[SIEM] Additional Overview Network & Hosts metrics (#38005) (#38276)

[SIEM] Additional Overview Network & Hosts metrics (#38005)
This commit is contained in:
Steph Milovic 2019-06-06 14:21:50 -06:00 committed by GitHub
parent f1c13c9b17
commit 45c6f6e002
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
21 changed files with 508 additions and 101 deletions


@ -37,10 +37,7 @@ export const OverviewHost = pure<OverviewHostProps>(({ endDate, startDate, setQu
/>
}
title={
<FormattedMessage
id="xpack.siem.overview.hostsTitle"
defaultMessage="Host Beats Events"
/>
<FormattedMessage id="xpack.siem.overview.hostsTitle" defaultMessage="Host Events" />
}
>
<EuiButton href="#/link-to/hosts">


@ -10,6 +10,8 @@ exports[`Overview Host Stat Data rendering it renders the default OverviewHostSt
"auditbeatPackage": 2003,
"auditbeatProcess": 1200,
"auditbeatUser": 1979,
"filebeatSystemModule": 568,
"winlogbeat": 296999,
}
}
loading={false}


@ -98,6 +98,27 @@ const overviewHostStats = (data: OverviewHostData) => [
/>
),
},
{
description:
has('filebeatSystemModule', data) && data.filebeatSystemModule !== null
? numeral(data.filebeatSystemModule).format('0,0')
: getEmptyTagValue(),
title: (
<FormattedMessage
id="xpack.siem.overview.filebeatSystemModuleTitle"
defaultMessage="Filebeat System Module"
/>
),
},
{
description:
has('winlogbeat', data) && data.winlogbeat !== null
? numeral(data.winlogbeat).format('0,0')
: getEmptyTagValue(),
title: (
<FormattedMessage id="xpack.siem.overview.winlogbeatTitle" defaultMessage="Winlogbeat" />
),
},
];
export const DescriptionListDescription = styled(EuiDescriptionListDescription)`


@ -14,5 +14,7 @@ export const mockData: { OverviewHost: OverviewHostData } = {
auditbeatPackage: 2003,
auditbeatProcess: 1200,
auditbeatUser: 1979,
filebeatSystemModule: 568,
winlogbeat: 296999,
},
};


@ -37,10 +37,7 @@ export const OverviewNetwork = pure<OwnProps>(({ endDate, startDate, setQuery })
/>
}
title={
<FormattedMessage
id="xpack.siem.overview.networkTitle"
defaultMessage="Network Beats Events"
/>
<FormattedMessage id="xpack.siem.overview.networkTitle" defaultMessage="Network Events" />
}
>
<EuiButton href="#/link-to/network/">


@ -5,10 +5,14 @@ exports[`Overview Network Stat Data rendering it renders the default OverviewNet
data={
Object {
"auditbeatSocket": 12,
"filebeatCisco": 999,
"filebeatNetflow": 7777,
"filebeatPanw": 66,
"filebeatSuricata": 60015,
"filebeatZeek": 2003,
"packetbeatDNS": 10277307,
"packetbeatFlow": 16,
"packetbeatTLS": 3400000,
}
}
loading={false}


@ -38,6 +38,42 @@ const overviewNetworkStats = (data: OverviewNetworkData) => [
/>
),
},
{
description:
has('filebeatCisco', data) && data.filebeatCisco !== null
? numeral(data.filebeatCisco).format('0,0')
: getEmptyTagValue(),
title: (
<FormattedMessage
id="xpack.siem.overview.filebeatCiscoTitle"
defaultMessage="Filebeat Cisco"
/>
),
},
{
description:
has('filebeatNetflow', data) && data.filebeatNetflow !== null
? numeral(data.filebeatNetflow).format('0,0')
: getEmptyTagValue(),
title: (
<FormattedMessage
id="xpack.siem.overview.filebeatNetflowTitle"
defaultMessage="Filebeat Netflow"
/>
),
},
{
description:
has('filebeatPanw', data) && data.filebeatPanw !== null
? numeral(data.filebeatPanw).format('0,0')
: getEmptyTagValue(),
title: (
<FormattedMessage
id="xpack.siem.overview.filebeatPanwTitle"
defaultMessage="Filebeat Palo Alto Network"
/>
),
},
{
description:
has('filebeatSuricata', data) && data.filebeatSuricata !== null
@ -83,6 +119,18 @@ const overviewNetworkStats = (data: OverviewNetworkData) => [
/>
),
},
{
description:
has('packetbeatTLS', data) && data.packetbeatTLS !== null
? numeral(data.packetbeatTLS).format('0,0')
: getEmptyTagValue(),
title: (
<FormattedMessage
id="xpack.siem.overview.packetbeatTLSTitle"
defaultMessage="Packetbeat TLS"
/>
),
},
];
export const DescriptionListDescription = styled(EuiDescriptionListDescription)`
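Review bot: The new `filebeatPanw` entry's user-facing label reads `defaultMessage="Filebeat Palo Alto Network"`, while the vendor and the corresponding Filebeat module name is "Palo Alto Networks"; the sibling labels ("Filebeat Cisco", "Filebeat Netflow", "Packetbeat TLS") all use the product name, so this one should be `defaultMessage="Filebeat Palo Alto Networks"`. Since the i18n id `xpack.siem.overview.filebeatPanwTitle` is new in this commit, the default message can be corrected without touching any translation files. The `overviewNetworkStats` array starts above the first hunk and continues between the two hunks.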


@ -8,10 +8,14 @@ import { OverviewNetworkData } from '../../../../graphql/types';
export const mockData: { OverviewNetwork: OverviewNetworkData } = {
OverviewNetwork: {
packetbeatFlow: 16,
packetbeatDNS: 10277307,
auditbeatSocket: 12,
filebeatCisco: 999,
filebeatNetflow: 7777,
filebeatPanw: 66,
filebeatSuricata: 60015,
filebeatZeek: 2003,
auditbeatSocket: 12,
packetbeatDNS: 10277307,
packetbeatFlow: 16,
packetbeatTLS: 3400000,
},
};


@ -22,6 +22,8 @@ export const overviewHostQuery = gql`
auditbeatPackage
auditbeatProcess
auditbeatUser
filebeatSystemModule
winlogbeat
}
}
}


@ -20,11 +20,15 @@ export const overviewNetworkQuery = gql`
filterQuery: $filterQuery
defaultIndex: $defaultIndex
) {
packetbeatFlow
packetbeatDNS
auditbeatSocket
filebeatCisco
filebeatNetflow
filebeatPanw
filebeatSuricata
filebeatZeek
auditbeatSocket
packetbeatDNS
packetbeatFlow
packetbeatTLS
}
}
}


@ -7628,7 +7628,7 @@
"description": "",
"fields": [
{
"name": "packetbeatFlow",
"name": "auditbeatSocket",
"description": "",
"args": [],
"type": {
@ -7640,7 +7640,31 @@
"deprecationReason": null
},
{
"name": "packetbeatDNS",
"name": "filebeatCisco",
"description": "",
"args": [],
"type": {
"kind": "NON_NULL",
"name": null,
"ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
},
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "filebeatNetflow",
"description": "",
"args": [],
"type": {
"kind": "NON_NULL",
"name": null,
"ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
},
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "filebeatPanw",
"description": "",
"args": [],
"type": {
@ -7667,15 +7691,47 @@
"name": "filebeatZeek",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "Float", "ofType": null },
"type": {
"kind": "NON_NULL",
"name": null,
"ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
},
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "auditbeatSocket",
"name": "packetbeatDNS",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "Float", "ofType": null },
"type": {
"kind": "NON_NULL",
"name": null,
"ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
},
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "packetbeatFlow",
"description": "",
"args": [],
"type": {
"kind": "NON_NULL",
"name": null,
"ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
},
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "packetbeatTLS",
"description": "",
"args": [],
"type": {
"kind": "NON_NULL",
"name": null,
"ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
},
"isDeprecated": false,
"deprecationReason": null
}
@ -7694,7 +7750,11 @@
"name": "auditbeatAuditd",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "Float", "ofType": null },
"type": {
"kind": "NON_NULL",
"name": null,
"ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
},
"isDeprecated": false,
"deprecationReason": null
},
@ -7702,7 +7762,11 @@
"name": "auditbeatFIM",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "Float", "ofType": null },
"type": {
"kind": "NON_NULL",
"name": null,
"ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
},
"isDeprecated": false,
"deprecationReason": null
},
@ -7710,7 +7774,11 @@
"name": "auditbeatLogin",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "Float", "ofType": null },
"type": {
"kind": "NON_NULL",
"name": null,
"ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
},
"isDeprecated": false,
"deprecationReason": null
},
@ -7718,7 +7786,11 @@
"name": "auditbeatPackage",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "Float", "ofType": null },
"type": {
"kind": "NON_NULL",
"name": null,
"ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
},
"isDeprecated": false,
"deprecationReason": null
},
@ -7726,7 +7798,11 @@
"name": "auditbeatProcess",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "Float", "ofType": null },
"type": {
"kind": "NON_NULL",
"name": null,
"ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
},
"isDeprecated": false,
"deprecationReason": null
},
@ -7734,7 +7810,35 @@
"name": "auditbeatUser",
"description": "",
"args": [],
"type": { "kind": "SCALAR", "name": "Float", "ofType": null },
"type": {
"kind": "NON_NULL",
"name": null,
"ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
},
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "filebeatSystemModule",
"description": "",
"args": [],
"type": {
"kind": "NON_NULL",
"name": null,
"ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
},
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "winlogbeat",
"description": "",
"args": [],
"type": {
"kind": "NON_NULL",
"name": null,
"ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
},
"isDeprecated": false,
"deprecationReason": null
}


@ -1180,29 +1180,41 @@ export interface NetworkDnsItem {
}
export interface OverviewNetworkData {
packetbeatFlow: number;
auditbeatSocket: number;
packetbeatDNS: number;
filebeatCisco: number;
filebeatNetflow: number;
filebeatPanw: number;
filebeatSuricata: number;
filebeatZeek?: number | null;
filebeatZeek: number;
auditbeatSocket?: number | null;
packetbeatDNS: number;
packetbeatFlow: number;
packetbeatTLS: number;
}
export interface OverviewHostData {
auditbeatAuditd?: number | null;
auditbeatAuditd: number;
auditbeatFIM?: number | null;
auditbeatFIM: number;
auditbeatLogin?: number | null;
auditbeatLogin: number;
auditbeatPackage?: number | null;
auditbeatPackage: number;
auditbeatProcess?: number | null;
auditbeatProcess: number;
auditbeatUser?: number | null;
auditbeatUser: number;
filebeatSystemModule: number;
winlogbeat: number;
}
export interface UncommonProcessesData {
@ -3226,17 +3238,21 @@ export namespace GetOverviewHostQuery {
export type OverviewHost = {
__typename?: 'OverviewHostData';
auditbeatAuditd?: number | null;
auditbeatAuditd: number;
auditbeatFIM?: number | null;
auditbeatFIM: number;
auditbeatLogin?: number | null;
auditbeatLogin: number;
auditbeatPackage?: number | null;
auditbeatPackage: number;
auditbeatProcess?: number | null;
auditbeatProcess: number;
auditbeatUser?: number | null;
auditbeatUser: number;
filebeatSystemModule: number;
winlogbeat: number;
};
}
@ -3265,15 +3281,23 @@ export namespace GetOverviewNetworkQuery {
export type OverviewNetwork = {
__typename?: 'OverviewNetworkData';
packetbeatFlow: number;
auditbeatSocket: number;
packetbeatDNS: number;
filebeatCisco: number;
filebeatNetflow: number;
filebeatPanw: number;
filebeatSuricata: number;
filebeatZeek?: number | null;
filebeatZeek: number;
auditbeatSocket?: number | null;
packetbeatDNS: number;
packetbeatFlow: number;
packetbeatTLS: number;
};
}


@ -8,20 +8,26 @@ import gql from 'graphql-tag';
export const overviewSchema = gql`
type OverviewNetworkData {
packetbeatFlow: Float!
packetbeatDNS: Float!
auditbeatSocket: Float!
filebeatCisco: Float!
filebeatNetflow: Float!
filebeatPanw: Float!
filebeatSuricata: Float!
filebeatZeek: Float
auditbeatSocket: Float
filebeatZeek: Float!
packetbeatDNS: Float!
packetbeatFlow: Float!
packetbeatTLS: Float!
}
type OverviewHostData {
auditbeatAuditd: Float
auditbeatFIM: Float
auditbeatLogin: Float
auditbeatPackage: Float
auditbeatProcess: Float
auditbeatUser: Float
auditbeatAuditd: Float!
auditbeatFIM: Float!
auditbeatLogin: Float!
auditbeatPackage: Float!
auditbeatProcess: Float!
auditbeatUser: Float!
filebeatSystemModule: Float!
winlogbeat: Float!
}
extend type Source {
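Review bot: Declaring every `OverviewNetworkData` and `OverviewHostData` field as `Float!` is not backed by the resolver in elasticsearch_adapter.ts, which still fills each field with `getOr(null, 'aggregations.…doc_count', response)`; should the `aggregations` key or one of the sub-aggregations ever be missing from the Elasticsearch response, the resolver hands null to a non-null field and GraphQL nulls out the whole parent object with an error instead of rendering a zero. Either keep the fields nullable, or switch the adapter defaults to `getOr(0, …)` and add an adapter test whose mock response has no `aggregations` key at all (the existing no-data tests only set `doc_count = 0`, never omit the key). The client-side guards in overview_host_stats/overview_network_stats, e.g. `has('winlogbeat', data) && data.winlogbeat !== null`, now look unreachable under the generated `number` types but remain reachable at runtime for the same reason, so the types and the runtime contract should be reconciled in one direction. The `overviewSchema` template continues past this hunk.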


@ -1209,29 +1209,41 @@ export interface NetworkDnsItem {
}
export interface OverviewNetworkData {
packetbeatFlow: number;
auditbeatSocket: number;
packetbeatDNS: number;
filebeatCisco: number;
filebeatNetflow: number;
filebeatPanw: number;
filebeatSuricata: number;
filebeatZeek?: number | null;
filebeatZeek: number;
auditbeatSocket?: number | null;
packetbeatDNS: number;
packetbeatFlow: number;
packetbeatTLS: number;
}
export interface OverviewHostData {
auditbeatAuditd?: number | null;
auditbeatAuditd: number;
auditbeatFIM?: number | null;
auditbeatFIM: number;
auditbeatLogin?: number | null;
auditbeatLogin: number;
auditbeatPackage?: number | null;
auditbeatPackage: number;
auditbeatProcess?: number | null;
auditbeatProcess: number;
auditbeatUser?: number | null;
auditbeatUser: number;
filebeatSystemModule: number;
winlogbeat: number;
}
export interface UncommonProcessesData {
@ -6236,23 +6248,41 @@ export namespace NetworkDnsItemResolvers {
export namespace OverviewNetworkDataResolvers {
export interface Resolvers<Context = SiemContext, TypeParent = OverviewNetworkData> {
packetbeatFlow?: PacketbeatFlowResolver<number, TypeParent, Context>;
auditbeatSocket?: AuditbeatSocketResolver<number, TypeParent, Context>;
packetbeatDNS?: PacketbeatDnsResolver<number, TypeParent, Context>;
filebeatCisco?: FilebeatCiscoResolver<number, TypeParent, Context>;
filebeatNetflow?: FilebeatNetflowResolver<number, TypeParent, Context>;
filebeatPanw?: FilebeatPanwResolver<number, TypeParent, Context>;
filebeatSuricata?: FilebeatSuricataResolver<number, TypeParent, Context>;
filebeatZeek?: FilebeatZeekResolver<number | null, TypeParent, Context>;
filebeatZeek?: FilebeatZeekResolver<number, TypeParent, Context>;
auditbeatSocket?: AuditbeatSocketResolver<number | null, TypeParent, Context>;
packetbeatDNS?: PacketbeatDnsResolver<number, TypeParent, Context>;
packetbeatFlow?: PacketbeatFlowResolver<number, TypeParent, Context>;
packetbeatTLS?: PacketbeatTlsResolver<number, TypeParent, Context>;
}
export type PacketbeatFlowResolver<
export type AuditbeatSocketResolver<
R = number,
Parent = OverviewNetworkData,
Context = SiemContext
> = Resolver<R, Parent, Context>;
export type PacketbeatDnsResolver<
export type FilebeatCiscoResolver<
R = number,
Parent = OverviewNetworkData,
Context = SiemContext
> = Resolver<R, Parent, Context>;
export type FilebeatNetflowResolver<
R = number,
Parent = OverviewNetworkData,
Context = SiemContext
> = Resolver<R, Parent, Context>;
export type FilebeatPanwResolver<
R = number,
Parent = OverviewNetworkData,
Context = SiemContext
@ -6263,12 +6293,22 @@ export namespace OverviewNetworkDataResolvers {
Context = SiemContext
> = Resolver<R, Parent, Context>;
export type FilebeatZeekResolver<
R = number | null,
R = number,
Parent = OverviewNetworkData,
Context = SiemContext
> = Resolver<R, Parent, Context>;
export type AuditbeatSocketResolver<
R = number | null,
export type PacketbeatDnsResolver<
R = number,
Parent = OverviewNetworkData,
Context = SiemContext
> = Resolver<R, Parent, Context>;
export type PacketbeatFlowResolver<
R = number,
Parent = OverviewNetworkData,
Context = SiemContext
> = Resolver<R, Parent, Context>;
export type PacketbeatTlsResolver<
R = number,
Parent = OverviewNetworkData,
Context = SiemContext
> = Resolver<R, Parent, Context>;
@ -6276,46 +6316,60 @@ export namespace OverviewNetworkDataResolvers {
export namespace OverviewHostDataResolvers {
export interface Resolvers<Context = SiemContext, TypeParent = OverviewHostData> {
auditbeatAuditd?: AuditbeatAuditdResolver<number | null, TypeParent, Context>;
auditbeatAuditd?: AuditbeatAuditdResolver<number, TypeParent, Context>;
auditbeatFIM?: AuditbeatFimResolver<number | null, TypeParent, Context>;
auditbeatFIM?: AuditbeatFimResolver<number, TypeParent, Context>;
auditbeatLogin?: AuditbeatLoginResolver<number | null, TypeParent, Context>;
auditbeatLogin?: AuditbeatLoginResolver<number, TypeParent, Context>;
auditbeatPackage?: AuditbeatPackageResolver<number | null, TypeParent, Context>;
auditbeatPackage?: AuditbeatPackageResolver<number, TypeParent, Context>;
auditbeatProcess?: AuditbeatProcessResolver<number | null, TypeParent, Context>;
auditbeatProcess?: AuditbeatProcessResolver<number, TypeParent, Context>;
auditbeatUser?: AuditbeatUserResolver<number | null, TypeParent, Context>;
auditbeatUser?: AuditbeatUserResolver<number, TypeParent, Context>;
filebeatSystemModule?: FilebeatSystemModuleResolver<number, TypeParent, Context>;
winlogbeat?: WinlogbeatResolver<number, TypeParent, Context>;
}
export type AuditbeatAuditdResolver<
R = number | null,
R = number,
Parent = OverviewHostData,
Context = SiemContext
> = Resolver<R, Parent, Context>;
export type AuditbeatFimResolver<
R = number | null,
R = number,
Parent = OverviewHostData,
Context = SiemContext
> = Resolver<R, Parent, Context>;
export type AuditbeatLoginResolver<
R = number | null,
R = number,
Parent = OverviewHostData,
Context = SiemContext
> = Resolver<R, Parent, Context>;
export type AuditbeatPackageResolver<
R = number | null,
R = number,
Parent = OverviewHostData,
Context = SiemContext
> = Resolver<R, Parent, Context>;
export type AuditbeatProcessResolver<
R = number | null,
R = number,
Parent = OverviewHostData,
Context = SiemContext
> = Resolver<R, Parent, Context>;
export type AuditbeatUserResolver<
R = number | null,
R = number,
Parent = OverviewHostData,
Context = SiemContext
> = Resolver<R, Parent, Context>;
export type FilebeatSystemModuleResolver<
R = number,
Parent = OverviewHostData,
Context = SiemContext
> = Resolver<R, Parent, Context>;
export type WinlogbeatResolver<
R = number,
Parent = OverviewHostData,
Context = SiemContext
> = Resolver<R, Parent, Context>;


@ -55,6 +55,11 @@ describe('Siem Overview elasticsearch_adapter', () => {
mockNoDataResponse.aggregations.unique_suricata_count.doc_count = 0;
mockNoDataResponse.aggregations.unique_zeek_count.doc_count = 0;
mockNoDataResponse.aggregations.unique_socket_count.doc_count = 0;
mockNoDataResponse.aggregations.unique_zeek_count.doc_count = 0;
mockNoDataResponse.aggregations.unique_packetbeat_count.unique_tls_count.doc_count = 0;
mockNoDataResponse.aggregations.unique_filebeat_count.unique_cisco_count.doc_count = 0;
mockNoDataResponse.aggregations.unique_filebeat_count.unique_netflow_count.doc_count = 0;
mockNoDataResponse.aggregations.unique_filebeat_count.unique_panw_count.doc_count = 0;
const mockCallWithRequest = jest.fn();
mockCallWithRequest.mockResolvedValue(mockNoDataResponse);
const mockFramework: FrameworkAdapter = {
@ -76,11 +81,15 @@ describe('Siem Overview elasticsearch_adapter', () => {
mockOptionsNetwork
);
expect(data).toEqual({
packetbeatFlow: 0,
packetbeatDNS: 0,
auditbeatSocket: 0,
filebeatCisco: 0,
filebeatNetflow: 0,
filebeatPanw: 0,
filebeatSuricata: 0,
filebeatZeek: 0,
auditbeatSocket: 0,
packetbeatDNS: 0,
packetbeatFlow: 0,
packetbeatTLS: 0,
});
});
});
@ -119,6 +128,8 @@ describe('Siem Overview elasticsearch_adapter', () => {
mockNoDataResponse.aggregations.system_module.package_count.doc_count = 0;
mockNoDataResponse.aggregations.system_module.process_count.doc_count = 0;
mockNoDataResponse.aggregations.system_module.user_count.doc_count = 0;
mockNoDataResponse.aggregations.system_module.filebeat_count.doc_count = 0;
mockNoDataResponse.aggregations.winlog_count.doc_count = 0;
const mockCallWithRequest = jest.fn();
mockCallWithRequest.mockResolvedValue(mockNoDataResponse);
const mockFramework: FrameworkAdapter = {
@ -146,6 +157,8 @@ describe('Siem Overview elasticsearch_adapter', () => {
auditbeatPackage: 0,
auditbeatProcess: 0,
auditbeatUser: 0,
filebeatSystemModule: 0,
winlogbeat: 0,
});
});
});
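Review bot: In the first hunk the no-data setup assigns `mockNoDataResponse.aggregations.unique_zeek_count.doc_count = 0;` twice — once on the existing line and again on the newly added line directly below it — so the added line is redundant and should be dropped, or, if it was meant to zero a different counter, pointed at the aggregation that is actually missing from the setup. The new assertions only cover the case where every aggregation is present with `doc_count` 0; a second case with the nested `unique_filebeat_count`/`unique_packetbeat_count` keys absent would pin what the adapter's `getOr(null, …)` defaults return, which matters now that the schema marks these fields non-null. The `describe` block starts before the first hunk.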


@ -27,11 +27,31 @@ export class ElasticsearchOverviewAdapter implements OverviewAdapter {
);
return {
packetbeatFlow: getOr(null, 'aggregations.unique_flow_count.doc_count', response),
packetbeatDNS: getOr(null, 'aggregations.unique_dns_count.doc_count', response),
auditbeatSocket: getOr(null, 'aggregations.unique_socket_count.doc_count', response),
filebeatCisco: getOr(
null,
'aggregations.unique_filebeat_count.unique_cisco_count.doc_count',
response
),
filebeatNetflow: getOr(
null,
'aggregations.unique_filebeat_count.unique_netflow_count.doc_count',
response
),
filebeatPanw: getOr(
null,
'aggregations.unique_filebeat_count.unique_panw_count.doc_count',
response
),
filebeatSuricata: getOr(null, 'aggregations.unique_suricata_count.doc_count', response),
filebeatZeek: getOr(null, 'aggregations.unique_zeek_count.doc_count', response),
auditbeatSocket: getOr(null, 'aggregations.unique_socket_count.doc_count', response),
packetbeatDNS: getOr(null, 'aggregations.unique_dns_count.doc_count', response),
packetbeatFlow: getOr(null, 'aggregations.unique_flow_count.doc_count', response),
packetbeatTLS: getOr(
null,
'aggregations.unique_packetbeat_count.unique_tls_count.doc_count',
response
),
};
}
@ -52,6 +72,12 @@ export class ElasticsearchOverviewAdapter implements OverviewAdapter {
auditbeatPackage: getOr(null, 'aggregations.system_module.package_count.doc_count', response),
auditbeatProcess: getOr(null, 'aggregations.system_module.process_count.doc_count', response),
auditbeatUser: getOr(null, 'aggregations.system_module.user_count.doc_count', response),
filebeatSystemModule: getOr(
null,
'aggregations.system_module.filebeat_count.doc_count',
response
),
winlogbeat: getOr(null, 'aggregations.winlog_count.doc_count', response),
};
}
}


@ -48,6 +48,13 @@ export const mockResponseNetwork = {
unique_suricata_count: { doc_count: 2375 },
unique_zeek_count: { doc_count: 456 },
unique_socket_count: { doc_count: 13 },
unique_filebeat_count: {
doc_count: 456756,
unique_cisco_count: { doc_count: 14 },
unique_netflow_count: { doc_count: 992 },
unique_panw_count: { doc_count: 225 },
},
unique_packetbeat_count: { doc_count: 7897896, unique_tls_count: { doc_count: 2009 } },
},
};
@ -57,6 +64,10 @@ export const mockResultNetwork = {
filebeatSuricata: 2375,
filebeatZeek: 456,
auditbeatSocket: 13,
filebeatCisco: 14,
filebeatNetflow: 992,
filebeatPanw: 225,
packetbeatTLS: 2009,
};
export const mockOptionsHost: RequestBasicOptions = {
@ -104,7 +115,9 @@ export const mockResponseHost = {
package_count: { doc_count: 2003 },
process_count: { doc_count: 1200 },
user_count: { doc_count: 1979 },
filebeat_count: { doc_count: 225 },
},
winlog_count: { doc_count: 737 },
},
};
@ -115,4 +128,6 @@ export const mockResultHost = {
auditbeatPackage: 2003,
auditbeatProcess: 1200,
auditbeatUser: 1979,
filebeatSystemModule: 225,
winlogbeat: 737,
};


@ -57,6 +57,40 @@ export const buildOverviewNetworkQuery = ({
term: { 'event.dataset': 'socket' },
},
},
unique_filebeat_count: {
filter: {
term: { 'agent.type': 'filebeat' },
},
aggs: {
unique_netflow_count: {
filter: {
term: { 'input.type': 'netflow' },
},
},
unique_panw_count: {
filter: {
term: { 'event.module': 'panw' },
},
},
unique_cisco_count: {
filter: {
term: { 'event.module': 'cisco' },
},
},
},
},
unique_packetbeat_count: {
filter: {
term: { 'agent.type': 'packetbeat' },
},
aggs: {
unique_tls_count: {
filter: {
term: { 'network.protocol': 'tls' },
},
},
},
},
},
query: {
bool: {
@ -111,6 +145,13 @@ export const buildOverviewHostQuery = ({
},
},
},
winlog_count: {
filter: {
term: {
'agent.type': 'winlogbeat',
},
},
},
system_module: {
filter: {
term: {
@ -146,6 +187,13 @@ export const buildOverviewHostQuery = ({
},
},
},
filebeat_count: {
filter: {
term: {
'agent.type': 'filebeat',
},
},
},
},
},
},
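Review bot: Inside `unique_filebeat_count` the netflow bucket filters on `term: { 'input.type': 'netflow' }` while its siblings `unique_panw_count` and `unique_cisco_count` filter on `event.module`; if the intent is to count the Filebeat netflow module's events the inconsistency deserves an explanatory comment, since a reader will otherwise assume one of the three is a typo. Suggested comment above the netflow filter: `// netflow is counted by input.type rather than event.module — confirm this matches the netflow module's field mapping`. The outer `doc_count` of `unique_filebeat_count` and `unique_packetbeat_count` is never read by the adapter, which is fine for a filter aggregation but worth a one-line comment so nobody tries to surface it later. `buildOverviewNetworkQuery` and `buildOverviewHostQuery` both begin above their hunks.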


@ -35,6 +35,22 @@ export interface OverviewNetworkHit extends SearchHit {
unique_socket_count: {
doc_count: number;
};
unique_filebeat_count: {
unique_netflow_count: {
doc_count: number;
};
unique_panw_count: {
doc_count: number;
};
unique_cisco_count: {
doc_count: number;
};
};
unique_packetbeat_count: {
unique_tls_count: {
doc_count: number;
};
};
};
}
@ -59,6 +75,12 @@ export interface OverviewHostHit extends SearchHit {
user_count: {
doc_count: number;
};
filebeat_count: {
doc_count: number;
};
};
winlog_count: {
doc_count: number;
};
};
}
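Review bot: The new `unique_filebeat_count` and `unique_packetbeat_count` members of `OverviewNetworkHit` omit the bucket's own `doc_count`, yet the mock response in this same commit (`unique_filebeat_count: { doc_count: 456756, … }`) and every existing sibling such as `unique_socket_count` declare it; adding `doc_count: number;` to both nested types keeps the hit type faithful to the response shape the adapter receives. The `OverviewNetworkHit` interface starts above the first hunk.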


@ -26,6 +26,8 @@ const overviewHostTests: KbnTestProvider = ({ getService }) => {
auditbeatPackage: 3,
auditbeatProcess: 7,
auditbeatUser: 6,
filebeatSystemModule: 0,
winlogbeat: 0,
__typename: 'OverviewHostData',
};


@ -21,11 +21,15 @@ const overviewNetworkTests: KbnTestProvider = ({ getService }) => {
const TO = new Date('3000-01-01T00:00:00.000Z').valueOf();
const expectedResult = {
packetbeatFlow: 0,
packetbeatDNS: 0,
auditbeatSocket: 0,
filebeatCisco: 0,
filebeatNetflow: 1273,
filebeatPanw: 0,
filebeatSuricata: 4547,
filebeatZeek: 0,
auditbeatSocket: 0,
packetbeatDNS: 0,
packetbeatFlow: 0,
packetbeatTLS: 0,
__typename: 'OverviewNetworkData',
};
@ -57,11 +61,15 @@ const overviewNetworkTests: KbnTestProvider = ({ getService }) => {
const FROM = new Date('2000-01-01T00:00:00.000Z').valueOf();
const TO = new Date('3000-01-01T00:00:00.000Z').valueOf();
const expectedResult = {
packetbeatFlow: 0,
packetbeatDNS: 0,
auditbeatSocket: 0,
filebeatCisco: 0,
filebeatNetflow: 1273,
filebeatPanw: 0,
filebeatSuricata: 4547,
filebeatZeek: 0,
auditbeatSocket: 0,
packetbeatDNS: 0,
packetbeatFlow: 0,
packetbeatTLS: 0,
__typename: 'OverviewNetworkData',
};
@ -93,11 +101,15 @@ const overviewNetworkTests: KbnTestProvider = ({ getService }) => {
const FROM = new Date('2000-01-01T00:00:00.000Z').valueOf();
const TO = new Date('3000-01-01T00:00:00.000Z').valueOf();
const expectedResult = {
packetbeatFlow: 0,
packetbeatDNS: 0,
auditbeatSocket: 0,
filebeatCisco: 0,
filebeatNetflow: 1273,
filebeatPanw: 0,
filebeatSuricata: 4547,
filebeatZeek: 0,
auditbeatSocket: 0,
packetbeatDNS: 0,
packetbeatFlow: 0,
packetbeatTLS: 0,
__typename: 'OverviewNetworkData',
};