Add more tutorials for Filebeat modules (SIEM) (#36768) (#36930)

* iptables/ubiquiti
* cisco asa
* envoyproxy

src/legacy/core_plugins/kibana/server/tutorials/cisco_logs/index.js

@@ -0,0 +1,66 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import { i18n }  from '@kbn/i18n';
+import { TUTORIAL_CATEGORY } from '../../../common/tutorials/tutorial_category';
+import { onPremInstructions, cloudInstructions, onPremCloudInstructions } from '../../../common/tutorials/filebeat_instructions';
+
+export function ciscoLogsSpecProvider(server, context) {
+  const moduleName = 'cisco';
+  const platforms = ['OSX', 'DEB', 'RPM', 'WINDOWS'];
+  return {
+    id: 'ciscoLogs',
+    name: i18n.translate('kbn.server.tutorials.ciscoLogs.nameTitle', {
+      defaultMessage: 'Cisco',
+    }),
+    category: TUTORIAL_CATEGORY.SECURITY,
+    shortDescription: i18n.translate('kbn.server.tutorials.ciscoLogs.shortDescription', {
+      defaultMessage: 'Collect and parse logs received from Cisco ASA firewalls.',
+    }),
+    longDescription: i18n.translate('kbn.server.tutorials.ciscoLogs.longDescription', {
+      defaultMessage: 'This is a module for Cisco network device’s logs. Currently \
+supports the "asa" fileset for Cisco ASA firewall logs received over syslog or read from a file. \
+[Learn more]({learnMoreLink}).',
+      values: {
+        learnMoreLink: '{config.docs.beats.filebeat}/filebeat-module-cisco.html',
+      },
+    }),
+    //euiIconType: 'logoCisco',
+    artifacts: {
+      dashboards: [],
+      application: {
+        path: '/app/siem',
+        label: i18n.translate(
+          'kbn.server.tutorials.ciscoLogs.artifacts.dashboards.linkLabel',
+          {
+            defaultMessage: 'SIEM App',
+          }
+        ),
+      },
+      exportedFields: {
+        documentationUrl: '{config.docs.beats.filebeat}/exported-fields-cisco.html'
+      }
+    },
+    completionTimeMinutes: 10,
+    previewImagePath: '/plugins/kibana/home/tutorial_resources/cisco_logs/screenshot.png',
+    onPrem: onPremInstructions(moduleName, platforms, context),
+    elasticCloud: cloudInstructions(moduleName, platforms),
+    onPremElasticCloud: onPremCloudInstructions(moduleName, platforms)
+  };
+}

src/legacy/core_plugins/kibana/server/tutorials/envoyproxy_logs/index.js

@@ -0,0 +1,66 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import { i18n }  from '@kbn/i18n';
+import { TUTORIAL_CATEGORY } from '../../../common/tutorials/tutorial_category';
+import { onPremInstructions, cloudInstructions, onPremCloudInstructions } from '../../../common/tutorials/filebeat_instructions';
+
+export function envoyproxyLogsSpecProvider(server, context) {
+  const moduleName = 'envoyproxy';
+  const platforms = ['OSX', 'DEB', 'RPM', 'WINDOWS'];
+  return {
+    id: 'envoyproxyLogs',
+    name: i18n.translate('kbn.server.tutorials.envoyproxyLogs.nameTitle', {
+      defaultMessage: 'Envoyproxy',
+    }),
+    category: TUTORIAL_CATEGORY.SECURITY,
+    shortDescription: i18n.translate('kbn.server.tutorials.envoyproxyLogs.shortDescription', {
+      defaultMessage: 'Collect and parse logs received from the Envoy proxy.',
+    }),
+    longDescription: i18n.translate('kbn.server.tutorials.envoyproxyLogs.longDescription', {
+      defaultMessage: 'This is a filebeat module for [Envoy proxy access log](https://www.envoyproxy.io/docs/envoy/v1.10.0/configuration/access_log). \
+It supports both standalone deployment and Envoy proxy deployment in Kubernetes. \
+[Learn more]({learnMoreLink}).',
+      values: {
+        learnMoreLink: '{config.docs.beats.filebeat}/filebeat-module-envoyproxy.html',
+      },
+    }),
+    //euiIconType: 'logoCisco',
+    artifacts: {
+      dashboards: [],
+      application: {
+        path: '/app/siem',
+        label: i18n.translate(
+          'kbn.server.tutorials.envoyproxyLogs.artifacts.dashboards.linkLabel',
+          {
+            defaultMessage: 'SIEM App',
+          }
+        ),
+      },
+      exportedFields: {
+        documentationUrl: '{config.docs.beats.filebeat}/exported-fields-envoyproxy.html'
+      }
+    },
+    completionTimeMinutes: 10,
+    previewImagePath: '/plugins/kibana/home/tutorial_resources/envoyproxy_logs/screenshot.png',
+    onPrem: onPremInstructions(moduleName, platforms, context),
+    elasticCloud: cloudInstructions(moduleName, platforms),
+    onPremElasticCloud: onPremCloudInstructions(moduleName, platforms)
+  };
+}

