0","type":"rule","version":"1.0" [...]
-dipper.private.blink.rules&&&&express&&&&11459&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11458\",\"___null_10077\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11460&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11457\",\"11459\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11458&&&&{"aesFlag":1,"varName":"is_3rd","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"JYRSmU5cpZWdyekvHqdfVw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11457&&&&{"aesFlag":1,"varName":"is_tor","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"jUdckUKzQ+H+FRkCrZ4LEA=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10014&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10014","type":"script","value":"ali_uid='-';\nevent_type='威胁情报';\nevent_name='访问恶意IP(暗网通信)';\nlevel='high';\n___cast_11093=cast(dst_ip,'string');\n___cast_11094=cast(dst_port [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10015&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10015","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_channel_10002&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_channel_10002","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10016&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10016","type":"script","value":"___null_10078=null(is_3rd);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_rule_10005&&&&{"expressionStr":"(is_c2,in,'\\'1\\'')&((is_3rd,in,'\\'0\\'')|___null_10078)","scriptNames":"[]","expressionName":"11464","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_rule_10005","ruleStatus":"0","type":"rule","version":"1.0", [...]
-dipper.private.blink.rules&&&&express&&&&11461&&&&{"aesFlag":1,"varName":"is_c2","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"jUdckUKzQ+H+FRkCrZ4LEA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11463&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11462\",\"___null_10078\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11462&&&&{"aesFlag":1,"varName":"is_3rd","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"JYRSmU5cpZWdyekvHqdfVw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11464&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11461\",\"11463\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10017&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10017","type":"script","value":"ali_uid='-';\nevent_type='威胁情报';\nevent_name='访问恶意IP(中控通信)';\nlevel='high';\n___cast_11099=cast(dst_ip,'string');\n___cast_11100=cast(dst_port [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10018&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10018","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_channel_10003&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_channel_10003","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10019&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10019","type":"script","value":"___null_10079=null(is_3rd);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_rule_10006&&&&{"expressionStr":"(is_mining_pool,in,'\\'1\\'')&((is_3rd,in,'\\'0\\'')|___null_10079)","scriptNames":"[]","expressionName":"11468","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_rule_10006","ruleStatus":"0","type":"rule","versio [...]
-dipper.private.blink.rules&&&&express&&&&11465&&&&{"aesFlag":1,"varName":"is_mining_pool","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"jUdckUKzQ+H+FRkCrZ4LEA=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11467&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11466\",\"___null_10079\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11466&&&&{"aesFlag":1,"varName":"is_3rd","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"JYRSmU5cpZWdyekvHqdfVw=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11468&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11465\",\"11467\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10020&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10020","type":"script","value":"ali_uid='-';\nevent_type='威胁情报';\nevent_name='访问恶意IP(矿池通信)';\nlevel='high';\n___cast_11105=cast(dst_ip,'string');\n___cast_11106=cast(dst_port [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10021&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10021","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_channel_10004&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_channel_10004","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10022&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10022","type":"script","value":"___null_10080=null(is_c2);\n___null_10081=null(is_tor);\n___null_10082=null(is_mining_pool);\n","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&rule&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_rule_10007&&&&{"expressionStr":"(((is_3rd,in,'\\'1\\'')&((is_c2,==,'0')|___null_10080))&((is_tor,==,'0')|___null_10081))&((is_mining_pool,==,'0')|___null_10082)","scriptNames":"[]","expressionName":"11478","varNames":"[]","className":"com.aliyun.filter.processor.FilterMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligenc [...]
