Create redistributable boards for Elastic

[gdiazlo]

We want to implement new boards and panels based on our documentation, which will cover the following:

• Security analysis
• Intrusion detection
• Log data analysis
• File integrity monitoring
• Vulnerability detection
• Configuration assessment
• Incident response
• Regulatory compliance
• Cloud security
• Containers security

We want to use our sample data as the base for its creation.

• Create an Elastic environment using the latest version (8.6.0)
• Upload our sample data collection
• Using the dashboard plugin from the Elastic stack, create each query and panel to compose each one of the dashboards

[chantal-kelm]

I have generated a script to which I put alerts and it creates a csv file.

When I upload this file to elastic I get an error, I have tried with other formats and I also get the same error.

I have been investigating and I am trying to solve the error.

[chantal-kelm]

Today's breakthrough: the first dashboard has been built:

Security Events:

Vulnerabilities:

Malware detection:

Docker Listener

Incident Response

Amazon AWS

PCI DSS

[Tostti]

Today I adapted all the dashboards to be compatible with the integration guide.
I also created three more files:

Integrity monitoring

Log data analysis

And also a file called all-dashboards.ndjson that contains all the dashboards to the moment, to be able to import them in one step.

[Tostti]

Today I updated the incident-response dashboard

[chantal-kelm]

Due to some modifications that were made to the dashboards in terms of design and as we saw with my partner @Desvelao that they have been built with the visualize plugin, which is an older plugin, it was decided with @gdiazlo to use the dashboards that we had done days ago for kibana, which are made with the newer plugin called lens, and it was also decided to make dashboards with the plugin offered by Opensearch.

[chantal-kelm]

The integration environment has no mapping added and the charts were generated without mapping so they are using the fields with the "keyword" (e.g. agent.name.keyword).

[chantal-kelm]

Elastic 8.6.2 dashboards are compatible, work fine with elastic 8.7.0 version

[chantal-kelm]

We were with my colleague @Desvelao reviewing the pipeline transformations in Filebeat, to see if it was necessary to do them in Logstash, but in this case it is not necessary because those fields are not used in any of the dashboards.

Also, my colleague @Desvelao suggested to add a versioning for the dahboards, that we decided with @gdiazlo to add in the name of each dashboard, this way we have them identified and if later we are making updates or releasing more dashboards and some user is asking us some query, we can know which version he has. Also by @Desvelao suggestion we add the word Wazuh to the name of each dashboard, this way the user can identify them better.

Elastic