src/legacy/core_plugins/kibana/server/tutorials/iptables_logs/index.js

@@ -0,0 +1,68 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import { i18n }  from '@kbn/i18n';
+import { TUTORIAL_CATEGORY } from '../../../common/tutorials/tutorial_category';
+import { onPremInstructions, cloudInstructions, onPremCloudInstructions } from '../../../common/tutorials/filebeat_instructions';
+
+export function iptablesLogsSpecProvider(server, context) {
+  const moduleName = 'iptables';
+  const platforms = ['DEB', 'RPM'];
+  return {
+    id: 'iptablesLogs',
+    name: i18n.translate('kbn.server.tutorials.iptablesLogs.nameTitle', {
+      defaultMessage: 'Iptables / Ubiquiti',
+    }),
+    category: TUTORIAL_CATEGORY.SECURITY,
+    shortDescription: i18n.translate('kbn.server.tutorials.iptablesLogs.shortDescription', {
+      defaultMessage: 'Collect and parse iptables and ip6tables logs or from Ubiqiti firewalls.',
+    }),
+    longDescription: i18n.translate('kbn.server.tutorials.iptablesLogs.longDescription', {
+      defaultMessage: 'This is a module for iptables and ip6tables logs. It parses logs \
+received over the network via syslog or from a file. Also, it understands the \
+prefix added by some Ubiquiti firewalls, which includes the rule set name, rule \
+number and the action performed on the traffic (allow/deny).. \
+[Learn more]({learnMoreLink}).',
+      values: {
+        learnMoreLink: '{config.docs.beats.filebeat}/filebeat-module-iptables.html',
+      },
+    }),
+    //euiIconType: 'logoUbiquiti',
+    artifacts: {
+      dashboards: [],
+      application: {
+        path: '/app/siem',
+        label: i18n.translate(
+          'kbn.server.tutorials.iptablesLogs.artifacts.dashboards.linkLabel',
+          {
+            defaultMessage: 'SIEM App',
+          }
+        ),
+      },
+      exportedFields: {
+        documentationUrl: '{config.docs.beats.filebeat}/exported-fields-iptables.html'
+      }
+    },
+    completionTimeMinutes: 10,
+    previewImagePath: '/plugins/kibana/home/tutorial_resources/iptables_logs/screenshot.png',
+    onPrem: onPremInstructions(moduleName, platforms, context),
+    elasticCloud: cloudInstructions(moduleName, platforms),
+    onPremElasticCloud: onPremCloudInstructions(moduleName, platforms)
+  };
+}

src/legacy/core_plugins/kibana/server/tutorials/register.js

@@ -71,6 +71,9 @@ import { natsLogsSpecProvider } from './nats_logs';
 import { corednsMetricsSpecProvider } from './coredns_metrics';
 import { corednsLogsSpecProvider } from './coredns_logs';
 import { auditbeatSpecProvider } from './auditbeat';
+import { iptablesLogsSpecProvider } from './iptables_logs';
+import { ciscoLogsSpecProvider } from './cisco_logs';
+import { envoyproxyLogsSpecProvider } from './envoyproxy_logs';
 
 export function registerTutorials(server) {
   server.registerTutorial(systemLogsSpecProvider);
@@ -127,4 +130,7 @@ export function registerTutorials(server) {
   server.registerTutorial(corednsMetricsSpecProvider);
   server.registerTutorial(corednsLogsSpecProvider);
   server.registerTutorial(auditbeatSpecProvider);
+  server.registerTutorial(iptablesLogsSpecProvider);
+  server.registerTutorial(ciscoLogsSpecProvider);
+  server.registerTutorial(envoyproxyLogsSpecProvider);
 }