-dipper.private.blink.rules&&&&express&&&&11470&&&&{"aesFlag":1,"varName":"is_c2","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"4ROl+e4g5JZAI9EFfD9CUQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11472&&&&{"aesFlag":1,"varName":"is_mining_pool","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"4ROl+e4g5JZAI9EFfD9CUQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11471&&&&{"aesFlag":1,"varName":"is_tor","functionName":"==","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"4ROl+e4g5JZAI9EFfD9CUQ=="}&&&&null
-dipper.private.blink.rules&&&&express&&&&11474&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11469\",\"11473\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11473&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11470\",\"___null_10080\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11476&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11474\",\"11475\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11475&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11471\",\"___null_10081\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11478&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11476\",\"11477\"]","relation":"and"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11477&&&&{"fieldFlag":false,"dataType":"{\"className\":\"java.util.List\",\"genericParameter\":\"java.util.List<java.lang.String>\"}","className":"com.aliyun.filter.rules.expression.RelationExpression","keyword":"","value":"[\"11472\",\"___null_10082\"]","relation":"or"}&&&&null
-dipper.private.blink.rules&&&&express&&&&11469&&&&{"aesFlag":1,"varName":"is_3rd","functionName":"in","fieldFlag":false,"dataType":"{\"className\":\"java.lang.String\"}","className":"com.aliyun.filter.rules.expression.SimpleExpression","keyword":"","value":"jUdckUKzQ+H+FRkCrZ4LEA=="}&&&&null
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10023&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10023","type":"script","value":"ali_uid='-';\nevent_type='威胁情报';\nevent_name='访问恶意IP(公开情报)';\nlevel='high';\n___cast_11111=cast(dst_ip,'string');\n___cast_11112=cast(dst_port [...]
-dipper.private.blink.rules&&&&script&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10024&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_script_10024","type":"script","value":"retainField(gmt_create,ali_uid,event_type,level,event_name,client_ip,ext_content,gmt_modified,uuid);","version":"1.0","extendField":"[]"}&&&&null
-dipper.private.blink.rules&&&&channel&&&&blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_channel_10005&&&&{"isJsonData":"true","project":"k8sblink","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"blink_source_aegis_net_adl_sas_apsara_intelligence_ip_alert_channel_10005","type":"channel","timeout":"30000","accessId":"replace_accessId_all","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder [...]
-dipper.private.blink.rules&&&&pipline&&&&blink.source.aegis.net&&&&{"isAutoStart":"false","stages":"[\"{\\\"className\\\":\\\"com.aliyun.yundun.dipper.common.pipline.ScriptChainStage\\\",\\\"configurable_value\\\":\\\"{\\\\\\\"prewStageLables\\\\\\\":\\\\\\\"[]\\\\\\\",\\\\\\\"closeSplitMode\\\\\\\":\\\\\\\"false\\\\\\\",\\\\\\\"entityName\\\\\\\":\\\\\\\"script\\\\\\\",\\\\\\\"scriptName\\\\\\\":\\\\\\\"blink.source.aegis.net_script_10001\\\\\\\",\\\\\\\"lable\\\\\\\":\\\\\\\"blink.sour [...]
-dipper.private.blink.rules&&&&channel&&&&blink.source.aegis.net;channel&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"12","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"blink.source.aegis.net;channel","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","tags":"blink.source.aegis.net.tags","syncTimeout":"5000","groupName":"blink.source.aegis.net.group","isBatchMessage":"true","isAutoFlush":"false","max [...]
-dipper.private.blink.rules&&&&script&&&&blink.source.aegis.net_script_10001&&&&{"className":"com.aliyun.yundun.dipper.script.script.ScriptMessageProcessor","nameSpace":"dipper.private.blink.rules","configureName":"blink.source.aegis.net_script_10001","type":"script","value":"logContent=data;logTime=now();splitArray('logContent');scan_time=time;cmdline=proc_cmdline;parent_proc_file_name=pfilename;parent_start_time=pstime;___compare_10001=equals(status,'0');___compare_10002=equals(status,' [...]
-dipper.private.blink.rules&&&&channel&&&&out.mock.switch_print&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"1","className":"com.aliyun.yundun.dipper.common.resource.channel.OutputTestChannel","configureName":"out.mock.switch_print","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","maxFetchLogGroupSize":"100","topic":"","syncCount":"1000","outputThreadCount":"-1","name [...]
-dipper.private.blink.rules&&&&channel&&&&out.mock.switch_sls&&&&{"isJsonData":"true","project":"out.mock.sls.project","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.SLSChannel","configureName":"out.mock.switch_sls","type":"channel","timeout":"30000","accessId":"out.mock.sls.accessId","syncTimeout":"5000","isBatchMessage":"false","isAutoFlush":"false","consumeInOrder":"true","maxFetchLogGroupSize":"100","syncCount":"1000","nameSpace":"dipper.private.blink.rule [...]
