[SIEM] Additional Overview Network & Hosts metrics (#38005) (#38275)

[SIEM] Additional Overview Network & Hosts metrics (#38005)
This commit is contained in:
Steph Milovic 2019-06-06 11:58:00 -06:00 committed by GitHub
parent 05757eb0b9
commit 60deade6ba
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
21 changed files with 508 additions and 101 deletions


@ -37,10 +37,7 @@ export const OverviewHost = pure<OverviewHostProps>(({ endDate, startDate, setQu
/> />
} }
title={ title={
<FormattedMessage <FormattedMessage id="xpack.siem.overview.hostsTitle" defaultMessage="Host Events" />
id="xpack.siem.overview.hostsTitle"
defaultMessage="Host Beats Events"
/>
} }
> >
<EuiButton href="#/link-to/hosts"> <EuiButton href="#/link-to/hosts">


@ -10,6 +10,8 @@ exports[`Overview Host Stat Data rendering it renders the default OverviewHostSt
"auditbeatPackage": 2003, "auditbeatPackage": 2003,
"auditbeatProcess": 1200, "auditbeatProcess": 1200,
"auditbeatUser": 1979, "auditbeatUser": 1979,
"filebeatSystemModule": 568,
"winlogbeat": 296999,
} }
} }
loading={false} loading={false}


@ -98,6 +98,27 @@ const overviewHostStats = (data: OverviewHostData) => [
/> />
), ),
}, },
{
description:
has('filebeatSystemModule', data) && data.filebeatSystemModule !== null
? numeral(data.filebeatSystemModule).format('0,0')
: getEmptyTagValue(),
title: (
<FormattedMessage
id="xpack.siem.overview.filebeatSystemModuleTitle"
defaultMessage="Filebeat System Module"
/>
),
},
{
description:
has('winlogbeat', data) && data.winlogbeat !== null
? numeral(data.winlogbeat).format('0,0')
: getEmptyTagValue(),
title: (
<FormattedMessage id="xpack.siem.overview.winlogbeatTitle" defaultMessage="Winlogbeat" />
),
},
]; ];
export const DescriptionListDescription = styled(EuiDescriptionListDescription)` export const DescriptionListDescription = styled(EuiDescriptionListDescription)`


@ -14,5 +14,7 @@ export const mockData: { OverviewHost: OverviewHostData } = {
auditbeatPackage: 2003, auditbeatPackage: 2003,
auditbeatProcess: 1200, auditbeatProcess: 1200,
auditbeatUser: 1979, auditbeatUser: 1979,
filebeatSystemModule: 568,
winlogbeat: 296999,
}, },
}; };


@ -37,10 +37,7 @@ export const OverviewNetwork = pure<OwnProps>(({ endDate, startDate, setQuery })
/> />
} }
title={ title={
<FormattedMessage <FormattedMessage id="xpack.siem.overview.networkTitle" defaultMessage="Network Events" />
id="xpack.siem.overview.networkTitle"
defaultMessage="Network Beats Events"
/>
} }
> >
<EuiButton href="#/link-to/network/"> <EuiButton href="#/link-to/network/">


@ -5,10 +5,14 @@ exports[`Overview Network Stat Data rendering it renders the default OverviewNet
data={ data={
Object { Object {
"auditbeatSocket": 12, "auditbeatSocket": 12,
"filebeatCisco": 999,
"filebeatNetflow": 7777,
"filebeatPanw": 66,
"filebeatSuricata": 60015, "filebeatSuricata": 60015,
"filebeatZeek": 2003, "filebeatZeek": 2003,
"packetbeatDNS": 10277307, "packetbeatDNS": 10277307,
"packetbeatFlow": 16, "packetbeatFlow": 16,
"packetbeatTLS": 3400000,
} }
} }
loading={false} loading={false}


@ -38,6 +38,42 @@ const overviewNetworkStats = (data: OverviewNetworkData) => [
/> />
), ),
}, },
{
description:
has('filebeatCisco', data) && data.filebeatCisco !== null
? numeral(data.filebeatCisco).format('0,0')
: getEmptyTagValue(),
title: (
<FormattedMessage
id="xpack.siem.overview.filebeatCiscoTitle"
defaultMessage="Filebeat Cisco"
/>
),
},
{
description:
has('filebeatNetflow', data) && data.filebeatNetflow !== null
? numeral(data.filebeatNetflow).format('0,0')
: getEmptyTagValue(),
title: (
<FormattedMessage
id="xpack.siem.overview.filebeatNetflowTitle"
defaultMessage="Filebeat Netflow"
/>
),
},
{
description:
has('filebeatPanw', data) && data.filebeatPanw !== null
? numeral(data.filebeatPanw).format('0,0')
: getEmptyTagValue(),
title: (
<FormattedMessage
id="xpack.siem.overview.filebeatPanwTitle"
defaultMessage="Filebeat Palo Alto Network"
/>
),
},
{ {
description: description:
has('filebeatSuricata', data) && data.filebeatSuricata !== null has('filebeatSuricata', data) && data.filebeatSuricata !== null
@ -83,6 +119,18 @@ const overviewNetworkStats = (data: OverviewNetworkData) => [
/> />
), ),
}, },
{
description:
has('packetbeatTLS', data) && data.packetbeatTLS !== null
? numeral(data.packetbeatTLS).format('0,0')
: getEmptyTagValue(),
title: (
<FormattedMessage
id="xpack.siem.overview.packetbeatTLSTitle"
defaultMessage="Packetbeat TLS"
/>
),
},
]; ];
export const DescriptionListDescription = styled(EuiDescriptionListDescription)` export const DescriptionListDescription = styled(EuiDescriptionListDescription)`
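Review bot: The new label at L149, `defaultMessage="Filebeat Palo Alto Network"`, drops the trailing "s" from the vendor name; the `panw` module is named after Palo Alto Networks, so `defaultMessage="Filebeat Palo Alto Networks"` is what analysts will expect to read. Style-wise, the list is now eight near-identical entries that differ only in key, i18n id and label, each repeating the `has(...) && data.x !== null ? numeral(data.x).format('0,0') : getEmptyTagValue()` block; a small table of `{ key, id, label }` mapped through one helper would make adding the next Beat a one-line change. `overviewNetworkStats` starts before the hunk.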


@ -8,10 +8,14 @@ import { OverviewNetworkData } from '../../../../graphql/types';
export const mockData: { OverviewNetwork: OverviewNetworkData } = { export const mockData: { OverviewNetwork: OverviewNetworkData } = {
OverviewNetwork: { OverviewNetwork: {
packetbeatFlow: 16, auditbeatSocket: 12,
packetbeatDNS: 10277307, filebeatCisco: 999,
filebeatNetflow: 7777,
filebeatPanw: 66,
filebeatSuricata: 60015, filebeatSuricata: 60015,
filebeatZeek: 2003, filebeatZeek: 2003,
auditbeatSocket: 12, packetbeatDNS: 10277307,
packetbeatFlow: 16,
packetbeatTLS: 3400000,
}, },
}; };


@ -22,6 +22,8 @@ export const overviewHostQuery = gql`
auditbeatPackage auditbeatPackage
auditbeatProcess auditbeatProcess
auditbeatUser auditbeatUser
filebeatSystemModule
winlogbeat
} }
} }
} }


@ -20,11 +20,15 @@ export const overviewNetworkQuery = gql`
filterQuery: $filterQuery filterQuery: $filterQuery
defaultIndex: $defaultIndex defaultIndex: $defaultIndex
) { ) {
packetbeatFlow auditbeatSocket
packetbeatDNS filebeatCisco
filebeatNetflow
filebeatPanw
filebeatSuricata filebeatSuricata
filebeatZeek filebeatZeek
auditbeatSocket packetbeatDNS
packetbeatFlow
packetbeatTLS
} }
} }
} }


@ -7628,7 +7628,7 @@
"description": "", "description": "",
"fields": [ "fields": [
{ {
"name": "packetbeatFlow", "name": "auditbeatSocket",
"description": "", "description": "",
"args": [], "args": [],
"type": { "type": {
@ -7640,7 +7640,31 @@
"deprecationReason": null "deprecationReason": null
}, },
{ {
"name": "packetbeatDNS", "name": "filebeatCisco",
"description": "",
"args": [],
"type": {
"kind": "NON_NULL",
"name": null,
"ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
},
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "filebeatNetflow",
"description": "",
"args": [],
"type": {
"kind": "NON_NULL",
"name": null,
"ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
},
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "filebeatPanw",
"description": "", "description": "",
"args": [], "args": [],
"type": { "type": {
@ -7667,15 +7691,47 @@
"name": "filebeatZeek", "name": "filebeatZeek",
"description": "", "description": "",
"args": [], "args": [],
"type": { "kind": "SCALAR", "name": "Float", "ofType": null }, "type": {
"kind": "NON_NULL",
"name": null,
"ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
},
"isDeprecated": false, "isDeprecated": false,
"deprecationReason": null "deprecationReason": null
}, },
{ {
"name": "auditbeatSocket", "name": "packetbeatDNS",
"description": "", "description": "",
"args": [], "args": [],
"type": { "kind": "SCALAR", "name": "Float", "ofType": null }, "type": {
"kind": "NON_NULL",
"name": null,
"ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
},
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "packetbeatFlow",
"description": "",
"args": [],
"type": {
"kind": "NON_NULL",
"name": null,
"ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
},
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "packetbeatTLS",
"description": "",
"args": [],
"type": {
"kind": "NON_NULL",
"name": null,
"ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
},
"isDeprecated": false, "isDeprecated": false,
"deprecationReason": null "deprecationReason": null
} }
@ -7694,7 +7750,11 @@
"name": "auditbeatAuditd", "name": "auditbeatAuditd",
"description": "", "description": "",
"args": [], "args": [],
"type": { "kind": "SCALAR", "name": "Float", "ofType": null }, "type": {
"kind": "NON_NULL",
"name": null,
"ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
},
"isDeprecated": false, "isDeprecated": false,
"deprecationReason": null "deprecationReason": null
}, },
@ -7702,7 +7762,11 @@
"name": "auditbeatFIM", "name": "auditbeatFIM",
"description": "", "description": "",
"args": [], "args": [],
"type": { "kind": "SCALAR", "name": "Float", "ofType": null }, "type": {
"kind": "NON_NULL",
"name": null,
"ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
},
"isDeprecated": false, "isDeprecated": false,
"deprecationReason": null "deprecationReason": null
}, },
@ -7710,7 +7774,11 @@
"name": "auditbeatLogin", "name": "auditbeatLogin",
"description": "", "description": "",
"args": [], "args": [],
"type": { "kind": "SCALAR", "name": "Float", "ofType": null }, "type": {
"kind": "NON_NULL",
"name": null,
"ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
},
"isDeprecated": false, "isDeprecated": false,
"deprecationReason": null "deprecationReason": null
}, },
@ -7718,7 +7786,11 @@
"name": "auditbeatPackage", "name": "auditbeatPackage",
"description": "", "description": "",
"args": [], "args": [],
"type": { "kind": "SCALAR", "name": "Float", "ofType": null }, "type": {
"kind": "NON_NULL",
"name": null,
"ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
},
"isDeprecated": false, "isDeprecated": false,
"deprecationReason": null "deprecationReason": null
}, },
@ -7726,7 +7798,11 @@
"name": "auditbeatProcess", "name": "auditbeatProcess",
"description": "", "description": "",
"args": [], "args": [],
"type": { "kind": "SCALAR", "name": "Float", "ofType": null }, "type": {
"kind": "NON_NULL",
"name": null,
"ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
},
"isDeprecated": false, "isDeprecated": false,
"deprecationReason": null "deprecationReason": null
}, },
@ -7734,7 +7810,35 @@
"name": "auditbeatUser", "name": "auditbeatUser",
"description": "", "description": "",
"args": [], "args": [],
"type": { "kind": "SCALAR", "name": "Float", "ofType": null }, "type": {
"kind": "NON_NULL",
"name": null,
"ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
},
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "filebeatSystemModule",
"description": "",
"args": [],
"type": {
"kind": "NON_NULL",
"name": null,
"ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
},
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "winlogbeat",
"description": "",
"args": [],
"type": {
"kind": "NON_NULL",
"name": null,
"ofType": { "kind": "SCALAR", "name": "Float", "ofType": null }
},
"isDeprecated": false, "isDeprecated": false,
"deprecationReason": null "deprecationReason": null
} }


@ -1180,29 +1180,41 @@ export interface NetworkDnsItem {
} }
export interface OverviewNetworkData { export interface OverviewNetworkData {
packetbeatFlow: number; auditbeatSocket: number;
packetbeatDNS: number; filebeatCisco: number;
filebeatNetflow: number;
filebeatPanw: number;
filebeatSuricata: number; filebeatSuricata: number;
filebeatZeek?: number | null; filebeatZeek: number;
auditbeatSocket?: number | null; packetbeatDNS: number;
packetbeatFlow: number;
packetbeatTLS: number;
} }
export interface OverviewHostData { export interface OverviewHostData {
auditbeatAuditd?: number | null; auditbeatAuditd: number;
auditbeatFIM?: number | null; auditbeatFIM: number;
auditbeatLogin?: number | null; auditbeatLogin: number;
auditbeatPackage?: number | null; auditbeatPackage: number;
auditbeatProcess?: number | null; auditbeatProcess: number;
auditbeatUser?: number | null; auditbeatUser: number;
filebeatSystemModule: number;
winlogbeat: number;
} }
export interface UncommonProcessesData { export interface UncommonProcessesData {
@ -3230,17 +3242,21 @@ export namespace GetOverviewHostQuery {
export type OverviewHost = { export type OverviewHost = {
__typename?: 'OverviewHostData'; __typename?: 'OverviewHostData';
auditbeatAuditd?: number | null; auditbeatAuditd: number;
auditbeatFIM?: number | null; auditbeatFIM: number;
auditbeatLogin?: number | null; auditbeatLogin: number;
auditbeatPackage?: number | null; auditbeatPackage: number;
auditbeatProcess?: number | null; auditbeatProcess: number;
auditbeatUser?: number | null; auditbeatUser: number;
filebeatSystemModule: number;
winlogbeat: number;
}; };
} }
@ -3269,15 +3285,23 @@ export namespace GetOverviewNetworkQuery {
export type OverviewNetwork = { export type OverviewNetwork = {
__typename?: 'OverviewNetworkData'; __typename?: 'OverviewNetworkData';
packetbeatFlow: number; auditbeatSocket: number;
packetbeatDNS: number; filebeatCisco: number;
filebeatNetflow: number;
filebeatPanw: number;
filebeatSuricata: number; filebeatSuricata: number;
filebeatZeek?: number | null; filebeatZeek: number;
auditbeatSocket?: number | null; packetbeatDNS: number;
packetbeatFlow: number;
packetbeatTLS: number;
}; };
} }


@ -8,20 +8,26 @@ import gql from 'graphql-tag';
export const overviewSchema = gql` export const overviewSchema = gql`
type OverviewNetworkData { type OverviewNetworkData {
packetbeatFlow: Float! auditbeatSocket: Float!
packetbeatDNS: Float! filebeatCisco: Float!
filebeatNetflow: Float!
filebeatPanw: Float!
filebeatSuricata: Float! filebeatSuricata: Float!
filebeatZeek: Float filebeatZeek: Float!
auditbeatSocket: Float packetbeatDNS: Float!
packetbeatFlow: Float!
packetbeatTLS: Float!
} }
type OverviewHostData { type OverviewHostData {
auditbeatAuditd: Float auditbeatAuditd: Float!
auditbeatFIM: Float auditbeatFIM: Float!
auditbeatLogin: Float auditbeatLogin: Float!
auditbeatPackage: Float auditbeatPackage: Float!
auditbeatProcess: Float auditbeatProcess: Float!
auditbeatUser: Float auditbeatUser: Float!
filebeatSystemModule: Float!
winlogbeat: Float!
} }
extend type Source { extend type Source {


@ -1209,29 +1209,41 @@ export interface NetworkDnsItem {
} }
export interface OverviewNetworkData { export interface OverviewNetworkData {
packetbeatFlow: number; auditbeatSocket: number;
packetbeatDNS: number; filebeatCisco: number;
filebeatNetflow: number;
filebeatPanw: number;
filebeatSuricata: number; filebeatSuricata: number;
filebeatZeek?: number | null; filebeatZeek: number;
auditbeatSocket?: number | null; packetbeatDNS: number;
packetbeatFlow: number;
packetbeatTLS: number;
} }
export interface OverviewHostData { export interface OverviewHostData {
auditbeatAuditd?: number | null; auditbeatAuditd: number;
auditbeatFIM?: number | null; auditbeatFIM: number;
auditbeatLogin?: number | null; auditbeatLogin: number;
auditbeatPackage?: number | null; auditbeatPackage: number;
auditbeatProcess?: number | null; auditbeatProcess: number;
auditbeatUser?: number | null; auditbeatUser: number;
filebeatSystemModule: number;
winlogbeat: number;
} }
export interface UncommonProcessesData { export interface UncommonProcessesData {
@ -6240,23 +6252,41 @@ export namespace NetworkDnsItemResolvers {
export namespace OverviewNetworkDataResolvers { export namespace OverviewNetworkDataResolvers {
export interface Resolvers<Context = SiemContext, TypeParent = OverviewNetworkData> { export interface Resolvers<Context = SiemContext, TypeParent = OverviewNetworkData> {
packetbeatFlow?: PacketbeatFlowResolver<number, TypeParent, Context>; auditbeatSocket?: AuditbeatSocketResolver<number, TypeParent, Context>;
packetbeatDNS?: PacketbeatDnsResolver<number, TypeParent, Context>; filebeatCisco?: FilebeatCiscoResolver<number, TypeParent, Context>;
filebeatNetflow?: FilebeatNetflowResolver<number, TypeParent, Context>;
filebeatPanw?: FilebeatPanwResolver<number, TypeParent, Context>;
filebeatSuricata?: FilebeatSuricataResolver<number, TypeParent, Context>; filebeatSuricata?: FilebeatSuricataResolver<number, TypeParent, Context>;
filebeatZeek?: FilebeatZeekResolver<number | null, TypeParent, Context>; filebeatZeek?: FilebeatZeekResolver<number, TypeParent, Context>;
auditbeatSocket?: AuditbeatSocketResolver<number | null, TypeParent, Context>; packetbeatDNS?: PacketbeatDnsResolver<number, TypeParent, Context>;
packetbeatFlow?: PacketbeatFlowResolver<number, TypeParent, Context>;
packetbeatTLS?: PacketbeatTlsResolver<number, TypeParent, Context>;
} }
export type PacketbeatFlowResolver< export type AuditbeatSocketResolver<
R = number, R = number,
Parent = OverviewNetworkData, Parent = OverviewNetworkData,
Context = SiemContext Context = SiemContext
> = Resolver<R, Parent, Context>; > = Resolver<R, Parent, Context>;
export type PacketbeatDnsResolver< export type FilebeatCiscoResolver<
R = number,
Parent = OverviewNetworkData,
Context = SiemContext
> = Resolver<R, Parent, Context>;
export type FilebeatNetflowResolver<
R = number,
Parent = OverviewNetworkData,
Context = SiemContext
> = Resolver<R, Parent, Context>;
export type FilebeatPanwResolver<
R = number, R = number,
Parent = OverviewNetworkData, Parent = OverviewNetworkData,
Context = SiemContext Context = SiemContext
@ -6267,12 +6297,22 @@ export namespace OverviewNetworkDataResolvers {
Context = SiemContext Context = SiemContext
> = Resolver<R, Parent, Context>; > = Resolver<R, Parent, Context>;
export type FilebeatZeekResolver< export type FilebeatZeekResolver<
R = number | null, R = number,
Parent = OverviewNetworkData, Parent = OverviewNetworkData,
Context = SiemContext Context = SiemContext
> = Resolver<R, Parent, Context>; > = Resolver<R, Parent, Context>;
export type AuditbeatSocketResolver< export type PacketbeatDnsResolver<
R = number | null, R = number,
Parent = OverviewNetworkData,
Context = SiemContext
> = Resolver<R, Parent, Context>;
export type PacketbeatFlowResolver<
R = number,
Parent = OverviewNetworkData,
Context = SiemContext
> = Resolver<R, Parent, Context>;
export type PacketbeatTlsResolver<
R = number,
Parent = OverviewNetworkData, Parent = OverviewNetworkData,
Context = SiemContext Context = SiemContext
> = Resolver<R, Parent, Context>; > = Resolver<R, Parent, Context>;
@ -6280,46 +6320,60 @@ export namespace OverviewNetworkDataResolvers {
export namespace OverviewHostDataResolvers { export namespace OverviewHostDataResolvers {
export interface Resolvers<Context = SiemContext, TypeParent = OverviewHostData> { export interface Resolvers<Context = SiemContext, TypeParent = OverviewHostData> {
auditbeatAuditd?: AuditbeatAuditdResolver<number | null, TypeParent, Context>; auditbeatAuditd?: AuditbeatAuditdResolver<number, TypeParent, Context>;
auditbeatFIM?: AuditbeatFimResolver<number | null, TypeParent, Context>; auditbeatFIM?: AuditbeatFimResolver<number, TypeParent, Context>;
auditbeatLogin?: AuditbeatLoginResolver<number | null, TypeParent, Context>; auditbeatLogin?: AuditbeatLoginResolver<number, TypeParent, Context>;
auditbeatPackage?: AuditbeatPackageResolver<number | null, TypeParent, Context>; auditbeatPackage?: AuditbeatPackageResolver<number, TypeParent, Context>;
auditbeatProcess?: AuditbeatProcessResolver<number | null, TypeParent, Context>; auditbeatProcess?: AuditbeatProcessResolver<number, TypeParent, Context>;
auditbeatUser?: AuditbeatUserResolver<number | null, TypeParent, Context>; auditbeatUser?: AuditbeatUserResolver<number, TypeParent, Context>;
filebeatSystemModule?: FilebeatSystemModuleResolver<number, TypeParent, Context>;
winlogbeat?: WinlogbeatResolver<number, TypeParent, Context>;
} }
export type AuditbeatAuditdResolver< export type AuditbeatAuditdResolver<
R = number | null, R = number,
Parent = OverviewHostData, Parent = OverviewHostData,
Context = SiemContext Context = SiemContext
> = Resolver<R, Parent, Context>; > = Resolver<R, Parent, Context>;
export type AuditbeatFimResolver< export type AuditbeatFimResolver<
R = number | null, R = number,
Parent = OverviewHostData, Parent = OverviewHostData,
Context = SiemContext Context = SiemContext
> = Resolver<R, Parent, Context>; > = Resolver<R, Parent, Context>;
export type AuditbeatLoginResolver< export type AuditbeatLoginResolver<
R = number | null, R = number,
Parent = OverviewHostData, Parent = OverviewHostData,
Context = SiemContext Context = SiemContext
> = Resolver<R, Parent, Context>; > = Resolver<R, Parent, Context>;
export type AuditbeatPackageResolver< export type AuditbeatPackageResolver<
R = number | null, R = number,
Parent = OverviewHostData, Parent = OverviewHostData,
Context = SiemContext Context = SiemContext
> = Resolver<R, Parent, Context>; > = Resolver<R, Parent, Context>;
export type AuditbeatProcessResolver< export type AuditbeatProcessResolver<
R = number | null, R = number,
Parent = OverviewHostData, Parent = OverviewHostData,
Context = SiemContext Context = SiemContext
> = Resolver<R, Parent, Context>; > = Resolver<R, Parent, Context>;
export type AuditbeatUserResolver< export type AuditbeatUserResolver<
R = number | null, R = number,
Parent = OverviewHostData,
Context = SiemContext
> = Resolver<R, Parent, Context>;
export type FilebeatSystemModuleResolver<
R = number,
Parent = OverviewHostData,
Context = SiemContext
> = Resolver<R, Parent, Context>;
export type WinlogbeatResolver<
R = number,
Parent = OverviewHostData, Parent = OverviewHostData,
Context = SiemContext Context = SiemContext
> = Resolver<R, Parent, Context>; > = Resolver<R, Parent, Context>;


@ -55,6 +55,11 @@ describe('Siem Overview elasticsearch_adapter', () => {
mockNoDataResponse.aggregations.unique_suricata_count.doc_count = 0; mockNoDataResponse.aggregations.unique_suricata_count.doc_count = 0;
mockNoDataResponse.aggregations.unique_zeek_count.doc_count = 0; mockNoDataResponse.aggregations.unique_zeek_count.doc_count = 0;
mockNoDataResponse.aggregations.unique_socket_count.doc_count = 0; mockNoDataResponse.aggregations.unique_socket_count.doc_count = 0;
mockNoDataResponse.aggregations.unique_zeek_count.doc_count = 0;
mockNoDataResponse.aggregations.unique_packetbeat_count.unique_tls_count.doc_count = 0;
mockNoDataResponse.aggregations.unique_filebeat_count.unique_cisco_count.doc_count = 0;
mockNoDataResponse.aggregations.unique_filebeat_count.unique_netflow_count.doc_count = 0;
mockNoDataResponse.aggregations.unique_filebeat_count.unique_panw_count.doc_count = 0;
const mockCallWithRequest = jest.fn(); const mockCallWithRequest = jest.fn();
mockCallWithRequest.mockResolvedValue(mockNoDataResponse); mockCallWithRequest.mockResolvedValue(mockNoDataResponse);
const mockFramework: FrameworkAdapter = { const mockFramework: FrameworkAdapter = {
@ -76,11 +81,15 @@ describe('Siem Overview elasticsearch_adapter', () => {
mockOptionsNetwork mockOptionsNetwork
); );
expect(data).toEqual({ expect(data).toEqual({
packetbeatFlow: 0, auditbeatSocket: 0,
packetbeatDNS: 0, filebeatCisco: 0,
filebeatNetflow: 0,
filebeatPanw: 0,
filebeatSuricata: 0, filebeatSuricata: 0,
filebeatZeek: 0, filebeatZeek: 0,
auditbeatSocket: 0, packetbeatDNS: 0,
packetbeatFlow: 0,
packetbeatTLS: 0,
}); });
}); });
}); });
@ -119,6 +128,8 @@ describe('Siem Overview elasticsearch_adapter', () => {
mockNoDataResponse.aggregations.system_module.package_count.doc_count = 0; mockNoDataResponse.aggregations.system_module.package_count.doc_count = 0;
mockNoDataResponse.aggregations.system_module.process_count.doc_count = 0; mockNoDataResponse.aggregations.system_module.process_count.doc_count = 0;
mockNoDataResponse.aggregations.system_module.user_count.doc_count = 0; mockNoDataResponse.aggregations.system_module.user_count.doc_count = 0;
mockNoDataResponse.aggregations.system_module.filebeat_count.doc_count = 0;
mockNoDataResponse.aggregations.winlog_count.doc_count = 0;
const mockCallWithRequest = jest.fn(); const mockCallWithRequest = jest.fn();
mockCallWithRequest.mockResolvedValue(mockNoDataResponse); mockCallWithRequest.mockResolvedValue(mockNoDataResponse);
const mockFramework: FrameworkAdapter = { const mockFramework: FrameworkAdapter = {
@ -146,6 +157,8 @@ describe('Siem Overview elasticsearch_adapter', () => {
auditbeatPackage: 0, auditbeatPackage: 0,
auditbeatProcess: 0, auditbeatProcess: 0,
auditbeatUser: 0, auditbeatUser: 0,
filebeatSystemModule: 0,
winlogbeat: 0,
}); });
}); });
}); });
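Review bot: L631 `mockNoDataResponse.aggregations.unique_zeek_count.doc_count = 0;` repeats L629 verbatim, which looks like a copy-paste slip that was probably meant for a different bucket; it should be corrected or dropped so the no-data fixture reads as a complete list. The no-data case also only exercises the path where every bucket is present with a zero count; a second case with `aggregations` undefined would pin whether the adapter yields `null` or `0` for fields the same commit makes non-null in the schema, which is the behaviour most likely to surprise in production. The describe block continues beyond the hunk.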


@ -27,11 +27,31 @@ export class ElasticsearchOverviewAdapter implements OverviewAdapter {
); );
return { return {
packetbeatFlow: getOr(null, 'aggregations.unique_flow_count.doc_count', response), auditbeatSocket: getOr(null, 'aggregations.unique_socket_count.doc_count', response),
packetbeatDNS: getOr(null, 'aggregations.unique_dns_count.doc_count', response), filebeatCisco: getOr(
null,
'aggregations.unique_filebeat_count.unique_cisco_count.doc_count',
response
),
filebeatNetflow: getOr(
null,
'aggregations.unique_filebeat_count.unique_netflow_count.doc_count',
response
),
filebeatPanw: getOr(
null,
'aggregations.unique_filebeat_count.unique_panw_count.doc_count',
response
),
filebeatSuricata: getOr(null, 'aggregations.unique_suricata_count.doc_count', response), filebeatSuricata: getOr(null, 'aggregations.unique_suricata_count.doc_count', response),
filebeatZeek: getOr(null, 'aggregations.unique_zeek_count.doc_count', response), filebeatZeek: getOr(null, 'aggregations.unique_zeek_count.doc_count', response),
auditbeatSocket: getOr(null, 'aggregations.unique_socket_count.doc_count', response), packetbeatDNS: getOr(null, 'aggregations.unique_dns_count.doc_count', response),
packetbeatFlow: getOr(null, 'aggregations.unique_flow_count.doc_count', response),
packetbeatTLS: getOr(
null,
'aggregations.unique_packetbeat_count.unique_tls_count.doc_count',
response
),
}; };
} }
@ -52,6 +72,12 @@ export class ElasticsearchOverviewAdapter implements OverviewAdapter {
auditbeatPackage: getOr(null, 'aggregations.system_module.package_count.doc_count', response), auditbeatPackage: getOr(null, 'aggregations.system_module.package_count.doc_count', response),
auditbeatProcess: getOr(null, 'aggregations.system_module.process_count.doc_count', response), auditbeatProcess: getOr(null, 'aggregations.system_module.process_count.doc_count', response),
auditbeatUser: getOr(null, 'aggregations.system_module.user_count.doc_count', response), auditbeatUser: getOr(null, 'aggregations.system_module.user_count.doc_count', response),
filebeatSystemModule: getOr(
null,
'aggregations.system_module.filebeat_count.doc_count',
response
),
winlogbeat: getOr(null, 'aggregations.winlog_count.doc_count', response),
}; };
} }
} }
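Review bot: Every field is still populated with `getOr(null, …)` (L679–L703, L710–L715) while this commit changes the GraphQL schema to `Float!` and the generated interfaces to plain `number`; because `getOr` returns `any`, the compiler will not flag that the adapter can hand back `null` for a non-null field. If Elasticsearch omits the `aggregations` object from a response — which I believe happens when the index pattern matches no indices — the resolver would return nulls and GraphQL would fail the whole `OverviewNetwork`/`OverviewHost` object rather than letting the UI show its empty-value placeholder. Either keep these fields nullable in the schema (the client already guards with `data.x !== null`) or default here, e.g. `auditbeatSocket: getOr(0, 'aggregations.unique_socket_count.doc_count', response),`, applied to every sibling. Both adapter methods begin before their hunks.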


@ -48,6 +48,13 @@ export const mockResponseNetwork = {
unique_suricata_count: { doc_count: 2375 }, unique_suricata_count: { doc_count: 2375 },
unique_zeek_count: { doc_count: 456 }, unique_zeek_count: { doc_count: 456 },
unique_socket_count: { doc_count: 13 }, unique_socket_count: { doc_count: 13 },
unique_filebeat_count: {
doc_count: 456756,
unique_cisco_count: { doc_count: 14 },
unique_netflow_count: { doc_count: 992 },
unique_panw_count: { doc_count: 225 },
},
unique_packetbeat_count: { doc_count: 7897896, unique_tls_count: { doc_count: 2009 } },
}, },
}; };
@ -57,6 +64,10 @@ export const mockResultNetwork = {
filebeatSuricata: 2375, filebeatSuricata: 2375,
filebeatZeek: 456, filebeatZeek: 456,
auditbeatSocket: 13, auditbeatSocket: 13,
filebeatCisco: 14,
filebeatNetflow: 992,
filebeatPanw: 225,
packetbeatTLS: 2009,
}; };
export const mockOptionsHost: RequestBasicOptions = { export const mockOptionsHost: RequestBasicOptions = {
@ -104,7 +115,9 @@ export const mockResponseHost = {
package_count: { doc_count: 2003 }, package_count: { doc_count: 2003 },
process_count: { doc_count: 1200 }, process_count: { doc_count: 1200 },
user_count: { doc_count: 1979 }, user_count: { doc_count: 1979 },
filebeat_count: { doc_count: 225 },
}, },
winlog_count: { doc_count: 737 },
}, },
}; };
@ -115,4 +128,6 @@ export const mockResultHost = {
auditbeatPackage: 2003, auditbeatPackage: 2003,
auditbeatProcess: 1200, auditbeatProcess: 1200,
auditbeatUser: 1979, auditbeatUser: 1979,
filebeatSystemModule: 225,
winlogbeat: 737,
}; };


@ -57,6 +57,40 @@ export const buildOverviewNetworkQuery = ({
term: { 'event.dataset': 'socket' }, term: { 'event.dataset': 'socket' },
}, },
}, },
unique_filebeat_count: {
filter: {
term: { 'agent.type': 'filebeat' },
},
aggs: {
unique_netflow_count: {
filter: {
term: { 'input.type': 'netflow' },
},
},
unique_panw_count: {
filter: {
term: { 'event.module': 'panw' },
},
},
unique_cisco_count: {
filter: {
term: { 'event.module': 'cisco' },
},
},
},
},
unique_packetbeat_count: {
filter: {
term: { 'agent.type': 'packetbeat' },
},
aggs: {
unique_tls_count: {
filter: {
term: { 'network.protocol': 'tls' },
},
},
},
},
}, },
query: { query: {
bool: { bool: {
@ -111,6 +145,13 @@ export const buildOverviewHostQuery = ({
}, },
}, },
}, },
winlog_count: {
filter: {
term: {
'agent.type': 'winlogbeat',
},
},
},
system_module: { system_module: {
filter: { filter: {
term: { term: {
@ -146,6 +187,13 @@ export const buildOverviewHostQuery = ({
}, },
}, },
}, },
filebeat_count: {
filter: {
term: {
'agent.type': 'filebeat',
},
},
},
}, },
}, },
}, },
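Review bot: The three filebeat sub-counts select on different fields — `unique_netflow_count` filters `input.type: netflow` (L775) while `unique_panw_count` and `unique_cisco_count` filter `event.module` (L780, L785) — with nothing explaining why; if the Filebeat netflow dataset also sets `event.module`, `term: { 'event.module': 'netflow' }` would keep the three selectors parallel, and if it does not, a comment such as `// netflow arrives via the netflow input, which does not set event.module` should say so. All of the new filters key on ECS-era fields (`agent.type`, `event.module`, `network.protocol`), so events from pre-ECS Beats indices would be silently excluded from these totals; a short doc comment on each builder stating that assumption would help whoever next debugs a zero count. `buildOverviewNetworkQuery` and `buildOverviewHostQuery` start before and end after their hunks.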


@ -35,6 +35,22 @@ export interface OverviewNetworkHit extends SearchHit {
unique_socket_count: { unique_socket_count: {
doc_count: number; doc_count: number;
}; };
unique_filebeat_count: {
unique_netflow_count: {
doc_count: number;
};
unique_panw_count: {
doc_count: number;
};
unique_cisco_count: {
doc_count: number;
};
};
unique_packetbeat_count: {
unique_tls_count: {
doc_count: number;
};
};
}; };
} }
@ -59,6 +75,12 @@ export interface OverviewHostHit extends SearchHit {
user_count: { user_count: {
doc_count: number; doc_count: number;
}; };
filebeat_count: {
doc_count: number;
};
};
winlog_count: {
doc_count: number;
}; };
}; };
} }
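Review bot: `unique_filebeat_count` and `unique_packetbeat_count` (L840–L855) are declared without the `doc_count` that every sibling filter aggregation carries and that the mock response supplies for both (L727, L732), so the parent totals are untyped and any future use of them would need an assertion; add `doc_count: number;` to both for parity with `unique_socket_count`. The `OverviewNetworkHit` interface begins before the hunk.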


@ -26,6 +26,8 @@ const overviewHostTests: KbnTestProvider = ({ getService }) => {
auditbeatPackage: 3, auditbeatPackage: 3,
auditbeatProcess: 7, auditbeatProcess: 7,
auditbeatUser: 6, auditbeatUser: 6,
filebeatSystemModule: 0,
winlogbeat: 0,
__typename: 'OverviewHostData', __typename: 'OverviewHostData',
}; };


@ -21,11 +21,15 @@ const overviewNetworkTests: KbnTestProvider = ({ getService }) => {
const TO = new Date('3000-01-01T00:00:00.000Z').valueOf(); const TO = new Date('3000-01-01T00:00:00.000Z').valueOf();
const expectedResult = { const expectedResult = {
packetbeatFlow: 0, auditbeatSocket: 0,
packetbeatDNS: 0, filebeatCisco: 0,
filebeatNetflow: 1273,
filebeatPanw: 0,
filebeatSuricata: 4547, filebeatSuricata: 4547,
filebeatZeek: 0, filebeatZeek: 0,
auditbeatSocket: 0, packetbeatDNS: 0,
packetbeatFlow: 0,
packetbeatTLS: 0,
__typename: 'OverviewNetworkData', __typename: 'OverviewNetworkData',
}; };
@ -57,11 +61,15 @@ const overviewNetworkTests: KbnTestProvider = ({ getService }) => {
const FROM = new Date('2000-01-01T00:00:00.000Z').valueOf(); const FROM = new Date('2000-01-01T00:00:00.000Z').valueOf();
const TO = new Date('3000-01-01T00:00:00.000Z').valueOf(); const TO = new Date('3000-01-01T00:00:00.000Z').valueOf();
const expectedResult = { const expectedResult = {
packetbeatFlow: 0, auditbeatSocket: 0,
packetbeatDNS: 0, filebeatCisco: 0,
filebeatNetflow: 1273,
filebeatPanw: 0,
filebeatSuricata: 4547, filebeatSuricata: 4547,
filebeatZeek: 0, filebeatZeek: 0,
auditbeatSocket: 0, packetbeatDNS: 0,
packetbeatFlow: 0,
packetbeatTLS: 0,
__typename: 'OverviewNetworkData', __typename: 'OverviewNetworkData',
}; };
@ -93,11 +101,15 @@ const overviewNetworkTests: KbnTestProvider = ({ getService }) => {
const FROM = new Date('2000-01-01T00:00:00.000Z').valueOf(); const FROM = new Date('2000-01-01T00:00:00.000Z').valueOf();
const TO = new Date('3000-01-01T00:00:00.000Z').valueOf(); const TO = new Date('3000-01-01T00:00:00.000Z').valueOf();
const expectedResult = { const expectedResult = {
packetbeatFlow: 0, auditbeatSocket: 0,
packetbeatDNS: 0, filebeatCisco: 0,
filebeatNetflow: 1273,
filebeatPanw: 0,
filebeatSuricata: 4547, filebeatSuricata: 4547,
filebeatZeek: 0, filebeatZeek: 0,
auditbeatSocket: 0, packetbeatDNS: 0,
packetbeatFlow: 0,
packetbeatTLS: 0,
__typename: 'OverviewNetworkData', __typename: 'OverviewNetworkData',
}; };