[ML] Updates to jobs and dashboards in auditbeat process modules (#27233)
This commit is contained in:
parent
55aafcec59
commit
c334c40453
42 changed files with 316 additions and 374 deletions
|
@ -14,6 +14,11 @@ const ML_DIR = 'ml';
|
|||
const KIBANA_DIR = 'kibana';
|
||||
const INDEX_PATTERN_ID = 'INDEX_PATTERN_ID';
|
||||
const INDEX_PATTERN_NAME = 'INDEX_PATTERN_NAME';
|
||||
export const SAVED_OBJECT_TYPES = {
|
||||
DASHBOARD: 'dashboard',
|
||||
SEARCH: 'search',
|
||||
VISUALIZATION: 'visualization'
|
||||
};
|
||||
|
||||
export class DataRecognizer {
|
||||
constructor(callWithRequest) {
|
||||
|
@ -572,8 +577,8 @@ export class DataRecognizer {
|
|||
}
|
||||
}
|
||||
|
||||
// loop through each kibana saved objects and replace the INDEX_PATTERN_ID
|
||||
// marker for the id of the specified index pattern
|
||||
// loop through each kibana saved object and replace any INDEX_PATTERN_ID and
|
||||
// INDEX_PATTERN_NAME markers for the id or name of the specified index pattern
|
||||
updateSavedObjectIndexPatterns(moduleConfig) {
|
||||
if (moduleConfig.kibana) {
|
||||
Object.keys(moduleConfig.kibana).forEach((category) => {
|
||||
|
@ -583,6 +588,16 @@ export class DataRecognizer {
|
|||
jsonString = jsonString.replace(new RegExp(INDEX_PATTERN_ID, 'g'), this.indexPatternId);
|
||||
item.config.kibanaSavedObjectMeta.searchSourceJSON = jsonString;
|
||||
}
|
||||
|
||||
if (category === SAVED_OBJECT_TYPES.VISUALIZATION) {
|
||||
// Look for any INDEX_PATTERN_NAME tokens in visualization visState,
|
||||
// as e.g. Vega visualizations reference the Elasticsearch index pattern directly.
|
||||
let visStateString = item.config.visState;
|
||||
if (visStateString !== undefined && visStateString.match(INDEX_PATTERN_NAME)) {
|
||||
visStateString = visStateString.replace(new RegExp(INDEX_PATTERN_NAME, 'g'), this.indexPatternName);
|
||||
item.config.visState = visStateString;
|
||||
}
|
||||
}
|
||||
});
|
||||
});
|
||||
}
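Review bot: The `visStateString = visStateString.replace(new RegExp(INDEX_PATTERN_NAME, 'g'), this.indexPatternName);` line splices the index pattern name into a JSON-encoded visState (for the Vega visualization added in this commit, into a spec nested two JSON-escaping levels deep) without escaping or validating it, so a name containing `"` or `\` leaves the saved object unparseable, and because a string replacement argument honors `$` patterns (`$&`, `$'`), a name containing `$` is itself rewritten. Where `this.indexPatternName` is assigned is outside this hunk; if it comes straight from the request it is caller-controlled. Pass a function so the name is inserted literally, `visStateString = visStateString.replace(new RegExp(INDEX_PATTERN_NAME, 'g'), () => this.indexPatternName);`, and reject names containing `"` or `\` before substitution rather than escaping them, since the marker's nesting depth differs per saved object. The `.match(INDEX_PATTERN_NAME)` guard on the preceding line is redundant with the replace and can go. The `$` pattern caveat applies equally to the pre-existing INDEX_PATTERN_ID replace at the top of the hunk; updateSavedObjectIndexPatterns begins outside this hunk.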
|
||||
|
|
|
@ -1,11 +0,0 @@
|
|||
{
|
||||
"title": "ML Auditbeat Docker: Audit Events",
|
||||
"description": "All events occurring within docker containers",
|
||||
"panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":13,\"i\":\"1\"},\"version\":\"6.4.0\",\"panelIndex\":\"1\",\"type\":\"visualization\",\"id\":\"ml_auditbeat_docker_container_count\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":13,\"y\":0,\"w\":35,\"h\":13,\"i\":\"2\"},\"version\":\"6.4.0\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"id\":\"ml_auditbeat_docker_container_images\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":13,\"i\":\"3\"},\"version\":\"6.4.0\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"id\":\"ml_auditbeat_docker_container_event_volume\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":24,\"y\":26,\"w\":24,\"h\":15,\"i\":\"4\"},\"version\":\"6.4.0\",\"panelIndex\":\"4\",\"type\":\"visualization\",\"id\":\"ml_auditbeat_docker_processes\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":0,\"y\":26,\"w\":24,\"h\":15,\"i\":\"5\"},\"version\":\"6.4.0\",\"panelIndex\":\"5\",\"type\":\"visualization\",\"id\":\"ml_auditbeat_docker_process_presence\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":24,\"y\":41,\"w\":24,\"h\":15,\"i\":\"6\"},\"version\":\"6.4.0\",\"panelIndex\":\"6\",\"type\":\"visualization\",\"id\":\"ml_auditbeat_docker_commands\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":0,\"y\":41,\"w\":24,\"h\":15,\"i\":\"7\"},\"version\":\"6.4.0\",\"panelIndex\":\"7\",\"type\":\"search\",\"id\":\"ml_auditbeat_docker_events\",\"embeddableConfig\":{}}]",
|
||||
"optionsJSON": "{\"darkTheme\":false,\"useMargins\":true,\"hidePanelTitles\":false}",
|
||||
"version": 1,
|
||||
"timeRestore": false,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
|
||||
}
|
||||
}
|
|
@ -0,0 +1,12 @@
|
|||
{
|
||||
"title": "ML Auditbeat Docker: Process Event Rate",
|
||||
"hits": 0,
|
||||
"description": "Dashboard to investigate unusual process event rates in a Docker container",
|
||||
"panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":14,\"i\":\"1\"},\"id\":\"ml_auditbeat_docker_process_event_rate_vis\",\"panelIndex\":\"1\",\"type\":\"visualization\",\"version\":\"6.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":14,\"w\":48,\"h\":15,\"i\":\"2\"},\"id\":\"ml_auditbeat_docker_process_event_rate_by_process\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.6.0\"},{\"gridData\":{\"x\":0,\"y\":29,\"w\":48,\"h\":20,\"i\":\"3\"},\"version\":\"6.6.0\",\"panelIndex\":\"3\",\"type\":\"search\",\"id\":\"ml_auditbeat_docker_process_events\",\"embeddableConfig\":{}}]",
|
||||
"optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}",
|
||||
"version": 1,
|
||||
"timeRestore": false,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
|
||||
}
|
||||
}
|
|
@ -0,0 +1,12 @@
|
|||
{
|
||||
"title": "ML Auditbeat Docker: Process Explorer",
|
||||
"hits": 0,
|
||||
"description": "Dashboard to explore processes for a Docker container",
|
||||
"panelsJSON": "[{\"embeddableConfig\": {},\"gridData\": {\"x\": 0,\"y\": 0,\"w\": 25,\"h\": 22,\"i\": \"1\"},\"id\": \"ml_auditbeat_docker_process_occurrence\",\"panelIndex\": \"1\",\"type\": \"visualization\",\"version\": \"6.6.0\"},{\"gridData\": {\"x\": 0,\"y\": 22,\"w\": 48,\"h\": 35,\"i\": \"2\"},\"version\": \"6.6.0\",\"panelIndex\": \"2\",\"type\": \"search\",\"id\": \"ml_auditbeat_docker_process_events\",\"embeddableConfig\": {}},{\"gridData\": {\"x\": 25,\"y\": 0,\"w\": 23,\"h\": 22,\"i\": \"3\"},\"version\": \"6.6.0\",\"panelIndex\": \"3\",\"type\": \"visualization\",\"id\": \"ml_auditbeat_docker_process_event_rate_by_process\",\"embeddableConfig\": {\"vis\": {\"legendOpen\": true}}}\n]",
|
||||
"optionsJSON": "{\"darkTheme\": false,\"hidePanelTitles\": false,\"useMargins\": true\n}",
|
||||
"version": 1,
|
||||
"timeRestore": false,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": "{\"query\": {\"query\": \"\",\"language\": \"lucene\"},\"filter\": []\n}"
|
||||
}
|
||||
}
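Review bot: The `"panelsJSON"`, `"optionsJSON"` and `"searchSourceJSON"` strings in this dashboard carry stray `\n` escapes (`{}}}\n]`, `true\n}`, `[]\n}`) and `: ` spacing that the sibling `ml_auditbeat_docker_process_event_rate` dashboard above does not use; they parse fine, but they look like leftovers from hand-editing and differ from every other saved object in the module. Normalising them to the compact form used in the other dashboard, e.g. `\"embeddableConfig\":{}` and `\"filter\":[]}` with no embedded newline, keeps the exports diffable. Both new dashboards also default `searchSourceJSON` to `\"language\":\"lucene\"` while two of the new visualizations below use `kuery`; the module should settle on one query language.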
|
|
@ -1,6 +1,6 @@
|
|||
{
|
||||
"title": "ML Auditbeat Docker: Docker Events",
|
||||
"description": "Audit Events Correlated with Docker Metadata",
|
||||
"title": "ML Auditbeat Docker: Process Events",
|
||||
"description": "Auditbeat process events in Docker containers",
|
||||
"hits": 0,
|
||||
"columns": [
|
||||
"_source"
|
||||
|
@ -11,6 +11,6 @@
|
|||
],
|
||||
"version": 1,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": "{\"index\":\"INDEX_PATTERN_ID\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"index\":\"INDEX_PATTERN_ID\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"exists\",\"key\":\"docker.container.id\",\"value\":\"exists\"},\"exists\":{\"field\":\"docker.container.id\"},\"$state\":{\"store\":\"appState\"}}]}"
|
||||
"searchSourceJSON": "{\"index\":\"INDEX_PATTERN_ID\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"index\":\"INDEX_PATTERN_ID\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"exists\",\"key\":\"docker.container.id\",\"value\":\"exists\"},\"exists\":{\"field\":\"docker.container.id\"},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"negate\":false,\"index\":\"INDEX_PATTERN_ID\",\"type\":\"phrase\",\"key\":\"event.type\",\"value\":\"syscall\",\"params\":{\"query\":\"syscall\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"event.type\":{\"query\":\"syscall\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}"
|
||||
}
|
||||
}
|
|
@ -1,11 +0,0 @@
|
|||
{
|
||||
"title": "ML Auditbeat Docker: Commands",
|
||||
"visState": "{\"title\":\"ML Auditbeat Docker: Commands\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process.title\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
|
||||
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
|
||||
"description": "",
|
||||
"savedSearchId": "ml_auditbeat_docker_events",
|
||||
"version": 1,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
|
||||
}
|
||||
}
|
|
@ -1,11 +0,0 @@
|
|||
{
|
||||
"title": "ML Auditbeat Docker: Container Count",
|
||||
"visState": "{\"title\":\"ML Auditbeat Docker: Container Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"docker.container.id\"}}]}",
|
||||
"uiStateJSON": "{}",
|
||||
"description": "",
|
||||
"savedSearchId": "ml_auditbeat_docker_events",
|
||||
"version": 1,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
|
||||
}
|
||||
}
|
|
@ -1,11 +0,0 @@
|
|||
{
|
||||
"title": "ML Auditbeat Docker: Container Event Volume",
|
||||
"visState": "{\"title\":\"ML Auditbeat Docker: Container Event Volume\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"docker.container.id\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
|
||||
"uiStateJSON": "{}",
|
||||
"description": "",
|
||||
"savedSearchId": "ml_auditbeat_docker_events",
|
||||
"version": 1,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
|
||||
}
|
||||
}
|
|
@ -1,11 +0,0 @@
|
|||
{
|
||||
"title": "ML Auditbeat Docker: Container Images",
|
||||
"visState": "{\"title\":\"ML Auditbeat Docker: Container Images\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"docker.container.image\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
|
||||
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
|
||||
"description": "",
|
||||
"savedSearchId": "ml_auditbeat_docker_events",
|
||||
"version": 1,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}"
|
||||
}
|
||||
}
|
|
@ -0,0 +1,11 @@
|
|||
{
|
||||
"title": "ML Auditbeat Docker: Process Event Rate by Process",
|
||||
"visState": "{\"title\": \"ML Auditbeat Docker: Event Rate by Process\",\"type\": \"histogram\",\"params\": {\"type\": \"histogram\",\"grid\": {\"categoryLines\": false,\"style\": {\"color\": \"#eee\"}},\"categoryAxes\": [{\"id\": \"CategoryAxis-1\",\"type\": \"category\",\"position\": \"bottom\",\"show\": true,\"style\": {},\"scale\": { \"type\": \"linear\"},\"labels\": { \"show\": true, \"truncate\": 100},\"title\": {}}],\"valueAxes\": [{\"id\": \"ValueAxis-1\",\"name\": \"LeftAxis-1\",\"type\": \"value\",\"position\": \"left\",\"show\": true,\"style\": {},\"scale\": { \"type\": \"linear\", \"mode\": \"normal\"},\"labels\": { \"show\": true, \"rotate\": 0, \"filter\": false, \"truncate\": 100},\"title\": { \"text\": \"Count\"}}],\"seriesParams\": [{\"show\": \"true\",\"type\": \"histogram\",\"mode\": \"stacked\",\"data\": { \"label\": \"Count\", \"id\": \"1\"},\"valueAxis\": \"ValueAxis-1\",\"drawLinesBetweenPoints\": true,\"showCircles\": true}],\"addTooltip\": true,\"addLegend\": true,\"legendPosition\": \"right\",\"times\": [],\"addTimeMarker\": false},\"aggs\": [{\"id\": \"1\",\"enabled\": true,\"type\": \"count\",\"schema\": \"metric\",\"params\": {}},{\"id\": \"2\",\"enabled\": true,\"type\": \"date_histogram\",\"schema\": \"segment\",\"params\": {\"field\": \"@timestamp\",\"useNormalizedEsInterval\": true,\"interval\": \"auto\",\"time_zone\": \"UTC\",\"drop_partials\": false,\"customInterval\": \"2h\",\"min_doc_count\": 1,\"extended_bounds\": {}}},{\"id\": \"3\",\"enabled\": true,\"type\": \"terms\",\"schema\": \"group\",\"params\": {\"field\": \"process.exe\",\"size\": 10,\"order\": \"desc\",\"orderBy\": \"1\",\"otherBucket\": false,\"otherBucketLabel\": \"Other\",\"missingBucket\": false,\"missingBucketLabel\": \"Missing\"}}]}",
|
||||
"uiStateJSON": "{}",
|
||||
"description": "",
|
||||
"savedSearchId": "ml_auditbeat_docker_process_events",
|
||||
"version": 1,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": "{\"query\": {\"query\": \"\",\"language\": \"kuery\"},\"filter\": []}"
|
||||
}
|
||||
}
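Review bot: The embedded title on the `"visState"` line is `ML Auditbeat Docker: Event Rate by Process`, while the saved object's `"title"` two lines above is `ML Auditbeat Docker: Process Event Rate by Process`; the visState title is what the panel header renders, so the two should agree. The same mismatch appears in the `ml_auditbeat_docker_process_occurrence` visualization below, whose object title carries an `(experimental)` suffix that its visState title lacks. Change the embedded title to `\"title\":\"ML Auditbeat Docker: Process Event Rate by Process\"` here.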
|
|
@ -0,0 +1,11 @@
|
|||
{
|
||||
"title": "ML Auditbeat Docker: Process Event Rate",
|
||||
"visState": "{\"title\": \"ML Auditbeat Docker: Process Event Rate\",\"type\": \"line\",\"params\": {\"type\": \"line\",\"grid\": { \"categoryLines\": false, \"style\": { \"color\": \"#eee\" }},\"categoryAxes\": [ { \"id\": \"CategoryAxis-1\", \"type\": \"category\", \"position\": \"bottom\", \"show\": true, \"style\": {}, \"scale\": { \"type\": \"linear\" }, \"labels\": { \"show\": true, \"truncate\": 100 }, \"title\": {} }],\"valueAxes\": [ { \"id\": \"ValueAxis-1\", \"name\": \"LeftAxis-1\", \"type\": \"value\", \"position\": \"left\", \"show\": true, \"style\": {}, \"scale\": { \"type\": \"linear\", \"mode\": \"normal\" }, \"labels\": { \"show\": true, \"rotate\": 0, \"filter\": false, \"truncate\": 100 }, \"title\": { \"text\": \"Count\" } }],\"seriesParams\": [ { \"show\": \"true\", \"type\": \"line\", \"mode\": \"normal\", \"data\": { \"label\": \"Count\", \"id\": \"1\" }, \"valueAxis\": \"ValueAxis-1\", \"drawLinesBetweenPoints\": true, \"showCircles\": true }],\"addTooltip\": true,\"addLegend\": true,\"legendPosition\": \"right\",\"times\": [],\"addTimeMarker\": false},\"aggs\": [{ \"id\": \"1\", \"enabled\": true, \"type\": \"count\", \"schema\": \"metric\", \"params\": {}},{ \"id\": \"2\", \"enabled\": true, \"type\": \"date_histogram\", \"schema\": \"segment\", \"params\": { \"field\": \"@timestamp\", \"useNormalizedEsInterval\": true, \"interval\": \"auto\", \"time_zone\": \"UTC\", \"drop_partials\": false, \"customInterval\": \"2h\", \"min_doc_count\": 1, \"extended_bounds\": {} }},{ \"id\": \"3\", \"enabled\": true, \"type\": \"terms\", \"schema\": \"group\", \"params\": { \"field\": \"beat.name\", \"size\": 10, \"order\": \"desc\", \"orderBy\": \"1\", \"otherBucket\": false, \"otherBucketLabel\": \"Other\", \"missingBucket\": false, \"missingBucketLabel\": \"Missing\" }}]}",
|
||||
"uiStateJSON": "{}",
|
||||
"description": "",
|
||||
"savedSearchId": "ml_auditbeat_docker_process_events",
|
||||
"version": 1,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": "{\"query\": {\"query\": \"\",\"language\": \"kuery\"},\"filter\": []}"
|
||||
}
|
||||
}
|
|
@ -0,0 +1,10 @@
|
|||
{
|
||||
"title": "ML Auditbeat Docker: Process Occurrence (experimental)",
|
||||
"visState": "{\"title\":\"ML Auditbeat Docker: Process Occurrence\",\"type\":\"vega\",\"params\":{\"spec\":\"{\\n $schema: https://vega.github.io/schema/vega-lite/v2.json\\n mark: {type: \\\"point\\\"}\\n data: {\\n url: {\\n index: \\\"INDEX_PATTERN_NAME\\\"\\n body: {\\n size: 10000\\n query: {\\n bool: {\\n must: [\\n %dashboard_context-must_clause%\\n {\\n exists: {field: \\\"process.exe\\\"}\\n }\\n {\\n function_score: {\\n random_score: {seed: 10, field: \\\"_seq_no\\\"}\\n }\\n }\\n {\\n range: {\\n @timestamp: {\\n %timefilter%: true\\n }\\n }\\n }\\n ]\\n must_not: [\\n \\\"%dashboard_context-must_not_clause%\\\"\\n ]\\n }\\n }\\n script_fields: {\\n process_exe: {\\n script: {source: \\\"params['_source']['process']['exe']\\\"}\\n }\\n }\\n _source: [\\\"@timestamp\\\", \\\"process_exe\\\"]\\n }\\n }\\n format: {property: \\\"hits.hits\\\"}\\n }\\n transform: [\\n {calculate: \\\"toDate(datum._source['@timestamp'])\\\", as: \\\"time\\\"}\\n ]\\n encoding: {\\n x: {\\n field: time\\n type: temporal\\n axis: {labels: true, ticks: true, title: false},\\n timeUnit: utcyearmonthdatehoursminutes\\n }\\n y: {\\n field: fields.process_exe\\n type: ordinal\\n sort: {op: \\\"count\\\", order: \\\"descending\\\"}\\n axis: {labels: true, title: \\\"occurrence of process.exe\\\", ticks: false}\\n }\\n }\\n config: {\\n style: {\\n point: {filled: true}\\n }\\n }\\n}\"},\"aggs\":[]}",
|
||||
"uiStateJSON": "{}",
|
||||
"description": "",
|
||||
"version": 1,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"index\":\"INDEX_PATTERN_ID\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"exists\",\"key\":\"docker.container.id\",\"value\":\"exists\"},\"exists\":{\"field\":\"docker.container.id\"},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"index\":\"INDEX_PATTERN_ID\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"event.type\",\"value\":\"syscall\",\"params\":{\"query\":\"syscall\",\"type\":\"phrase\"}},\"query\":{\"match\":{\"event.type\":{\"query\":\"syscall\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}"
|
||||
}
|
||||
}
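Review bot: The Vega spec on the `"visState"` line fetches up to `size: 10000` raw hits on every render, ordered by `function_score`/`random_score` so the plot is a random sample whenever the selected range holds more process events than that, yet `"description"` is left empty and nothing tells a dashboard reader that the panel is sampled or that a 10000-hit query runs each time it draws. State that in the description, e.g. `"description": "Random sample (random_score) of up to 10000 process events per render; not every event is shown"`. The `(experimental)` suffix on the object `"title"` is also missing from the visState title, so the rendered panel header will not flag the visualization as experimental. Note that the `INDEX_PATTERN_NAME` marker here sits inside a Vega spec that is itself JSON-escaped within visState, so whatever value DataRecognizer substitutes must contain no quote or backslash characters for this object to stay parseable.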
|
|
@ -1,12 +0,0 @@
|
|||
|
||||
{
|
||||
"title": "ML Auditbeat Docker: Process Presence",
|
||||
"visState": "{\"title\":\"ML Auditbeat Docker: Process Presence\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Unique\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Unique\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"process.exe\",\"customLabel\":\"Unique\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"process.exe\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"docker.container.name\",\"size\":1,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"row\":true}}]}",
|
||||
"uiStateJSON": "{}",
|
||||
"description": "",
|
||||
"savedSearchId": "ml_auditbeat_docker_events",
|
||||
"version": 1,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
|
||||
}
|
||||
}
|
|
@ -1,11 +0,0 @@
|
|||
{
|
||||
"title": "ML Auditbeat Docker: Processes",
|
||||
"visState": "{\"title\":\"ML Auditbeat Docker: Processes\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"process.exe\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"docker.container.name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"row\":true}}]}",
|
||||
"uiStateJSON": "{}",
|
||||
"description": "",
|
||||
"savedSearchId": "ml_auditbeat_docker_events",
|
||||
"version": 1,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
|
||||
}
|
||||
}
|
|
@ -1,7 +1,7 @@
|
|||
{
|
||||
"id": "auditbeat_process_docker",
|
||||
"title": "Auditbeat Docker processes",
|
||||
"description": "Detect unusual processes on Docker containers",
|
||||
"title": "Auditbeat Docker Processes",
|
||||
"description": "Detect unusual processes in Docker containers",
|
||||
"type": "Auditbeat data",
|
||||
"logoFile": "logo.json",
|
||||
"defaultIndexPattern": "auditbeat-*",
|
||||
|
@ -23,63 +23,55 @@
|
|||
},
|
||||
"jobs": [
|
||||
{
|
||||
"id": "docker_high_count_events",
|
||||
"file": "docker_high_count_events.json"
|
||||
"id": "docker_high_count_process_events",
|
||||
"file": "docker_high_count_process_events.json"
|
||||
},
|
||||
{
|
||||
"id": "docker_suspicious_process_activity",
|
||||
"file": "docker_suspicious_process_activity.json"
|
||||
"id": "docker_rare_process_activity",
|
||||
"file": "docker_rare_process_activity.json"
|
||||
}
|
||||
],
|
||||
"datafeeds": [
|
||||
{
|
||||
"id": "datafeed-docker_high_count_events",
|
||||
"file": "datafeed_docker_high_count_events.json",
|
||||
"job_id": "docker_high_count_events"
|
||||
"id": "datafeed-docker_high_count_process_events",
|
||||
"file": "datafeed_docker_high_count_process_events.json",
|
||||
"job_id": "docker_high_count_process_events"
|
||||
},
|
||||
{
|
||||
"id": "datafeed-docker_suspicious_process_activity",
|
||||
"file": "datafeed_docker_suspicious_process_activity.json",
|
||||
"job_id": "docker_suspicious_process_activity"
|
||||
"id": "datafeed-docker_rare_process_activity",
|
||||
"file": "datafeed_docker_rare_process_activity.json",
|
||||
"job_id": "docker_rare_process_activity"
|
||||
}
|
||||
],
|
||||
"kibana": {
|
||||
"dashboard": [
|
||||
{
|
||||
"id": "ml_auditbeat_docker_audit_events",
|
||||
"file": "ml_auditbeat_docker_audit_events.json"
|
||||
"id": "ml_auditbeat_docker_process_event_rate",
|
||||
"file": "ml_auditbeat_docker_process_event_rate.json"
|
||||
},
|
||||
{
|
||||
"id": "ml_auditbeat_docker_process_explorer",
|
||||
"file": "ml_auditbeat_docker_process_explorer.json"
|
||||
}
|
||||
],
|
||||
"search": [
|
||||
{
|
||||
"id": "ml_auditbeat_docker_events",
|
||||
"file": "ml_auditbeat_docker_events.json"
|
||||
"id": "ml_auditbeat_docker_process_events",
|
||||
"file": "ml_auditbeat_docker_process_events.json"
|
||||
}
|
||||
],
|
||||
"visualization": [
|
||||
{
|
||||
"id": "ml_auditbeat_docker_commands",
|
||||
"file": "ml_auditbeat_docker_commands.json"
|
||||
"id": "ml_auditbeat_docker_process_event_rate_by_process",
|
||||
"file": "ml_auditbeat_docker_process_event_rate_by_process.json"
|
||||
},
|
||||
{
|
||||
"id": "ml_auditbeat_docker_container_count",
|
||||
"file": "ml_auditbeat_docker_container_count.json"
|
||||
"id": "ml_auditbeat_docker_process_event_rate_vis",
|
||||
"file": "ml_auditbeat_docker_process_event_rate_vis.json"
|
||||
},
|
||||
{
|
||||
"id": "ml_auditbeat_docker_container_event_volume",
|
||||
"file": "ml_auditbeat_docker_container_event_volume.json"
|
||||
},
|
||||
{
|
||||
"id": "ml_auditbeat_docker_container_images",
|
||||
"file": "ml_auditbeat_docker_container_images.json"
|
||||
},
|
||||
{
|
||||
"id": "ml_auditbeat_docker_processes",
|
||||
"file": "ml_auditbeat_docker_processes.json"
|
||||
},
|
||||
{
|
||||
"id": "ml_auditbeat_docker_process_presence",
|
||||
"file": "ml_auditbeat_docker_process_presence.json"
|
||||
"id": "ml_auditbeat_docker_process_occurrence",
|
||||
"file": "ml_auditbeat_docker_process_occurrence.json"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
@ -14,7 +14,7 @@
|
|||
},
|
||||
{
|
||||
"exists": {
|
||||
"field":"docker.container.id"
|
||||
"field": "docker.container.id"
|
||||
}
|
||||
}
|
||||
]
|
|
@ -1,35 +0,0 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "Auditbeat: Detect Unusual Increases in Docker Process Volume",
|
||||
"groups": ["auditbeat"],
|
||||
"analysis_config": {
|
||||
"bucket_span": "1h",
|
||||
"detectors": [
|
||||
{
|
||||
"detector_description": "high_count partitionfield=\"docker.container.id\"",
|
||||
"function": "high_count",
|
||||
"partition_field_name": "docker.container.id"
|
||||
}
|
||||
],
|
||||
"influencers": [
|
||||
"process.exe"
|
||||
]
|
||||
},
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "256mb",
|
||||
"categorization_examples_limit": 4
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp",
|
||||
"time_format": "epoch_ms"
|
||||
},
|
||||
"custom_settings": {
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Docker Events",
|
||||
"time_range": "1h",
|
||||
"url_value": "kibana#/dashboard/ml_auditbeat_docker_audit_events?_g=(time:(from:'$earliest$',mode:absolute,to:'$latest$'))&_a=(filters:!(),query:(language:lucene,query:'docker.container.id:\"$docker.container.id$\"'))"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
|
@ -0,0 +1,41 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "Auditbeat: Detect Unusual Increases in Process Rates in Docker Containers",
|
||||
"groups": ["auditbeat"],
|
||||
"analysis_config": {
|
||||
"bucket_span": "1h",
|
||||
"detectors": [
|
||||
{
|
||||
"detector_description": "high_count partitionfield=\"docker.container.id\"",
|
||||
"function": "high_count",
|
||||
"partition_field_name": "docker.container.id"
|
||||
}
|
||||
],
|
||||
"influencers": [
|
||||
"docker.container.id",
|
||||
"process.exe"
|
||||
]
|
||||
},
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "256mb",
|
||||
"categorization_examples_limit": 4
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp",
|
||||
"time_format": "epoch_ms"
|
||||
},
|
||||
"custom_settings": {
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Raw Data",
|
||||
"time_range": "1h",
|
||||
"url_value": "kibana#/discover?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))&_a=(index:\u0027INDEX_PATTERN_ID\u0027,query:(language:lucene,query:\u0027docker.container.id:\u0022$docker.container.id$\u0022\u0027))"
|
||||
},
|
||||
{
|
||||
"url_name": "Process Rate",
|
||||
"time_range": "1h",
|
||||
"url_value": "kibana#/dashboard/ml_auditbeat_docker_process_event_rate?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))&_a=(filters:!(),query:(language:lucene,query:\u0027docker.container.id:\u0022$docker.container.id$\u0022\u0027))"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
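Review bot: `"categorization_examples_limit": 4` under `"analysis_limits"` has no effect on this job because no detector sets a `categorization_field_name`; the sibling `docker_rare_process_activity` job added in the same commit omits it, so it looks carried over from the job this one replaces rather than intended. Drop the line and leave `"analysis_limits": { "model_memory_limit": "256mb" }` so the two jobs match.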
|
|
@ -0,0 +1,40 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "Auditbeat: Detect Rare Process Executions in Docker Containers",
|
||||
"groups": ["auditbeat"],
|
||||
"analysis_config": {
|
||||
"bucket_span": "1h",
|
||||
"detectors": [
|
||||
{
|
||||
"function": "rare",
|
||||
"by_field_name": "process.exe",
|
||||
"partition_field_name": "docker.container.id"
|
||||
}
|
||||
],
|
||||
"influencers": [
|
||||
"docker.container.id",
|
||||
"process.exe"
|
||||
]
|
||||
},
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "256mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp",
|
||||
"time_format": "epoch_ms"
|
||||
},
|
||||
"custom_settings": {
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Raw Data",
|
||||
"time_range": "1h",
|
||||
"url_value": "kibana#/discover?_g=(time:(from:'$earliest$',mode:absolute,to:'$latest$'))&_a=(index:'INDEX_PATTERN_ID\u0027,query:(language:lucene,query:\u0027docker.container.id:\u0022$docker.container.id$\u0022 AND process.exe:\u0022$process.exe$\u0022\u0027))"
|
||||
},
|
||||
{
|
||||
"url_name": "Process Explorer",
|
||||
"time_range": "1h",
|
||||
"url_value": "kibana#/dashboard/ml_auditbeat_docker_process_explorer?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))&_a=(filters:!(),query:(language:lucene,query:\u0027docker.container.id:\u0022$docker.container.id$\u0022\u0027))"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
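Review bot: The detector at `"function": "rare"` has no `detector_description`, while the sibling `docker_high_count_process_events` job in this commit (and the `docker_suspicious_process_activity` job this replaces) spells one out, so the two new jobs document their detectors inconsistently. Add `"detector_description": "rare by \"process.exe\" partitionfield=\"docker.container.id\"",` above the function line, following the form the high_count job uses. Separately, the Raw Data `"url_value"` mixes a literal `'` with `\u0027` escapes inside one string (`index:'INDEX_PATTERN_ID\u0027`); both decode to the same URL, but the other three custom URLs in these two jobs use `\u0027` throughout, so this one should too.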
|
|
@ -1,35 +0,0 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "Auditbeat: Detect Rare Process Executions in Docker Containers",
|
||||
"groups": ["auditbeat"],
|
||||
"analysis_config": {
|
||||
"bucket_span": "1h",
|
||||
"detectors": [
|
||||
{
|
||||
"detector_description": "rare by 'process.exe'",
|
||||
"function": "rare",
|
||||
"by_field_name": "process.exe"
|
||||
}
|
||||
],
|
||||
"influencers": [
|
||||
"process.exe",
|
||||
"docker.container.id"
|
||||
]
|
||||
},
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "256mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp",
|
||||
"time_format": "epoch_ms"
|
||||
},
|
||||
"custom_settings": {
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Docker Events",
|
||||
"time_range": "1h",
|
||||
"url_value": "kibana#/dashboard/ml_auditbeat_docker_audit_events?_g=(time:(from:'$earliest$',mode:absolute,to:'$latest$'))&_a=(filters:!(),query:(language:lucene,query:'docker.container.id:\"$docker.container.id$\" AND process.exe:\"$process.exe$\"'))"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
|
@ -1,11 +0,0 @@
|
|||
{
|
||||
"title": "ML Auditbeat Hosts: Audit Events",
|
||||
"description": "All events occuring directly on host machines",
|
||||
"panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":12,\"i\":\"1\"},\"version\":\"6.4.0\",\"panelIndex\":\"1\",\"type\":\"visualization\",\"id\":\"ml_auditbeat_hosts_event_volume\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":24,\"y\":12,\"w\":24,\"h\":15,\"i\":\"2\"},\"version\":\"6.4.0\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"id\":\"ml_auditbeat_hosts_kernel_actions\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":0,\"y\":12,\"w\":24,\"h\":15,\"i\":\"3\"},\"version\":\"6.4.0\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"id\":\"ml_auditbeat_hosts_kernel_action_presence\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":24,\"y\":27,\"w\":24,\"h\":15,\"i\":\"4\"},\"version\":\"6.4.0\",\"panelIndex\":\"4\",\"type\":\"visualization\",\"id\":\"ml_auditbeat_hosts_processes\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":0,\"y\":27,\"w\":24,\"h\":15,\"i\":\"5\"},\"version\":\"6.4.0\",\"panelIndex\":\"5\",\"type\":\"visualization\",\"id\":\"ml_auditbeat_hosts_process_presence\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":0,\"y\":42,\"w\":24,\"h\":15,\"i\":\"6\"},\"version\":\"6.4.0\",\"panelIndex\":\"6\",\"type\":\"visualization\",\"id\":\"ml_auditbeat_hosts_command_line\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":24,\"y\":42,\"w\":24,\"h\":15,\"i\":\"7\"},\"version\":\"6.4.0\",\"panelIndex\":\"7\",\"type\":\"visualization\",\"id\":\"ml_auditbeat_hosts_exe_thing\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":0,\"y\":57,\"w\":24,\"h\":15,\"i\":\"8\"},\"version\":\"6.4.0\",\"panelIndex\":\"8\",\"type\":\"search\",\"id\":\"ml_auditbeat_hosts_events\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":24,\"y\":57,\"w\":24,\"h\":15,\"i\":\"9\"},\"version\":\"6.4.0\",\"panelIndex\":\"9\",\"type\":\"search\",\"id\":\"ml_auditbeat_all_events\",\"embeddableConfig\":{}}]",
|
||||
"optionsJSON": "{\"darkTheme\":false,\"useMargins\":true,\"hidePanelTitles\":false}",
|
||||
"version": 1,
|
||||
"timeRestore": false,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
|
||||
}
|
||||
}
|
|
@ -0,0 +1,12 @@
|
|||
{
|
||||
"title": "ML Auditbeat Hosts: Process Event Rate",
|
||||
"hits": 0,
|
||||
"description": "Dashboard to investigate unusual process event rates on a host.",
|
||||
"panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":14,\"i\":\"1\"},\"id\":\"ml_auditbeat_hosts_process_event_rate_vis\",\"panelIndex\":\"1\",\"type\":\"visualization\",\"version\":\"6.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":14,\"w\":48,\"h\":15,\"i\":\"2\"},\"id\":\"ml_auditbeat_hosts_process_event_rate_by_process\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.6.0\"},{\"gridData\":{\"x\":0,\"y\":29,\"w\":48,\"h\":20,\"i\":\"3\"},\"version\":\"6.6.0\",\"panelIndex\":\"3\",\"type\":\"search\",\"id\":\"ml_auditbeat_hosts_process_events\",\"embeddableConfig\":{}}]",
|
||||
"optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}",
|
||||
"version": 1,
|
||||
"timeRestore": false,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
|
||||
}
|
||||
}
|
|
@ -0,0 +1,12 @@
|
|||
{
|
||||
"title": "ML Auditbeat Hosts: Process Explorer",
|
||||
"hits": 0,
|
||||
"description": "Dashboard to explore processes for a host",
|
||||
"panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":0,\"w\":25,\"h\":22,\"i\":\"1\"},\"id\":\"ml_auditbeat_hosts_process_occurrence\",\"panelIndex\":\"1\",\"type\":\"visualization\",\"version\":\"6.6.0\"},{\"gridData\":{\"x\":0,\"y\":22,\"w\":48,\"h\":35,\"i\":\"2\"},\"version\":\"6.6.0\",\"panelIndex\":\"2\",\"type\":\"search\",\"id\":\"ml_auditbeat_hosts_process_events\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":25,\"y\":0,\"w\":23,\"h\":22,\"i\":\"3\"},\"version\":\"6.6.0\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"id\":\"ml_auditbeat_hosts_process_event_rate_by_process\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}}}\n]",
|
||||
"optionsJSON": "{\"darkTheme\": false,\"hidePanelTitles\": false,\"useMargins\": true\n}",
|
||||
"version": 1,
|
||||
"timeRestore": false,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": "{\"query\": {\"query\": \"\",\"language\": \"lucene\"},\"filter\": []}"
|
||||
}
|
||||
}
|
|
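Review bot: The stringified JSON in this dashboard's `panelsJSON`, `optionsJSON` and `searchSourceJSON` carries embedded `\n` and spaces after colons (`\"useMargins\": true\n}`), whereas the sibling Process Event Rate dashboard stores compact JSON. The nested parse tolerates the whitespace, so this is a style point only, but hand-maintained saved objects are easier to review and diff when all three fields use the compact form, e.g. `{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}`.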
@ -1,16 +0,0 @@
|
|||
{
|
||||
"title": "ML Auditbeat: All Events",
|
||||
"description": "All Audit Events Captured By Auditbeat",
|
||||
"hits": 0,
|
||||
"columns": [
|
||||
"_source"
|
||||
],
|
||||
"sort": [
|
||||
"@timestamp",
|
||||
"desc"
|
||||
],
|
||||
"version": 1,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": "{\"index\":\"INDEX_PATTERN_ID\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
|
||||
}
|
||||
}
|
|
@ -1,6 +1,6 @@
|
|||
{
|
||||
"title": "ML Auditbeat Hosts: Host Events",
|
||||
"description": "Audit Events occurring directly on host machines",
|
||||
"title": "ML Auditbeat Hosts: Process Events",
|
||||
"description": "Auditbeat process events on host machines",
|
||||
"hits": 0,
|
||||
"columns": [
|
||||
"_source"
|
||||
|
@ -11,6 +11,6 @@
|
|||
],
|
||||
"version": 1,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": "{\"index\":\"INDEX_PATTERN_ID\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"index\":\"INDEX_PATTERN_ID\",\"negate\":true,\"disabled\":false,\"alias\":null,\"type\":\"exists\",\"key\":\"docker.container.id\",\"value\":\"exists\"},\"exists\":{\"field\":\"docker.container.id\"},\"$state\":{\"store\":\"appState\"}}]}"
|
||||
"searchSourceJSON": "{\"index\":\"INDEX_PATTERN_ID\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"index\":\"INDEX_PATTERN_ID\",\"negate\":true,\"disabled\":false,\"alias\":null,\"type\":\"exists\",\"key\":\"docker.container.id\",\"value\":\"exists\"},\"exists\":{\"field\":\"docker.container.id\"},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"index\":\"INDEX_PATTERN_ID\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"event.type\",\"value\":\"syscall\",\"params\":{\"query\":\"syscall\",\"type\":\"phrase\"}},\"query\":{\"match\":{\"event.type\":{\"query\":\"syscall\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}"
|
||||
}
|
||||
}
|
|
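Review bot: The added `event.type` phrase filter narrows this saved search, and every visualization bound to it through `savedSearchId`, to `syscall` events, but the datafeed definitions for `hosts_high_count_process_events` and `hosts_rare_process_activity` are not in this diff, so I cannot see whether they apply the same restriction. If they do not, the Process Rate and Process Explorer drill-downs from an anomaly will show a differently filtered population than the one the job scored, which makes triage confusing. Worth confirming the datafeed `query` carries the equivalent of `{\"match\":{\"event.type\":\"syscall\"}}` together with the `docker.container.id` must-not-exist clause, or stating the intended difference in this search's `description`, which currently just says `Auditbeat process events on host machines`.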
@ -1,11 +0,0 @@
|
|||
{
|
||||
"title": "ML Auditbeat Hosts: Command Line",
|
||||
"visState": "{\"title\":\"ML Auditbeat Hosts: Command Line\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process.title\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
|
||||
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
|
||||
"description": "",
|
||||
"savedSearchId": "ml_auditbeat_hosts_events",
|
||||
"version": 1,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
|
||||
}
|
||||
}
|
|
@ -1,11 +0,0 @@
|
|||
{
|
||||
"title": "ML Auditbeat Hosts: Event Volume",
|
||||
"visState": "{\"title\":\"ML Auditbeat Hosts: Event Volume\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"beat.name\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
|
||||
"uiStateJSON": "{}",
|
||||
"description": "",
|
||||
"savedSearchId": "ml_auditbeat_hosts_events",
|
||||
"version": 1,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
|
||||
}
|
||||
}
|
|
@ -1,11 +0,0 @@
|
|||
{
|
||||
"title": "ML Auditbeat Hosts: Exe Thing",
|
||||
"visState": "{\"title\":\"ML Auditbeat Hosts: Exe Thing\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"process.exe\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"auditd.summary.object.primary\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
|
||||
"uiStateJSON": "{}",
|
||||
"description": "",
|
||||
"savedSearchId": "ml_auditbeat_hosts_events",
|
||||
"version": 1,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
|
||||
}
|
||||
}
|
|
@ -1,11 +0,0 @@
|
|||
{
|
||||
"title": "ML Auditbeat Hosts: Kernel Action Presence",
|
||||
"visState": "{\"title\":\"ML Auditbeat Hosts: Kernel Action Presence\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Unique count of event.action\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Unique count of event.action\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"event.action\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"event.action\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
|
||||
"uiStateJSON": "{}",
|
||||
"description": "",
|
||||
"savedSearchId": "ml_auditbeat_hosts_events",
|
||||
"version": 1,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
|
||||
}
|
||||
}
|
|
@ -1,11 +0,0 @@
|
|||
{
|
||||
"title": "ML Auditbeat Hosts: Kernel Actions",
|
||||
"visState": "{\"title\":\"ML Auditbeat Hosts: Kernel Actions\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"event.action\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
|
||||
"uiStateJSON": "{}",
|
||||
"description": "",
|
||||
"savedSearchId": "ml_auditbeat_hosts_events",
|
||||
"version": 1,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
|
||||
}
|
||||
}
|
|
@ -0,0 +1,11 @@
|
|||
{
|
||||
"title": "ML Auditbeat Hosts: Process Event Rate by Process",
|
||||
"visState": "{\"title\": \"ML Auditbeat Hosts: Event Rate by Process\",\"type\": \"histogram\",\"params\": {\"type\": \"histogram\",\"grid\": {\"categoryLines\": false,\"style\": {\"color\": \"#eee\"}},\"categoryAxes\": [{\"id\": \"CategoryAxis-1\",\"type\": \"category\",\"position\": \"bottom\",\"show\": true,\"style\": {},\"scale\": {\"type\": \"linear\"},\"labels\": {\"show\": true,\"truncate\": 100},\"title\": {}}],\"valueAxes\": [{\"id\": \"ValueAxis-1\",\"name\": \"LeftAxis-1\",\"type\": \"value\",\"position\": \"left\",\"show\": true,\"style\": {},\"scale\": {\"type\": \"linear\",\"mode\": \"normal\"},\"labels\": {\"show\": true,\"rotate\": 0,\"filter\": false,\"truncate\": 100},\"title\": {\"text\": \"Count\"}}],\"seriesParams\": [{\"show\": \"true\",\"type\": \"histogram\",\"mode\": \"stacked\",\"data\": {\"label\": \"Count\",\"id\": \"1\"},\"valueAxis\": \"ValueAxis-1\",\"drawLinesBetweenPoints\": true,\"showCircles\": true}],\"addTooltip\": true,\"addLegend\": true,\"legendPosition\": \"right\",\"times\": [],\"addTimeMarker\": false},\"aggs\": [{\"id\": \"1\",\"enabled\": true,\"type\": \"count\",\"schema\": \"metric\",\"params\": {}},{\"id\": \"2\",\"enabled\": true,\"type\": \"date_histogram\",\"schema\": \"segment\",\"params\": {\"field\": \"@timestamp\",\"useNormalizedEsInterval\": true,\"interval\": \"auto\",\"time_zone\": \"UTC\",\"drop_partials\": false,\"customInterval\": \"2h\",\"min_doc_count\": 1,\"extended_bounds\": {}}},{\"id\": \"3\",\"enabled\": true,\"type\": \"terms\",\"schema\": \"group\",\"params\": {\"field\": \"process.exe\",\"size\": 10,\"order\": \"desc\",\"orderBy\": \"1\",\"otherBucket\": false,\"otherBucketLabel\": \"Other\",\"missingBucket\": false,\"missingBucketLabel\": \"Missing\"}}]}",
|
||||
"uiStateJSON": "{}",
|
||||
"description": "",
|
||||
"savedSearchId": "ml_auditbeat_hosts_process_events",
|
||||
"version": 1,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": "{\"query\": {\"query\": \"\",\"language\": \"kuery\"},\"filter\": []}"
|
||||
}
|
||||
}
|
|
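Review bot: The saved object `title` is `ML Auditbeat Hosts: Process Event Rate by Process` but the `title` inside `visState` is `ML Auditbeat Hosts: Event Rate by Process`, and the two labels surface in different places so users will see both. I'd align the inner one to the outer: `\"title\": \"ML Auditbeat Hosts: Process Event Rate by Process\"`. The same `visState` also persists `\"time_zone\": \"UTC\"` on the `date_histogram`, which I raise on the sibling Process Event Rate visualization since it applies to both.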
@ -0,0 +1,11 @@
|
|||
{
|
||||
"title": "ML Auditbeat Hosts: Process Event Rate",
|
||||
"visState":"{\"title\":\"ML Auditbeat Hosts: Process Event Rate\",\"type\": \"line\",\"params\": {\"type\": \"line\",\"grid\": {\"categoryLines\": false,\"style\": {\"color\": \"#eee\"}},\"categoryAxes\": [{\"id\": \"CategoryAxis-1\",\"type\": \"category\",\"position\": \"bottom\",\"show\": true,\"style\": {},\"scale\": {\"type\": \"linear\"},\"labels\": {\"show\": true,\"truncate\": 100},\"title\": {}}],\"valueAxes\": [{\"id\": \"ValueAxis-1\",\"name\": \"LeftAxis-1\",\"type\": \"value\",\"position\": \"left\",\"show\": true,\"style\": {},\"scale\": {\"type\": \"linear\",\"mode\": \"normal\"},\"labels\": {\"show\": true,\"rotate\": 0,\"filter\": false,\"truncate\": 100},\"title\": {\"text\": \"Count\"}}],\"seriesParams\": [{\"show\": \"true\",\"type\": \"line\",\"mode\": \"normal\",\"data\": {\"label\": \"Count\",\"id\": \"1\"},\"valueAxis\": \"ValueAxis-1\",\"drawLinesBetweenPoints\": true,\"showCircles\": true}],\"addTooltip\": true,\"addLegend\": true,\"legendPosition\": \"right\",\"times\": [],\"addTimeMarker\": false},\"aggs\": [{\"id\": \"1\",\"enabled\": true,\"type\": \"count\",\"schema\": \"metric\",\"params\": {}},{\"id\": \"2\",\"enabled\": true,\"type\": \"date_histogram\",\"schema\": \"segment\",\"params\": {\"field\": \"@timestamp\",\"useNormalizedEsInterval\": true,\"interval\": \"auto\",\"time_zone\": \"UTC\",\"drop_partials\": false,\"customInterval\": \"2h\",\"min_doc_count\": 1,\"extended_bounds\": {}}},{\"id\": \"3\",\"enabled\": true,\"type\": \"terms\",\"schema\": \"group\",\"params\": {\"field\": \"beat.name\",\"size\": 10,\"order\": \"desc\",\"orderBy\": \"1\",\"otherBucket\": false,\"otherBucketLabel\": \"Other\",\"missingBucket\": false,\"missingBucketLabel\": \"Missing\"}}]}",
|
||||
"uiStateJSON": "{}",
|
||||
"description": "",
|
||||
"savedSearchId": "ml_auditbeat_hosts_process_events",
|
||||
"version": 1,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": "{\"query\": {\"query\": \"\",\"language\": \"kuery\"},\"filter\": []}"
|
||||
}
|
||||
}
|
|
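Review bot: The `date_histogram` params in `visState` persist `\"time_zone\": \"UTC\"` (the by-process visualization does the same), which looks like an artifact of exporting from a running instance rather than a deliberate setting. If this Kibana version treats an explicit `time_zone` as authoritative — I cannot confirm that from the diff — buckets will be aligned to UTC regardless of the user's `dateFormat:tz` setting and will not line up with the timestamps shown in the saved search below the chart. Unless UTC bucketing is intended, drop the `\"time_zone\": \"UTC\",` entry and let Kibana supply the zone at query time.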
@ -0,0 +1,10 @@
|
|||
{
|
||||
"title": "ML Auditbeat Hosts: Process Occurrence (experimental)",
|
||||
"visState": "{\"title\":\"ML Auditbeat Hosts: Process Occurrence\",\"type\":\"vega\",\"params\":{\"spec\":\"{\\n $schema: https://vega.github.io/schema/vega-lite/v2.json\\n mark: {type: \\\"point\\\"}\\n data: {\\n url: {\\n index: \\\"INDEX_PATTERN_NAME\\\"\\n body: {\\n size: 10000\\n query: {\\n bool: {\\n must: [\\n %dashboard_context-must_clause%\\n {\\n exists: {field: \\\"process.exe\\\"}\\n }\\n {\\n function_score: {\\n random_score: {seed: 10, field: \\\"_seq_no\\\"}\\n }\\n }\\n {\\n range: {\\n @timestamp: {\\n %timefilter%: true\\n }\\n }\\n }\\n ]\\n must_not: [\\n \\\"%dashboard_context-must_not_clause%\\\"\\n ]\\n }\\n }\\n script_fields: {\\n process_exe: {\\n script: {source: \\\"params['_source']['process']['exe']\\\"}\\n }\\n }\\n _source: [\\\"@timestamp\\\", \\\"process_exe\\\"]\\n }\\n }\\n format: {property: \\\"hits.hits\\\"}\\n }\\n transform: [\\n {calculate: \\\"toDate(datum._source['@timestamp'])\\\", as: \\\"time\\\"}\\n ]\\n encoding: {\\n x: {\\n field: time\\n type: temporal\\n axis: {labels: true, ticks: true, title: false},\\n timeUnit: utcyearmonthdatehoursminutes\\n }\\n y: {\\n field: fields.process_exe\\n type: ordinal\\n sort: {op: \\\"count\\\", order: \\\"descending\\\"}\\n axis: {labels: true, title: \\\"occurrence of process.exe\\\", ticks: false}\\n }\\n }\\n config: {\\n style: {\\n point: {filled: true}\\n }\\n }\\n}\"},\"aggs\":[]}",
|
||||
"uiStateJSON": "{}",
|
||||
"description": "",
|
||||
"version": 1,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"index\":\"INDEX_PATTERN_ID\",\"negate\":true,\"disabled\":false,\"alias\":null,\"type\":\"exists\",\"key\":\"docker.container.id\",\"value\":\"exists\"},\"exists\":{\"field\":\"docker.container.id\"},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"index\":\"INDEX_PATTERN_ID\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"event.type\",\"value\":\"syscall\",\"params\":{\"query\":\"syscall\",\"type\":\"phrase\"}},\"query\":{\"match\":{\"event.type\":{\"query\":\"syscall\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}"
|
||||
}
|
||||
}
|
|
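Review bot: The `_source` list in the Vega spec names `\"process_exe\"`, which is the script-field alias rather than a document field, so that entry returns nothing, and the spec then relies on an inline Painless `script_fields` entry just to read `process.exe` — which assumes inline scripting is allowed for the Kibana user's role and runs once per hit at `size: 10000`. Both can go: request `_source: [\"@timestamp\", \"process.exe\"]`, drop the `script_fields` block, and point the y encoding at `field: _source.process.exe` (the script itself shows the value is nested under `process`, and Vega-Lite field names support dotted nested access). Separately, `size: 10000` is the default `index.max_result_window` ceiling, so on a busy host the `random_score` sample is a partial view; the `(experimental)` tag in the title is warranted and a sentence to that effect belongs in `description`, which is currently empty.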
@ -1,11 +0,0 @@
|
|||
{
|
||||
"title": "ML Auditbeat Hosts: Process Presence",
|
||||
"visState": "{\"title\":\"ML Auditbeat Hosts: Process Presence\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Unique count of process.exe\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Unique count of process.exe\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"process.exe\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}]}",
|
||||
"uiStateJSON": "{}",
|
||||
"description": "",
|
||||
"savedSearchId": "ml_auditbeat_hosts_events",
|
||||
"version": 1,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
|
||||
}
|
||||
}
|
|
@ -1,11 +0,0 @@
|
|||
{
|
||||
"title": "ML Auditbeat Hosts: Processes",
|
||||
"visState": "{\"title\":\"ML Auditbeat Hosts: Processes\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"process.exe\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
|
||||
"uiStateJSON": "{}",
|
||||
"description": "",
|
||||
"savedSearchId": "ml_auditbeat_hosts_events",
|
||||
"version": 1,
|
||||
"kibanaSavedObjectMeta": {
|
||||
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
|
||||
}
|
||||
}
|
|
@ -1,6 +1,6 @@
|
|||
{
|
||||
"id": "auditbeat_process_hosts",
|
||||
"title": "Auditbeat host processes",
|
||||
"title": "Auditbeat Host Processes",
|
||||
"description": "Detect unusual processes on hosts",
|
||||
"type": "Auditbeat data",
|
||||
"logoFile": "logo.json",
|
||||
|
@ -25,71 +25,55 @@
|
|||
},
|
||||
"jobs": [
|
||||
{
|
||||
"id": "hosts_high_count_events",
|
||||
"file": "hosts_high_count_events.json"
|
||||
"id": "hosts_high_count_process_events",
|
||||
"file": "hosts_high_count_process_events.json"
|
||||
},
|
||||
{
|
||||
"id": "hosts_suspicious_process_activity",
|
||||
"file": "hosts_suspicious_process_activity.json"
|
||||
"id": "hosts_rare_process_activity",
|
||||
"file": "hosts_rare_process_activity.json"
|
||||
}
|
||||
],
|
||||
"datafeeds": [
|
||||
{
|
||||
"id": "datafeed-hosts_high_count_events",
|
||||
"file": "datafeed_hosts_high_count_events.json",
|
||||
"job_id": "hosts_high_count_events"
|
||||
"id": "datafeed-hosts_high_count_process_events",
|
||||
"file": "datafeed_hosts_high_count_process_events.json",
|
||||
"job_id": "hosts_high_count_process_events"
|
||||
},
|
||||
{
|
||||
"id": "datafeed-hosts_suspicious_process_activity",
|
||||
"file": "datafeed_hosts_suspicious_process_activity.json",
|
||||
"job_id": "hosts_suspicious_process_activity"
|
||||
"id": "datafeed-hosts_rare_process_activity",
|
||||
"file": "datafeed_hosts_rare_process_activity.json",
|
||||
"job_id": "hosts_rare_process_activity"
|
||||
}
|
||||
],
|
||||
"kibana": {
|
||||
"dashboard": [
|
||||
{
|
||||
"id": "ml_auditbeat_hosts_audit_events",
|
||||
"file": "ml_auditbeat_hosts_audit_events.json"
|
||||
"id": "ml_auditbeat_hosts_process_event_rate",
|
||||
"file": "ml_auditbeat_hosts_process_event_rate.json"
|
||||
},
|
||||
{
|
||||
"id": "ml_auditbeat_hosts_process_explorer",
|
||||
"file": "ml_auditbeat_hosts_process_explorer.json"
|
||||
}
|
||||
],
|
||||
"search": [
|
||||
{
|
||||
"id": "ml_auditbeat_hosts_events",
|
||||
"file": "ml_auditbeat_hosts_events.json"
|
||||
},
|
||||
{
|
||||
"id": "ml_auditbeat_all_events",
|
||||
"file": "ml_auditbeat_all_events.json"
|
||||
"id": "ml_auditbeat_hosts_process_events",
|
||||
"file": "ml_auditbeat_hosts_process_events.json"
|
||||
}
|
||||
],
|
||||
"visualization": [
|
||||
{
|
||||
"id": "ml_auditbeat_hosts_command_line",
|
||||
"file": "ml_auditbeat_hosts_command_line.json"
|
||||
"id": "ml_auditbeat_hosts_process_event_rate_by_process",
|
||||
"file": "ml_auditbeat_hosts_process_event_rate_by_process.json"
|
||||
},
|
||||
{
|
||||
"id": "ml_auditbeat_hosts_event_volume",
|
||||
"file": "ml_auditbeat_hosts_event_volume.json"
|
||||
"id": "ml_auditbeat_hosts_process_event_rate_vis",
|
||||
"file": "ml_auditbeat_hosts_process_event_rate_vis.json"
|
||||
},
|
||||
{
|
||||
"id": "ml_auditbeat_hosts_exe_thing",
|
||||
"file": "ml_auditbeat_hosts_exe_thing.json"
|
||||
},
|
||||
{
|
||||
"id": "ml_auditbeat_hosts_kernel_action_presence",
|
||||
"file": "ml_auditbeat_hosts_kernel_action_presence.json"
|
||||
},
|
||||
{
|
||||
"id": "ml_auditbeat_hosts_kernel_actions",
|
||||
"file": "ml_auditbeat_hosts_kernel_actions.json"
|
||||
},
|
||||
{
|
||||
"id": "ml_auditbeat_hosts_process_presence",
|
||||
"file": "ml_auditbeat_hosts_process_presence.json"
|
||||
},
|
||||
{
|
||||
"id": "ml_auditbeat_hosts_processes",
|
||||
"file": "ml_auditbeat_hosts_processes.json"
|
||||
"id": "ml_auditbeat_hosts_process_occurrence",
|
||||
"file": "ml_auditbeat_hosts_process_occurrence.json"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "Auditbeat Hosts: Detect Unusual Increases in Host Process Volume",
|
||||
"description": "Auditbeat Hosts: Detect Unusual Increases in Host Process Rate",
|
||||
"groups": ["auditbeat"],
|
||||
"analysis_config": {
|
||||
"bucket_span": "1h",
|
||||
|
@ -27,9 +27,14 @@
|
|||
"custom_settings": {
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Events",
|
||||
"url_name": "Raw Data",
|
||||
"time_range": "1h",
|
||||
"url_value": "kibana#/dashboard/ml_auditbeat_hosts_audit_events?_g=(time:(from:'$earliest$',mode:absolute,to:'$latest$'))&_a=(filters:!(),query:(language:lucene,query:'beat.name:\"$beat.name$\"'))"
|
||||
"url_value": "kibana#/discover?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))&_a=(index:\u0027INDEX_PATTERN_ID\u0027,query:(language:lucene,query:\u0027beat.name:\u0022$beat.name$\u0022\u0027))"
|
||||
},
|
||||
{
|
||||
"url_name": "Process Rate",
|
||||
"time_range": "1h",
|
||||
"url_value": "kibana#/dashboard/ml_auditbeat_hosts_process_event_rate?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))&_a=(filters:!(),query:(language:lucene,query:\u0027beat.name:\u0022$beat.name$\u0022\u0027))"
|
||||
}
|
||||
]
|
||||
}
|
|
@ -0,0 +1,40 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "Auditbeat Hosts: Detect Rare Process Executions on Hosts",
|
||||
"groups": ["auditbeat"],
|
||||
"analysis_config": {
|
||||
"bucket_span": "1h",
|
||||
"detectors": [
|
||||
{
|
||||
"function": "rare",
|
||||
"by_field_name": "process.exe",
|
||||
"partition_field_name": "beat.name"
|
||||
}
|
||||
],
|
||||
"influencers": [
|
||||
"beat.name",
|
||||
"process.exe"
|
||||
]
|
||||
},
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "256mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp",
|
||||
"time_format": "epoch_ms"
|
||||
},
|
||||
"custom_settings": {
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Raw Data",
|
||||
"time_range": "1h",
|
||||
"url_value": "kibana#/discover?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))&_a=(index:\u0027INDEX_PATTERN_ID\u0027,query:(language:lucene,query:\u0027beat.name:\u0022$beat.name$\u0022 AND process.exe:\u0022$process.exe$\u0022\u0027))"
|
||||
},
|
||||
{
|
||||
"url_name": "Process Explorer",
|
||||
"time_range": "1h",
|
||||
"url_value": "kibana#/dashboard/ml_auditbeat_hosts_process_explorer?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))&_a=(filters:!(),query:(language:lucene,query:\u0027beat.name:\u0022$beat.name$\u0022\u0027))"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
|
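Review bot: The replaced version carried `\"detector_description\": \"rare by 'process.exe'\"` and this one drops it, so the detector will be shown with an auto-generated label; since the partition is the substantive change, restoring it as `\"detector_description\": \"rare by 'process.exe' partitioned by 'beat.name'\"` makes the job list self-explanatory. I would also hedge the `\"model_memory_limit\": \"256mb\"`: a `rare` detector partitioned by `beat.name` keeps a per-host model of every distinct executable path, and on a large fleet or hosts that spawn many unique paths (temp-dir binaries, versioned interpreters) that limit may be reached — the exact behaviour at the limit is outside this diff, but a comment in the module README or a higher default is worth considering. The custom URLs match the new dashboard ids and use `\u0027` consistently, which is fine.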
@ -1,35 +0,0 @@
|
|||
{
|
||||
"job_type": "anomaly_detector",
|
||||
"description": "Auditbeat Hosts: Detect Rare Process Executions on Hosts",
|
||||
"groups": ["auditbeat"],
|
||||
"analysis_config": {
|
||||
"bucket_span": "1h",
|
||||
"detectors": [
|
||||
{
|
||||
"detector_description": "rare by 'process.exe'",
|
||||
"function": "rare",
|
||||
"by_field_name": "process.exe"
|
||||
}
|
||||
],
|
||||
"influencers": [
|
||||
"process.exe",
|
||||
"beat.name"
|
||||
]
|
||||
},
|
||||
"analysis_limits": {
|
||||
"model_memory_limit": "256mb"
|
||||
},
|
||||
"data_description": {
|
||||
"time_field": "@timestamp",
|
||||
"time_format": "epoch_ms"
|
||||
},
|
||||
"custom_settings": {
|
||||
"custom_urls": [
|
||||
{
|
||||
"url_name": "Host Events",
|
||||
"time_range": "1h",
|
||||
"url_value": "kibana#/dashboard/ml_auditbeat_hosts_audit_events?_g=(time:(from:'$earliest$',mode:absolute,to:'$latest$'))&_a=(filters:!(),query:(language:lucene,query:'beat.name:\"$beat.name$\" AND process.exe:\"$process.exe$\"'))"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|