-dipper.private.blink.rules&&&&channel&&&&out.mock.switch_metaq&&&&{"offset":"0","isJsonData":"true","maxThread":"12","concurrentCount":"1","className":"com.aliyun.yundun.dipper.channel.adapter.MetaqChannel","configureName":"out.mock.switch_metaq","type":"channel","version":"1.0","timeout":"30000","activtyTimeOut":"3000","tags":"out.mock.metaq.tag","syncTimeout":"5000","isBatchMessage":"true","isAutoFlush":"false","maxFetchLogGroupSize":"100","topic":"out.mock.metaq.topic","syncCount":"10 [...]
diff --git a/rocketmq-streams-window/target/classes/dipper.properties b/rocketmq-streams-window/target/classes/dipper.properties
deleted file mode 100644
index c4591e4..0000000
--- a/rocketmq-streams-window/target/classes/dipper.properties
+++ /dev/null
@@ -1,21 +0,0 @@
-
-##如果是db类型,需要配置db连接信息
-dipper.rds.jdbc.password=xxxxxxx
-dipper.rds.jdbc.url=xxxxxx
-dipper.rds.jdbc.username=xxxxxx
-dipper.rds.table.name=dipper_sql_configure
-
-
-#window 异步消息分发需要的消息队列类型
-dipper.window.shuffle.rocketmq.dispatch.channel.type=rocketmq
-#如果是metaq,统计和join分别用的topoc
-dipper.window.shuffle.rocketmq.dispatch.channel.topic=TOPIC_DIPPER_WINDOW_STATISTICS
-#动态生成的消息队列的属性的key值,这个值会被动态赋值
-dipper.window.shuffle.rocketmq.dispatch.channel.dynamic.property=tag
-dipper.window.shuffle.rocketmq.dispatch.channel.thread.max.count=4
-dipper.window.shuffle.rocketmq.dispatch.channel.accessKey=XXX
-dipper.window.shuffle.rocketmq.dispatch.channel.secretKey=XXX
-dipper.window.shuffle.rocketmq.dispatch.channel.instanceId=xxxxxx
-dipper.window.shuffle.rocketmq.dispatch.channel.group=GID_dipper_shuffle_group
-dipper.window.shuffle.rocketmq.dispatch.channel.namesrvAddr=xxxxx
-dipper.window.shuffle.rocketmq.dispatch.channel.endpoint=xxxxxx
\ No newline at end of file
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/builder/WindowBuilder.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/builder/WindowBuilder.class
deleted file mode 100644
index acb24ce..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/builder/WindowBuilder.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/model/FunctionExecutor.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/model/FunctionExecutor.class
deleted file mode 100644
index 0dd3fb4..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/model/FunctionExecutor.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/model/WindowCache.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/model/WindowCache.class
deleted file mode 100644
index e077c40..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/model/WindowCache.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/model/WindowInstance.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/model/WindowInstance.class
deleted file mode 100644
index 2b577a9..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/model/WindowInstance.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/offset/IWindowMaxValueManager.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/offset/IWindowMaxValueManager.class
deleted file mode 100644
index 18f5cc3..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/offset/IWindowMaxValueManager.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/offset/WindowMaxValue.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/offset/WindowMaxValue.class
deleted file mode 100644
index e57f3b2..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/offset/WindowMaxValue.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/offset/WindowMaxValueManager.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/offset/WindowMaxValueManager.class
deleted file mode 100644
index cb18860..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/offset/WindowMaxValueManager.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/AbstractShuffleWindow.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/AbstractShuffleWindow.class
deleted file mode 100644
index 56e53f9..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/AbstractShuffleWindow.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/AbstractWindow$1.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/AbstractWindow$1.class
deleted file mode 100644
index f64162f..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/AbstractWindow$1.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/AbstractWindow.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/AbstractWindow.class
deleted file mode 100644
index 806e74d..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/AbstractWindow.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/impl/OverWindow.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/impl/OverWindow.class
deleted file mode 100644
index ece1532..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/impl/OverWindow.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/impl/SessionWindow.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/impl/SessionWindow.class
deleted file mode 100644
index 563f84b..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/impl/SessionWindow.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/impl/WindowOperator$1.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/impl/WindowOperator$1.class
deleted file mode 100644
index 4da797b..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/impl/WindowOperator$1.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/impl/WindowOperator$WindowRowOperator.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/impl/WindowOperator$WindowRowOperator.class
deleted file mode 100644
index 5a0dceb..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/impl/WindowOperator$WindowRowOperator.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/impl/WindowOperator.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/impl/WindowOperator.class
deleted file mode 100644
index c2d4f11..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/impl/WindowOperator.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/join/DBOperator.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/join/DBOperator.class
deleted file mode 100644
index eefe6c1..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/join/DBOperator.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/join/JoinWindow$1.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/join/JoinWindow$1.class
deleted file mode 100644
