diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc index 16415f342c3d..675bff9a94f3 100644 --- a/CHANGELOG.asciidoc +++ b/CHANGELOG.asciidoc @@ -86,6 +86,7 @@ https://github.com/elastic/beats/compare/v6.0.0-beta2...master[Check the HEAD di *Auditbeat* - Add support for SHA3 hash algorithms to the file integrity module. {issue}5345[5345] +- Add dashboards for Linux audit framework events (overview, executions, sockets). {pull}5516[5516] *Filebeat* diff --git a/auditbeat/docs/images/auditbeat-kernel-executions-dashboard.png b/auditbeat/docs/images/auditbeat-kernel-executions-dashboard.png new file mode 100644 index 000000000000..855bbc5eb37e Binary files /dev/null and b/auditbeat/docs/images/auditbeat-kernel-executions-dashboard.png differ diff --git a/auditbeat/docs/images/auditbeat-kernel-overview-dashboard.png b/auditbeat/docs/images/auditbeat-kernel-overview-dashboard.png new file mode 100644 index 000000000000..2f08cdcddbef Binary files /dev/null and b/auditbeat/docs/images/auditbeat-kernel-overview-dashboard.png differ diff --git a/auditbeat/docs/images/auditbeat-kernel-sockets-dashboard.png b/auditbeat/docs/images/auditbeat-kernel-sockets-dashboard.png new file mode 100644 index 000000000000..156c3f38f526 Binary files /dev/null and b/auditbeat/docs/images/auditbeat-kernel-sockets-dashboard.png differ diff --git a/auditbeat/module/audit/_meta/kibana/default/dashboard/auditbeat-kernel-executions.json b/auditbeat/module/audit/_meta/kibana/default/dashboard/auditbeat-kernel-executions.json new file mode 100644 index 000000000000..b85434191167 --- /dev/null +++ b/auditbeat/module/audit/_meta/kibana/default/dashboard/auditbeat-kernel-executions.json 
@@ -0,0 +1,95 @@ +{ + "objects": [ + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" + }, + "savedSearchId": "d382f5b0-c1c6-11e7-8995-936807a28b16", + "title": "Error Codes [Auditbeat Kernel Executions]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"title\":\"Error Codes [Auditbeat Kernel Executions]\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"audit.kernel.data.exit\",\"exclude\":\"0\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}]}" + }, + "id": "20a8e8d0-c1c8-11e7-8995-936807a28b16", + "type": "visualization", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"auditbeat-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" + }, + "title": "Primary Username Tag Cloud [Auditbeat Kernel]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"title\":\"Primary Username Tag Cloud [Auditbeat Kernel]\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":45},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"audit.kernel.actor.primary\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}]}" + }, + "id": "f81a6de0-c1c1-11e7-8995-936807a28b16", + "type": "visualization", + "version": 2 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" + }, + 
"savedSearchId": "d382f5b0-c1c6-11e7-8995-936807a28b16", + "title": "Exe Name Tag Cloud [Auditbeat Kernel]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"title\":\"Exe Name Tag Cloud [Auditbeat Kernel]\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":14,\"maxFontSize\":45},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"audit.kernel.data.exe\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}]}" + }, + "id": "2efac370-c1ca-11e7-8995-936807a28b16", + "type": "visualization", + "version": 1 + }, + { + "attributes": { + "columns": [ + "beat.hostname", + "audit.kernel.data.cmdline", + "audit.kernel.actor.primary", + "audit.kernel.actor.secondary", + "audit.kernel.data.exe" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"auditbeat-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"auditbeat-*\",\"key\":\"metricset.name\",\"negate\":false,\"params\":{\"query\":\"kernel\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"kernel\"},\"query\":{\"match\":{\"metricset.name\":{\"query\":\"kernel\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"auditbeat-*\",\"key\":\"audit.kernel.action\",\"negate\":false,\"params\":{\"query\":\"executed\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"executed\"},\"query\":{\"match\":{\"audit.kernel.action\":{\"query\":\"executed\",\"type\":\"phrase\"}}}}]}" + }, + "sort": [ + "@timestamp", + "desc" + ], + "title": "Process Executions [Auditbeat Kernel]", + "version": 1 + }, + "id": "d382f5b0-c1c6-11e7-8995-936807a28b16", + "type": "search", + "version": 3 + 
}, + { + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"highlightAll\":true,\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"col\":5,\"id\":\"20a8e8d0-c1c8-11e7-8995-936807a28b16\",\"panelIndex\":1,\"row\":1,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":9,\"id\":\"f81a6de0-c1c1-11e7-8995-936807a28b16\",\"panelIndex\":3,\"row\":1,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"2efac370-c1ca-11e7-8995-936807a28b16\",\"panelIndex\":5,\"row\":1,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"size_x\":12,\"size_y\":5,\"panelIndex\":6,\"type\":\"search\",\"id\":\"d382f5b0-c1c6-11e7-8995-936807a28b16\",\"col\":1,\"row\":4,\"columns\":[\"beat.hostname\",\"audit.kernel.data.cmdline\",\"audit.kernel.actor.primary\",\"audit.kernel.actor.secondary\",\"audit.kernel.data.exe\"],\"sort\":[\"@timestamp\",\"desc\"]}]", + "timeRestore": false, + "title": "[Auditbeat Kernel] Executions", + "uiStateJSON": "{}", + "version": 1 + }, + "id": "7de391b0-c1ca-11e7-8995-936807a28b16", + "type": "dashboard", + "version": 3 + } + ], + "version": "6.0.0-rc2" +} \ No newline at end of file diff --git a/auditbeat/module/audit/_meta/kibana/default/dashboard/auditbeat-kernel-overview.json b/auditbeat/module/audit/_meta/kibana/default/dashboard/auditbeat-kernel-overview.json new file mode 100644 index 000000000000..e76efb41ff75 --- /dev/null +++ b/auditbeat/module/audit/_meta/kibana/default/dashboard/auditbeat-kernel-overview.json 
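Review bot: The `Primary Username Tag Cloud [Auditbeat Kernel]` visualization (id `f81a6de0-c1c1-11e7-8995-936807a28b16`) is not bound to the `Process Executions` saved search: its `searchSourceJSON` targets `auditbeat-*` with an empty filter, whereas the `Error Codes` and `Exe Name Tag Cloud` panels on the same dashboard use `"savedSearchId": "d382f5b0-c1c6-11e7-8995-936807a28b16"`. On the Executions dashboard it therefore aggregates `audit.kernel.actor.primary` over every auditbeat event, not only those with `audit.kernel.action: executed`, so the users it shows will not line up with the other panels or the table below. If the wider scope is intentional the title should say so; otherwise add `"savedSearchId": "d382f5b0-c1c6-11e7-8995-936807a28b16"` to its attributes and remove the `index` key from its `searchSourceJSON`, matching the sibling visualizations.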
@@ -0,0 +1,82 @@ +{ + "objects": [ + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Event Actions [Auditbeat Kernel Overview]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"title\":\"Event Actions [Auditbeat Kernel Overview]\",\"type\":\"metrics\",\"params\":{\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\",\"series\":[{\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"color\":\"#68BC00\",\"split_mode\":\"terms\",\"metrics\":[{\"id\":\"6b9fb2d0-c1bc-11e7-938f-ab0645b6c431\",\"type\":\"count\"}],\"seperate_axis\":0,\"axis_position\":\"right\",\"formatter\":\"number\",\"chart_type\":\"line\",\"line_width\":1,\"point_size\":1,\"fill\":0.5,\"stacked\":\"none\",\"terms_field\":\"audit.kernel.action\",\"label\":\"Actions\"}],\"time_field\":\"@timestamp\",\"index_pattern\":\"auditbeat-*\",\"interval\":\"auto\",\"axis_position\":\"left\",\"axis_formatter\":\"number\",\"show_legend\":1,\"show_grid\":1,\"filter\":\"metricset.name:kernel\",\"background_color_rules\":[{\"id\":\"58c95a20-c1bd-11e7-938f-ab0645b6c431\"}],\"bar_color_rules\":[{\"id\":\"5bfc71a0-c1bd-11e7-938f-ab0645b6c431\"}],\"gauge_color_rules\":[{\"id\":\"5d20a650-c1bd-11e7-938f-ab0645b6c431\"}],\"gauge_width\":10,\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"legend_position\":\"left\"},\"aggs\":[]}" + }, + "id": "97680df0-c1c0-11e7-8995-936807a28b16", + "type": "visualization", + "version": 3 + }, + { + "attributes": { + "columns": [ + "beat.hostname", + "audit.kernel.actor.primary", + "audit.kernel.actor.secondary", + "audit.kernel.action", + "audit.kernel.thing.what", + "audit.kernel.thing.primary", + "audit.kernel.thing.secondary", + "audit.kernel.how", + "audit.kernel.result" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": 
"{\"index\":\"auditbeat-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"negate\":false,\"index\":\"auditbeat-*\",\"type\":\"phrase\",\"key\":\"metricset.name\",\"value\":\"kernel\",\"params\":{\"query\":\"kernel\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"metricset.name\":{\"query\":\"kernel\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}" + }, + "sort": [ + "@timestamp", + "desc" + ], + "title": "Audit Event Table [Auditbeat Kernel]", + "version": 1 + }, + "id": "0f10c430-c1c3-11e7-8995-936807a28b16", + "type": "search", + "version": 3 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"auditbeat-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" + }, + "title": "Event Categories [Auditbeat Kernel]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"title\":\"Event Categories [Auditbeat Kernel]\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"audit.kernel.category\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Category\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"audit.kernel.action\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Action\"}}]}" + }, + "id": "08679220-c25a-11e7-8692-232bd1143e8a", + "type": "visualization", + "version": 1 + }, + { + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"highlightAll\":true,\"version\":true}" + }, + "optionsJSON": 
"{\"darkTheme\":false}", + "panelsJSON": "[{\"col\":1,\"id\":\"97680df0-c1c0-11e7-8995-936807a28b16\",\"panelIndex\":1,\"row\":1,\"size_x\":7,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"columns\":[\"beat.hostname\",\"audit.kernel.actor.primary\",\"audit.kernel.actor.secondary\",\"audit.kernel.action\",\"audit.kernel.thing.what\",\"audit.kernel.thing.primary\",\"audit.kernel.thing.secondary\",\"audit.kernel.how\",\"audit.kernel.result\"],\"id\":\"0f10c430-c1c3-11e7-8995-936807a28b16\",\"panelIndex\":3,\"row\":4,\"size_x\":12,\"size_y\":4,\"sort\":[\"@timestamp\",\"desc\"],\"type\":\"search\"},{\"size_x\":5,\"size_y\":3,\"panelIndex\":4,\"type\":\"visualization\",\"id\":\"08679220-c25a-11e7-8692-232bd1143e8a\",\"col\":8,\"row\":1}]", + "timeRestore": false, + "title": "[Auditbeat Kernel] Overview", + "uiStateJSON": "{}", + "version": 1 + }, + "id": "c0ac2c00-c1c0-11e7-8995-936807a28b16", + "type": "dashboard", + "version": 7 + } + ], + "version": "6.0.0-rc2" +} \ No newline at end of file diff --git a/auditbeat/module/audit/_meta/kibana/default/dashboard/auditbeat-kernel-sockets.json b/auditbeat/module/audit/_meta/kibana/default/dashboard/auditbeat-kernel-sockets.json new file mode 100644 index 000000000000..ff7c98c98ec0 --- /dev/null +++ b/auditbeat/module/audit/_meta/kibana/default/dashboard/auditbeat-kernel-sockets.json 
@@ -0,0 +1,180 @@ +{ + "objects": [ + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"meta\":{\"index\":\"auditbeat-*\",\"negate\":true,\"type\":\"phrase\",\"key\":\"audit.kernel.thing.secondary\",\"value\":\"0\",\"params\":{\"query\":\"0\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null,\"apply\":true},\"query\":{\"match\":{\"audit.kernel.thing.secondary\":{\"query\":\"0\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" + }, + "savedSearchId": "b4c93470-c240-11e7-8692-232bd1143e8a", + "title": "Bind (non-ephemeral) [Auditbeat Kernel]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"title\":\"Bind (non-ephemeral) [Auditbeat Kernel]\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"audit.kernel.how\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Exe\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"audit.kernel.thing.primary\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"audit.kernel.thing.secondary\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Port\"}}]}" + }, + "id": "faf882f0-c242-11e7-8692-232bd1143e8a", + "type": "visualization", + "version": 4 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": 
"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" + }, + "savedSearchId": "5438b030-c246-11e7-8692-232bd1143e8a", + "title": "Connect [Auditbeat Kernel]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"title\":\"Connect [Auditbeat Kernel]\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"audit.kernel.data.exe\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Exe\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"audit.kernel.thing.primary\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"audit.kernel.thing.secondary\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}]}" + }, + "id": "ea483730-c246-11e7-8692-232bd1143e8a", + "type": "visualization", + "version": 3 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" + }, + "savedSearchId": "e8734160-c24c-11e7-8692-232bd1143e8a", + "title": "Accept / Recvfrom Unique Address Table [Auditbeat Kernel]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"spy\":{\"mode\":{\"name\":null,\"fill\":false}}}", + "version": 1, + "visState": "{\"title\":\"Accept / Recvfrom Unique Address Table [Auditbeat 
Kernel]\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"audit.kernel.thing.primary\",\"customLabel\":\"Unique Addresses\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"audit.kernel.how\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Exe\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"audit.kernel.data.syscall\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Syscall\"}}]}" + }, + "id": "ceb91de0-c250-11e7-8692-232bd1143e8a", + "type": "visualization", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Socket Syscalls Time Series [Auditbeat Kernel]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"title\":\"Socket Syscalls Time Series [Auditbeat 
Kernel]\",\"type\":\"metrics\",\"params\":{\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\",\"series\":[{\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"color\":\"#68BC00\",\"split_mode\":\"terms\",\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"seperate_axis\":0,\"axis_position\":\"right\",\"formatter\":\"number\",\"chart_type\":\"line\",\"line_width\":1,\"point_size\":1,\"fill\":0.5,\"stacked\":\"none\",\"terms_field\":\"audit.kernel.data.syscall\",\"label\":\"syscall\"}],\"time_field\":\"@timestamp\",\"index_pattern\":\"*\",\"interval\":\"auto\",\"axis_position\":\"left\",\"axis_formatter\":\"number\",\"show_legend\":1,\"show_grid\":1,\"filter\":\"audit.kernel.thing.what:socket\",\"legend_position\":\"left\",\"bar_color_rules\":[{\"id\":\"2cebb0c0-c252-11e7-8a68-93ffe9ec5950\"}],\"gauge_color_rules\":[{\"id\":\"6c891740-c252-11e7-8a68-93ffe9ec5950\"}],\"gauge_width\":10,\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"background_color_rules\":[{\"id\":\"95b603d0-c252-11e7-8a68-93ffe9ec5950\"}]},\"aggs\":[]}" + }, + "id": "b21e0c70-c252-11e7-8692-232bd1143e8a", + "type": "visualization", + "version": 1 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"auditbeat-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" + }, + "title": "Socket Families [Auditbeat Kernel]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"title\":\"Socket Families [Auditbeat Kernel]\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"left\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"audit.kernel.socket.family\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Socket 
Family\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"audit.kernel.data.syscall\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Syscall\"}}]}" + }, + "id": "a8e20450-c256-11e7-8692-232bd1143e8a", + "type": "visualization", + "version": 3 + }, + { + "attributes": { + "columns": [ + "beat.hostname", + "audit.kernel.how", + "audit.kernel.thing.primary", + "audit.kernel.thing.secondary", + "audit.kernel.socket.family", + "audit.kernel.result" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"auditbeat-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"auditbeat-*\",\"key\":\"metricset.name\",\"negate\":false,\"params\":{\"query\":\"kernel\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"kernel\"},\"query\":{\"match\":{\"metricset.name\":{\"query\":\"kernel\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"auditbeat-*\",\"key\":\"audit.kernel.action\",\"negate\":false,\"params\":{\"query\":\"bound-socket\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"bound-socket\"},\"query\":{\"match\":{\"audit.kernel.action\":{\"query\":\"bound-socket\",\"type\":\"phrase\"}}}},{\"meta\":{\"negate\":true,\"index\":\"auditbeat-*\",\"type\":\"phrase\",\"key\":\"audit.kernel.socket.family\",\"value\":\"netlink\",\"params\":{\"query\":\"netlink\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"audit.kernel.socket.family\":{\"query\":\"netlink\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}" + }, + "sort": [ + "@timestamp", + "desc" + ], + "title": "Socket Binds [Auditbeat Kernel]", + "version": 1 + }, + "id": "b4c93470-c240-11e7-8692-232bd1143e8a", + "type": "search", + "version": 1 + }, + 
{ + "attributes": { + "columns": [ + "beat.hostname", + "audit.kernel.how", + "audit.kernel.thing.primary", + "audit.kernel.thing.secondary", + "audit.kernel.socket.family", + "audit.kernel.result", + "audit.kernel.data.exit" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"index\":\"auditbeat-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"auditbeat-*\",\"key\":\"metricset.name\",\"negate\":false,\"params\":{\"query\":\"kernel\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"kernel\"},\"query\":{\"match\":{\"metricset.name\":{\"query\":\"kernel\",\"type\":\"phrase\"}}}},{\"meta\":{\"negate\":false,\"index\":\"auditbeat-*\",\"type\":\"phrase\",\"key\":\"audit.kernel.action\",\"value\":\"connected-to\",\"params\":{\"query\":\"connected-to\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"audit.kernel.action\":{\"query\":\"connected-to\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"index\":\"auditbeat-*\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"exists\",\"key\":\"audit.kernel.thing.primary\",\"value\":\"exists\"},\"exists\":{\"field\":\"audit.kernel.thing.primary\"},\"$state\":{\"store\":\"appState\"}}]}" + }, + "sort": [ + "@timestamp", + "desc" + ], + "title": "Socket Connects [Auditbeat Kernel]", + "version": 1 + }, + "id": "5438b030-c246-11e7-8692-232bd1143e8a", + "type": "search", + "version": 2 + }, + { + "attributes": { + "columns": [ + "beat.hostname", + "audit.kernel.how", + "audit.kernel.thing.primary", + "audit.kernel.thing.secondary", + "audit.kernel.socket.family", + "audit.kernel.action" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": 
"{\"index\":\"auditbeat-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"auditbeat-*\",\"key\":\"metricset.name\",\"negate\":false,\"params\":{\"query\":\"kernel\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"kernel\"},\"query\":{\"match\":{\"metricset.name\":{\"query\":\"kernel\",\"type\":\"phrase\"}}}},{\"meta\":{\"negate\":false,\"index\":\"auditbeat-*\",\"type\":\"phrase\",\"key\":\"audit.kernel.thing.what\",\"value\":\"socket\",\"params\":{\"query\":\"socket\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"audit.kernel.thing.what\":{\"query\":\"socket\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"index\":\"auditbeat-*\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"exists\",\"key\":\"audit.kernel.thing.primary\",\"value\":\"exists\"},\"exists\":{\"field\":\"audit.kernel.thing.primary\"},\"$state\":{\"store\":\"appState\"}},{\"query\":{\"terms\":{\"audit.kernel.action\":[\"received-from\",\"accepted-connection-from\"]}},\"meta\":{\"negate\":false,\"index\":\"auditbeat-*\",\"disabled\":false,\"alias\":\"action accepted or received from\",\"type\":\"custom\",\"key\":\"query\",\"value\":\"{\\\"terms\\\":{\\\"audit.kernel.action\\\":[\\\"received-from\\\",\\\"accepted-connection-from\\\"]}}\"},\"$state\":{\"store\":\"appState\"}}]}" + }, + "sort": [ + "@timestamp", + "desc" + ], + "title": "Socket Accept / Recvfrom [Auditbeat Kernel]", + "version": 1 + }, + "id": "e8734160-c24c-11e7-8692-232bd1143e8a", + "type": "search", + "version": 1 + }, + { + "attributes": { + "description": "Summary of socket related syscall events.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[],\"highlightAll\":true,\"version\":true}" + }, + "optionsJSON": 
"{\"darkTheme\":false}", + "panelsJSON": "[{\"col\":7,\"id\":\"faf882f0-c242-11e7-8692-232bd1143e8a\",\"panelIndex\":1,\"row\":4,\"size_x\":6,\"size_y\":4,\"type\":\"visualization\"},{\"col\":1,\"id\":\"ea483730-c246-11e7-8692-232bd1143e8a\",\"panelIndex\":2,\"row\":8,\"size_x\":6,\"size_y\":5,\"type\":\"visualization\"},{\"col\":7,\"id\":\"ceb91de0-c250-11e7-8692-232bd1143e8a\",\"panelIndex\":3,\"row\":8,\"size_x\":6,\"size_y\":5,\"type\":\"visualization\"},{\"col\":1,\"id\":\"b21e0c70-c252-11e7-8692-232bd1143e8a\",\"panelIndex\":4,\"row\":1,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"a8e20450-c256-11e7-8692-232bd1143e8a\",\"panelIndex\":5,\"row\":4,\"size_x\":6,\"size_y\":4,\"type\":\"visualization\"}]", + "timeRestore": false, + "title": "[Auditbeat Kernel] Sockets", + "uiStateJSON": "{\"P-1\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-2\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-3\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}", + "version": 1 + }, + "id": "693a5f40-c243-11e7-8692-232bd1143e8a", + "type": "dashboard", + "version": 6 + } + ], + "version": "6.0.0-rc2" +} \ No newline at end of file diff --git a/auditbeat/module/audit/module.yml b/auditbeat/module/audit/module.yml index 8d02d7c1c637..1dea5f51f390 100644 --- a/auditbeat/module/audit/module.yml +++ b/auditbeat/module/audit/module.yml @@ -1,3 +1,12 @@ dashboards: - id: AV0tXkjYg1PYniApZbKP - file: Auditbeat-file-integrity.json + file: auditbeat-file-integrity.json + +- id: c0ac2c00-c1c0-11e7-8995-936807a28b16 + file: auditbeat-kernel-overview.json + +- id: 7de391b0-c1ca-11e7-8995-936807a28b16 + file: auditbeat-kernel-executions.json + +- id: 693a5f40-c243-11e7-8692-232bd1143e8a + file: auditbeat-kernel-sockets.json