diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 1559c57236e..dc2add58ef2 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -153,6 +153,7 @@ https://github.com/elastic/beats/compare/v6.6.0...6.x[Check the HEAD diff] - Add system `package` dataset. {pull}10225[10225] - Add system module `login` dataset. {pull}9327[9327] - Add `entity_id` fields. {pull}10500[10500] +- Add seven dashboards for the system module. {pull}10511[10511] *Filebeat* diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc index 93a16db253d..90a8dde5895 100644 --- a/auditbeat/docs/fields.asciidoc +++ b/auditbeat/docs/fields.asciidoc @@ -3809,6 +3809,8 @@ ID uniquely identifying the socket. It is computed as a SHA-256 hash of the host -- type: long +format: duration + Uptime in nanoseconds. diff --git a/libbeat/scripts/Makefile b/libbeat/scripts/Makefile index 3fc328f0778..ae2320e9a21 100755 --- a/libbeat/scripts/Makefile +++ b/libbeat/scripts/Makefile @@ -83,6 +83,7 @@ INTEGRATION_TESTS?= FIND?=. ${PYTHON_ENV}/bin/activate; find . -type f -not -path "*/vendor/*" -not -path "*/build/*" -not -path "*/.git/*" PERM_EXEC?=$(shell [ `uname -s` = "Darwin" ] && echo "+111" || echo "/a+x") XPACK_ONLY?=false +XPACK_DIR=${ES_BEATS}/x-pack/${BEAT_NAME} ifeq ($(DOCKER_CACHE),0) DOCKER_NOCACHE=--no-cache @@ -362,7 +363,11 @@ endif .PHONY: docs docs: ## @build Builds the documents for the beat - sh ${ES_BEATS}/script/build_docs.sh ${BEAT_NAME} ${BEAT_PATH}/docs ${BUILD_DIR} + @if [ -d $(XPACK_DIR) ]; then \ + sh ${ES_BEATS}/script/build_docs.sh ${BEAT_NAME} ${BEAT_PATH}/docs ${BUILD_DIR} ${XPACK_DIR}; \ + else \ + sh ${ES_BEATS}/script/build_docs.sh ${BEAT_NAME} ${BEAT_PATH}/docs ${BUILD_DIR}; \ + fi .PHONY: docs-preview docs-preview: ## @build Preview the documents for the beat in the browser diff --git a/script/build_docs.sh b/script/build_docs.sh index d53f570d939..a9fd012d30c 100755 --- a/script/build_docs.sh +++ b/script/build_docs.sh 
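Review bot: The new `docs` recipe in the second Makefile hunk duplicates the build_docs.sh invocation and hides both branches behind `@`, so when the docs build fails the user no longer sees which command ran; since this same commit makes build_docs.sh test `[ -d "$resource_dir" ]` before adding `-resource`, the Makefile-side directory check is redundant. The recipe can stay a single echoed line: `sh ${ES_BEATS}/script/build_docs.sh ${BEAT_NAME} ${BEAT_PATH}/docs ${BUILD_DIR} ${XPACK_DIR}`. If the conditional is kept, quote the path in the test (`if [ -d "$(XPACK_DIR)" ]; then \`), because `${ES_BEATS}` is expanded unquoted and a value containing whitespace would split the test. In the first hunk `XPACK_DIR` is set with `=` while its neighbours (`PERM_EXEC`, `XPACK_ONLY`) use `?=`; `XPACK_DIR?=${ES_BEATS}/x-pack/${BEAT_NAME}` would follow the surrounding convention and let a caller point it elsewhere.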
@@ -5,6 +5,7 @@ set -e name=$1 path=$2 build_dir=$3 +resource_dir=$4 docs_dir=$build_dir/docs html_dir=$build_dir/html_docs @@ -29,7 +30,12 @@ do mkdir -p "$dest_dir" params="--chunk=1" if [ "$PREVIEW" = "1" ]; then - params="--chunk=1 -open chunk=1 -open" + params="$params -open" fi + + if [ -d "$resource_dir" ]; then + params="$params -resource=${resource_dir}" + fi + $docs_dir/build_docs.pl $params --doc "$index" -out "$dest_dir" done diff --git a/x-pack/auditbeat/docs/images/auditbeat-system-host-dashboard.png b/x-pack/auditbeat/docs/images/auditbeat-system-host-dashboard.png new file mode 100644 index 00000000000..6e4398c735e Binary files /dev/null and b/x-pack/auditbeat/docs/images/auditbeat-system-host-dashboard.png differ diff --git a/x-pack/auditbeat/docs/images/auditbeat-system-login-dashboard.png b/x-pack/auditbeat/docs/images/auditbeat-system-login-dashboard.png new file mode 100644 index 00000000000..f090b6bcb3c Binary files /dev/null and b/x-pack/auditbeat/docs/images/auditbeat-system-login-dashboard.png differ diff --git a/x-pack/auditbeat/docs/images/auditbeat-system-overview-dashboard.png b/x-pack/auditbeat/docs/images/auditbeat-system-overview-dashboard.png new file mode 100644 index 00000000000..d298e903cc0 Binary files /dev/null and b/x-pack/auditbeat/docs/images/auditbeat-system-overview-dashboard.png differ diff --git a/x-pack/auditbeat/docs/images/auditbeat-system-package-dashboard.png b/x-pack/auditbeat/docs/images/auditbeat-system-package-dashboard.png new file mode 100644 index 00000000000..3aefadc476a Binary files /dev/null and b/x-pack/auditbeat/docs/images/auditbeat-system-package-dashboard.png differ diff --git a/x-pack/auditbeat/docs/images/auditbeat-system-process-dashboard.png b/x-pack/auditbeat/docs/images/auditbeat-system-process-dashboard.png new file mode 100644 index 00000000000..bb1d6a547e8 Binary files /dev/null and b/x-pack/auditbeat/docs/images/auditbeat-system-process-dashboard.png differ 
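Review bot: `params` is built as a whitespace-joined string and expanded unquoted in `$docs_dir/build_docs.pl $params --doc "$index" -out "$dest_dir"`, so the new `-resource=${resource_dir}` argument is split on any space in the path the Makefile passes (`${ES_BEATS}/x-pack/${BEAT_NAME}`), and the unquoted expansion also lets a `*` in the value glob. The script runs under `sh` (the Makefile invokes it as `sh .../build_docs.sh`), so arrays are unavailable, but the positional parameters can carry the list safely: the first hunk shows `$1`–`$4` being copied into named variables at the top, so `set --` is free to reuse them inside the loop — confirm nothing later in the script still reads `$1`–`$4`. If build_docs.pl resolves `-resource` against its own working directory rather than the caller's (not visible here), a relative `ES_BEATS` would also break, and `resource_dir=$(cd "$4" && pwd)` inside the existence test would make it absolute. The enclosing `do … done` loop starts outside the hunk.
```shell
	# … unchanged: mkdir -p "$dest_dir" …
	# Build the argument list in "$@" so a resource path with spaces survives.
	set -- --chunk=1
	if [ "$PREVIEW" = "1" ]; then
		set -- "$@" -open
	fi
	if [ -d "$resource_dir" ]; then
		set -- "$@" "-resource=$resource_dir"
	fi
	"$docs_dir/build_docs.pl" "$@" --doc "$index" -out "$dest_dir"
```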
diff --git a/x-pack/auditbeat/docs/images/auditbeat-system-socket-dashboard.png b/x-pack/auditbeat/docs/images/auditbeat-system-socket-dashboard.png new file mode 100644 index 00000000000..823a327b117 Binary files /dev/null and b/x-pack/auditbeat/docs/images/auditbeat-system-socket-dashboard.png differ diff --git a/x-pack/auditbeat/docs/images/auditbeat-system-user-dashboard.png b/x-pack/auditbeat/docs/images/auditbeat-system-user-dashboard.png new file mode 100644 index 00000000000..d502c5fb4cf Binary files /dev/null and b/x-pack/auditbeat/docs/images/auditbeat-system-user-dashboard.png differ diff --git a/x-pack/auditbeat/docs/modules/system.asciidoc b/x-pack/auditbeat/docs/modules/system.asciidoc index d6f902d07df..0780f361463 100644 --- a/x-pack/auditbeat/docs/modules/system.asciidoc +++ b/x-pack/auditbeat/docs/modules/system.asciidoc @@ -36,6 +36,14 @@ All datasets are currently using a poll model to retrieve their data. The frequency of these polls is controlled by the `period` configuration parameter. +[float] +==== Example dashboard + +The module comes with a sample dashboard: + +[role="screenshot"] +image:./images/auditbeat-system-overview-dashboard.png[Auditbeat System Overview Dashboard] + [float] === Configuration options diff --git a/x-pack/auditbeat/module/system/_meta/docs.asciidoc b/x-pack/auditbeat/module/system/_meta/docs.asciidoc index 55614c4d69f..cafbf5d4e8d 100644 --- a/x-pack/auditbeat/module/system/_meta/docs.asciidoc +++ b/x-pack/auditbeat/module/system/_meta/docs.asciidoc @@ -31,6 +31,14 @@ All datasets are currently using a poll model to retrieve their data. The frequency of these polls is controlled by the `period` configuration parameter. +[float] +==== Example dashboard + +The module comes with a sample dashboard: + +[role="screenshot"] +image:./images/auditbeat-system-overview-dashboard.png[Auditbeat System Overview Dashboard] + [float] === Configuration options 
diff --git a/x-pack/auditbeat/module/system/_meta/kibana/6/dashboard/auditbeat-system-host-dashboard.json b/x-pack/auditbeat/module/system/_meta/kibana/6/dashboard/auditbeat-system-host-dashboard.json new file mode 100644 index 00000000000..edd1f575b1f --- /dev/null +++ b/x-pack/auditbeat/module/system/_meta/kibana/6/dashboard/auditbeat-system-host-dashboard.json 
@@ -0,0 +1,829 @@ +{ + "objects": [ + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.module", + "negate": false, + "params": { + "query": "system", + "type": "phrase" + }, + "type": "phrase", + "value": "system" + }, + "query": { + "match": { + "event.module": { + "query": "system", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Host Count [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Hosts", + "field": "host.id" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Host Count [Auditbeat System]", + "type": "metric" + } + }, + "id": "cf8aa0a0-18ca-11e9-9094-c50574723088", + "type": "visualization", + "updated_at": "2019-02-03T20:37:18.796Z", + "version": 22 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "host", + "type": "phrase" + }, + "type": "phrase", + "value": "host" + }, + "query": { + "match": { + "event.dataset": { + "query": "host", + "type": "phrase" + } + 
} + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "OS Distribution [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "field": "system.audit.host.id" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "OS", + "field": "system.audit.host.os.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "system.audit.host.os.version", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "OS Distribution [Auditbeat System]", + "type": "pie" + } + }, + "id": "9dd991a0-18cb-11e9-9094-c50574723088", + "type": "visualization", + "updated_at": "2019-01-21T11:37:35.796Z", + "version": 24 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "host", + "type": "phrase" + }, + "type": "phrase", + "value": "host" + }, + "query": { + "match": { + "event.dataset": { + "query": "host", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "kuery", + "query": "" + } + } 
+ }, + "title": "Average Uptime [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Average Uptime in days", + "field": "system.audit.host.uptime" + }, + "schema": "metric", + "type": "avg" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Average Uptime [Auditbeat System]", + "type": "metric" + } + }, + "id": "4d0485f0-18da-11e9-9094-c50574723088", + "type": "visualization", + "updated_at": "2019-01-21T11:57:55.023Z", + "version": 23 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "host", + "type": "phrase" + }, + "type": "phrase", + "value": "host" + }, + "query": { + "match": { + "event.dataset": { + "query": "host", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Host Documents [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Host States" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customInterval": "2h", + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "time_zone": 
"Europe/London", + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "grid": { + "categoryLines": false, + "style": { + "color": "#eee" + } + }, + "legendPosition": "right", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Host States" + }, + "drawLinesBetweenPoints": true, + "mode": "stacked", + "show": "true", + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "times": [], + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Host States" + }, + "type": "value" + } + ] + }, + "title": "Host Documents [Auditbeat System]", + "type": "histogram" + } + }, + "id": "eea92ad0-18d7-11e9-9094-c50574723088", + "type": "visualization", + "updated_at": "2019-02-04T09:26:47.877Z", + "version": 22 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "host", + "type": "phrase" + }, + "type": "phrase", + "value": "host" + }, + "query": { + "match": { + "event.dataset": { + "query": "host", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Host List [Auditbeat System]", + 
"uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": 1, + "direction": "asc" + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Hostname", + "field": "system.audit.host.hostname", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "_key", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "5", + "params": { + "aggregate": "max", + "customLabel": "Uptime (days)", + "field": "system.audit.host.uptime", + "size": 1, + "sortField": "@timestamp", + "sortOrder": "desc" + }, + "schema": "metric", + "type": "top_hits" + }, + { + "enabled": true, + "id": "3", + "params": { + "aggregate": "concat", + "customLabel": "OS", + "field": "system.audit.host.os.name", + "size": 1, + "sortField": "@timestamp", + "sortOrder": "desc" + }, + "schema": "metric", + "type": "top_hits" + }, + { + "enabled": true, + "id": "4", + "params": { + "aggregate": "concat", + "customLabel": "Version", + "field": "system.audit.host.os.version", + "size": 1, + "sortField": "@timestamp", + "sortOrder": "desc" + }, + "schema": "metric", + "type": "top_hits" + }, + { + "enabled": true, + "id": "1", + "params": { + "aggregate": "concat", + "customLabel": "Host ID", + "field": "system.audit.host.id", + "size": 1, + "sortField": "@timestamp", + "sortOrder": "desc" + }, + "schema": "metric", + "type": "top_hits" + }, + { + "enabled": true, + "id": "6", + "params": { + "aggregate": "concat", + "customLabel": "Status", + "field": "message", + "size": 1, + "sortField": "@timestamp", + "sortOrder": "desc" + }, + "schema": "metric", + "type": "top_hits" + } + ], + "params": { + "perPage": 10, + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Host List 
[Auditbeat System]", + "type": "table" + } + }, + "id": "91962a30-1901-11e9-9094-c50574723088", + "type": "visualization", + "updated_at": "2019-01-21T11:58:22.519Z", + "version": 25 + }, + { + "attributes": { + "columns": [ + "system.audit.host.hostname", + "event.action", + "message" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "dfce2b60-18c7-11e9-9094-c50574723088", + "key": "event.dataset", + "negate": false, + "params": { + "query": "host", + "type": "phrase" + }, + "type": "phrase", + "value": "host" + }, + "query": { + "match": { + "event.dataset": { + "query": "host", + "type": "phrase" + } + } + } + } + ], + "highlightAll": true, + "index": "auditbeat-*", + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [ + "@timestamp", + "desc" + ], + "title": "Host Events [Auditbeat System]", + "version": 1 + }, + "id": "abe78cd0-18ca-11e9-9094-c50574723088", + "type": "search", + "updated_at": "2019-02-04T09:31:20.533Z", + "version": 6 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Dashboard Links [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 12, + "markdown": "**Dashboards**: [System Overview](#/dashboard/2be46cb0-27f2-11e9-89af-fd12d59dac90) | [Hosts](#/dashboard/dfe62590-18da-11e9-9094-c50574723088) | [Logins](#/dashboard/2a17f200-285e-11e9-805f-43bf57dfa519) | [Users](#/dashboard/ae96a660-2864-11e9-97cb-474beda9f119) | [Processes](#/dashboard/4c68f110-2863-11e9-97cb-474beda9f119) | [Sockets](#/dashboard/957a3ef0-2867-11e9-9d21-0be348776e6c) | [Packages](#/dashboard/137c52f0-286a-11e9-9d21-0be348776e6c)", + "openLinksInNewTab": false + }, + 
"title": "Dashboard Links [Auditbeat System]", + "type": "markdown" + } + }, + "id": "4ccc5b50-27f6-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-04T11:37:25.234Z", + "version": 3 + }, + { + "attributes": { + "description": "System Hosts", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "darkTheme": false, + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "1", + "w": 15, + "x": 0, + "y": 4 + }, + "id": "cf8aa0a0-18ca-11e9-9094-c50574723088", + "panelIndex": "1", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "2", + "w": 17, + "x": 31, + "y": 4 + }, + "id": "9dd991a0-18cb-11e9-9094-c50574723088", + "panelIndex": "2", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "4", + "w": 16, + "x": 15, + "y": 4 + }, + "id": "4d0485f0-18da-11e9-9094-c50574723088", + "panelIndex": "4", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 7, + "i": "5", + "w": 48, + "x": 0, + "y": 14 + }, + "id": "eea92ad0-18d7-11e9-9094-c50574723088", + "panelIndex": "5", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "6", + "w": 48, + "x": 0, + "y": 21 + }, + "id": "91962a30-1901-11e9-9094-c50574723088", + "panelIndex": "6", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 16, + "i": "7", + "w": 48, + "x": 0, + "y": 33 + }, + "id": "abe78cd0-18ca-11e9-9094-c50574723088", + "panelIndex": "7", + "type": "search", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 4, + "i": "8", + "w": 48, + "x": 0, + "y": 0 + }, + "id": 
"4ccc5b50-27f6-11e9-89af-fd12d59dac90", + "panelIndex": "8", + "type": "visualization", + "version": "7.0.0" + } + ], + "timeRestore": false, + "title": "[Auditbeat System] Host Dashboard", + "version": 1 + }, + "id": "dfe62590-18da-11e9-9094-c50574723088", + "type": "dashboard", + "updated_at": "2019-02-04T11:25:58.146Z", + "version": 28 + } + ], + "version": "7.0.0" +} \ No newline at end of file diff --git a/x-pack/auditbeat/module/system/_meta/kibana/6/dashboard/auditbeat-system-login-dashboard.json b/x-pack/auditbeat/module/system/_meta/kibana/6/dashboard/auditbeat-system-login-dashboard.json new file mode 100644 index 00000000000..4125daa9159 --- /dev/null +++ b/x-pack/auditbeat/module/system/_meta/kibana/6/dashboard/auditbeat-system-login-dashboard.json 
@@ -0,0 +1,931 @@ +{ + "objects": [ + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "login", + "type": "phrase" + }, + "type": "phrase", + "value": "login" + }, + "query": { + "match": { + "event.dataset": { + "query": "login", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Login Count [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Login Events" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Login Count [Auditbeat System]", + "type": "metric" + } + }, + "id": "8d63c420-27f4-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T20:44:50.914Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "login", + "type": "phrase" + }, + "type": "phrase", + "value": "login" + }, + "query": { + "match": { + "event.dataset": { + "query": "login", + "type": "phrase" + } + } + } + } + ], + 
"index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Login Actions [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "event.action", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Login Actions [Auditbeat System]", + "type": "pie" + } + }, + "id": "593df9b0-27f7-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T21:04:51.914Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "login", + "type": "phrase" + }, + "type": "phrase", + "value": "login" + }, + "query": { + "match": { + "event.dataset": { + "query": "login", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.outcome", + "negate": false, + "params": { + "query": "success", + "type": "phrase" + }, + "type": "phrase", + "value": "success" + }, + "query": { + "match": { + "event.outcome": { + "query": "success", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Login 
Success Table [Auditbeat System]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Successful Logins" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "User", + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 8, + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Login Success Table [Auditbeat System]", + "type": "table" + } + }, + "id": "5eb5f250-285e-11e9-805f-43bf57dfa519", + "type": "visualization", + "updated_at": "2019-02-04T09:22:44.444Z", + "version": 2 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "login", + "type": "phrase" + }, + "type": "phrase", + "value": "login" + }, + "query": { + "match": { + "event.dataset": { + "query": "login", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.outcome", + "negate": false, + "params": { + "query": "failure", + "type": "phrase" + }, + "type": "phrase", + "value": "failure" + }, + "query": { + "match": { + "event.outcome": { + "query": "failure", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + 
"query": "" + } + } + }, + "title": "Login Failures Table [Auditbeat System]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Failed Logins" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "User", + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 8, + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Login Failures Table [Auditbeat System]", + "type": "table" + } + }, + "id": "a1951650-285e-11e9-805f-43bf57dfa519", + "type": "visualization", + "updated_at": "2019-02-04T09:24:11.445Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "login", + "type": "phrase" + }, + "type": "phrase", + "value": "login" + }, + "query": { + "match": { + "event.dataset": { + "query": "login", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Login Event Histogram [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customInterval": "2h", + "drop_partials": 
false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "time_zone": "Europe/London", + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "grid": { + "categoryLines": false, + "style": { + "color": "#eee" + } + }, + "legendPosition": "right", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "mode": "stacked", + "show": "true", + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "times": [], + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "Login Event Histogram [Auditbeat System]", + "type": "histogram" + } + }, + "id": "e4d25fe0-285e-11e9-805f-43bf57dfa519", + "type": "visualization", + "updated_at": "2019-02-04T09:26:04.254Z", + "version": 1 + }, + { + "attributes": { + "columns": [ + "host.hostname", + "user.name", + "event.outcome", + "message" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "login", + "type": "phrase" + }, + "type": "phrase", + "value": "login" + }, + "query": { + "match": { + 
"event.dataset": { + "query": "login", + "type": "phrase" + } + } + } + } + ], + "highlightAll": true, + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + }, + "version": true + } + }, + "sort": [ + "@timestamp", + "desc" + ], + "title": "Login Events [Auditbeat System]", + "version": 1 + }, + "id": "2e04c720-285f-11e9-805f-43bf57dfa519", + "type": "search", + "updated_at": "2019-02-04T09:28:07.058Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "login", + "type": "phrase" + }, + "type": "phrase", + "value": "login" + }, + "query": { + "match": { + "event.dataset": { + "query": "login", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Login OS Distribution [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "field": "host.id" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "OS", + "field": "host.os.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "host.os.version", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": 
true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Login OS Distribution [Auditbeat System]", + "type": "pie" + } + }, + "id": "e8eb58a0-2860-11e9-805f-43bf57dfa519", + "type": "visualization", + "updated_at": "2019-02-04T09:40:30.122Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Dashboard Links [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 12, + "markdown": "**Dashboards**: [System Overview](#/dashboard/2be46cb0-27f2-11e9-89af-fd12d59dac90) | [Hosts](#/dashboard/dfe62590-18da-11e9-9094-c50574723088) | [Logins](#/dashboard/2a17f200-285e-11e9-805f-43bf57dfa519) | [Users](#/dashboard/ae96a660-2864-11e9-97cb-474beda9f119) | [Processes](#/dashboard/4c68f110-2863-11e9-97cb-474beda9f119) | [Sockets](#/dashboard/957a3ef0-2867-11e9-9d21-0be348776e6c) | [Packages](#/dashboard/137c52f0-286a-11e9-9d21-0be348776e6c)", + "openLinksInNewTab": false + }, + "title": "Dashboard Links [Auditbeat System]", + "type": "markdown" + } + }, + "id": "4ccc5b50-27f6-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-04T11:37:25.234Z", + "version": 3 + }, + { + "attributes": { + "description": "System Logins", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "lucene", + "query": "" + } + } + }, + "optionsJSON": { + "darkTheme": false, + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "1", + "w": 8, + "x": 0, + "y": 4 + }, + "id": "8d63c420-27f4-11e9-89af-fd12d59dac90", + "panelIndex": "1", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "2", + "w": 10, 
+ "x": 8, + "y": 4 + }, + "id": "593df9b0-27f7-11e9-89af-fd12d59dac90", + "panelIndex": "2", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "4", + "w": 10, + "x": 28, + "y": 4 + }, + "id": "5eb5f250-285e-11e9-805f-43bf57dfa519", + "panelIndex": "4", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "5", + "w": 10, + "x": 38, + "y": 4 + }, + "id": "a1951650-285e-11e9-805f-43bf57dfa519", + "panelIndex": "5", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 9, + "i": "6", + "w": 48, + "x": 0, + "y": 14 + }, + "id": "e4d25fe0-285e-11e9-805f-43bf57dfa519", + "panelIndex": "6", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 26, + "i": "7", + "w": 48, + "x": 0, + "y": 23 + }, + "id": "2e04c720-285f-11e9-805f-43bf57dfa519", + "panelIndex": "7", + "type": "search", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "8", + "w": 10, + "x": 18, + "y": 4 + }, + "id": "e8eb58a0-2860-11e9-805f-43bf57dfa519", + "panelIndex": "8", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 4, + "i": "9", + "w": 48, + "x": 0, + "y": 0 + }, + "id": "4ccc5b50-27f6-11e9-89af-fd12d59dac90", + "panelIndex": "9", + "type": "visualization", + "version": "7.0.0" + } + ], + "timeRestore": false, + "title": "[Auditbeat System] Login Dashboard", + "version": 1 + }, + "id": "2a17f200-285e-11e9-805f-43bf57dfa519", + "type": "dashboard", + "updated_at": "2019-02-04T11:38:50.007Z", + "version": 6 + } + ], + "version": "7.0.0" +} \ No newline at end of file 
diff --git a/x-pack/auditbeat/module/system/_meta/kibana/6/dashboard/auditbeat-system-overview-dashboard.json b/x-pack/auditbeat/module/system/_meta/kibana/6/dashboard/auditbeat-system-overview-dashboard.json
new file mode 100644
index 00000000000..3d43f14b2bd
--- /dev/null
+++ b/x-pack/auditbeat/module/system/_meta/kibana/6/dashboard/auditbeat-system-overview-dashboard.json
@@ -0,0 +1,2361 @@ +{ + "objects": [ + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.module", + "negate": false, + "params": { + "query": "system", + "type": "phrase" + }, + "type": "phrase", + "value": "system" + }, + "query": { + "match": { + "event.module": { + "query": "system", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Host Count [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Hosts", + "field": "host.id" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Host Count [Auditbeat System]", + "type": "metric" + } + }, + "id": "cf8aa0a0-18ca-11e9-9094-c50574723088", + "type": "visualization", + "updated_at": "2019-02-03T20:37:18.796Z", + "version": 22 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "process", + "type": "phrase" + }, + "type": "phrase", + "value": "process" + }, + "query": { + "match": { + "event.dataset": { + "query": "process", + "type": 
"phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Process Count [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Processes", + "field": "process.entity_id" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Process Count [Auditbeat System]", + "type": "metric" + } + }, + "id": "bb0d1870-27f1-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T20:24:39.030Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "socket", + "type": "phrase" + }, + "type": "phrase", + "value": "socket" + }, + "query": { + "match": { + "event.dataset": { + "query": "socket", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Socket Count [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Sockets", + "field": "socket.entity_id" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + 
"colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Socket Count [Auditbeat System]", + "type": "metric" + } + }, + "id": "7323dd90-27f2-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T20:29:47.881Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "user", + "type": "phrase" + }, + "type": "phrase", + "value": "user" + }, + "query": { + "match": { + "event.dataset": { + "query": "user", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "User Count [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Users", + "field": "user.entity_id" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "User Count [Auditbeat System]", + "type": "metric" + } + }, + "id": "e9225120-27f2-11e9-89af-fd12d59dac90", + 
"type": "visualization", + "updated_at": "2019-02-03T20:35:48.640Z", + "version": 2 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "package", + "type": "phrase" + }, + "type": "phrase", + "value": "package" + }, + "query": { + "match": { + "event.dataset": { + "query": "package", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Package Count [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Packages", + "field": "system.audit.package.entity_id" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Package Count [Auditbeat System]", + "type": "metric" + } + }, + "id": "f664fb20-27f3-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T20:40:37.585Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "login", + "type": "phrase" + }, + "type": "phrase", + "value": "login" + 
}, + "query": { + "match": { + "event.dataset": { + "query": "login", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Login Count [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Login Events" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Login Count [Auditbeat System]", + "type": "metric" + } + }, + "id": "8d63c420-27f4-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T20:44:50.914Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "host", + "type": "phrase" + }, + "type": "phrase", + "value": "host" + }, + "query": { + "match": { + "event.dataset": { + "query": "host", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "OS Distribution [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "field": "system.audit.host.id" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "OS", 
+ "field": "system.audit.host.os.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "system.audit.host.os.version", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "OS Distribution [Auditbeat System]", + "type": "pie" + } + }, + "id": "9dd991a0-18cb-11e9-9094-c50574723088", + "type": "visualization", + "updated_at": "2019-01-21T11:37:35.796Z", + "version": 24 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "login", + "type": "phrase" + }, + "type": "phrase", + "value": "login" + }, + "query": { + "match": { + "event.dataset": { + "query": "login", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Login Actions [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "event.action", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + 
"otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Login Actions [Auditbeat System]", + "type": "pie" + } + }, + "id": "593df9b0-27f7-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T21:04:51.914Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "user", + "type": "phrase" + }, + "type": "phrase", + "value": "user" + }, + "query": { + "match": { + "event.dataset": { + "query": "user", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.action", + "negate": true, + "params": { + "query": "existing_user", + "type": "phrase" + }, + "type": "phrase", + "value": "existing_user" + }, + "query": { + "match": { + "event.action": { + "query": "existing_user", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "User Changes [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "User Changes" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + 
"percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "User Changes [Auditbeat System]", + "type": "metric" + } + }, + "id": "00fa0d20-27fc-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T21:38:11.314Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "process", + "type": "phrase" + }, + "type": "phrase", + "value": "process" + }, + "query": { + "match": { + "event.dataset": { + "query": "process", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.action", + "negate": false, + "params": { + "query": "process_started", + "type": "phrase" + }, + "type": "phrase", + "value": "process_started" + }, + "query": { + "match": { + "event.action": { + "query": "process_started", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Process Starts [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Started" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, 
+ "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Process Starts [Auditbeat System]", + "type": "metric" + } + }, + "id": "0db90830-27fd-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T21:45:42.195Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.action", + "negate": false, + "params": { + "query": "process_stopped", + "type": "phrase" + }, + "type": "phrase", + "value": "process_stopped" + }, + "query": { + "match": { + "event.action": { + "query": "process_stopped", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "process", + "type": "phrase" + }, + "type": "phrase", + "value": "process" + }, + "query": { + "match": { + "event.dataset": { + "query": "process", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Process Stops [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Stopped" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Process Stops [Auditbeat System]", 
+ "type": "metric" + } + }, + "id": "b885dae0-27fd-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T21:50:28.750Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "socket", + "type": "phrase" + }, + "type": "phrase", + "value": "socket" + }, + "query": { + "match": { + "event.dataset": { + "query": "socket", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.action", + "negate": false, + "params": { + "query": "socket_opened", + "type": "phrase" + }, + "type": "phrase", + "value": "socket_opened" + }, + "query": { + "match": { + "event.action": { + "query": "socket_opened", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Sockets Opened [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Opened" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Sockets Opened [Auditbeat System]", + "type": "metric" + } + }, + "id": "295905e0-27fd-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": 
"2019-02-03T21:47:58.605Z", + "version": 2 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "socket", + "type": "phrase" + }, + "type": "phrase", + "value": "socket" + }, + "query": { + "match": { + "event.dataset": { + "query": "socket", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.action", + "negate": false, + "params": { + "query": "socket_closed", + "type": "phrase" + }, + "type": "phrase", + "value": "socket_closed" + }, + "query": { + "match": { + "event.action": { + "query": "socket_closed", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Sockets Closed [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Closed" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Sockets Closed [Auditbeat System]", + "type": "metric" + } + }, + "id": "82d46ec0-27fd-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T21:48:58.668Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + 
"searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "package", + "type": "phrase" + }, + "type": "phrase", + "value": "package" + }, + "query": { + "match": { + "event.dataset": { + "query": "package", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.action", + "negate": true, + "params": { + "query": "existing_package", + "type": "phrase" + }, + "type": "phrase", + "value": "existing_package" + }, + "query": { + "match": { + "event.action": { + "query": "existing_package", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Package Changes [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Changes" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Package Changes [Auditbeat System]", + "type": "metric" + } + }, + "id": "bdf9c530-27fe-11e9-805f-43bf57dfa519", + "type": "visualization", + "updated_at": "2019-02-04T10:44:06.826Z", + "version": 2 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + 
"disabled": false, + "index": "auditbeat-*", + "key": "event.module", + "negate": false, + "params": { + "query": "system", + "type": "phrase" + }, + "type": "phrase", + "value": "system" + }, + "query": { + "match": { + "event.module": { + "query": "system", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.kind", + "negate": false, + "params": { + "query": "event", + "type": "phrase" + }, + "type": "phrase", + "value": "event" + }, + "query": { + "match": { + "event.kind": { + "query": "event", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "System Event Histogram [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customInterval": "2h", + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "time_zone": "Europe/London", + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "grid": { + "categoryLines": false, + "style": { + "color": "#eee" + } + }, + "legendPosition": "right", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "mode": "stacked", + "show": "true", + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "times": [], + "type": "histogram", + 
"valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "System Event Histogram [Auditbeat System]", + "type": "histogram" + } + }, + "id": "54135e50-27ff-11e9-805f-43bf57dfa519", + "type": "visualization", + "updated_at": "2019-02-03T22:01:59.221Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "host", + "type": "phrase" + }, + "type": "phrase", + "value": "host" + }, + "query": { + "match": { + "event.dataset": { + "query": "host", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Host List [Auditbeat System]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": 1, + "direction": "asc" + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Hostname", + "field": "system.audit.host.hostname", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "_key", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "5", + "params": { + "aggregate": "max", + "customLabel": "Uptime (days)", + "field": "system.audit.host.uptime", + "size": 1, + "sortField": "@timestamp", + "sortOrder": "desc" + }, + "schema": "metric", + "type": "top_hits" + }, + { + "enabled": true, + "id": "3", + "params": { + "aggregate": 
"concat", + "customLabel": "OS", + "field": "system.audit.host.os.name", + "size": 1, + "sortField": "@timestamp", + "sortOrder": "desc" + }, + "schema": "metric", + "type": "top_hits" + }, + { + "enabled": true, + "id": "4", + "params": { + "aggregate": "concat", + "customLabel": "Version", + "field": "system.audit.host.os.version", + "size": 1, + "sortField": "@timestamp", + "sortOrder": "desc" + }, + "schema": "metric", + "type": "top_hits" + }, + { + "enabled": true, + "id": "1", + "params": { + "aggregate": "concat", + "customLabel": "Host ID", + "field": "system.audit.host.id", + "size": 1, + "sortField": "@timestamp", + "sortOrder": "desc" + }, + "schema": "metric", + "type": "top_hits" + }, + { + "enabled": true, + "id": "6", + "params": { + "aggregate": "concat", + "customLabel": "Status", + "field": "message", + "size": 1, + "sortField": "@timestamp", + "sortOrder": "desc" + }, + "schema": "metric", + "type": "top_hits" + } + ], + "params": { + "perPage": 10, + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Host List [Auditbeat System]", + "type": "table" + } + }, + "id": "91962a30-1901-11e9-9094-c50574723088", + "type": "visualization", + "updated_at": "2019-01-21T11:58:22.519Z", + "version": 25 + }, + { + "attributes": { + "columns": [ + "host.hostname", + "event.dataset", + "event.action", + "message" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.module", + "negate": false, + "params": { + "query": "system", + "type": "phrase" + }, + "type": "phrase", + "value": "system" + }, + "query": { + "match": { + "event.module": { + "query": "system", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + 
"meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.kind", + "negate": false, + "params": { + "query": "event", + "type": "phrase" + }, + "type": "phrase", + "value": "event" + }, + "query": { + "match": { + "event.kind": { + "query": "event", + "type": "phrase" + } + } + } + } + ], + "highlightAll": true, + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + }, + "version": true + } + }, + "sort": [ + "@timestamp", + "desc" + ], + "title": "System Events [Auditbeat System]", + "version": 1 + }, + "id": "d08ebd30-27ff-11e9-805f-43bf57dfa519", + "type": "search", + "updated_at": "2019-02-03T22:17:10.090Z", + "version": 2 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Dashboard Links [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 12, + "markdown": "**Dashboards**: [System Overview](#/dashboard/2be46cb0-27f2-11e9-89af-fd12d59dac90) | [Hosts](#/dashboard/dfe62590-18da-11e9-9094-c50574723088) | [Logins](#/dashboard/2a17f200-285e-11e9-805f-43bf57dfa519) | [Users](#/dashboard/ae96a660-2864-11e9-97cb-474beda9f119) | [Processes](#/dashboard/4c68f110-2863-11e9-97cb-474beda9f119) | [Sockets](#/dashboard/957a3ef0-2867-11e9-9d21-0be348776e6c) | [Packages](#/dashboard/137c52f0-286a-11e9-9d21-0be348776e6c)", + "openLinksInNewTab": false + }, + "title": "Dashboard Links [Auditbeat System]", + "type": "markdown" + } + }, + "id": "4ccc5b50-27f6-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-04T11:37:25.234Z", + "version": 3 + }, + { + "attributes": { + "description": "Overview of System Information.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "Host", + "disabled": true, + 
"index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "host", + "type": "phrase" + }, + "type": "phrase", + "value": "host" + }, + "query": { + "match": { + "event.dataset": { + "query": "host", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "Login", + "disabled": true, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "login", + "type": "phrase" + }, + "type": "phrase", + "value": "login" + }, + "query": { + "match": { + "event.dataset": { + "query": "login", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "User", + "disabled": true, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "user", + "type": "phrase" + }, + "type": "phrase", + "value": "user" + }, + "query": { + "match": { + "event.dataset": { + "query": "user", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "Process", + "disabled": true, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "process", + "type": "phrase" + }, + "type": "phrase", + "value": "process" + }, + "query": { + "match": { + "event.dataset": { + "query": "process", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "Socket", + "disabled": true, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "socket", + "type": "phrase" + }, + "type": "phrase", + "value": "socket" + }, + "query": { + "match": { + "event.dataset": { + "query": "socket", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "Package", + "disabled": true, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "package", + "type": "phrase" + 
}, + "type": "phrase", + "value": "package" + }, + "query": { + "match": { + "event.dataset": { + "query": "package", + "type": "phrase" + } + } + } + } + ], + "query": { + "language": "lucene", + "query": "" + } + } + }, + "optionsJSON": { + "darkTheme": false, + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "1", + "w": 8, + "x": 0, + "y": 4 + }, + "id": "cf8aa0a0-18ca-11e9-9094-c50574723088", + "panelIndex": "1", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "2", + "w": 8, + "x": 24, + "y": 4 + }, + "id": "bb0d1870-27f1-11e9-89af-fd12d59dac90", + "panelIndex": "2", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "3", + "w": 8, + "x": 32, + "y": 4 + }, + "id": "7323dd90-27f2-11e9-89af-fd12d59dac90", + "panelIndex": "3", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "4", + "w": 8, + "x": 16, + "y": 4 + }, + "id": "e9225120-27f2-11e9-89af-fd12d59dac90", + "panelIndex": "4", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "5", + "w": 8, + "x": 40, + "y": 4 + }, + "id": "f664fb20-27f3-11e9-89af-fd12d59dac90", + "panelIndex": "5", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "6", + "w": 8, + "x": 8, + "y": 4 + }, + "id": "8d63c420-27f4-11e9-89af-fd12d59dac90", + "panelIndex": "6", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 14, + "i": "8", + "w": 8, + "x": 0, + "y": 12 + }, + "id": "9dd991a0-18cb-11e9-9094-c50574723088", + "panelIndex": "8", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 14, + "i": "9", + "w": 8, + "x": 8, + 
"y": 12 + }, + "id": "593df9b0-27f7-11e9-89af-fd12d59dac90", + "panelIndex": "9", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 14, + "i": "10", + "w": 8, + "x": 16, + "y": 12 + }, + "id": "00fa0d20-27fc-11e9-89af-fd12d59dac90", + "panelIndex": "10", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 7, + "i": "11", + "w": 8, + "x": 24, + "y": 12 + }, + "id": "0db90830-27fd-11e9-89af-fd12d59dac90", + "panelIndex": "11", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 7, + "i": "12", + "w": 8, + "x": 24, + "y": 19 + }, + "id": "b885dae0-27fd-11e9-89af-fd12d59dac90", + "panelIndex": "12", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 7, + "i": "13", + "w": 8, + "x": 32, + "y": 12 + }, + "id": "295905e0-27fd-11e9-89af-fd12d59dac90", + "panelIndex": "13", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 7, + "i": "14", + "w": 8, + "x": 32, + "y": 19 + }, + "id": "82d46ec0-27fd-11e9-89af-fd12d59dac90", + "panelIndex": "14", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 14, + "i": "15", + "w": 8, + "x": 40, + "y": 12 + }, + "id": "bdf9c530-27fe-11e9-805f-43bf57dfa519", + "panelIndex": "15", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "16", + "w": 48, + "x": 0, + "y": 26 + }, + "id": "54135e50-27ff-11e9-805f-43bf57dfa519", + "panelIndex": "16", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 19, + "i": "17", + "w": 24, + "x": 0, + "y": 34 + }, + "id": "91962a30-1901-11e9-9094-c50574723088", + "panelIndex": "17", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + 
"gridData": {
+ "h": 19,
+ "i": "18",
+ "w": 24,
+ "x": 24,
+ "y": 34
+ },
+ "id": "d08ebd30-27ff-11e9-805f-43bf57dfa519",
+ "panelIndex": "18",
+ "type": "search",
+ "version": "7.0.0"
+ },
+ {
+ "embeddableConfig": {},
+ "gridData": {
+ "h": 4,
+ "i": "19",
+ "w": 48,
+ "x": 0,
+ "y": 0
+ },
+ "id": "4ccc5b50-27f6-11e9-89af-fd12d59dac90",
+ "panelIndex": "19",
+ "type": "visualization",
+ "version": "7.0.0"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[Auditbeat System] System Overview",
+ "version": 1
+ },
+ "id": "2be46cb0-27f2-11e9-89af-fd12d59dac90",
+ "type": "dashboard",
+ "updated_at": "2019-02-04T09:32:32.325Z",
+ "version": 9
+ }
+ ],
+ "version": "7.0.0"
+}
\ No newline at end of file
diff --git a/x-pack/auditbeat/module/system/_meta/kibana/6/dashboard/auditbeat-system-package-dashboard.json b/x-pack/auditbeat/module/system/_meta/kibana/6/dashboard/auditbeat-system-package-dashboard.json
new file mode 100644
index 00000000000..46dcaf1f714
--- /dev/null
+++ b/x-pack/auditbeat/module/system/_meta/kibana/6/dashboard/auditbeat-system-package-dashboard.json
@@ -0,0 +1,919 @@ +{ + "objects": [ + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Dashboard Links [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 12, + "markdown": "**Dashboards**: [System Overview](#/dashboard/2be46cb0-27f2-11e9-89af-fd12d59dac90) | [Hosts](#/dashboard/dfe62590-18da-11e9-9094-c50574723088) | [Logins](#/dashboard/2a17f200-285e-11e9-805f-43bf57dfa519) | [Users](#/dashboard/ae96a660-2864-11e9-97cb-474beda9f119) | [Processes](#/dashboard/4c68f110-2863-11e9-97cb-474beda9f119) | [Sockets](#/dashboard/957a3ef0-2867-11e9-9d21-0be348776e6c) | [Packages](#/dashboard/137c52f0-286a-11e9-9d21-0be348776e6c)", + "openLinksInNewTab": false + }, + "title": "Dashboard Links [Auditbeat System]", + "type": "markdown" + } + }, + "id": "4ccc5b50-27f6-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-04T11:37:25.234Z", + "version": 3 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "package", + "type": "phrase" + }, + "type": "phrase", + "value": "package" + }, + "query": { + "match": { + "event.dataset": { + "query": "package", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Package Count [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Packages", + "field": "system.audit.package.entity_id" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + 
"addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Package Count [Auditbeat System]", + "type": "metric" + } + }, + "id": "f664fb20-27f3-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T20:40:37.585Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "package", + "type": "phrase" + }, + "type": "phrase", + "value": "package" + }, + "query": { + "match": { + "event.dataset": { + "query": "package", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.action", + "negate": true, + "params": { + "query": "existing_package", + "type": "phrase" + }, + "type": "phrase", + "value": "existing_package" + }, + "query": { + "match": { + "event.action": { + "query": "existing_package", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Package Changes [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Changes" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 
10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Package Changes [Auditbeat System]", + "type": "metric" + } + }, + "id": "bdf9c530-27fe-11e9-805f-43bf57dfa519", + "type": "visualization", + "updated_at": "2019-02-04T10:44:06.826Z", + "version": 2 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "package", + "type": "phrase" + }, + "type": "phrase", + "value": "package" + }, + "query": { + "match": { + "event.dataset": { + "query": "package", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Package OS Distribution [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "field": "host.id" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "OS", + "field": "host.os.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "host.os.version", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + 
"addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Package OS Distribution [Auditbeat System]", + "type": "pie" + } + }, + "id": "6ed51940-2868-11e9-9d21-0be348776e6c", + "type": "visualization", + "updated_at": "2019-02-04T10:34:21.268Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "package", + "type": "phrase" + }, + "type": "phrase", + "value": "package" + }, + "query": { + "match": { + "event.dataset": { + "query": "package", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.kind", + "negate": false, + "params": { + "query": "event", + "type": "phrase" + }, + "type": "phrase", + "value": "event" + }, + "query": { + "match": { + "event.kind": { + "query": "event", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Package Change Actions [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "event.action", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + 
"truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Package Change Actions [Auditbeat System]", + "type": "pie" + } + }, + "id": "fe23f530-2868-11e9-9d21-0be348776e6c", + "type": "visualization", + "updated_at": "2019-02-04T10:38:21.699Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "package", + "type": "phrase" + }, + "type": "phrase", + "value": "package" + }, + "query": { + "match": { + "event.dataset": { + "query": "package", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Package Document Histogram [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customInterval": "2h", + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "time_zone": "Europe/London", + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "grid": { + "categoryLines": false, + "style": { + "color": "#eee" + } + }, + "legendPosition": "right", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "mode": "stacked", + 
"show": "true", + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "times": [], + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "Package Document Histogram [Auditbeat System]", + "type": "histogram" + } + }, + "id": "4e7701d0-2869-11e9-9d21-0be348776e6c", + "type": "visualization", + "updated_at": "2019-02-04T10:40:36.461Z", + "version": 1 + }, + { + "attributes": { + "columns": [ + "host.hostname", + "event.action", + "message" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "package", + "type": "phrase" + }, + "type": "phrase", + "value": "package" + }, + "query": { + "match": { + "event.dataset": { + "query": "package", + "type": "phrase" + } + } + } + } + ], + "highlightAll": true, + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + }, + "version": true + } + }, + "sort": [ + "@timestamp", + "desc" + ], + "title": "Package Documents [Auditbeat System]", + "version": 1 + }, + "id": "391ef230-2868-11e9-9d21-0be348776e6c", + "type": "search", + "updated_at": "2019-02-04T10:32:51.155Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "package", + "type": "phrase" + }, + "type": 
"phrase", + "value": "package" + }, + "query": { + "match": { + "event.dataset": { + "query": "package", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Package Names [Auditbeat System]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "system.audit.package.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 25 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 5, + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Package Names [Auditbeat System]", + "type": "table" + } + }, + "id": "8dc55df0-2869-11e9-9d21-0be348776e6c", + "type": "visualization", + "updated_at": "2019-02-04T10:45:22.440Z", + "version": 2 + }, + { + "attributes": { + "description": "System Packages", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "lucene", + "query": "" + } + } + }, + "optionsJSON": { + "darkTheme": false, + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": {}, + "gridData": { + "h": 4, + "i": "1", + "w": 48, + "x": 0, + "y": 0 + }, + "id": "4ccc5b50-27f6-11e9-89af-fd12d59dac90", + "panelIndex": "1", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 11, + "i": "2", + "w": 6, + "x": 0, + "y": 4 + }, + "id": "f664fb20-27f3-11e9-89af-fd12d59dac90", + "panelIndex": "2", + "type": 
"visualization",
+ "version": "7.0.0"
+ },
+ {
+ "embeddableConfig": {},
+ "gridData": {
+ "h": 11,
+ "i": "3",
+ "w": 5,
+ "x": 6,
+ "y": 4
+ },
+ "id": "bdf9c530-27fe-11e9-805f-43bf57dfa519",
+ "panelIndex": "3",
+ "type": "visualization",
+ "version": "7.0.0"
+ },
+ {
+ "embeddableConfig": {},
+ "gridData": {
+ "h": 11,
+ "i": "4",
+ "w": 13,
+ "x": 24,
+ "y": 4
+ },
+ "id": "6ed51940-2868-11e9-9d21-0be348776e6c",
+ "panelIndex": "4",
+ "type": "visualization",
+ "version": "7.0.0"
+ },
+ {
+ "embeddableConfig": {},
+ "gridData": {
+ "h": 11,
+ "i": "5",
+ "w": 13,
+ "x": 11,
+ "y": 4
+ },
+ "id": "fe23f530-2868-11e9-9d21-0be348776e6c",
+ "panelIndex": "5",
+ "type": "visualization",
+ "version": "7.0.0"
+ },
+ {
+ "embeddableConfig": {},
+ "gridData": {
+ "h": 8,
+ "i": "6",
+ "w": 48,
+ "x": 0,
+ "y": 15
+ },
+ "id": "4e7701d0-2869-11e9-9d21-0be348776e6c",
+ "panelIndex": "6",
+ "type": "visualization",
+ "version": "7.0.0"
+ },
+ {
+ "embeddableConfig": {},
+ "gridData": {
+ "h": 26,
+ "i": "7",
+ "w": 48,
+ "x": 0,
+ "y": 23
+ },
+ "id": "391ef230-2868-11e9-9d21-0be348776e6c",
+ "panelIndex": "7",
+ "type": "search",
+ "version": "7.0.0"
+ },
+ {
+ "embeddableConfig": {},
+ "gridData": {
+ "h": 11,
+ "i": "8",
+ "w": 11,
+ "x": 37,
+ "y": 4
+ },
+ "id": "8dc55df0-2869-11e9-9d21-0be348776e6c",
+ "panelIndex": "8",
+ "type": "visualization",
+ "version": "7.0.0"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[Auditbeat System] Package Dashboard",
+ "version": 1
+ },
+ "id": "137c52f0-286a-11e9-9d21-0be348776e6c",
+ "type": "dashboard",
+ "updated_at": "2019-02-04T11:03:23.945Z",
+ "version": 2
+ }
+ ],
+ "version": "7.0.0"
+}
\ No newline at end of file
diff --git a/x-pack/auditbeat/module/system/_meta/kibana/6/dashboard/auditbeat-system-process-dashboard.json b/x-pack/auditbeat/module/system/_meta/kibana/6/dashboard/auditbeat-system-process-dashboard.json
new file mode 100644
index 00000000000..6ffee4042df
--- /dev/null
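Review bot: The "Package Document Histogram" visualization pins its date_histogram to a fixed zone with `"time_zone": "Europe/London",`, which presumably leaked in from the exporting author's browser and will bucket and label package-change times in London time for every user who installs this dashboard, including those investigating an incident in another region. Dropping that line lets Kibana fall back to its configured `dateFormat:tz` (browser time by default), which is what the other shipped dashboards appear to rely on and what an analyst correlating with local host logs expects. The same hard-coded zone appears in the "System Event Histogram" of the overview dashboard earlier in this patch and should be removed there too. A minor labelling caveat: "Package Count" is a `cardinality` aggregation on `system.audit.package.entity_id`, which is an approximate count in Elasticsearch, so a `"description"` noting that the number is approximate at large fleet sizes would keep operators from treating it as an exact inventory.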
+++ b/x-pack/auditbeat/module/system/_meta/kibana/6/dashboard/auditbeat-system-process-dashboard.json 
@@ -0,0 +1,1036 @@ +{ + "objects": [ + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "process", + "type": "phrase" + }, + "type": "phrase", + "value": "process" + }, + "query": { + "match": { + "event.dataset": { + "query": "process", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Process Count [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Processes", + "field": "process.entity_id" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Process Count [Auditbeat System]", + "type": "metric" + } + }, + "id": "bb0d1870-27f1-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T20:24:39.030Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "process", + "type": "phrase" + }, + "type": "phrase", + "value": "process" + }, + "query": { + "match": { + "event.dataset": { + "query": 
"process", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.action", + "negate": false, + "params": { + "query": "process_started", + "type": "phrase" + }, + "type": "phrase", + "value": "process_started" + }, + "query": { + "match": { + "event.action": { + "query": "process_started", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Process Starts [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Started" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Process Starts [Auditbeat System]", + "type": "metric" + } + }, + "id": "0db90830-27fd-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T21:45:42.195Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.action", + "negate": false, + "params": { + "query": "process_stopped", + "type": "phrase" + }, + "type": "phrase", + "value": "process_stopped" + }, + "query": { + "match": { + "event.action": { + "query": "process_stopped", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + 
"meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "process", + "type": "phrase" + }, + "type": "phrase", + "value": "process" + }, + "query": { + "match": { + "event.dataset": { + "query": "process", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Process Stops [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Stopped" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Process Stops [Auditbeat System]", + "type": "metric" + } + }, + "id": "b885dae0-27fd-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T21:50:28.750Z", + "version": 1 + }, + { + "attributes": { + "columns": [ + "host.hostname", + "user.name", + "event.action", + "process.pid", + "process.name" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "process", + "type": "phrase" + }, + "type": "phrase", + "value": "process" + }, + "query": { + "match": { + "event.dataset": { + "query": "process", + "type": "phrase" + } + } + } + } + ], + "highlightAll": true, + "index": "auditbeat-*", + "query": { + 
"language": "lucene", + "query": "" + }, + "version": true + } + }, + "sort": [ + "@timestamp", + "desc" + ], + "title": "Process Events [Auditbeat System]", + "version": 1 + }, + "id": "0f9611b0-2862-11e9-97cb-474beda9f119", + "type": "search", + "updated_at": "2019-02-04T09:48:44.490Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "process", + "type": "phrase" + }, + "type": "phrase", + "value": "process" + }, + "query": { + "match": { + "event.dataset": { + "query": "process", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Process OS Distribution [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "field": "host.id" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "OS", + "field": "host.os.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "host.os.version", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Process OS 
Distribution [Auditbeat System]", + "type": "pie" + } + }, + "id": "91708fd0-2862-11e9-97cb-474beda9f119", + "type": "visualization", + "updated_at": "2019-02-04T09:52:22.349Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "process", + "type": "phrase" + }, + "type": "phrase", + "value": "process" + }, + "query": { + "match": { + "event.dataset": { + "query": "process", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Process Event Histogram [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customInterval": "2h", + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "time_zone": "Europe/London", + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "grid": { + "categoryLines": false, + "style": { + "color": "#eee" + } + }, + "legendPosition": "right", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "mode": "stacked", + "show": "true", + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "times": [], 
+ "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "Process Event Histogram [Auditbeat System]", + "type": "histogram" + } + }, + "id": "b1e2af00-2862-11e9-97cb-474beda9f119", + "type": "visualization", + "updated_at": "2019-02-04T09:53:16.784Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "process", + "type": "phrase" + }, + "type": "phrase", + "value": "process" + }, + "query": { + "match": { + "event.dataset": { + "query": "process", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Process Names [Auditbeat System]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Process", + "field": "process.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 8 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + } + ], + "params": { + "perPage": 8, + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + 
"title": "Process Names [Auditbeat System]", + "type": "table" + } + }, + "id": "f1d365a0-2862-11e9-97cb-474beda9f119", + "type": "visualization", + "updated_at": "2019-02-04T09:56:33.249Z", + "version": 2 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "process", + "type": "phrase" + }, + "type": "phrase", + "value": "process" + }, + "query": { + "match": { + "event.dataset": { + "query": "process", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Process Users [Auditbeat System]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Process", + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 8 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + } + ], + "params": { + "perPage": 8, + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Process Users [Auditbeat System]", + "type": "table" + } + }, + "id": "30936470-2863-11e9-97cb-474beda9f119", + "type": "visualization", + "updated_at": "2019-02-04T09:56:49.335Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "lucene", + "query": "" + } + 
} + }, + "title": "Dashboard Links [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 12, + "markdown": "**Dashboards**: [System Overview](#/dashboard/2be46cb0-27f2-11e9-89af-fd12d59dac90) | [Hosts](#/dashboard/dfe62590-18da-11e9-9094-c50574723088) | [Logins](#/dashboard/2a17f200-285e-11e9-805f-43bf57dfa519) | [Users](#/dashboard/ae96a660-2864-11e9-97cb-474beda9f119) | [Processes](#/dashboard/4c68f110-2863-11e9-97cb-474beda9f119) | [Sockets](#/dashboard/957a3ef0-2867-11e9-9d21-0be348776e6c) | [Packages](#/dashboard/137c52f0-286a-11e9-9d21-0be348776e6c)", + "openLinksInNewTab": false + }, + "title": "Dashboard Links [Auditbeat System]", + "type": "markdown" + } + }, + "id": "4ccc5b50-27f6-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-04T11:37:25.234Z", + "version": 3 + }, + { + "attributes": { + "description": "System Processes", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "lucene", + "query": "" + } + } + }, + "optionsJSON": { + "darkTheme": false, + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "1", + "w": 11, + "x": 0, + "y": 4 + }, + "id": "bb0d1870-27f1-11e9-89af-fd12d59dac90", + "panelIndex": "1", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "2", + "w": 11, + "x": 11, + "y": 4 + }, + "id": "0db90830-27fd-11e9-89af-fd12d59dac90", + "panelIndex": "2", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "3", + "w": 11, + "x": 22, + "y": 4 + }, + "id": "b885dae0-27fd-11e9-89af-fd12d59dac90", + "panelIndex": "3", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 14, + "i": "4", + "w": 48, + "x": 0, + "y": 38 + }, + "id": 
"0f9611b0-2862-11e9-97cb-474beda9f119", + "panelIndex": "4", + "type": "search", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "5", + "w": 15, + "x": 33, + "y": 4 + }, + "id": "91708fd0-2862-11e9-97cb-474beda9f119", + "panelIndex": "5", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 9, + "i": "6", + "w": 48, + "x": 0, + "y": 29 + }, + "id": "b1e2af00-2862-11e9-97cb-474beda9f119", + "panelIndex": "6", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 15, + "i": "7", + "w": 24, + "x": 0, + "y": 14 + }, + "id": "f1d365a0-2862-11e9-97cb-474beda9f119", + "panelIndex": "7", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 15, + "i": "8", + "w": 24, + "x": 24, + "y": 14 + }, + "id": "30936470-2863-11e9-97cb-474beda9f119", + "panelIndex": "8", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 4, + "i": "9", + "w": 48, + "x": 0, + "y": 0 + }, + "id": "4ccc5b50-27f6-11e9-89af-fd12d59dac90", + "panelIndex": "9", + "type": "visualization", + "version": "7.0.0" + } + ], + "timeRestore": false, + "title": "[Auditbeat System] Process Dashboard", + "version": 1 + }, + "id": "4c68f110-2863-11e9-97cb-474beda9f119", + "type": "dashboard", + "updated_at": "2019-02-04T10:13:58.155Z", + "version": 2 + } + ], + "version": "7.0.0" +} \ No newline at end of file diff --git a/x-pack/auditbeat/module/system/_meta/kibana/6/dashboard/auditbeat-system-socket-dashboard.json b/x-pack/auditbeat/module/system/_meta/kibana/6/dashboard/auditbeat-system-socket-dashboard.json new file mode 100644 index 00000000000..2ecb25fd700 --- /dev/null +++ b/x-pack/auditbeat/module/system/_meta/kibana/6/dashboard/auditbeat-system-socket-dashboard.json 
@@ -0,0 +1,1238 @@ +{ + "objects": [ + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Dashboard Links [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 12, + "markdown": "**Dashboards**: [System Overview](#/dashboard/2be46cb0-27f2-11e9-89af-fd12d59dac90) | [Hosts](#/dashboard/dfe62590-18da-11e9-9094-c50574723088) | [Logins](#/dashboard/2a17f200-285e-11e9-805f-43bf57dfa519) | [Users](#/dashboard/ae96a660-2864-11e9-97cb-474beda9f119) | [Processes](#/dashboard/4c68f110-2863-11e9-97cb-474beda9f119) | [Sockets](#/dashboard/957a3ef0-2867-11e9-9d21-0be348776e6c) | [Packages](#/dashboard/137c52f0-286a-11e9-9d21-0be348776e6c)", + "openLinksInNewTab": false + }, + "title": "Dashboard Links [Auditbeat System]", + "type": "markdown" + } + }, + "id": "4ccc5b50-27f6-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-04T11:37:25.234Z", + "version": 3 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "socket", + "type": "phrase" + }, + "type": "phrase", + "value": "socket" + }, + "query": { + "match": { + "event.dataset": { + "query": "socket", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Socket Count [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Sockets", + "field": "socket.entity_id" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, 
+ "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Socket Count [Auditbeat System]", + "type": "metric" + } + }, + "id": "7323dd90-27f2-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T20:29:47.881Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "socket", + "type": "phrase" + }, + "type": "phrase", + "value": "socket" + }, + "query": { + "match": { + "event.dataset": { + "query": "socket", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.action", + "negate": false, + "params": { + "query": "socket_opened", + "type": "phrase" + }, + "type": "phrase", + "value": "socket_opened" + }, + "query": { + "match": { + "event.action": { + "query": "socket_opened", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Sockets Opened [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Opened" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": 
false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Sockets Opened [Auditbeat System]", + "type": "metric" + } + }, + "id": "295905e0-27fd-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T21:47:58.605Z", + "version": 2 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "socket", + "type": "phrase" + }, + "type": "phrase", + "value": "socket" + }, + "query": { + "match": { + "event.dataset": { + "query": "socket", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.action", + "negate": false, + "params": { + "query": "socket_closed", + "type": "phrase" + }, + "type": "phrase", + "value": "socket_closed" + }, + "query": { + "match": { + "event.action": { + "query": "socket_closed", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Sockets Closed [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Closed" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": 
false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Sockets Closed [Auditbeat System]", + "type": "metric" + } + }, + "id": "82d46ec0-27fd-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T21:48:58.668Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "socket", + "type": "phrase" + }, + "type": "phrase", + "value": "socket" + }, + "query": { + "match": { + "event.dataset": { + "query": "socket", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Socket Types [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "network.direction", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Socket Types [Auditbeat System]", + "type": "pie" + } + }, + "id": "eb2dbfd0-2866-11e9-9d21-0be348776e6c", + "type": "visualization", + "updated_at": "2019-02-04T10:23:30.893Z", + "version": 1 + }, + { + "attributes": { + "columns": [ + "host.hostname", + "network.direction", + "process.name", + "message" + ], + 
"description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "socket", + "type": "phrase" + }, + "type": "phrase", + "value": "socket" + }, + "query": { + "match": { + "event.dataset": { + "query": "socket", + "type": "phrase" + } + } + } + } + ], + "highlightAll": true, + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + }, + "version": true + } + }, + "sort": [ + "@timestamp", + "desc" + ], + "title": "Socket Documents [Auditbeat System]", + "version": 1 + }, + "id": "3bfed610-2867-11e9-9d21-0be348776e6c", + "type": "search", + "updated_at": "2019-02-04T10:25:46.481Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "socket", + "type": "phrase" + }, + "type": "phrase", + "value": "socket" + }, + "query": { + "match": { + "event.dataset": { + "query": "socket", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Socket Document Histogram [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customInterval": "2h", + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "time_zone": "Europe/London", + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + } + ], + "params": { + 
"addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "grid": { + "categoryLines": false, + "style": { + "color": "#eee" + } + }, + "legendPosition": "right", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "mode": "stacked", + "show": "true", + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "times": [], + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "Socket Document Histogram [Auditbeat System]", + "type": "histogram" + } + }, + "id": "536fa900-2867-11e9-9d21-0be348776e6c", + "type": "visualization", + "updated_at": "2019-02-04T10:26:25.808Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "socket", + "type": "phrase" + }, + "type": "phrase", + "value": "socket" + }, + "query": { + "match": { + "event.dataset": { + "query": "socket", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Socket Users [Auditbeat System]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, 
+ "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 8 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 8, + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Socket Users [Auditbeat System]", + "type": "table" + } + }, + "id": "78391460-2867-11e9-9d21-0be348776e6c", + "type": "visualization", + "updated_at": "2019-02-04T10:27:27.526Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "socket", + "type": "phrase" + }, + "type": "phrase", + "value": "socket" + }, + "query": { + "match": { + "event.dataset": { + "query": "socket", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Destination Ports [Auditbeat System]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "destination.port", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 30 + }, + "schema": "bucket", + 
"type": "terms" + } + ], + "params": { + "perPage": 10, + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Destination Ports [Auditbeat System]", + "type": "table" + } + }, + "id": "1771daa0-286b-11e9-9d21-0be348776e6c", + "type": "visualization", + "updated_at": "2019-02-04T10:56:23.379Z", + "version": 3 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "socket", + "type": "phrase" + }, + "type": "phrase", + "value": "socket" + }, + "query": { + "match": { + "event.dataset": { + "query": "socket", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Socket Source IPs [Auditbeat System]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "source.ip", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 30 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Socket Source IPs [Auditbeat System]", + "type": "table" + } + }, + "id": "b899a700-286b-11e9-9d21-0be348776e6c", + "type": "visualization", + "updated_at": 
"2019-02-04T10:57:53.520Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "socket", + "type": "phrase" + }, + "type": "phrase", + "value": "socket" + }, + "query": { + "match": { + "event.dataset": { + "query": "socket", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Socket Destination IPs [Auditbeat System]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "destination.ip", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 30 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Socket Destination IPs [Auditbeat System]", + "type": "table" + } + }, + "id": "d32c0540-286b-11e9-9d21-0be348776e6c", + "type": "visualization", + "updated_at": "2019-02-04T10:58:38.100Z", + "version": 1 + }, + { + "attributes": { + "description": "System Sockets", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "lucene", + "query": "" + } + } + }, + "optionsJSON": { + "darkTheme": false, + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + 
"embeddableConfig": {}, + "gridData": { + "h": 4, + "i": "1", + "w": 48, + "x": 0, + "y": 0 + }, + "id": "4ccc5b50-27f6-11e9-89af-fd12d59dac90", + "panelIndex": "1", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 11, + "i": "2", + "w": 5, + "x": 0, + "y": 4 + }, + "id": "7323dd90-27f2-11e9-89af-fd12d59dac90", + "panelIndex": "2", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 11, + "i": "3", + "w": 5, + "x": 5, + "y": 4 + }, + "id": "295905e0-27fd-11e9-89af-fd12d59dac90", + "panelIndex": "3", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 11, + "i": "4", + "w": 5, + "x": 10, + "y": 4 + }, + "id": "82d46ec0-27fd-11e9-89af-fd12d59dac90", + "panelIndex": "4", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 11, + "i": "5", + "w": 9, + "x": 15, + "y": 4 + }, + "id": "eb2dbfd0-2866-11e9-9d21-0be348776e6c", + "panelIndex": "5", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 26, + "i": "6", + "w": 48, + "x": 0, + "y": 23 + }, + "id": "3bfed610-2867-11e9-9d21-0be348776e6c", + "panelIndex": "6", + "type": "search", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "7", + "w": 48, + "x": 0, + "y": 15 + }, + "id": "536fa900-2867-11e9-9d21-0be348776e6c", + "panelIndex": "7", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 11, + "i": "8", + "w": 6, + "x": 42, + "y": 4 + }, + "id": "78391460-2867-11e9-9d21-0be348776e6c", + "panelIndex": "8", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 11, + "i": "9", + "w": 6, + "x": 36, + "y": 4 + }, + "id": "1771daa0-286b-11e9-9d21-0be348776e6c", + "panelIndex": "9", + "type": "visualization", + 
"version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 11, + "i": "10", + "w": 6, + "x": 24, + "y": 4 + }, + "id": "b899a700-286b-11e9-9d21-0be348776e6c", + "panelIndex": "10", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 11, + "i": "11", + "w": 6, + "x": 30, + "y": 4 + }, + "id": "d32c0540-286b-11e9-9d21-0be348776e6c", + "panelIndex": "11", + "type": "visualization", + "version": "7.0.0" + } + ], + "timeRestore": false, + "title": "[Auditbeat System] Socket Dashboard", + "version": 1 + }, + "id": "957a3ef0-2867-11e9-9d21-0be348776e6c", + "type": "dashboard", + "updated_at": "2019-02-04T11:01:23.746Z", + "version": 3 + } + ], + "version": "7.0.0" +} \ No newline at end of file diff --git a/x-pack/auditbeat/module/system/_meta/kibana/6/dashboard/auditbeat-system-user-dashboard.json b/x-pack/auditbeat/module/system/_meta/kibana/6/dashboard/auditbeat-system-user-dashboard.json new file mode 100644 index 00000000000..47efcb20e9f --- /dev/null +++ b/x-pack/auditbeat/module/system/_meta/kibana/6/dashboard/auditbeat-system-user-dashboard.json 
@@ -0,0 +1,913 @@ +{ + "objects": [ + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "user", + "type": "phrase" + }, + "type": "phrase", + "value": "user" + }, + "query": { + "match": { + "event.dataset": { + "query": "user", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "User Count [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Users", + "field": "user.entity_id" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "User Count [Auditbeat System]", + "type": "metric" + } + }, + "id": "e9225120-27f2-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T20:35:48.640Z", + "version": 2 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "user", + "type": "phrase" + }, + "type": "phrase", + "value": "user" + }, + "query": { + "match": { + "event.dataset": { + "query": "user", + "type": "phrase" + 
} + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.action", + "negate": true, + "params": { + "query": "existing_user", + "type": "phrase" + }, + "type": "phrase", + "value": "existing_user" + }, + "query": { + "match": { + "event.action": { + "query": "existing_user", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "User Changes [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "User Changes" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "User Changes [Auditbeat System]", + "type": "metric" + } + }, + "id": "00fa0d20-27fc-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-03T21:38:11.314Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "user", + "type": "phrase" + }, + "type": "phrase", + "value": "user" + }, + "query": { + "match": { + "event.dataset": { + "query": "user", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": 
"auditbeat-*", + "key": "event.action", + "negate": true, + "params": { + "query": "existing_user", + "type": "phrase" + }, + "type": "phrase", + "value": "existing_user" + }, + "query": { + "match": { + "event.action": { + "query": "existing_user", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "User Change Actions [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "event.action", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "User Change Actions [Auditbeat System]", + "type": "pie" + } + }, + "id": "dc514de0-2863-11e9-97cb-474beda9f119", + "type": "visualization", + "updated_at": "2019-02-04T10:01:37.470Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "user", + "type": "phrase" + }, + "type": "phrase", + "value": "user" + }, + "query": { + "match": { + "event.dataset": { + "query": "user", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Password Types [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": 
{ + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "system.audit.user.password.type", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Password Types [Auditbeat System]", + "type": "pie" + } + }, + "id": "0bf8b4c0-2864-11e9-97cb-474beda9f119", + "type": "visualization", + "updated_at": "2019-02-04T10:02:57.420Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "user", + "type": "phrase" + }, + "type": "phrase", + "value": "user" + }, + "query": { + "match": { + "event.dataset": { + "query": "user", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "User Documents Histogram [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customInterval": "2h", + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "time_zone": "Europe/London", + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + } + ], + "params": { + 
"addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "grid": { + "categoryLines": false, + "style": { + "color": "#eee" + } + }, + "legendPosition": "right", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "mode": "stacked", + "show": "true", + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "times": [], + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "User Documents Histogram [Auditbeat System]", + "type": "histogram" + } + }, + "id": "30f4eff0-2864-11e9-97cb-474beda9f119", + "type": "visualization", + "updated_at": "2019-02-04T10:03:59.471Z", + "version": 1 + }, + { + "attributes": { + "columns": [ + "host.hostname", + "system.audit.user.name", + "system.audit.user.password.type", + "message" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "user", + "type": "phrase" + }, + "type": "phrase", + "value": "user" + }, + "query": { + "match": { + "event.dataset": { + "query": "user", + "type": "phrase" + } + } + } + } + ], + "highlightAll": true, + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + }, + "version": true + } + }, + "sort": [ + 
"@timestamp", + "desc" + ], + "title": "User Documents [Auditbeat System]", + "version": 1 + }, + "id": "658a3db0-2864-11e9-97cb-474beda9f119", + "type": "search", + "updated_at": "2019-02-04T10:05:27.691Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "user", + "type": "phrase" + }, + "type": "phrase", + "value": "user" + }, + "query": { + "match": { + "event.dataset": { + "query": "user", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "User OS Distribution [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "field": "host.id" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "OS", + "field": "host.os.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "host.os.version", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "User OS Distribution [Auditbeat System]", + "type": "pie" + } + }, + "id": 
"7f480de0-2864-11e9-97cb-474beda9f119", + "type": "visualization", + "updated_at": "2019-02-04T10:06:10.878Z", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Dashboard Links [Auditbeat System]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 12, + "markdown": "**Dashboards**: [System Overview](#/dashboard/2be46cb0-27f2-11e9-89af-fd12d59dac90) | [Hosts](#/dashboard/dfe62590-18da-11e9-9094-c50574723088) | [Logins](#/dashboard/2a17f200-285e-11e9-805f-43bf57dfa519) | [Users](#/dashboard/ae96a660-2864-11e9-97cb-474beda9f119) | [Processes](#/dashboard/4c68f110-2863-11e9-97cb-474beda9f119) | [Sockets](#/dashboard/957a3ef0-2867-11e9-9d21-0be348776e6c) | [Packages](#/dashboard/137c52f0-286a-11e9-9d21-0be348776e6c)", + "openLinksInNewTab": false + }, + "title": "Dashboard Links [Auditbeat System]", + "type": "markdown" + } + }, + "id": "4ccc5b50-27f6-11e9-89af-fd12d59dac90", + "type": "visualization", + "updated_at": "2019-02-04T11:37:25.234Z", + "version": 3 + }, + { + "attributes": { + "description": "System Users", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "lucene", + "query": "" + } + } + }, + "optionsJSON": { + "darkTheme": false, + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "1", + "w": 8, + "x": 0, + "y": 4 + }, + "id": "e9225120-27f2-11e9-89af-fd12d59dac90", + "panelIndex": "1", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "2", + "w": 8, + "x": 8, + "y": 4 + }, + "id": "00fa0d20-27fc-11e9-89af-fd12d59dac90", + "panelIndex": "2", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 10, 
+ "i": "3", + "w": 11, + "x": 26, + "y": 4 + }, + "id": "dc514de0-2863-11e9-97cb-474beda9f119", + "panelIndex": "3", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "4", + "w": 11, + "x": 37, + "y": 4 + }, + "id": "0bf8b4c0-2864-11e9-97cb-474beda9f119", + "panelIndex": "4", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 9, + "i": "5", + "w": 48, + "x": 0, + "y": 14 + }, + "id": "30f4eff0-2864-11e9-97cb-474beda9f119", + "panelIndex": "5", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 26, + "i": "6", + "w": 48, + "x": 0, + "y": 23 + }, + "id": "658a3db0-2864-11e9-97cb-474beda9f119", + "panelIndex": "6", + "type": "search", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "7", + "w": 10, + "x": 16, + "y": 4 + }, + "id": "7f480de0-2864-11e9-97cb-474beda9f119", + "panelIndex": "7", + "type": "visualization", + "version": "7.0.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 4, + "i": "8", + "w": 48, + "x": 0, + "y": 0 + }, + "id": "4ccc5b50-27f6-11e9-89af-fd12d59dac90", + "panelIndex": "8", + "type": "visualization", + "version": "7.0.0" + } + ], + "timeRestore": false, + "title": "[Auditbeat System] User Dashboard", + "version": 1 + }, + "id": "ae96a660-2864-11e9-97cb-474beda9f119", + "type": "dashboard", + "updated_at": "2019-02-04T11:02:23.820Z", + "version": 3 + } + ], + "version": "7.0.0" +} \ No newline at end of file diff --git a/x-pack/auditbeat/module/system/fields.go b/x-pack/auditbeat/module/system/fields.go index 2a063fea81e..c96b4437ac4 100644 --- a/x-pack/auditbeat/module/system/fields.go +++ b/x-pack/auditbeat/module/system/fields.go 
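Review bot: The `User Documents Histogram [Auditbeat System]` visualization pins its `date_histogram` aggregation to `"time_zone": "Europe/London"`, which looks like the exporting author's browser timezone leaking into a shipped dashboard; if Kibana honours this parameter over the viewer's own setting, every installation will bucket user events on London time regardless of where the analyst sits. Dropping that one line from the aggregation `params` lets Kibana fall back to the user's configured timezone, which is what the other aggregations in this file already do. A smaller consistency point: `User OS Distribution [Auditbeat System]` uses `"language": "kuery"` while every other saved object in this file uses `"language": "lucene"`; harmless for an empty query, but worth aligning so the dashboards behave the same way when a query is typed into them.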
@@ -18,5 +18,5 @@ func init() { // Asset returns asset data func Asset() string { - return "eJzEWV1v2zgWffevuOhLE8BVsIvdYuGHBfqFqYF2GkxSzLzF1+K1xAnFqyGpOO6vH5CiZNmW7DhRMQICWAx5zrlf1BX1Bu5pMwO7sY6KCYCTTtEMXt2EgVcTAEE2NbJ0kvUM/j8BALjNyRKgIXA5wUqSEhYy0mTQkYDlJozXmFCwqBQlEwBDitDSDOixJCML0g7VBCLAbDIBeAMaCz/jgbQLXG5T0gwyw1UZ7pvJ/nczm43MpA5DzYJ72qzZiDjWY4O/voV1wKugN3AmcJtLCylqWBIgrKQiKNHlcEFJlsDi6gHNleLM/yX/WlxOWzQ2AcZLaiCjC1IuStakHbgcHdiqLJUkEaYIdNhga3JK6vvFZbJrXuVSLuh8+25zahbvGjlpp8w7wxFmSRZQA6YebgrO+yPGOGXtUGob1myRW7RgXr0wgU+PWJSKbDPRhoxZ2CpNydoFoBawWKFUlaFFAr+j0VJnM5jrFm9VucoQPJCxkrX1Rnz6cDOFNUGpUINjKA0/SOFDpaR1fgamKZUOl4rgAVVFdgsXQtSYM4Uy5CNUlmAtXQ4pVkF64x6qLZhB1NzN0MqSeXKCknbSbe6kOD+G849QaflXRWoDUnig1UbqLETAawDWgJCzdQnMHfjc5aKsfB2iBYSbz+/e/Pu/byFHm29TtY66XwXzj9MayP/wMQk3XvduFjoyhdShYM9Nw7iyofUESdeXpeHg3n/YnVHGaT9GQ1rQ1o/XjQ8jFFiHxoGT3pkdgy2n9/T0/e0n2VureIG5NQBIzYKmoDhFBfPr5lfJxk3BUMGOwrB3TLz1/9v1SNgpE6yE7PdLj31dV3Xd5fW1g4dIR/3lr4UHWGw3u/rJpmq7pV6xKbDeJ7Zrhp5t7dazp7WzkZQ+PXYE1IoV62xn+Ihkf30PQCA1aNRsKWUtbNLDuGR2A5wCHZ3D+Z65Se9DnuhAMvIHiR6yJbMi1Ofw3fh0W8VI+DxtOfoEeGE/WFPib3sE7FbQkwT82nm6N/Dd7XQK4VH+/ub2qCBerSy5xFI6QuBvtzo8qs+AI9H3Ksfzx+eI1sck+4L+TA6Yf+yjQJPm0lHq24QRybqwsTl7/N/bu7f/uewTUWBfFJ/B/fXdB0AhDFlLvbGTZQ/R3uAJjvn1cQq2PRT7m+cJlgXbzvbZ2TEBl1y5unss/duCfxTFrX8H43C77HQLCp1H3CMd9vpJn3y7aUFjtFPSju0UqmWlXTWFtdSC1/Yy6VV0UE4vVRPeIWolXzH1I38MUK+wkGozKnkNGekNiRzdFAQtJeoprAzR0opTHokd+6i6ImY/4T0ZTWo8vtueFH1tI82hlDY3Mb3HjF7UfUSMoxWEGqS2DpUi4V88fVv1QKLhH6cz2W87Tzn1qEuPNt5R9dmdaHO1HWlECgbETjyO9GTPYPk+08TrDnkfT19RvJDqiFUx7mOyRcihB/GYVN0ncB+fkinpca2LkL3P3brWRmmaG7qIOdg9W/nj5W8FDZkH6yWpigLN5hmA9cI+zMqoMcPy/bcvh/tse/rSpThnk/UAJ3sUP8nWByyHTcr5++rPahgAvu8e2Rx4S+4jvpxttx/fcmXjcv3iYzpIJqQZ27DXFnIuyENT6ng3xTuFk5Masd0AuDacGSzAMZhKAzpQnMmBbscn5l0nZ3uFOHp0Z7s7HnWEM8DuUQd80/BF6uoxHgjL+gw4o5TjcepAOhy8OTTyePknpWcKXAS4E53Rpia12yNSaaFEEw6HL5a0YS3a/722UBrpt7J61V4/21/GcLyU4UQuPCkS0Cb/YV3D0Xrb0kvtKKP9EjmTfqj2SrS2x7ihF8bTsW0Aj4e3jVqcDReaXewi44h0ltTq7Eh65T8rku8OZHvYBK7ZWrn9UhG/kOQoeH3X+mMA82LH6NAe+8LU
9dluwAifry6nW9/eCWlxqUgspgOoC81bZs9RF7tAnZHhyoamXG9YU/hIpjgDqS9Drz2EmJpN6bqg65z0bshCbLz2K3LpVRgWYIkKOwDquMkS/y5EOnCEF6Aa8SD6ndYRrbtLc2/QcOkc9HT19aRg34bPepudPaYxdI02CIAoIJn8HQAA//9sRPQr" + return "eJzEWV1v27gSffevGPSlCeAq6MW9xYUfFmibYmug3QabFLtv8VgcS9xQpJak4qi/fkGKkiWb8kfiYg0EiGnynDNf1JB6Aw9Uz8DUxlIxAbDcCprBq1s/8GoCwMikmpeWKzmDXyYAAHc5GQLUBDYnWHESzEBGkjRaYrCs/XiDCYVilaBkAqBJEBqaAT2VpHlB0qKYQACYTSYAb0Bi4WY8krSey9YlzSDTqir993ay+7+drTTPuPRD7YIHqtdKszAWscF9vvl1oFZer+dM4C7nBlKUsCRAWHFBUKLN4YKSLIHF1SPqK6Ey95e8XVxOOzSlPYyT1EIGF6SqKJUkacHmaMFUZSk4MT+FocUWW5IVXD4sLpOheZVNVUGn23eXU7t4aOSkmzLvDQeYJRlACZg6uClY548Q41RJi1wav2aD3KF585qFCXx6wqIUZNqJxmfMwlRpSsYsACWDxQq5qDQtEvgDteQym8Fcdnirylaa4JG04UoaZ8Snj7dTWBOUAiVYBaVWj5y5UAlurJuBaUqlxaUgeERRkdnA+RC15kyh9PkIlSFYc5tDipWX3rqHGgtmEDT3M7QypI9OUJKW2/qes9NjOL+GSvK/KxI1cOaAVjWXmY+A0wBKAkKujE1gbsHlrirKytUhGkC4/fz+zX/+9w5yNPkmVZuou1Uwv542QO4fFxP/xekeZqElXXDpC/bUNAwrW1pHkPR9WWrl3fsvuzPIOOzHYEgH2vnxpvVhgAJjUVuw3DmzZ7BR6QMdv7/9JHsbFS8wtwEALhWjKQiVooD5TftfqbSdgqZCWfLDzjHhq/tt6BG/UyZYMR73S8S+vqv67nL6usFdpL3+cp+FA1hsNrvmySYau7lcKV1gs09s1ow927qtZ0trbyMpXXoMBDSKhZLZYLghngGrtOcf/MhlWdn7dopEqQylSjIzmKUq25+G5hrr6IxSU8qNd87bwe97/OY+3701wGVfQhIxe6mUHTGcoaVTOD8o1dbYLk+IImn+g1iEbKmUIJSn8N26nF+FdHDF0nHEBDhhP5SkxH2NCBiW8VECfuu1GC18f0+fgu8nPtze7RWkVitDNjGUHpN9BzTdbXQ4VJcBe6LvVJ7PH58DWoyJx4L+TA6YX8coUKc5t5S6XuWMZH3Y0CE+/f/d/bv/XsZEFBiL4jO4v77/CMiYJmMoGjteRoi2Bg9wzG/2UygTodjewQ+wLJTp7eG9bRtwqSrbtLClO7K452F4/gz32509u9eyCLQOcYt03OsHffLttgMN0U5JWmWmUC0raasprLlkam0uk6iinXJ6qRp/kGmUfMXUjfw5Qr3Cgov6rOQNZKDXxHK0U2C05CinsNJES8MOeSQcG86qK2DGCR9ISxLn47uLpOhrE2h2pXS5iekDZvSiFihg7K0glMClsSgEMXf6db3dI7GW/zzt0Xbve8ipe126t/sPqk9uh9tP1xYHJG9AOA6EkUj2jJbvM0286ZHHeGJF8UKqPVaFuJ+TLUCOPYjPSdV/Asf4BE9Jnte6ABl97ja1dpamuaULmKPds+E/jjqaHEXmwKIkVVGgrp8B2CyMYVZanDMs33//srvPdldAfYpTNlkHcLBHcZNMc8uz26Scvq/+rIYB4Pvw3mjHW3wb8eVsw358w5Wdl+tXF9NRMsb1uQ17bSBXBTloSq0apnivcHISZ2w3AG60yjQWYBXoSgJaECrjI92OS8z7Xs5GhVh6sie7O9y3+IvI/n0LfJPwhcvqKdxK8+YiOqNUhTvdkXTYOTm08tTyL0pPFLjwcAc6o7ohNZt7Wm6gRO1v
qC+WVCvJut9eGyg1d1tZs2qrn42XMewvZTiQC0dFArrk361r2FtvG3ouLWW0XSIn0o/VXonGRIwbOzAejm0LuD+8XdTCbLiQyoYuMoxwa0isTo6kU/6zIvl+R7aDTeBGGcM3r0vCa5ocmVrfd/4YwbwYGO3bY1eYsrlg9hj+HdrldOPbe8YNLgWxxXQEdSHVhtlxNMXOUGakVWV8Uy5rJcm/qRMqAy4vfa89hpjqurR90HVOchgyHxun/YpseuWHGRiiwoyAWtVmiTsLkfQc/gDUIO5Ev9c6orH3ae4MGi+dnZ6u+RwV7Dv/brEe7DGtoWs0XgAEAcnknwAAAP//bK0adw=="
 }
diff --git a/x-pack/auditbeat/module/system/host/_meta/docs.asciidoc b/x-pack/auditbeat/module/system/host/_meta/docs.asciidoc
index a0baab22b26..006defed451 100644
--- a/x-pack/auditbeat/module/system/host/_meta/docs.asciidoc
+++ b/x-pack/auditbeat/module/system/host/_meta/docs.asciidoc
@@ -5,3 +5,11 @@ experimental[]
 This is the `host` dataset of the system module.
 It is implemented for Linux, macOS (Darwin), and Windows.
+
+[float]
+==== Example dashboard
+
+This dataset comes with a sample dashboard:
+
+[role="screenshot"]
+image:./images/auditbeat-system-host-dashboard.png[Auditbeat System Host Dashboard]
diff --git a/x-pack/auditbeat/module/system/host/_meta/fields.yml b/x-pack/auditbeat/module/system/host/_meta/fields.yml
index f6955dc50ad..c2a8d43475c 100644
--- a/x-pack/auditbeat/module/system/host/_meta/fields.yml
+++ b/x-pack/auditbeat/module/system/host/_meta/fields.yml
@@ -6,6 +6,10 @@ fields:
 - name: uptime
 type: long
+ format: duration
+ input_format: nanoseconds
+ output_format: asDays
+ output_precision: 1
 description: >
 Uptime in nanoseconds.
 - name: boottime
diff --git a/x-pack/auditbeat/module/system/login/_meta/docs.asciidoc b/x-pack/auditbeat/module/system/login/_meta/docs.asciidoc
index ea1eff21763..e57c8bbb5b3 100644
--- a/x-pack/auditbeat/module/system/login/_meta/docs.asciidoc
+++ b/x-pack/auditbeat/module/system/login/_meta/docs.asciidoc
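Review bot: The `uptime` field in `host/_meta/fields.yml` now carries `output_format: asDays` and `output_precision: 1`, but its `description` still reads only "Uptime in nanoseconds.", so a reader of the generated field reference sees a nanosecond count while Kibana (if these keys drive its duration formatter, as the names suggest) renders the value as days with one decimal. Extending the description to something like `Uptime in nanoseconds. Kibana displays it as days (one decimal place).` keeps the stored unit and the displayed unit both documented at the field. The surrounding `fields:` list continues outside the hunk.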
@@ -5,3 +5,11 @@ experimental[]
 This is the `login` dataset of the system module.
 It is implemented for Linux only.
+
+[float]
+==== Example dashboard
+
+The dataset comes with a sample dashboard:
+
+[role="screenshot"]
+image:./images/auditbeat-system-login-dashboard.png[Auditbeat System Login Dashboard]
diff --git a/x-pack/auditbeat/module/system/package/_meta/docs.asciidoc b/x-pack/auditbeat/module/system/package/_meta/docs.asciidoc
index 13e2be806a7..590c0587eb5 100644
--- a/x-pack/auditbeat/module/system/package/_meta/docs.asciidoc
+++ b/x-pack/auditbeat/module/system/package/_meta/docs.asciidoc
@@ -4,5 +4,13 @@ experimental[]
 This is the `package` dataset of the system module.
-It is implemented for Linux distributions using dpkg as their package manager,
-and for Homebrew on macOS (Darwin).
+It is implemented for Linux distributions using dpkg or rpm as their package
+manager, and for Homebrew on macOS (Darwin).
+
+[float]
+==== Example dashboard
+
+The dataset comes with a sample dashboard:
+
+[role="screenshot"]
+image:./images/auditbeat-system-package-dashboard.png[Auditbeat System Package Dashboard]
diff --git a/x-pack/auditbeat/module/system/process/_meta/docs.asciidoc b/x-pack/auditbeat/module/system/process/_meta/docs.asciidoc
index 2ae6d7943db..0550fc3c564 100644
--- a/x-pack/auditbeat/module/system/process/_meta/docs.asciidoc
+++ b/x-pack/auditbeat/module/system/process/_meta/docs.asciidoc
@@ -5,3 +5,11 @@ experimental[]
 This is the `process` dataset of the system module.
 It is implemented for Linux, macOS (Darwin), and Windows.
+
+[float]
+==== Example dashboard
+
+The dataset comes with a sample dashboard:
+
+[role="screenshot"]
+image:./images/auditbeat-system-process-dashboard.png[Auditbeat System Process Dashboard]
diff --git a/x-pack/auditbeat/module/system/socket/_meta/docs.asciidoc b/x-pack/auditbeat/module/system/socket/_meta/docs.asciidoc
index 4a81754e1e8..33319a2404b 100644
--- a/x-pack/auditbeat/module/system/socket/_meta/docs.asciidoc
+++ b/x-pack/auditbeat/module/system/socket/_meta/docs.asciidoc
@@ -5,3 +5,11 @@ experimental[]
 This is the `socket` dataset of the system module.
 It is implemented for Linux only.
+
+[float]
+==== Example dashboard
+
+The dataset comes with a sample dashboard:
+
+[role="screenshot"]
+image:./images/auditbeat-system-socket-dashboard.png[Auditbeat System Socket Dashboard]
diff --git a/x-pack/auditbeat/module/system/user/_meta/docs.asciidoc b/x-pack/auditbeat/module/system/user/_meta/docs.asciidoc
index 6f777bba92c..32551b7b735 100644
--- a/x-pack/auditbeat/module/system/user/_meta/docs.asciidoc
+++ b/x-pack/auditbeat/module/system/user/_meta/docs.asciidoc
@@ -5,3 +5,11 @@ experimental[]
 This is the `user` dataset of the system module.
 It is implemented for Linux only.
+
+[float]
+==== Example dashboard
+
+The dataset comes with a sample dashboard:
+
+[role="screenshot"]
+image:./images/auditbeat-system-user-dashboard.png[Auditbeat System User Dashboard]