index c23b4b3..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/join/JoinWindow$1.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/join/JoinWindow$2.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/join/JoinWindow$2.class
deleted file mode 100644
index d47b70b..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/join/JoinWindow$2.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/join/JoinWindow.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/join/JoinWindow.class
deleted file mode 100644
index 1708b94..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/join/JoinWindow.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/join/Operator.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/join/Operator.class
deleted file mode 100644
index d68f4de..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/operator/join/Operator.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/shuffle/AbstractSystemChannel.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/shuffle/AbstractSystemChannel.class
deleted file mode 100644
index 163f25a..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/shuffle/AbstractSystemChannel.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/shuffle/ShuffleChannel$ShuffleOutputDataSource.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/shuffle/ShuffleChannel$ShuffleOutputDataSource.class
deleted file mode 100644
index 46a0202..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/shuffle/ShuffleChannel$ShuffleOutputDataSource.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/shuffle/ShuffleChannel.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/shuffle/ShuffleChannel.class
deleted file mode 100644
index 6a536a0..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/shuffle/ShuffleChannel.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/source/WindowRireSource$1$1.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/source/WindowRireSource$1$1.class
deleted file mode 100644
index ca22ccd..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/source/WindowRireSource$1$1.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/source/WindowRireSource$1.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/source/WindowRireSource$1.class
deleted file mode 100644
index 8801c36..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/source/WindowRireSource$1.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/source/WindowRireSource$WindowInstanceCache$1$1.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/source/WindowRireSource$WindowInstanceCache$1$1.class
deleted file mode 100644
index 221bcf3..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/source/WindowRireSource$WindowInstanceCache$1$1.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/source/WindowRireSource$WindowInstanceCache$1.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/source/WindowRireSource$WindowInstanceCache$1.class
deleted file mode 100644
index e6c1681..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/source/WindowRireSource$WindowInstanceCache$1.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/source/WindowRireSource$WindowInstanceCache.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/source/WindowRireSource$WindowInstanceCache.class
deleted file mode 100644
index e38b444..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/source/WindowRireSource$WindowInstanceCache.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/source/WindowRireSource.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/source/WindowRireSource.class
deleted file mode 100644
index 0952230..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/source/WindowRireSource.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/state/WindowBaseValue.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/state/WindowBaseValue.class
deleted file mode 100644
index 46a3e50..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/state/WindowBaseValue.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/state/impl/JoinLeftState.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/state/impl/JoinLeftState.class
deleted file mode 100644
index c3076fc..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/state/impl/JoinLeftState.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/state/impl/JoinRightState.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/state/impl/JoinRightState.class
deleted file mode 100644
index 559661e..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/state/impl/JoinRightState.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/state/impl/JoinState.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/state/impl/JoinState.class
deleted file mode 100644
index 5d30166..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/state/impl/JoinState.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/state/impl/WindowValue$1.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/state/impl/WindowValue$1.class
deleted file mode 100644
index 0040abe..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/state/impl/WindowValue$1.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/state/impl/WindowValue.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/state/impl/WindowValue.class
deleted file mode 100644
index 2a47cd2..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/state/impl/WindowValue.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/AbstractWindowStorage$1.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/AbstractWindowStorage$1.class
deleted file mode 100644
index 11756bf..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/AbstractWindowStorage$1.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/AbstractWindowStorage.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/AbstractWindowStorage.class
deleted file mode 100644
index 32c7fda..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/AbstractWindowStorage.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/ICommonStorage.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/ICommonStorage.class
deleted file mode 100644
index d62d93d..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/ICommonStorage.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/IKeyGenerator.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/IKeyGenerator.class
deleted file mode 100644
