diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc index 013d9434e3bc..8662a14981e0 100644 --- a/auditbeat/docs/fields.asciidoc +++ b/auditbeat/docs/fields.asciidoc @@ -6297,6 +6297,8 @@ ID uniquely identifying the socket. It is computed as a SHA-256 hash of the host -- type: long +format: duration + Uptime in nanoseconds. diff --git a/libbeat/scripts/Makefile b/libbeat/scripts/Makefile index 6beccd87139d..a3c905d1b18e 100755 --- a/libbeat/scripts/Makefile +++ b/libbeat/scripts/Makefile @@ -83,6 +83,7 @@ INTEGRATION_TESTS?= FIND?=. ${PYTHON_ENV}/bin/activate; find . -type f -not -path "*/vendor/*" -not -path "*/build/*" -not -path "*/.git/*" PERM_EXEC?=$(shell [ `uname -s` = "Darwin" ] && echo "+111" || echo "/a+x") XPACK_ONLY?=false +XPACK_DIR=${ES_BEATS}/x-pack/${BEAT_NAME} ifeq ($(DOCKER_CACHE),0) DOCKER_NOCACHE=--no-cache @@ -364,7 +365,11 @@ endif .PHONY: docs docs: ## @build Builds the documents for the beat - sh ${ES_BEATS}/script/build_docs.sh ${BEAT_NAME} ${BEAT_PATH}/docs ${BUILD_DIR} + @if [ -d $(XPACK_DIR) ]; then \ + sh ${ES_BEATS}/script/build_docs.sh ${BEAT_NAME} ${BEAT_PATH}/docs ${BUILD_DIR} ${XPACK_DIR}; \ + else \ + sh ${ES_BEATS}/script/build_docs.sh ${BEAT_NAME} ${BEAT_PATH}/docs ${BUILD_DIR}; \ + fi .PHONY: docs-preview docs-preview: ## @build Preview the documents for the beat in the browser diff --git a/script/build_docs.sh b/script/build_docs.sh index d53f570d9395..a9fd012d30cc 100755 --- a/script/build_docs.sh +++ b/script/build_docs.sh @@ -5,6 +5,7 @@ set -e name=$1 path=$2 build_dir=$3 +resource_dir=$4 docs_dir=$build_dir/docs html_dir=$build_dir/html_docs @@ -29,7 +30,12 @@ do mkdir -p "$dest_dir" params="--chunk=1" if [ "$PREVIEW" = "1" ]; then - params="--chunk=1 -open chunk=1 -open" + params="$params -open" fi + + if [ -d "$resource_dir" ]; then + params="$params -resource=${resource_dir}" + fi + $docs_dir/build_docs.pl $params --doc "$index" -out "$dest_dir" done 
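Review bot: The new `docs` recipe tests `[ -d $(XPACK_DIR) ]` with the expansion unquoted, so an `ES_BEATS` or `BEAT_NAME` containing whitespace splits the test into several words; write it as `@if [ -d "$(XPACK_DIR)" ]; then`. The if/else also duplicates a check this same commit adds inside build_docs.sh (`if [ -d "$resource_dir" ]`), so the target could pass the directory unconditionally on one line, `sh ${ES_BEATS}/script/build_docs.sh ${BEAT_NAME} ${BEAT_PATH}/docs ${BUILD_DIR} ${XPACK_DIR}`, and drop the branch entirely. In the earlier Makefile hunk `XPACK_DIR=` uses plain `=` while the neighbouring `XPACK_ONLY?=` and `PERM_EXEC?=` use `?=`; if the same override convention is intended, `XPACK_DIR?=${ES_BEATS}/x-pack/${BEAT_NAME}` keeps it consistent.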
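Review bot: The new `-resource=${resource_dir}` is appended to the whitespace-separated `$params` string, which is then expanded unquoted on the `build_docs.pl` line, so a resource directory whose path contains a space is split into several arguments (the Makefile passes `${ES_BEATS}/x-pack/${BEAT_NAME}` here). Because the Makefile runs this script with `sh`, arrays are not available; the positional parameters can carry the list instead, since `$1`–`$4` are already copied into named variables at the top of the script, provided nothing else in the loop reads them (the loop header `do` is outside the hunk; its `done` is the hunk's last line). The sketch below rebuilds the argument list with `set --`. It would also help to document the new optional argument next to `resource_dir=$4` in the earlier hunk, e.g. `# $4 - optional directory passed to build_docs.pl as -resource= (ignored when it does not exist)`.
```shell
  # … unchanged: mkdir -p "$dest_dir" …
  set -- --chunk=1
  if [ "$PREVIEW" = "1" ]; then
    set -- "$@" -open
  fi
  if [ -d "$resource_dir" ]; then
    set -- "$@" "-resource=$resource_dir"
  fi
  $docs_dir/build_docs.pl "$@" --doc "$index" -out "$dest_dir"
```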
diff --git a/x-pack/auditbeat/docs/images/auditbeat-system-host-dashboard.png b/x-pack/auditbeat/docs/images/auditbeat-system-host-dashboard.png new file mode 100644 index 000000000000..6e4398c735ee Binary files /dev/null and b/x-pack/auditbeat/docs/images/auditbeat-system-host-dashboard.png differ diff --git a/x-pack/auditbeat/docs/images/auditbeat-system-login-dashboard.png b/x-pack/auditbeat/docs/images/auditbeat-system-login-dashboard.png new file mode 100644 index 000000000000..f090b6bcb3cf Binary files /dev/null and b/x-pack/auditbeat/docs/images/auditbeat-system-login-dashboard.png differ diff --git a/x-pack/auditbeat/docs/images/auditbeat-system-overview-dashboard.png b/x-pack/auditbeat/docs/images/auditbeat-system-overview-dashboard.png new file mode 100644 index 000000000000..d298e903cc00 Binary files /dev/null and b/x-pack/auditbeat/docs/images/auditbeat-system-overview-dashboard.png differ diff --git a/x-pack/auditbeat/docs/images/auditbeat-system-package-dashboard.png b/x-pack/auditbeat/docs/images/auditbeat-system-package-dashboard.png new file mode 100644 index 000000000000..3aefadc476a3 Binary files /dev/null and b/x-pack/auditbeat/docs/images/auditbeat-system-package-dashboard.png differ diff --git a/x-pack/auditbeat/docs/images/auditbeat-system-process-dashboard.png b/x-pack/auditbeat/docs/images/auditbeat-system-process-dashboard.png new file mode 100644 index 000000000000..bb1d6a547e82 Binary files /dev/null and b/x-pack/auditbeat/docs/images/auditbeat-system-process-dashboard.png differ diff --git a/x-pack/auditbeat/docs/images/auditbeat-system-socket-dashboard.png b/x-pack/auditbeat/docs/images/auditbeat-system-socket-dashboard.png new file mode 100644 index 000000000000..823a327b1170 Binary files /dev/null and b/x-pack/auditbeat/docs/images/auditbeat-system-socket-dashboard.png differ 
diff --git a/x-pack/auditbeat/docs/images/auditbeat-system-user-dashboard.png b/x-pack/auditbeat/docs/images/auditbeat-system-user-dashboard.png new file mode 100644 index 000000000000..d502c5fb4cf4 Binary files /dev/null and b/x-pack/auditbeat/docs/images/auditbeat-system-user-dashboard.png differ diff --git a/x-pack/auditbeat/docs/modules/system.asciidoc b/x-pack/auditbeat/docs/modules/system.asciidoc index d6f902d07df7..0780f3614634 100644 --- a/x-pack/auditbeat/docs/modules/system.asciidoc +++ b/x-pack/auditbeat/docs/modules/system.asciidoc @@ -36,6 +36,14 @@ All datasets are currently using a poll model to retrieve their data. The frequency of these polls is controlled by the `period` configuration parameter. +[float] +==== Example dashboard + +The module comes with a sample dashboard: + +[role="screenshot"] +image:./images/auditbeat-system-overview-dashboard.png[Auditbeat System Overview Dashboard] + [float] === Configuration options diff --git a/x-pack/auditbeat/module/system/_meta/docs.asciidoc b/x-pack/auditbeat/module/system/_meta/docs.asciidoc index 55614c4d69fd..cafbf5d4e8db 100644 --- a/x-pack/auditbeat/module/system/_meta/docs.asciidoc +++ b/x-pack/auditbeat/module/system/_meta/docs.asciidoc @@ -31,6 +31,14 @@ All datasets are currently using a poll model to retrieve their data. The frequency of these polls is controlled by the `period` configuration parameter. +[float] +==== Example dashboard + +The module comes with a sample dashboard: + +[role="screenshot"] +image:./images/auditbeat-system-overview-dashboard.png[Auditbeat System Overview Dashboard] + [float] === Configuration options diff --git a/x-pack/auditbeat/module/system/_meta/kibana/7/dashboard/auditbeat-system-host-dashboard.json b/x-pack/auditbeat/module/system/_meta/kibana/7/dashboard/auditbeat-system-host-dashboard.json new file mode 100644 index 000000000000..edd1f575b1f7 --- /dev/null +++ b/x-pack/auditbeat/module/system/_meta/kibana/7/dashboard/auditbeat-system-host-dashboard.json 
@@ -0,0 +1,829 @@ +{ + "objects": [ + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.module", + "negate": false, + "params": { + "query": "system", + "type": "phrase" + }, + "type": "phrase", + "value": "system" + }, + "query": { + "match": { + "event.module": { + "query": "system", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Host Count [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Hosts", + "field": "host.id" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Host Count [Auditbeat System]", + "type": "metric" + } + }, + "id": "cf8aa0a0-18ca-11e9-9094-c50574723088", + "type": "visualization", + "updated_at": "2019-02-03T20:37:18.796Z", + "version": 22 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "host", + "type": "phrase" + }, + "type": "phrase", + "value": "host" + }, + "query": { + "match": { + "event.dataset": { + "query": "host", + "type": "phrase" + } + 
} + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "OS Distribution [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "field": "system.audit.host.id" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "OS", + "field": "system.audit.host.os.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "system.audit.host.os.version", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "OS Distribution [Auditbeat System]", + "type": "pie" + } + }, + "id": "9dd991a0-18cb-11e9-9094-c50574723088", + "type": "visualization", + "updated_at": "2019-01-21T11:37:35.796Z", + "version": 24 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "host", + "type": "phrase" + }, + "type": "phrase", + "value": "host" + }, + "query": { + "match": { + "event.dataset": { + "query": "host", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "kuery", + "query": "" + } + } 
+ }, + "title": "Average Uptime [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Average Uptime in days", + "field": "system.audit.host.uptime" + }, + "schema": "metric", + "type": "avg" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Average Uptime [Auditbeat System]", + "type": "metric" + } + }, + "id": "4d0485f0-18da-11e9-9094-c50574723088", + "type": "visualization", + "updated_at": "2019-01-21T11:57:55.023Z", + "version": 23 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "host", + "type": "phrase" + }, + "type": "phrase", + "value": "host" + }, + "query": { + "match": { + "event.dataset": { + "query": "host", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Host Documents [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Host States" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customInterval": "2h", + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "time_zone": 
"Europe/London", + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "grid": { + "categoryLines": false, + "style": { + "color": "#eee" + } + }, + "legendPosition": "right", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Host States" + }, + "drawLinesBetweenPoints": true, + "mode": "stacked", + "show": "true", + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "times": [], + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Host States" + }, + "type": "value" + } + ] + }, + "title": "Host Documents [Auditbeat System]", + "type": "histogram" + } + }, + "id": "eea92ad0-18d7-11e9-9094-c50574723088", + "type": "visualization", + "updated_at": "2019-02-04T09:26:47.877Z", + "version": 22 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "host", + "type": "phrase" + }, + "type": "phrase", + "value": "host" + }, + "query": { + "match": { + "event.dataset": { + "query": "host", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Host List [Auditbeat System]", + 
"uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": 1, + "direction": "asc" + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Hostname", + "field": "system.audit.host.hostname", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "_key", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "5", + "params": { + "aggregate": "max", + "customLabel": "Uptime (days)", + "field": "system.audit.host.uptime", + "size": 1, + "sortField": "@timestamp", + "sortOrder": "desc" + }, + "schema": "metric", + "type": "top_hits" + }, + { + "enabled": true, + "id": "3", + "params": { + "aggregate": "concat", + "customLabel": "OS", + "field": "system.audit.host.os.name", + "size": 1, + "sortField": "@timestamp", + "sortOrder": "desc" + }, + "schema": "metric", + "type": "top_hits" + }, + { + "enabled": true, + "id": "4", + "params": { + "aggregate": "concat", + "customLabel": "Version", + "field": "system.audit.host.os.version", + "size": 1, + "sortField": "@timestamp", + "sortOrder": "desc" + }, + "schema": "metric", + "type": "top_hits" + }, + { + "enabled": true, + "id": "1", + "params": { + "aggregate": "concat", + "customLabel": "Host ID", + "field": "system.audit.host.id", + "size": 1, + "sortField": "@timestamp", + "sortOrder": "desc" + }, + "schema": "metric", + "type": "top_hits" + }, + { + "enabled": true, + "id": "6", + "params": { + "aggregate": "concat", + "customLabel": "Status", + "field": "message", + "size": 1, + "sortField": "@timestamp", + "sortOrder": "desc" + }, + "schema": "metric", + "type": "top_hits" + } + ], + "params": { + "perPage": 10, + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Host List 
[Auditbeat System]", + "type": "table" + } + }, + "id": "91962a30-1901-11e9-9094-c50574723088", + "type": "visualization", + "updated_at": "2019-01-21T11:58:22.519Z", + "version": 25 + }, + { + "attributes": { + "columns": [ + "system.audit.host.hostname", + "event.action", + "message" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "dfce2b60-18c7-11e9-9094-c50574723088", + "key": "event.dataset", + "negate": false, + "params": { + "query": "host", + "type": "phrase" + }, + "type": "phrase", + "value": "host" + }, + "query": { + "match": { + "event.dataset": { + "query": "host", + "type": "phrase" + } + } + } + } + ], + "highlightAll": true, + "index": "auditbeat-*", + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [ + "@timestamp", + "desc" + ], + "title": "Host Events [Auditbeat System]", + "version": 1 + }, + "id": "abe78cd0-18ca-11e9-9094-c50574723088", + "type": "search", + "updated_at": "2019-02-04T09:31:20.533Z", + "version": 6 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Dashboard Links [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 12, + "markdown": "**Dashboards**: [System Overview](#/dashboard/2be46cb0-27f2-11e9-89af-fd12d59dac90) | [Hosts](#/dashboard/dfe62590-18da-11e9-9094-c50574723088) | [Logins](#/dashboard/2a17f200-285e-11e9-805f-43bf57dfa519) | [Users](#/dashboard/ae96a660-2864-11e9-97cb-474beda9f119) | [Processes](#/dashboard/4c68f110-2863-11e9-97cb-474beda9f119) | [Sockets](#/dashboard/957a3ef0-2867-11e9-9d21-0be348776e6c) | [Packages](#/dashboard/137c52f0-286a-11e9-9d21-0be348776e6c)", + "openLinksInNewTab": false + }, + 
"title": "Dashboard Links [Auditbeat System]", + "type": "markdown" + } + }, + "id": "4ccc5b50-27f6-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-04T11:37:25.234Z", + "version": 3 + }, + { + "attributes": { + "description": "System Hosts", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "darkTheme": false, + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "1", + "w": 15, + "x": 0, + "y": 4 + }, + "id": "cf8aa0a0-18ca-11e9-9094-c50574723088", + "panelIndex": "1", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "2", + "w": 17, + "x": 31, + "y": 4 + }, + "id": "9dd991a0-18cb-11e9-9094-c50574723088", + "panelIndex": "2", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "4", + "w": 16, + "x": 15, + "y": 4 + }, + "id": "4d0485f0-18da-11e9-9094-c50574723088", + "panelIndex": "4", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 7, + "i": "5", + "w": 48, + "x": 0, + "y": 14 + }, + "id": "eea92ad0-18d7-11e9-9094-c50574723088", + "panelIndex": "5", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "6", + "w": 48, + "x": 0, + "y": 21 + }, + "id": "91962a30-1901-11e9-9094-c50574723088", + "panelIndex": "6", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 16, + "i": "7", + "w": 48, + "x": 0, + "y": 33 + }, + "id": "abe78cd0-18ca-11e9-9094-c50574723088", + "panelIndex": "7", + "type": "search", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 4, + "i": "8", + "w": 48, + "x": 0, + "y": 0 + }, + "id": 
"4ccc5b50-27f6-11e9-89af-fd12d59dac90", + "panelIndex": "8", + "type": "visualization", + "version": "7.0.0" + } + ], + "timeRestore": false, + "title": "[Auditbeat System] Host Dashboard", + "version": 1 + }, + "id": "dfe62590-18da-11e9-9094-c50574723088", + "type": "dashboard", + "updated_at": "2019-02-04T11:25:58.146Z", + "version": 28 + } + ], + "version": "7.0.0" +} \ No newline at end of file diff --git a/x-pack/auditbeat/module/system/_meta/kibana/7/dashboard/auditbeat-system-login-dashboard.json b/x-pack/auditbeat/module/system/_meta/kibana/7/dashboard/auditbeat-system-login-dashboard.json new file mode 100644 index 000000000000..4125daa9159a --- /dev/null +++ b/x-pack/auditbeat/module/system/_meta/kibana/7/dashboard/auditbeat-system-login-dashboard.json 
@@ -0,0 +1,931 @@ +{ + "objects": [ + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "login", + "type": "phrase" + }, + "type": "phrase", + "value": "login" + }, + "query": { + "match": { + "event.dataset": { + "query": "login", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Login Count [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Login Events" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Login Count [Auditbeat System]", + "type": "metric" + } + }, + "id": "8d63c420-27f4-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T20:44:50.914Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "login", + "type": "phrase" + }, + "type": "phrase", + "value": "login" + }, + "query": { + "match": { + "event.dataset": { + "query": "login", + "type": "phrase" + } + } + } + } + ], + 
"index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Login Actions [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "event.action", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Login Actions [Auditbeat System]", + "type": "pie" + } + }, + "id": "593df9b0-27f7-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T21:04:51.914Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "login", + "type": "phrase" + }, + "type": "phrase", + "value": "login" + }, + "query": { + "match": { + "event.dataset": { + "query": "login", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.outcome", + "negate": false, + "params": { + "query": "success", + "type": "phrase" + }, + "type": "phrase", + "value": "success" + }, + "query": { + "match": { + "event.outcome": { + "query": "success", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Login 
Success Table [Auditbeat System]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Successful Logins" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "User", + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 8, + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Login Success Table [Auditbeat System]", + "type": "table" + } + }, + "id": "5eb5f250-285e-11e9-805f-43bf57dfa519", + "type": "visualization", + "updated_at": "2019-02-04T09:22:44.444Z", + "version": 2 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "login", + "type": "phrase" + }, + "type": "phrase", + "value": "login" + }, + "query": { + "match": { + "event.dataset": { + "query": "login", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.outcome", + "negate": false, + "params": { + "query": "failure", + "type": "phrase" + }, + "type": "phrase", + "value": "failure" + }, + "query": { + "match": { + "event.outcome": { + "query": "failure", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + 
"query": "" + } + } + }, + "title": "Login Failures Table [Auditbeat System]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Failed Logins" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "User", + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 8, + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Login Failures Table [Auditbeat System]", + "type": "table" + } + }, + "id": "a1951650-285e-11e9-805f-43bf57dfa519", + "type": "visualization", + "updated_at": "2019-02-04T09:24:11.445Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "login", + "type": "phrase" + }, + "type": "phrase", + "value": "login" + }, + "query": { + "match": { + "event.dataset": { + "query": "login", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Login Event Histogram [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customInterval": "2h", + "drop_partials": 
false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "time_zone": "Europe/London", + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "grid": { + "categoryLines": false, + "style": { + "color": "#eee" + } + }, + "legendPosition": "right", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "mode": "stacked", + "show": "true", + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "times": [], + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "Login Event Histogram [Auditbeat System]", + "type": "histogram" + } + }, + "id": "e4d25fe0-285e-11e9-805f-43bf57dfa519", + "type": "visualization", + "updated_at": "2019-02-04T09:26:04.254Z", + "version": 1 + }, + { + "attributes": { + "columns": [ + "host.hostname", + "user.name", + "event.outcome", + "message" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "login", + "type": "phrase" + }, + "type": "phrase", + "value": "login" + }, + "query": { + "match": { + 
"event.dataset": { + "query": "login", + "type": "phrase" + } + } + } + } + ], + "highlightAll": true, + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + }, + "version": true + } + }, + "sort": [ + "@timestamp", + "desc" + ], + "title": "Login Events [Auditbeat System]", + "version": 1 + }, + "id": "2e04c720-285f-11e9-805f-43bf57dfa519", + "type": "search", + "updated_at": "2019-02-04T09:28:07.058Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "login", + "type": "phrase" + }, + "type": "phrase", + "value": "login" + }, + "query": { + "match": { + "event.dataset": { + "query": "login", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Login OS Distribution [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "field": "host.id" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "OS", + "field": "host.os.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "host.os.version", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": 
true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Login OS Distribution [Auditbeat System]", + "type": "pie" + } + }, + "id": "e8eb58a0-2860-11e9-805f-43bf57dfa519", + "type": "visualization", + "updated_at": "2019-02-04T09:40:30.122Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Dashboard Links [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 12, + "markdown": "**Dashboards**: [System Overview](#/dashboard/2be46cb0-27f2-11e9-89af-fd12d59dac90) | [Hosts](#/dashboard/dfe62590-18da-11e9-9094-c50574723088) | [Logins](#/dashboard/2a17f200-285e-11e9-805f-43bf57dfa519) | [Users](#/dashboard/ae96a660-2864-11e9-97cb-474beda9f119) | [Processes](#/dashboard/4c68f110-2863-11e9-97cb-474beda9f119) | [Sockets](#/dashboard/957a3ef0-2867-11e9-9d21-0be348776e6c) | [Packages](#/dashboard/137c52f0-286a-11e9-9d21-0be348776e6c)", + "openLinksInNewTab": false + }, + "title": "Dashboard Links [Auditbeat System]", + "type": "markdown" + } + }, + "id": "4ccc5b50-27f6-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-04T11:37:25.234Z", + "version": 3 + }, + { + "attributes": { + "description": "System Logins", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "lucene", + "query": "" + } + } + }, + "optionsJSON": { + "darkTheme": false, + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "1", + "w": 8, + "x": 0, + "y": 4 + }, + "id": "8d63c420-27f4-11e9-89af-fd12d59dac90", + "panelIndex": "1", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "2", + "w": 10, 
+ "x": 8, + "y": 4 + }, + "id": "593df9b0-27f7-11e9-89af-fd12d59dac90", + "panelIndex": "2", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "4", + "w": 10, + "x": 28, + "y": 4 + }, + "id": "5eb5f250-285e-11e9-805f-43bf57dfa519", + "panelIndex": "4", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "5", + "w": 10, + "x": 38, + "y": 4 + }, + "id": "a1951650-285e-11e9-805f-43bf57dfa519", + "panelIndex": "5", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 9, + "i": "6", + "w": 48, + "x": 0, + "y": 14 + }, + "id": "e4d25fe0-285e-11e9-805f-43bf57dfa519", + "panelIndex": "6", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 26, + "i": "7", + "w": 48, + "x": 0, + "y": 23 + }, + "id": "2e04c720-285f-11e9-805f-43bf57dfa519", + "panelIndex": "7", + "type": "search", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "8", + "w": 10, + "x": 18, + "y": 4 + }, + "id": "e8eb58a0-2860-11e9-805f-43bf57dfa519", + "panelIndex": "8", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 4, + "i": "9", + "w": 48, + "x": 0, + "y": 0 + }, + "id": "4ccc5b50-27f6-11e9-89af-fd12d59dac90", + "panelIndex": "9", + "type": "visualization", + "version": "7.0.0" + } + ], + "timeRestore": false, + "title": "[Auditbeat System] Login Dashboard", + "version": 1 + }, + "id": "2a17f200-285e-11e9-805f-43bf57dfa519", + "type": "dashboard", + "updated_at": "2019-02-04T11:38:50.007Z", + "version": 6 + } + ], + "version": "7.0.0" +} \ No newline at end of file 
diff --git a/x-pack/auditbeat/module/system/_meta/kibana/7/dashboard/auditbeat-system-overview-dashboard.json b/x-pack/auditbeat/module/system/_meta/kibana/7/dashboard/auditbeat-system-overview-dashboard.json
new file mode 100644
index 000000000000..3d43f14b2bdb
--- /dev/null
+++ b/x-pack/auditbeat/module/system/_meta/kibana/7/dashboard/auditbeat-system-overview-dashboard.json
@@ -0,0 +1,2361 @@ +{ + "objects": [ + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.module", + "negate": false, + "params": { + "query": "system", + "type": "phrase" + }, + "type": "phrase", + "value": "system" + }, + "query": { + "match": { + "event.module": { + "query": "system", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Host Count [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Hosts", + "field": "host.id" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Host Count [Auditbeat System]", + "type": "metric" + } + }, + "id": "cf8aa0a0-18ca-11e9-9094-c50574723088", + "type": "visualization", + "updated_at": "2019-02-03T20:37:18.796Z", + "version": 22 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "process", + "type": "phrase" + }, + "type": "phrase", + "value": "process" + }, + "query": { + "match": { + "event.dataset": { + "query": "process", + "type": 
"phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Process Count [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Processes", + "field": "process.entity_id" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Process Count [Auditbeat System]", + "type": "metric" + } + }, + "id": "bb0d1870-27f1-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T20:24:39.030Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "socket", + "type": "phrase" + }, + "type": "phrase", + "value": "socket" + }, + "query": { + "match": { + "event.dataset": { + "query": "socket", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Socket Count [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Sockets", + "field": "socket.entity_id" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + 
"colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Socket Count [Auditbeat System]", + "type": "metric" + } + }, + "id": "7323dd90-27f2-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T20:29:47.881Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "user", + "type": "phrase" + }, + "type": "phrase", + "value": "user" + }, + "query": { + "match": { + "event.dataset": { + "query": "user", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "User Count [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Users", + "field": "user.entity_id" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "User Count [Auditbeat System]", + "type": "metric" + } + }, + "id": "e9225120-27f2-11e9-89af-fd12d59dac90", + 
"type": "visualization", + "updated_at": "2019-02-03T20:35:48.640Z", + "version": 2 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "package", + "type": "phrase" + }, + "type": "phrase", + "value": "package" + }, + "query": { + "match": { + "event.dataset": { + "query": "package", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Package Count [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Packages", + "field": "system.audit.package.entity_id" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Package Count [Auditbeat System]", + "type": "metric" + } + }, + "id": "f664fb20-27f3-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T20:40:37.585Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "login", + "type": "phrase" + }, + "type": "phrase", + "value": "login" + 
}, + "query": { + "match": { + "event.dataset": { + "query": "login", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Login Count [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Login Events" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Login Count [Auditbeat System]", + "type": "metric" + } + }, + "id": "8d63c420-27f4-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T20:44:50.914Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "host", + "type": "phrase" + }, + "type": "phrase", + "value": "host" + }, + "query": { + "match": { + "event.dataset": { + "query": "host", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "OS Distribution [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "field": "system.audit.host.id" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "OS", 
+ "field": "system.audit.host.os.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "system.audit.host.os.version", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "OS Distribution [Auditbeat System]", + "type": "pie" + } + }, + "id": "9dd991a0-18cb-11e9-9094-c50574723088", + "type": "visualization", + "updated_at": "2019-01-21T11:37:35.796Z", + "version": 24 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "login", + "type": "phrase" + }, + "type": "phrase", + "value": "login" + }, + "query": { + "match": { + "event.dataset": { + "query": "login", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Login Actions [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "event.action", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + 
"otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Login Actions [Auditbeat System]", + "type": "pie" + } + }, + "id": "593df9b0-27f7-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T21:04:51.914Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "user", + "type": "phrase" + }, + "type": "phrase", + "value": "user" + }, + "query": { + "match": { + "event.dataset": { + "query": "user", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.action", + "negate": true, + "params": { + "query": "existing_user", + "type": "phrase" + }, + "type": "phrase", + "value": "existing_user" + }, + "query": { + "match": { + "event.action": { + "query": "existing_user", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "User Changes [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "User Changes" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + 
"percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "User Changes [Auditbeat System]", + "type": "metric" + } + }, + "id": "00fa0d20-27fc-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T21:38:11.314Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "process", + "type": "phrase" + }, + "type": "phrase", + "value": "process" + }, + "query": { + "match": { + "event.dataset": { + "query": "process", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.action", + "negate": false, + "params": { + "query": "process_started", + "type": "phrase" + }, + "type": "phrase", + "value": "process_started" + }, + "query": { + "match": { + "event.action": { + "query": "process_started", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Process Starts [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Started" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, 
+ "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Process Starts [Auditbeat System]", + "type": "metric" + } + }, + "id": "0db90830-27fd-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T21:45:42.195Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.action", + "negate": false, + "params": { + "query": "process_stopped", + "type": "phrase" + }, + "type": "phrase", + "value": "process_stopped" + }, + "query": { + "match": { + "event.action": { + "query": "process_stopped", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "process", + "type": "phrase" + }, + "type": "phrase", + "value": "process" + }, + "query": { + "match": { + "event.dataset": { + "query": "process", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Process Stops [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Stopped" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Process Stops [Auditbeat System]", 
+ "type": "metric" + } + }, + "id": "b885dae0-27fd-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T21:50:28.750Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "socket", + "type": "phrase" + }, + "type": "phrase", + "value": "socket" + }, + "query": { + "match": { + "event.dataset": { + "query": "socket", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.action", + "negate": false, + "params": { + "query": "socket_opened", + "type": "phrase" + }, + "type": "phrase", + "value": "socket_opened" + }, + "query": { + "match": { + "event.action": { + "query": "socket_opened", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Sockets Opened [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Opened" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Sockets Opened [Auditbeat System]", + "type": "metric" + } + }, + "id": "295905e0-27fd-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": 
"2019-02-03T21:47:58.605Z", + "version": 2 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "socket", + "type": "phrase" + }, + "type": "phrase", + "value": "socket" + }, + "query": { + "match": { + "event.dataset": { + "query": "socket", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.action", + "negate": false, + "params": { + "query": "socket_closed", + "type": "phrase" + }, + "type": "phrase", + "value": "socket_closed" + }, + "query": { + "match": { + "event.action": { + "query": "socket_closed", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Sockets Closed [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Closed" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Sockets Closed [Auditbeat System]", + "type": "metric" + } + }, + "id": "82d46ec0-27fd-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T21:48:58.668Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + 
"searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "package", + "type": "phrase" + }, + "type": "phrase", + "value": "package" + }, + "query": { + "match": { + "event.dataset": { + "query": "package", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.action", + "negate": true, + "params": { + "query": "existing_package", + "type": "phrase" + }, + "type": "phrase", + "value": "existing_package" + }, + "query": { + "match": { + "event.action": { + "query": "existing_package", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Package Changes [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Changes" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Package Changes [Auditbeat System]", + "type": "metric" + } + }, + "id": "bdf9c530-27fe-11e9-805f-43bf57dfa519", + "type": "visualization", + "updated_at": "2019-02-04T10:44:06.826Z", + "version": 2 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + 
"disabled": false, + "index": "auditbeat-*", + "key": "event.module", + "negate": false, + "params": { + "query": "system", + "type": "phrase" + }, + "type": "phrase", + "value": "system" + }, + "query": { + "match": { + "event.module": { + "query": "system", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.kind", + "negate": false, + "params": { + "query": "event", + "type": "phrase" + }, + "type": "phrase", + "value": "event" + }, + "query": { + "match": { + "event.kind": { + "query": "event", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "System Event Histogram [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customInterval": "2h", + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "time_zone": "Europe/London", + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "grid": { + "categoryLines": false, + "style": { + "color": "#eee" + } + }, + "legendPosition": "right", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "mode": "stacked", + "show": "true", + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "times": [], + "type": "histogram", + 
"valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "System Event Histogram [Auditbeat System]", + "type": "histogram" + } + }, + "id": "54135e50-27ff-11e9-805f-43bf57dfa519", + "type": "visualization", + "updated_at": "2019-02-03T22:01:59.221Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "host", + "type": "phrase" + }, + "type": "phrase", + "value": "host" + }, + "query": { + "match": { + "event.dataset": { + "query": "host", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Host List [Auditbeat System]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": 1, + "direction": "asc" + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Hostname", + "field": "system.audit.host.hostname", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "_key", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "5", + "params": { + "aggregate": "max", + "customLabel": "Uptime (days)", + "field": "system.audit.host.uptime", + "size": 1, + "sortField": "@timestamp", + "sortOrder": "desc" + }, + "schema": "metric", + "type": "top_hits" + }, + { + "enabled": true, + "id": "3", + "params": { + "aggregate": 
"concat", + "customLabel": "OS", + "field": "system.audit.host.os.name", + "size": 1, + "sortField": "@timestamp", + "sortOrder": "desc" + }, + "schema": "metric", + "type": "top_hits" + }, + { + "enabled": true, + "id": "4", + "params": { + "aggregate": "concat", + "customLabel": "Version", + "field": "system.audit.host.os.version", + "size": 1, + "sortField": "@timestamp", + "sortOrder": "desc" + }, + "schema": "metric", + "type": "top_hits" + }, + { + "enabled": true, + "id": "1", + "params": { + "aggregate": "concat", + "customLabel": "Host ID", + "field": "system.audit.host.id", + "size": 1, + "sortField": "@timestamp", + "sortOrder": "desc" + }, + "schema": "metric", + "type": "top_hits" + }, + { + "enabled": true, + "id": "6", + "params": { + "aggregate": "concat", + "customLabel": "Status", + "field": "message", + "size": 1, + "sortField": "@timestamp", + "sortOrder": "desc" + }, + "schema": "metric", + "type": "top_hits" + } + ], + "params": { + "perPage": 10, + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Host List [Auditbeat System]", + "type": "table" + } + }, + "id": "91962a30-1901-11e9-9094-c50574723088", + "type": "visualization", + "updated_at": "2019-01-21T11:58:22.519Z", + "version": 25 + }, + { + "attributes": { + "columns": [ + "host.hostname", + "event.dataset", + "event.action", + "message" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.module", + "negate": false, + "params": { + "query": "system", + "type": "phrase" + }, + "type": "phrase", + "value": "system" + }, + "query": { + "match": { + "event.module": { + "query": "system", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + 
"meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.kind", + "negate": false, + "params": { + "query": "event", + "type": "phrase" + }, + "type": "phrase", + "value": "event" + }, + "query": { + "match": { + "event.kind": { + "query": "event", + "type": "phrase" + } + } + } + } + ], + "highlightAll": true, + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + }, + "version": true + } + }, + "sort": [ + "@timestamp", + "desc" + ], + "title": "System Events [Auditbeat System]", + "version": 1 + }, + "id": "d08ebd30-27ff-11e9-805f-43bf57dfa519", + "type": "search", + "updated_at": "2019-02-03T22:17:10.090Z", + "version": 2 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Dashboard Links [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 12, + "markdown": "**Dashboards**: [System Overview](#/dashboard/2be46cb0-27f2-11e9-89af-fd12d59dac90) | [Hosts](#/dashboard/dfe62590-18da-11e9-9094-c50574723088) | [Logins](#/dashboard/2a17f200-285e-11e9-805f-43bf57dfa519) | [Users](#/dashboard/ae96a660-2864-11e9-97cb-474beda9f119) | [Processes](#/dashboard/4c68f110-2863-11e9-97cb-474beda9f119) | [Sockets](#/dashboard/957a3ef0-2867-11e9-9d21-0be348776e6c) | [Packages](#/dashboard/137c52f0-286a-11e9-9d21-0be348776e6c)", + "openLinksInNewTab": false + }, + "title": "Dashboard Links [Auditbeat System]", + "type": "markdown" + } + }, + "id": "4ccc5b50-27f6-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-04T11:37:25.234Z", + "version": 3 + }, + { + "attributes": { + "description": "Overview of System Information.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "Host", + "disabled": true, + 
"index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "host", + "type": "phrase" + }, + "type": "phrase", + "value": "host" + }, + "query": { + "match": { + "event.dataset": { + "query": "host", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "Login", + "disabled": true, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "login", + "type": "phrase" + }, + "type": "phrase", + "value": "login" + }, + "query": { + "match": { + "event.dataset": { + "query": "login", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "User", + "disabled": true, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "user", + "type": "phrase" + }, + "type": "phrase", + "value": "user" + }, + "query": { + "match": { + "event.dataset": { + "query": "user", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "Process", + "disabled": true, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "process", + "type": "phrase" + }, + "type": "phrase", + "value": "process" + }, + "query": { + "match": { + "event.dataset": { + "query": "process", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "Socket", + "disabled": true, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "socket", + "type": "phrase" + }, + "type": "phrase", + "value": "socket" + }, + "query": { + "match": { + "event.dataset": { + "query": "socket", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "Package", + "disabled": true, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "package", + "type": "phrase" + 
}, + "type": "phrase", + "value": "package" + }, + "query": { + "match": { + "event.dataset": { + "query": "package", + "type": "phrase" + } + } + } + } + ], + "query": { + "language": "lucene", + "query": "" + } + } + }, + "optionsJSON": { + "darkTheme": false, + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "1", + "w": 8, + "x": 0, + "y": 4 + }, + "id": "cf8aa0a0-18ca-11e9-9094-c50574723088", + "panelIndex": "1", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "2", + "w": 8, + "x": 24, + "y": 4 + }, + "id": "bb0d1870-27f1-11e9-89af-fd12d59dac90", + "panelIndex": "2", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "3", + "w": 8, + "x": 32, + "y": 4 + }, + "id": "7323dd90-27f2-11e9-89af-fd12d59dac90", + "panelIndex": "3", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "4", + "w": 8, + "x": 16, + "y": 4 + }, + "id": "e9225120-27f2-11e9-89af-fd12d59dac90", + "panelIndex": "4", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "5", + "w": 8, + "x": 40, + "y": 4 + }, + "id": "f664fb20-27f3-11e9-89af-fd12d59dac90", + "panelIndex": "5", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "6", + "w": 8, + "x": 8, + "y": 4 + }, + "id": "8d63c420-27f4-11e9-89af-fd12d59dac90", + "panelIndex": "6", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 14, + "i": "8", + "w": 8, + "x": 0, + "y": 12 + }, + "id": "9dd991a0-18cb-11e9-9094-c50574723088", + "panelIndex": "8", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 14, + "i": "9", + "w": 8, + "x": 8, + 
"y": 12 + }, + "id": "593df9b0-27f7-11e9-89af-fd12d59dac90", + "panelIndex": "9", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 14, + "i": "10", + "w": 8, + "x": 16, + "y": 12 + }, + "id": "00fa0d20-27fc-11e9-89af-fd12d59dac90", + "panelIndex": "10", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 7, + "i": "11", + "w": 8, + "x": 24, + "y": 12 + }, + "id": "0db90830-27fd-11e9-89af-fd12d59dac90", + "panelIndex": "11", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 7, + "i": "12", + "w": 8, + "x": 24, + "y": 19 + }, + "id": "b885dae0-27fd-11e9-89af-fd12d59dac90", + "panelIndex": "12", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 7, + "i": "13", + "w": 8, + "x": 32, + "y": 12 + }, + "id": "295905e0-27fd-11e9-89af-fd12d59dac90", + "panelIndex": "13", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 7, + "i": "14", + "w": 8, + "x": 32, + "y": 19 + }, + "id": "82d46ec0-27fd-11e9-89af-fd12d59dac90", + "panelIndex": "14", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 14, + "i": "15", + "w": 8, + "x": 40, + "y": 12 + }, + "id": "bdf9c530-27fe-11e9-805f-43bf57dfa519", + "panelIndex": "15", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "16", + "w": 48, + "x": 0, + "y": 26 + }, + "id": "54135e50-27ff-11e9-805f-43bf57dfa519", + "panelIndex": "16", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 19, + "i": "17", + "w": 24, + "x": 0, + "y": 34 + }, + "id": "91962a30-1901-11e9-9094-c50574723088", + "panelIndex": "17", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + 
"gridData": { + "h": 19, + "i": "18", + "w": 24, + "x": 24, + "y": 34 + }, + "id": "d08ebd30-27ff-11e9-805f-43bf57dfa519", + "panelIndex": "18", + "type": "search", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 4, + "i": "19", + "w": 48, + "x": 0, + "y": 0 + }, + "id": "4ccc5b50-27f6-11e9-89af-fd12d59dac90", + "panelIndex": "19", + "type": "visualization", + "version": "7.0.0" + } + ], + "timeRestore": false, + "title": "[Auditbeat System] System Overview", + "version": 1 + }, + "id": "2be46cb0-27f2-11e9-89af-fd12d59dac90", + "type": "dashboard", + "updated_at": "2019-02-04T09:32:32.325Z", + "version": 9 + } + ], + "version": "7.0.0" +} \ No newline at end of file diff --git a/x-pack/auditbeat/module/system/_meta/kibana/7/dashboard/auditbeat-system-package-dashboard.json b/x-pack/auditbeat/module/system/_meta/kibana/7/dashboard/auditbeat-system-package-dashboard.json new file mode 100644 index 000000000000..46dcaf1f714c --- /dev/null +++ b/x-pack/auditbeat/module/system/_meta/kibana/7/dashboard/auditbeat-system-package-dashboard.json 
@@ -0,0 +1,919 @@ +{ + "objects": [ + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Dashboard Links [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 12, + "markdown": "**Dashboards**: [System Overview](#/dashboard/2be46cb0-27f2-11e9-89af-fd12d59dac90) | [Hosts](#/dashboard/dfe62590-18da-11e9-9094-c50574723088) | [Logins](#/dashboard/2a17f200-285e-11e9-805f-43bf57dfa519) | [Users](#/dashboard/ae96a660-2864-11e9-97cb-474beda9f119) | [Processes](#/dashboard/4c68f110-2863-11e9-97cb-474beda9f119) | [Sockets](#/dashboard/957a3ef0-2867-11e9-9d21-0be348776e6c) | [Packages](#/dashboard/137c52f0-286a-11e9-9d21-0be348776e6c)", + "openLinksInNewTab": false + }, + "title": "Dashboard Links [Auditbeat System]", + "type": "markdown" + } + }, + "id": "4ccc5b50-27f6-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-04T11:37:25.234Z", + "version": 3 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "package", + "type": "phrase" + }, + "type": "phrase", + "value": "package" + }, + "query": { + "match": { + "event.dataset": { + "query": "package", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Package Count [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Packages", + "field": "system.audit.package.entity_id" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + 
"addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Package Count [Auditbeat System]", + "type": "metric" + } + }, + "id": "f664fb20-27f3-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T20:40:37.585Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "package", + "type": "phrase" + }, + "type": "phrase", + "value": "package" + }, + "query": { + "match": { + "event.dataset": { + "query": "package", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.action", + "negate": true, + "params": { + "query": "existing_package", + "type": "phrase" + }, + "type": "phrase", + "value": "existing_package" + }, + "query": { + "match": { + "event.action": { + "query": "existing_package", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Package Changes [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Changes" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 
10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Package Changes [Auditbeat System]", + "type": "metric" + } + }, + "id": "bdf9c530-27fe-11e9-805f-43bf57dfa519", + "type": "visualization", + "updated_at": "2019-02-04T10:44:06.826Z", + "version": 2 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "package", + "type": "phrase" + }, + "type": "phrase", + "value": "package" + }, + "query": { + "match": { + "event.dataset": { + "query": "package", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Package OS Distribution [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "field": "host.id" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "OS", + "field": "host.os.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "host.os.version", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + 
"addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Package OS Distribution [Auditbeat System]", + "type": "pie" + } + }, + "id": "6ed51940-2868-11e9-9d21-0be348776e6c", + "type": "visualization", + "updated_at": "2019-02-04T10:34:21.268Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "package", + "type": "phrase" + }, + "type": "phrase", + "value": "package" + }, + "query": { + "match": { + "event.dataset": { + "query": "package", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.kind", + "negate": false, + "params": { + "query": "event", + "type": "phrase" + }, + "type": "phrase", + "value": "event" + }, + "query": { + "match": { + "event.kind": { + "query": "event", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Package Change Actions [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "event.action", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + 
"truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Package Change Actions [Auditbeat System]", + "type": "pie" + } + }, + "id": "fe23f530-2868-11e9-9d21-0be348776e6c", + "type": "visualization", + "updated_at": "2019-02-04T10:38:21.699Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "package", + "type": "phrase" + }, + "type": "phrase", + "value": "package" + }, + "query": { + "match": { + "event.dataset": { + "query": "package", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Package Document Histogram [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customInterval": "2h", + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "time_zone": "Europe/London", + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "grid": { + "categoryLines": false, + "style": { + "color": "#eee" + } + }, + "legendPosition": "right", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "mode": "stacked", + 
"show": "true", + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "times": [], + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "Package Document Histogram [Auditbeat System]", + "type": "histogram" + } + }, + "id": "4e7701d0-2869-11e9-9d21-0be348776e6c", + "type": "visualization", + "updated_at": "2019-02-04T10:40:36.461Z", + "version": 1 + }, + { + "attributes": { + "columns": [ + "host.hostname", + "event.action", + "message" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "package", + "type": "phrase" + }, + "type": "phrase", + "value": "package" + }, + "query": { + "match": { + "event.dataset": { + "query": "package", + "type": "phrase" + } + } + } + } + ], + "highlightAll": true, + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + }, + "version": true + } + }, + "sort": [ + "@timestamp", + "desc" + ], + "title": "Package Documents [Auditbeat System]", + "version": 1 + }, + "id": "391ef230-2868-11e9-9d21-0be348776e6c", + "type": "search", + "updated_at": "2019-02-04T10:32:51.155Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "package", + "type": "phrase" + }, + "type": 
"phrase", + "value": "package" + }, + "query": { + "match": { + "event.dataset": { + "query": "package", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Package Names [Auditbeat System]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "system.audit.package.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 25 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 5, + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Package Names [Auditbeat System]", + "type": "table" + } + }, + "id": "8dc55df0-2869-11e9-9d21-0be348776e6c", + "type": "visualization", + "updated_at": "2019-02-04T10:45:22.440Z", + "version": 2 + }, + { + "attributes": { + "description": "System Packages", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "lucene", + "query": "" + } + } + }, + "optionsJSON": { + "darkTheme": false, + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": {}, + "gridData": { + "h": 4, + "i": "1", + "w": 48, + "x": 0, + "y": 0 + }, + "id": "4ccc5b50-27f6-11e9-89af-fd12d59dac90", + "panelIndex": "1", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 11, + "i": "2", + "w": 6, + "x": 0, + "y": 4 + }, + "id": "f664fb20-27f3-11e9-89af-fd12d59dac90", + "panelIndex": "2", + "type": 
"visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 11, + "i": "3", + "w": 5, + "x": 6, + "y": 4 + }, + "id": "bdf9c530-27fe-11e9-805f-43bf57dfa519", + "panelIndex": "3", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 11, + "i": "4", + "w": 13, + "x": 24, + "y": 4 + }, + "id": "6ed51940-2868-11e9-9d21-0be348776e6c", + "panelIndex": "4", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 11, + "i": "5", + "w": 13, + "x": 11, + "y": 4 + }, + "id": "fe23f530-2868-11e9-9d21-0be348776e6c", + "panelIndex": "5", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "6", + "w": 48, + "x": 0, + "y": 15 + }, + "id": "4e7701d0-2869-11e9-9d21-0be348776e6c", + "panelIndex": "6", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 26, + "i": "7", + "w": 48, + "x": 0, + "y": 23 + }, + "id": "391ef230-2868-11e9-9d21-0be348776e6c", + "panelIndex": "7", + "type": "search", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 11, + "i": "8", + "w": 11, + "x": 37, + "y": 4 + }, + "id": "8dc55df0-2869-11e9-9d21-0be348776e6c", + "panelIndex": "8", + "type": "visualization", + "version": "7.0.0" + } + ], + "timeRestore": false, + "title": "[Auditbeat System] Package Dashboard", + "version": 1 + }, + "id": "137c52f0-286a-11e9-9d21-0be348776e6c", + "type": "dashboard", + "updated_at": "2019-02-04T11:03:23.945Z", + "version": 2 + } + ], + "version": "7.0.0" +} \ No newline at end of file diff --git a/x-pack/auditbeat/module/system/_meta/kibana/7/dashboard/auditbeat-system-process-dashboard.json b/x-pack/auditbeat/module/system/_meta/kibana/7/dashboard/auditbeat-system-process-dashboard.json new file mode 100644 index 000000000000..6ffee4042df1 --- /dev/null 
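Review bot: The date_histogram aggregation of the "Package Document Histogram [Auditbeat System]" visualization in this hunk carries a hard-coded `"time_zone": "Europe/London",` in its params, which looks like an artefact of the author's browser settings at export time rather than an intended setting; with it pinned, the histogram buckets are presumably aligned to London time for every user of the dashboard instead of their own browser timezone. Dropping that one line (the surrounding `"min_doc_count": 1,` and `"useNormalizedEsInterval": true` keep the object valid JSON) lets Kibana fall back to its default behaviour. The same hard-coded value appears in the "System Event Histogram [Auditbeat System]" visualization of the overview dashboard hunk earlier in this diff, whose start lies outside this excerpt, and should be removed there too. It may be worth a short note in the module's kibana/_meta README (not in this hunk) reminding contributors to strip `time_zone` from exported saved objects before committing.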
+++ b/x-pack/auditbeat/module/system/_meta/kibana/7/dashboard/auditbeat-system-process-dashboard.json 
@@ -0,0 +1,1036 @@ +{ + "objects": [ + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "process", + "type": "phrase" + }, + "type": "phrase", + "value": "process" + }, + "query": { + "match": { + "event.dataset": { + "query": "process", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Process Count [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Processes", + "field": "process.entity_id" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Process Count [Auditbeat System]", + "type": "metric" + } + }, + "id": "bb0d1870-27f1-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T20:24:39.030Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "process", + "type": "phrase" + }, + "type": "phrase", + "value": "process" + }, + "query": { + "match": { + "event.dataset": { + "query": 
"process", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.action", + "negate": false, + "params": { + "query": "process_started", + "type": "phrase" + }, + "type": "phrase", + "value": "process_started" + }, + "query": { + "match": { + "event.action": { + "query": "process_started", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Process Starts [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Started" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Process Starts [Auditbeat System]", + "type": "metric" + } + }, + "id": "0db90830-27fd-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T21:45:42.195Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.action", + "negate": false, + "params": { + "query": "process_stopped", + "type": "phrase" + }, + "type": "phrase", + "value": "process_stopped" + }, + "query": { + "match": { + "event.action": { + "query": "process_stopped", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + 
"meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "process", + "type": "phrase" + }, + "type": "phrase", + "value": "process" + }, + "query": { + "match": { + "event.dataset": { + "query": "process", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Process Stops [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Stopped" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Process Stops [Auditbeat System]", + "type": "metric" + } + }, + "id": "b885dae0-27fd-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T21:50:28.750Z", + "version": 1 + }, + { + "attributes": { + "columns": [ + "host.hostname", + "user.name", + "event.action", + "process.pid", + "process.name" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "process", + "type": "phrase" + }, + "type": "phrase", + "value": "process" + }, + "query": { + "match": { + "event.dataset": { + "query": "process", + "type": "phrase" + } + } + } + } + ], + "highlightAll": true, + "index": "auditbeat-*", + "query": { + 
"language": "lucene", + "query": "" + }, + "version": true + } + }, + "sort": [ + "@timestamp", + "desc" + ], + "title": "Process Events [Auditbeat System]", + "version": 1 + }, + "id": "0f9611b0-2862-11e9-97cb-474beda9f119", + "type": "search", + "updated_at": "2019-02-04T09:48:44.490Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "process", + "type": "phrase" + }, + "type": "phrase", + "value": "process" + }, + "query": { + "match": { + "event.dataset": { + "query": "process", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Process OS Distribution [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "field": "host.id" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "OS", + "field": "host.os.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "host.os.version", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Process OS 
Distribution [Auditbeat System]", + "type": "pie" + } + }, + "id": "91708fd0-2862-11e9-97cb-474beda9f119", + "type": "visualization", + "updated_at": "2019-02-04T09:52:22.349Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "process", + "type": "phrase" + }, + "type": "phrase", + "value": "process" + }, + "query": { + "match": { + "event.dataset": { + "query": "process", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Process Event Histogram [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customInterval": "2h", + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "time_zone": "Europe/London", + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "grid": { + "categoryLines": false, + "style": { + "color": "#eee" + } + }, + "legendPosition": "right", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "mode": "stacked", + "show": "true", + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "times": [], 
+ "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "Process Event Histogram [Auditbeat System]", + "type": "histogram" + } + }, + "id": "b1e2af00-2862-11e9-97cb-474beda9f119", + "type": "visualization", + "updated_at": "2019-02-04T09:53:16.784Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "process", + "type": "phrase" + }, + "type": "phrase", + "value": "process" + }, + "query": { + "match": { + "event.dataset": { + "query": "process", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Process Names [Auditbeat System]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Process", + "field": "process.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 8 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + } + ], + "params": { + "perPage": 8, + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + 
"title": "Process Names [Auditbeat System]", + "type": "table" + } + }, + "id": "f1d365a0-2862-11e9-97cb-474beda9f119", + "type": "visualization", + "updated_at": "2019-02-04T09:56:33.249Z", + "version": 2 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "process", + "type": "phrase" + }, + "type": "phrase", + "value": "process" + }, + "query": { + "match": { + "event.dataset": { + "query": "process", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Process Users [Auditbeat System]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Process", + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 8 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + } + ], + "params": { + "perPage": 8, + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Process Users [Auditbeat System]", + "type": "table" + } + }, + "id": "30936470-2863-11e9-97cb-474beda9f119", + "type": "visualization", + "updated_at": "2019-02-04T09:56:49.335Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "lucene", + "query": "" + } + 
} + }, + "title": "Dashboard Links [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 12, + "markdown": "**Dashboards**: [System Overview](#/dashboard/2be46cb0-27f2-11e9-89af-fd12d59dac90) | [Hosts](#/dashboard/dfe62590-18da-11e9-9094-c50574723088) | [Logins](#/dashboard/2a17f200-285e-11e9-805f-43bf57dfa519) | [Users](#/dashboard/ae96a660-2864-11e9-97cb-474beda9f119) | [Processes](#/dashboard/4c68f110-2863-11e9-97cb-474beda9f119) | [Sockets](#/dashboard/957a3ef0-2867-11e9-9d21-0be348776e6c) | [Packages](#/dashboard/137c52f0-286a-11e9-9d21-0be348776e6c)", + "openLinksInNewTab": false + }, + "title": "Dashboard Links [Auditbeat System]", + "type": "markdown" + } + }, + "id": "4ccc5b50-27f6-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-04T11:37:25.234Z", + "version": 3 + }, + { + "attributes": { + "description": "System Processes", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "lucene", + "query": "" + } + } + }, + "optionsJSON": { + "darkTheme": false, + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "1", + "w": 11, + "x": 0, + "y": 4 + }, + "id": "bb0d1870-27f1-11e9-89af-fd12d59dac90", + "panelIndex": "1", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "2", + "w": 11, + "x": 11, + "y": 4 + }, + "id": "0db90830-27fd-11e9-89af-fd12d59dac90", + "panelIndex": "2", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "3", + "w": 11, + "x": 22, + "y": 4 + }, + "id": "b885dae0-27fd-11e9-89af-fd12d59dac90", + "panelIndex": "3", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 14, + "i": "4", + "w": 48, + "x": 0, + "y": 38 + }, + "id": 
"0f9611b0-2862-11e9-97cb-474beda9f119", + "panelIndex": "4", + "type": "search", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "5", + "w": 15, + "x": 33, + "y": 4 + }, + "id": "91708fd0-2862-11e9-97cb-474beda9f119", + "panelIndex": "5", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 9, + "i": "6", + "w": 48, + "x": 0, + "y": 29 + }, + "id": "b1e2af00-2862-11e9-97cb-474beda9f119", + "panelIndex": "6", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 15, + "i": "7", + "w": 24, + "x": 0, + "y": 14 + }, + "id": "f1d365a0-2862-11e9-97cb-474beda9f119", + "panelIndex": "7", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 15, + "i": "8", + "w": 24, + "x": 24, + "y": 14 + }, + "id": "30936470-2863-11e9-97cb-474beda9f119", + "panelIndex": "8", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 4, + "i": "9", + "w": 48, + "x": 0, + "y": 0 + }, + "id": "4ccc5b50-27f6-11e9-89af-fd12d59dac90", + "panelIndex": "9", + "type": "visualization", + "version": "7.0.0" + } + ], + "timeRestore": false, + "title": "[Auditbeat System] Process Dashboard", + "version": 1 + }, + "id": "4c68f110-2863-11e9-97cb-474beda9f119", + "type": "dashboard", + "updated_at": "2019-02-04T10:13:58.155Z", + "version": 2 + } + ], + "version": "7.0.0" +} \ No newline at end of file diff --git a/x-pack/auditbeat/module/system/_meta/kibana/7/dashboard/auditbeat-system-socket-dashboard.json b/x-pack/auditbeat/module/system/_meta/kibana/7/dashboard/auditbeat-system-socket-dashboard.json new file mode 100644 index 000000000000..2ecb25fd7000 --- /dev/null +++ b/x-pack/auditbeat/module/system/_meta/kibana/7/dashboard/auditbeat-system-socket-dashboard.json 
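Review bot: The date_histogram aggregation of "Process Event Histogram [Auditbeat System]" carries `"time_zone": "Europe/London"`, which looks like the exporting author's local zone captured by the Kibana export rather than a deliberate setting; as far as I can tell it will align histogram buckets to that zone for every user who imports the dashboard, independent of their own Kibana timezone setting. Dropping the key before committing (or setting it to whatever value the other shipped Beats dashboards use) would let the server-side default apply. The identical value appears in the "Socket Document Histogram [Auditbeat System]" object of the socket dashboard hunk that follows. The file also ends without a trailing newline, which the diff flags with "No newline at end of file".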
@@ -0,0 +1,1238 @@ +{ + "objects": [ + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Dashboard Links [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 12, + "markdown": "**Dashboards**: [System Overview](#/dashboard/2be46cb0-27f2-11e9-89af-fd12d59dac90) | [Hosts](#/dashboard/dfe62590-18da-11e9-9094-c50574723088) | [Logins](#/dashboard/2a17f200-285e-11e9-805f-43bf57dfa519) | [Users](#/dashboard/ae96a660-2864-11e9-97cb-474beda9f119) | [Processes](#/dashboard/4c68f110-2863-11e9-97cb-474beda9f119) | [Sockets](#/dashboard/957a3ef0-2867-11e9-9d21-0be348776e6c) | [Packages](#/dashboard/137c52f0-286a-11e9-9d21-0be348776e6c)", + "openLinksInNewTab": false + }, + "title": "Dashboard Links [Auditbeat System]", + "type": "markdown" + } + }, + "id": "4ccc5b50-27f6-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-04T11:37:25.234Z", + "version": 3 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "socket", + "type": "phrase" + }, + "type": "phrase", + "value": "socket" + }, + "query": { + "match": { + "event.dataset": { + "query": "socket", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Socket Count [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Sockets", + "field": "socket.entity_id" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, 
+ "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Socket Count [Auditbeat System]", + "type": "metric" + } + }, + "id": "7323dd90-27f2-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T20:29:47.881Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "socket", + "type": "phrase" + }, + "type": "phrase", + "value": "socket" + }, + "query": { + "match": { + "event.dataset": { + "query": "socket", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.action", + "negate": false, + "params": { + "query": "socket_opened", + "type": "phrase" + }, + "type": "phrase", + "value": "socket_opened" + }, + "query": { + "match": { + "event.action": { + "query": "socket_opened", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Sockets Opened [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Opened" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": 
false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Sockets Opened [Auditbeat System]", + "type": "metric" + } + }, + "id": "295905e0-27fd-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T21:47:58.605Z", + "version": 2 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "socket", + "type": "phrase" + }, + "type": "phrase", + "value": "socket" + }, + "query": { + "match": { + "event.dataset": { + "query": "socket", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.action", + "negate": false, + "params": { + "query": "socket_closed", + "type": "phrase" + }, + "type": "phrase", + "value": "socket_closed" + }, + "query": { + "match": { + "event.action": { + "query": "socket_closed", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Sockets Closed [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Closed" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": 
false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Sockets Closed [Auditbeat System]", + "type": "metric" + } + }, + "id": "82d46ec0-27fd-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T21:48:58.668Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "socket", + "type": "phrase" + }, + "type": "phrase", + "value": "socket" + }, + "query": { + "match": { + "event.dataset": { + "query": "socket", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Socket Types [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "network.direction", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Socket Types [Auditbeat System]", + "type": "pie" + } + }, + "id": "eb2dbfd0-2866-11e9-9d21-0be348776e6c", + "type": "visualization", + "updated_at": "2019-02-04T10:23:30.893Z", + "version": 1 + }, + { + "attributes": { + "columns": [ + "host.hostname", + "network.direction", + "process.name", + "message" + ], + 
"description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "socket", + "type": "phrase" + }, + "type": "phrase", + "value": "socket" + }, + "query": { + "match": { + "event.dataset": { + "query": "socket", + "type": "phrase" + } + } + } + } + ], + "highlightAll": true, + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + }, + "version": true + } + }, + "sort": [ + "@timestamp", + "desc" + ], + "title": "Socket Documents [Auditbeat System]", + "version": 1 + }, + "id": "3bfed610-2867-11e9-9d21-0be348776e6c", + "type": "search", + "updated_at": "2019-02-04T10:25:46.481Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "socket", + "type": "phrase" + }, + "type": "phrase", + "value": "socket" + }, + "query": { + "match": { + "event.dataset": { + "query": "socket", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Socket Document Histogram [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customInterval": "2h", + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "time_zone": "Europe/London", + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + } + ], + "params": { + 
"addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "grid": { + "categoryLines": false, + "style": { + "color": "#eee" + } + }, + "legendPosition": "right", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "mode": "stacked", + "show": "true", + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "times": [], + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "Socket Document Histogram [Auditbeat System]", + "type": "histogram" + } + }, + "id": "536fa900-2867-11e9-9d21-0be348776e6c", + "type": "visualization", + "updated_at": "2019-02-04T10:26:25.808Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "socket", + "type": "phrase" + }, + "type": "phrase", + "value": "socket" + }, + "query": { + "match": { + "event.dataset": { + "query": "socket", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Socket Users [Auditbeat System]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, 
+ "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 8 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 8, + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Socket Users [Auditbeat System]", + "type": "table" + } + }, + "id": "78391460-2867-11e9-9d21-0be348776e6c", + "type": "visualization", + "updated_at": "2019-02-04T10:27:27.526Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "socket", + "type": "phrase" + }, + "type": "phrase", + "value": "socket" + }, + "query": { + "match": { + "event.dataset": { + "query": "socket", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Destination Ports [Auditbeat System]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "destination.port", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 30 + }, + "schema": "bucket", + 
"type": "terms" + } + ], + "params": { + "perPage": 10, + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Destination Ports [Auditbeat System]", + "type": "table" + } + }, + "id": "1771daa0-286b-11e9-9d21-0be348776e6c", + "type": "visualization", + "updated_at": "2019-02-04T10:56:23.379Z", + "version": 3 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "socket", + "type": "phrase" + }, + "type": "phrase", + "value": "socket" + }, + "query": { + "match": { + "event.dataset": { + "query": "socket", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Socket Source IPs [Auditbeat System]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "source.ip", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 30 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Socket Source IPs [Auditbeat System]", + "type": "table" + } + }, + "id": "b899a700-286b-11e9-9d21-0be348776e6c", + "type": "visualization", + "updated_at": 
"2019-02-04T10:57:53.520Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "socket", + "type": "phrase" + }, + "type": "phrase", + "value": "socket" + }, + "query": { + "match": { + "event.dataset": { + "query": "socket", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Socket Destination IPs [Auditbeat System]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "destination.ip", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 30 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Socket Destination IPs [Auditbeat System]", + "type": "table" + } + }, + "id": "d32c0540-286b-11e9-9d21-0be348776e6c", + "type": "visualization", + "updated_at": "2019-02-04T10:58:38.100Z", + "version": 1 + }, + { + "attributes": { + "description": "System Sockets", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "lucene", + "query": "" + } + } + }, + "optionsJSON": { + "darkTheme": false, + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + 
"embeddableConfig": {}, + "gridData": { + "h": 4, + "i": "1", + "w": 48, + "x": 0, + "y": 0 + }, + "id": "4ccc5b50-27f6-11e9-89af-fd12d59dac90", + "panelIndex": "1", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 11, + "i": "2", + "w": 5, + "x": 0, + "y": 4 + }, + "id": "7323dd90-27f2-11e9-89af-fd12d59dac90", + "panelIndex": "2", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 11, + "i": "3", + "w": 5, + "x": 5, + "y": 4 + }, + "id": "295905e0-27fd-11e9-89af-fd12d59dac90", + "panelIndex": "3", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 11, + "i": "4", + "w": 5, + "x": 10, + "y": 4 + }, + "id": "82d46ec0-27fd-11e9-89af-fd12d59dac90", + "panelIndex": "4", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 11, + "i": "5", + "w": 9, + "x": 15, + "y": 4 + }, + "id": "eb2dbfd0-2866-11e9-9d21-0be348776e6c", + "panelIndex": "5", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 26, + "i": "6", + "w": 48, + "x": 0, + "y": 23 + }, + "id": "3bfed610-2867-11e9-9d21-0be348776e6c", + "panelIndex": "6", + "type": "search", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "7", + "w": 48, + "x": 0, + "y": 15 + }, + "id": "536fa900-2867-11e9-9d21-0be348776e6c", + "panelIndex": "7", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 11, + "i": "8", + "w": 6, + "x": 42, + "y": 4 + }, + "id": "78391460-2867-11e9-9d21-0be348776e6c", + "panelIndex": "8", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 11, + "i": "9", + "w": 6, + "x": 36, + "y": 4 + }, + "id": "1771daa0-286b-11e9-9d21-0be348776e6c", + "panelIndex": "9", + "type": "visualization", + 
"version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 11, + "i": "10", + "w": 6, + "x": 24, + "y": 4 + }, + "id": "b899a700-286b-11e9-9d21-0be348776e6c", + "panelIndex": "10", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 11, + "i": "11", + "w": 6, + "x": 30, + "y": 4 + }, + "id": "d32c0540-286b-11e9-9d21-0be348776e6c", + "panelIndex": "11", + "type": "visualization", + "version": "7.0.0" + } + ], + "timeRestore": false, + "title": "[Auditbeat System] Socket Dashboard", + "version": 1 + }, + "id": "957a3ef0-2867-11e9-9d21-0be348776e6c", + "type": "dashboard", + "updated_at": "2019-02-04T11:01:23.746Z", + "version": 3 + } + ], + "version": "7.0.0" +} \ No newline at end of file diff --git a/x-pack/auditbeat/module/system/_meta/kibana/7/dashboard/auditbeat-system-user-dashboard.json b/x-pack/auditbeat/module/system/_meta/kibana/7/dashboard/auditbeat-system-user-dashboard.json new file mode 100644 index 000000000000..47efcb20e9f3 --- /dev/null +++ b/x-pack/auditbeat/module/system/_meta/kibana/7/dashboard/auditbeat-system-user-dashboard.json 
@@ -0,0 +1,913 @@ +{ + "objects": [ + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "user", + "type": "phrase" + }, + "type": "phrase", + "value": "user" + }, + "query": { + "match": { + "event.dataset": { + "query": "user", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "User Count [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Users", + "field": "user.entity_id" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "User Count [Auditbeat System]", + "type": "metric" + } + }, + "id": "e9225120-27f2-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T20:35:48.640Z", + "version": 2 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "user", + "type": "phrase" + }, + "type": "phrase", + "value": "user" + }, + "query": { + "match": { + "event.dataset": { + "query": "user", + "type": "phrase" + 
} + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.action", + "negate": true, + "params": { + "query": "existing_user", + "type": "phrase" + }, + "type": "phrase", + "value": "existing_user" + }, + "query": { + "match": { + "event.action": { + "query": "existing_user", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "User Changes [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "User Changes" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "User Changes [Auditbeat System]", + "type": "metric" + } + }, + "id": "00fa0d20-27fc-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T21:38:11.314Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "user", + "type": "phrase" + }, + "type": "phrase", + "value": "user" + }, + "query": { + "match": { + "event.dataset": { + "query": "user", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": 
"auditbeat-*", + "key": "event.action", + "negate": true, + "params": { + "query": "existing_user", + "type": "phrase" + }, + "type": "phrase", + "value": "existing_user" + }, + "query": { + "match": { + "event.action": { + "query": "existing_user", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "User Change Actions [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "event.action", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "User Change Actions [Auditbeat System]", + "type": "pie" + } + }, + "id": "dc514de0-2863-11e9-97cb-474beda9f119", + "type": "visualization", + "updated_at": "2019-02-04T10:01:37.470Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "user", + "type": "phrase" + }, + "type": "phrase", + "value": "user" + }, + "query": { + "match": { + "event.dataset": { + "query": "user", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Password Types [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": 
{ + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "system.audit.user.password.type", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Password Types [Auditbeat System]", + "type": "pie" + } + }, + "id": "0bf8b4c0-2864-11e9-97cb-474beda9f119", + "type": "visualization", + "updated_at": "2019-02-04T10:02:57.420Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "user", + "type": "phrase" + }, + "type": "phrase", + "value": "user" + }, + "query": { + "match": { + "event.dataset": { + "query": "user", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "User Documents Histogram [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customInterval": "2h", + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "time_zone": "Europe/London", + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + } + ], + "params": { + 
"addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "grid": { + "categoryLines": false, + "style": { + "color": "#eee" + } + }, + "legendPosition": "right", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "mode": "stacked", + "show": "true", + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "times": [], + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "User Documents Histogram [Auditbeat System]", + "type": "histogram" + } + }, + "id": "30f4eff0-2864-11e9-97cb-474beda9f119", + "type": "visualization", + "updated_at": "2019-02-04T10:03:59.471Z", + "version": 1 + }, + { + "attributes": { + "columns": [ + "host.hostname", + "system.audit.user.name", + "system.audit.user.password.type", + "message" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "user", + "type": "phrase" + }, + "type": "phrase", + "value": "user" + }, + "query": { + "match": { + "event.dataset": { + "query": "user", + "type": "phrase" + } + } + } + } + ], + "highlightAll": true, + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + }, + "version": true + } + }, + "sort": [ + 
"@timestamp", + "desc" + ], + "title": "User Documents [Auditbeat System]", + "version": 1 + }, + "id": "658a3db0-2864-11e9-97cb-474beda9f119", + "type": "search", + "updated_at": "2019-02-04T10:05:27.691Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "user", + "type": "phrase" + }, + "type": "phrase", + "value": "user" + }, + "query": { + "match": { + "event.dataset": { + "query": "user", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "User OS Distribution [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "field": "host.id" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "OS", + "field": "host.os.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "host.os.version", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "User OS Distribution [Auditbeat System]", + "type": "pie" + } + }, + "id": 
"7f480de0-2864-11e9-97cb-474beda9f119", + "type": "visualization", + "updated_at": "2019-02-04T10:06:10.878Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Dashboard Links [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 12, + "markdown": "**Dashboards**: [System Overview](#/dashboard/2be46cb0-27f2-11e9-89af-fd12d59dac90) | [Hosts](#/dashboard/dfe62590-18da-11e9-9094-c50574723088) | [Logins](#/dashboard/2a17f200-285e-11e9-805f-43bf57dfa519) | [Users](#/dashboard/ae96a660-2864-11e9-97cb-474beda9f119) | [Processes](#/dashboard/4c68f110-2863-11e9-97cb-474beda9f119) | [Sockets](#/dashboard/957a3ef0-2867-11e9-9d21-0be348776e6c) | [Packages](#/dashboard/137c52f0-286a-11e9-9d21-0be348776e6c)", + "openLinksInNewTab": false + }, + "title": "Dashboard Links [Auditbeat System]", + "type": "markdown" + } + }, + "id": "4ccc5b50-27f6-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-04T11:37:25.234Z", + "version": 3 + }, + { + "attributes": { + "description": "System Users", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "lucene", + "query": "" + } + } + }, + "optionsJSON": { + "darkTheme": false, + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "1", + "w": 8, + "x": 0, + "y": 4 + }, + "id": "e9225120-27f2-11e9-89af-fd12d59dac90", + "panelIndex": "1", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "2", + "w": 8, + "x": 8, + "y": 4 + }, + "id": "00fa0d20-27fc-11e9-89af-fd12d59dac90", + "panelIndex": "2", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 10, 
+ "i": "3", + "w": 11, + "x": 26, + "y": 4 + }, + "id": "dc514de0-2863-11e9-97cb-474beda9f119", + "panelIndex": "3", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "4", + "w": 11, + "x": 37, + "y": 4 + }, + "id": "0bf8b4c0-2864-11e9-97cb-474beda9f119", + "panelIndex": "4", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 9, + "i": "5", + "w": 48, + "x": 0, + "y": 14 + }, + "id": "30f4eff0-2864-11e9-97cb-474beda9f119", + "panelIndex": "5", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 26, + "i": "6", + "w": 48, + "x": 0, + "y": 23 + }, + "id": "658a3db0-2864-11e9-97cb-474beda9f119", + "panelIndex": "6", + "type": "search", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "7", + "w": 10, + "x": 16, + "y": 4 + }, + "id": "7f480de0-2864-11e9-97cb-474beda9f119", + "panelIndex": "7", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 4, + "i": "8", + "w": 48, + "x": 0, + "y": 0 + }, + "id": "4ccc5b50-27f6-11e9-89af-fd12d59dac90", + "panelIndex": "8", + "type": "visualization", + "version": "7.0.0" + } + ], + "timeRestore": false, + "title": "[Auditbeat System] User Dashboard", + "version": 1 + }, + "id": "ae96a660-2864-11e9-97cb-474beda9f119", + "type": "dashboard", + "updated_at": "2019-02-04T11:02:23.820Z", + "version": 3 + } + ], + "version": "7.0.0" +} \ No newline at end of file diff --git a/x-pack/auditbeat/module/system/fields.go b/x-pack/auditbeat/module/system/fields.go index 4160bd5402e7..1274280fc61b 100644 --- a/x-pack/auditbeat/module/system/fields.go +++ b/x-pack/auditbeat/module/system/fields.go 
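Review bot: The date_histogram aggregation of the "User Documents Histogram [Auditbeat System]" visualization carries a hard-coded `"time_zone": "Europe/London"`, which pins bucketing to the exporting author's zone instead of the viewer's configured one, so analysts in other zones see login/user-change events shifted into the wrong hour or day buckets. Removing that key from the export before committing (Kibana then presumably falls back to its `dateFormat:tz` advanced setting) is the usual fix, and the other dashboard exports in this change are worth checking for the same leftover. Separately, the `Dashboard Links [Auditbeat System]` markdown object (id `4ccc5b50-27f6-11e9-89af-fd12d59dac90`) is also referenced as a panel by the socket dashboard earlier in the diff; if each dashboard file ships its own copy of that object, the copy loaded last silently overwrites the others, so the copies should either be kept byte-identical or the object should live in a single shared file.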
@@ -19,5 +19,5 @@ func init() { // AssetSystem returns asset data. // This is the base64 encoded gzipped contents of module/system. func AssetSystem() string { - return "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" + return "eJzEWV1v2zYUffevuOhLE8BV0GErBj8MaBdgDdCuweICe7Np8VriQvFqJJVE/fUDKcqWbMofiYIJCBDT5DnnfpFX9Du4x3oGpjYWiwmAFVbiDN7c+YE3EwCOJtWitILUDH6bAADMczQITCPYHGEtUHIDGSrUzCKHVe3HG0woiFcSkwmARonM4AzwqUQtClSWyQkEgNlkAvAOFCvcjAdU1nPZusQZZJqq0n9uJ7v/29mkRSaUH2oX3GP9SJqHsYgN7vnm1wGtvV7PmcA8FwZSpmCFwGAtJELJbA4XmGQJLK8emL6SlLm/5P3ycrpBI+1hnKQWMrggpaIkhcqCzZkFU5WlFMj9FM4sa7EVWinU/fIy6fqiMqhPdgUqK2y9EPx8b9xcQ6XEvxXKGgR3QOtaqMyrdBqAFDDIydgEbiw4L1FRVi7izACDu88f3/30ywfImcm3Tmkc4VbBzfW0AXL/MMWbD0530rPBoi6E8qlxpgnzsLKldQQ9X5aaUjTm/3ZnkHHcj8GQDejGj7etDwMUGMu0BSucMzsGG0rv8fRKeiV7GxUvMLcBAKGI4xQkpUzCzW37X0naTkFjQRb9sHNM+Oi+63vE12TCKi7ifonY13VV111O32ZwH+mgv9yzdABLSElZJlS7h8rGbqHWpAvm1iWdVUO7aPvsau1sJKVLj56ARrEklfWGG+IZ8Ep7/t6XQpWVXbRTFFNkMCXFTW8WVbY7jZlrVkdnlBpTYbxz3ve+P+A393z31oBQXQlJxOwVkR0wnDOL53B+ImprbJ8nRBG1+IE8QrYiksjUOXx3LufXIR1csWw4YgKcsB+kMHEfIwL6ZXySgD87h1kL393Tp+BPrk9384OCaL02aBOD6SnZd0TTfKvDoboMOBB9p3I8f3wOaDEmEQv6Mzng5jpGwXSaC4uprfSIBvVgQy/y9OuHxYefL2MiChaL4jO4v378HRjnGo3BaOxEGSHaGTzCcXN7mIJMhGJ3Bz/CsiTT2cM72zawFVXWFwuVrjl252E4f/r77d6e3WlZJLMOcYd02OtHffLtbgMaop2ismSmUK0qZaspPArF6dFcJlFFe+X0UjW+ZW6UfGWpG/l7gHrNCiHrUckbyECvkefMToHjSjA1hbVGXBl+zCMPqM3uMflSXQEzTniPWqEcj28eSdG3JtDsS9nkJkvvWYYvaoECxsEKYgqEMpZJidy9Z7ne7gF5yz9Oe7Tb+x5z6kGXHuz+g+qz2+H22bTFAckbEF4HwkgkewbL95km3nbIYzyxongh1QGrQtzHZAuQQwfxmFTdEzjGJ0WKalzrAmT03G1qbZSmuaULmIPdsxE/Tno1OYnMgUVJqqJgun4GYLMwhllpOWZYvv/1ZX+f3VwBdSnO2WQdwNEexU0yzS3PfpNy/r76Wg0DwPf+vdGet8Qu4svZ+v34lisbl+sPF9NBMi702Ia9NZBTgQ4aU0v9FO8UTo5yxHYD4FZTplkBlkBXCpgFSZkY6HZcYi46ORsVYvHJnu3ucN/iLyK79y3wTcEXoaqnKdhcGHdMuwrJMCXTpPpAOuy9ObTyaPUPpmcKXHq4I51R3ZCa7T2tMFAybV33cLHCmhTffPfWQKmF28qaVTv9bLyM4XApw5FcOCkSsEn+/bqGg/W2pRfKYoa7JXIm/VDtlcyYiHFDL4zHY9sCHg7vJmphNlwosqGLDCPCGpTrsyPplL9WJD/uyXawCdySMWIlER6YrND4n5CWJmecHhcbfwxgXvSM9u2xK0zVX
DB7DP9rzeV069sFF4atJPLldAB1qWjL7DiaYudMZaipMr4pVzUp9L8JScpAqEvfaw8hproubRf0MUfVD5mPjdN+hTa98sMcDGJhBkAttVni3oVQeQ7/AtQg7kW/0zoyYxdp7gwaLp29nq55Tgr23P+KVff2mNbQR2a8AAgCksl/AQAA///qe5hA" } diff --git a/x-pack/auditbeat/module/system/host/_meta/docs.asciidoc b/x-pack/auditbeat/module/system/host/_meta/docs.asciidoc index a0baab22b267..006defed451d 100644 --- a/x-pack/auditbeat/module/system/host/_meta/docs.asciidoc +++ b/x-pack/auditbeat/module/system/host/_meta/docs.asciidoc @@ -5,3 +5,11 @@ experimental[] This is the `host` dataset of the system module. It is implemented for Linux, macOS (Darwin), and Windows. + +[float] +==== Example dashboard + +This dataset comes with a sample dashboard: + +[role="screenshot"] +image:./images/auditbeat-system-host-dashboard.png[Auditbeat System Host Dashboard] diff --git a/x-pack/auditbeat/module/system/host/_meta/fields.yml b/x-pack/auditbeat/module/system/host/_meta/fields.yml index f6955dc50adf..c2a8d43475c6 100644 --- a/x-pack/auditbeat/module/system/host/_meta/fields.yml +++ b/x-pack/auditbeat/module/system/host/_meta/fields.yml @@ -6,6 +6,10 @@ fields: - name: uptime type: long + format: duration + input_format: nanoseconds + output_format: asDays + output_precision: 1 description: > Uptime in nanoseconds. - name: boottime diff --git a/x-pack/auditbeat/module/system/login/_meta/docs.asciidoc b/x-pack/auditbeat/module/system/login/_meta/docs.asciidoc index ea1eff217637..e57c8bbb5b3b 100644 --- a/x-pack/auditbeat/module/system/login/_meta/docs.asciidoc +++ b/x-pack/auditbeat/module/system/login/_meta/docs.asciidoc @@ -5,3 +5,11 @@ experimental[] This is the `login` dataset of the system module. It is implemented for Linux only. + +[float] +==== Example dashboard + +The dataset comes with a sample dashboard: + +[role="screenshot"] +image:./images/auditbeat-system-login-dashboard.png[Auditbeat System Login Dashboard] 
diff --git a/x-pack/auditbeat/module/system/package/_meta/docs.asciidoc b/x-pack/auditbeat/module/system/package/_meta/docs.asciidoc index b1504e3aeb39..590c0587eb5f 100644 --- a/x-pack/auditbeat/module/system/package/_meta/docs.asciidoc +++ b/x-pack/auditbeat/module/system/package/_meta/docs.asciidoc @@ -6,3 +6,11 @@ This is the `package` dataset of the system module. It is implemented for Linux distributions using dpkg or rpm as their package manager, and for Homebrew on macOS (Darwin). + +[float] +==== Example dashboard + +The dataset comes with a sample dashboard: + +[role="screenshot"] +image:./images/auditbeat-system-package-dashboard.png[Auditbeat System Package Dashboard] diff --git a/x-pack/auditbeat/module/system/process/_meta/docs.asciidoc b/x-pack/auditbeat/module/system/process/_meta/docs.asciidoc index 2ae6d7943db6..0550fc3c5648 100644 --- a/x-pack/auditbeat/module/system/process/_meta/docs.asciidoc +++ b/x-pack/auditbeat/module/system/process/_meta/docs.asciidoc @@ -5,3 +5,11 @@ experimental[] This is the `process` dataset of the system module. It is implemented for Linux, macOS (Darwin), and Windows. + +[float] +==== Example dashboard + +The dataset comes with a sample dashboard: + +[role="screenshot"] +image:./images/auditbeat-system-process-dashboard.png[Auditbeat System Process Dashboard] diff --git a/x-pack/auditbeat/module/system/socket/_meta/docs.asciidoc b/x-pack/auditbeat/module/system/socket/_meta/docs.asciidoc index 4a81754e1e85..33319a2404b9 100644 --- a/x-pack/auditbeat/module/system/socket/_meta/docs.asciidoc +++ b/x-pack/auditbeat/module/system/socket/_meta/docs.asciidoc @@ -5,3 +5,11 @@ experimental[] This is the `socket` dataset of the system module. It is implemented for Linux only. + +[float] +==== Example dashboard + +The dataset comes with a sample dashboard: + +[role="screenshot"] +image:./images/auditbeat-system-socket-dashboard.png[Auditbeat System Socket Dashboard] 
diff --git a/x-pack/auditbeat/module/system/user/_meta/docs.asciidoc b/x-pack/auditbeat/module/system/user/_meta/docs.asciidoc index 6f777bba92c9..32551b7b7356 100644 --- a/x-pack/auditbeat/module/system/user/_meta/docs.asciidoc +++ b/x-pack/auditbeat/module/system/user/_meta/docs.asciidoc @@ -5,3 +5,11 @@ experimental[] This is the `user` dataset of the system module. It is implemented for Linux only. + +[float] +==== Example dashboard + +The dataset comes with a sample dashboard: + +[role="screenshot"] +image:./images/auditbeat-system-user-dashboard.png[Auditbeat System User Dashboard]