From f75857239b87cb2f763e2cf0bfdd014e59adaa56 Mon Sep 17 00:00:00 2001
From: Adrian Serrano
Date: Mon, 30 Aug 2021 10:05:20 +0200
Subject: [PATCH 1/2] Filebeat auditd: Fix Top Exec Commands dashboard visualization

This visualization was expecting an uppercase EXECVE value in event.action while the ingest pipeline was lowercasing this value.
---
 CHANGELOG.next.asciidoc | 1 +
 .../visualization/5ebdbe50-0a0f-11e7-825f-6748cda7d858-ecs.json | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index c7374637883..b4d90d89f3a 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -303,6 +303,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fixes the Snyk module to work with the new API changes. {pull}27358[27358]
 - Fixes a bug in `http_endpoint` that caused numbers encoded as strings. {issue}27382[27382] {pull}27480[27480]
 - Update indentation for azure filebeat configuration. {pull}26604[26604]
+- Auditd: Fix Top Exec Commands dashboard visualization. {pull}NNN[NNN]
 
 *Heartbeat*
 
diff --git a/filebeat/module/auditd/_meta/kibana/7/visualization/5ebdbe50-0a0f-11e7-825f-6748cda7d858-ecs.json b/filebeat/module/auditd/_meta/kibana/7/visualization/5ebdbe50-0a0f-11e7-825f-6748cda7d858-ecs.json
index 3b93a15c4ad..068832a2f69 100644
--- a/filebeat/module/auditd/_meta/kibana/7/visualization/5ebdbe50-0a0f-11e7-825f-6748cda7d858-ecs.json
+++ b/filebeat/module/auditd/_meta/kibana/7/visualization/5ebdbe50-0a0f-11e7-825f-6748cda7d858-ecs.json
@@ -7,7 +7,7 @@
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
 "query": {
 "language": "kuery",
- "query": "event.action:EXECVE"
+ "query": "event.action:execve"
 }
 }
 },

From 8623bb7d88421f2900be9197d93258be2b0e9e3e Mon Sep 17 00:00:00 2001
From: Adrian Serrano
Date: Mon, 30 Aug 2021 10:08:22 +0200
Subject: [PATCH 2/2] PR Number

---
 CHANGELOG.next.asciidoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
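Review bot: The corrected literal `event.action:execve` in the `query` line is still tied to the ingest pipeline's lowercasing only by convention — nothing in the module asserts that a visualization's KQL filter uses a value the pipeline actually emits, which is presumably how the uppercase `EXECVE` mismatch shipped unnoticed. The sibling auditd visualizations, and any other Kibana version directory carrying the same saved object, are not visible here and may still filter on uppercase action values; they are worth checking before this merges. Assuming `event.action` is mapped as a keyword, the match is exact and case-sensitive, so documents indexed before the pipeline began lowercasing (if any such indices exist) will drop out of the panel; `"query": "event.action:(execve or EXECVE)"` would keep it populated across both generations of data, at the cost of a slightly broader filter. A short assertion in the module's system tests that this saved object's `query` matches an `event.action` value present in the pipeline's expected output would stop the drift from recurring; the enclosing `searchSourceJSON` object begins before the hunk.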
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index b4d90d89f3a..b47afb28f62 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -303,7 +303,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fixes the Snyk module to work with the new API changes. {pull}27358[27358]
 - Fixes a bug in `http_endpoint` that caused numbers encoded as strings. {issue}27382[27382] {pull}27480[27480]
 - Update indentation for azure filebeat configuration. {pull}26604[26604]
-- Auditd: Fix Top Exec Commands dashboard visualization. {pull}NNN[NNN]
+- Auditd: Fix Top Exec Commands dashboard visualization. {pull}27638[27638]
 
 *Heartbeat*
 