index a17eea8..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/IKeyGenerator.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/IShufflePartitionManager.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/IShufflePartitionManager.class
deleted file mode 100644
index 9d6f3a0..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/IShufflePartitionManager.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/IStorage.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/IStorage.class
deleted file mode 100644
index 2dfe78d..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/IStorage.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/IWindowStorage.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/IWindowStorage.class
deleted file mode 100644
index 9e35799..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/IWindowStorage.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/ShufflePartitionManager.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/ShufflePartitionManager.class
deleted file mode 100644
index 764fac2..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/ShufflePartitionManager.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/StorageManager.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/StorageManager.class
deleted file mode 100644
index b60e1e4..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/StorageManager.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/WindowStorage$1.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/WindowStorage$1.class
deleted file mode 100644
index 788adb8..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/WindowStorage$1.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/WindowStorage$WindowBaseValueIterator.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/WindowStorage$WindowBaseValueIterator.class
deleted file mode 100644
index 0e4d4d1..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/WindowStorage$WindowBaseValueIterator.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/WindowStorage.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/WindowStorage.class
deleted file mode 100644
index fd05d39..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/WindowStorage.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/db/DBStorage$1.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/db/DBStorage$1.class
deleted file mode 100644
index e6cc378..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/db/DBStorage$1.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/db/DBStorage$DBIterator.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/db/DBStorage$DBIterator.class
deleted file mode 100644
index 171639e..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/db/DBStorage$DBIterator.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/db/DBStorage.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/db/DBStorage.class
deleted file mode 100644
index 274b33a..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/db/DBStorage.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/file/FileStorage$1.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/file/FileStorage$1.class
deleted file mode 100644
index de1e604..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/file/FileStorage$1.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/file/FileStorage.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/file/FileStorage.class
deleted file mode 100644
index 0858297..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/file/FileStorage.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/rocksdb/RocksdbStorage$LocalIterator.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/rocksdb/RocksdbStorage$LocalIterator.class
deleted file mode 100644
index 8f6d7d0..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/rocksdb/RocksdbStorage$LocalIterator.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/rocksdb/RocksdbStorage.class b/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/rocksdb/RocksdbStorage.class
deleted file mode 100644
index 05ea41b..0000000
Binary files a/rocketmq-streams-window/target/classes/org/apache/rocketmq/streams/window/storage/rocksdb/RocksdbStorage.class and /dev/null differ
diff --git a/rocketmq-streams-window/target/maven-archiver/pom.properties b/rocketmq-streams-window/target/maven-archiver/pom.properties
deleted file mode 100644
index 02202d4..0000000
--- a/rocketmq-streams-window/target/maven-archiver/pom.properties
+++ /dev/null
@@ -1,5 +0,0 @@
-#Generated by Maven
-#Fri Jul 30 11:10:37 CST 2021
-version=2.0.0-SNAPSHOT
-groupId=org.apache.rocketmq
-artifactId=rocketmq-streams-window
diff --git a/rocketmq-streams-window/target/rocketmq-streams-window-2.0.0-SNAPSHOT-sources.jar b/rocketmq-streams-window/target/rocketmq-streams-window-2.0.0-SNAPSHOT-sources.jar
deleted file mode 100644
index 3630c77..0000000
Binary files a/rocketmq-streams-window/target/rocketmq-streams-window-2.0.0-SNAPSHOT-sources.jar and /dev/null differ
diff --git a/rocketmq-streams-window/target/rocketmq-streams-window-2.0.0-SNAPSHOT.jar b/rocketmq-streams-window/target/rocketmq-streams-window-2.0.0-SNAPSHOT.jar
deleted file mode 100644
index ba5a783..0000000
Binary files a/rocketmq-streams-window/target/rocketmq-streams-window-2.0.0-SNAPSHOT.jar and /dev/null differ
diff --git a/rocketmq-streams-window/target/test-classes/log4j.xml b/rocketmq-streams-window/target/test-classes/log4j.xml
deleted file mode 100644
index 7812fe7..0000000
--- a/rocketmq-streams-window/target/test-classes/log4j.xml
+++ /dev/null
@@ -1,20 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" ?>
-<!DOCTYPE log4j:configuration SYSTEM "http://toolkit.alibaba-inc.com/dtd/log4j/log4j.dtd">
-<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
-
-    <appender name="Console" class="org.apache.log4j.ConsoleAppender">
-        <layout class="org.apache.log4j.PatternLayout">
-            <param name="ConversionPattern" value="%d{ISO8601} %l [%t] %-5p - %m%n%n"/>
-        </layout>
-        <filter class="org.apache.log4j.varia.LevelRangeFilter">
-            <param name="LevelMin" value="INFO"/>
-            <param name="LevelMax" value="ERROR"/>
-        </filter>
-    </appender>
-
-    <root>
-        <priority value="INFO"/>
-        <appender-ref ref="Console"/>
-    </root>
-
-</log4j:configuration>
\ No newline at end of file