From 5575bfb03b30bf7a6bbe48d12cbcacb2af98d25a Mon Sep 17 00:00:00 2001 
From: Andrew Kroh Date: Wed, 27 Nov 2019 01:37:35 -0500 Subject: [PATCH] [Filebeat] Add dashboards to CEF module (#14342) * Import Arcsight module dashboards from Logstash Load dashboards to Kibana 8 via Logstash module setup. Then use mage exportDashboard to download each of them to Beats. * Change index pattern from arcsight-* to filebeat-* * Make UUIDs unique from Logstash module * Change [ArcSight] to [Filebeat CEF] in titles * Fix dashboard IDs in navigation * Update field names in dashboards * Convert CEF extension value data types Previously all of cef.extensions.* were string values. Now it uses the data types that are defined for each CEF field to do the translation within the processor. If the field is not the correct data type then the value is dropped from the event in order to avoid mapping exceptions at index time. * Add fields for ArcSight to the mapping These fields aren't specifically in CEF. They are commonly used in ArcSight. * Exclude cef.extension fields from default_field and update dashboards * Add descriptions to dashboards (cherry picked from commit a77de0d3e2a095ffa325d8aeb9193d5b96f11d1d) --- CHANGELOG.next.asciidoc | 2 + filebeat/docs/fields.asciidoc | 1500 ++++++++++- .../filebeat-cef-endpoint-os-activity.json | 1998 ++++++++++++++ .../filebeat-cef-endpoint-overview.json | 1765 ++++++++++++ .../dashboard/filebeat-cef-microsoft-dns.json | 1796 +++++++++++++ .../filebeat-cef-network-overview.json | 2354 +++++++++++++++++ ...ebeat-cef-network-suspicious-activity.json | 1614 +++++++++++ .../module/cef/log/test/cef.log-expected.json | 10 +- .../processors/decode_cef/_meta/fields.yml | 673 ++++- .../filebeat/processors/decode_cef/cef/cef.go | 53 +- .../processors/decode_cef/cef/cef_test.go | 119 +- .../processors/decode_cef/cef/keys.go | 812 ++++-- .../processors/decode_cef/cef/types.go | 141 + .../processors/decode_cef/decode_cef.go | 23 +- .../processors/decode_cef/decode_cef_test.go | 2 +- .../filebeat/processors/decode_cef/fields.go | 2 
+- .../processors/decode_cef/keys.ecs.go | 489 +--- .../testdata/samples.log.golden.json | 168 +- 18 files changed, 12776 insertions(+), 745 deletions(-) create mode 100644 x-pack/filebeat/module/cef/_meta/kibana/7/dashboard/filebeat-cef-endpoint-os-activity.json create mode 100644 x-pack/filebeat/module/cef/_meta/kibana/7/dashboard/filebeat-cef-endpoint-overview.json create mode 100644 x-pack/filebeat/module/cef/_meta/kibana/7/dashboard/filebeat-cef-microsoft-dns.json create mode 100644 x-pack/filebeat/module/cef/_meta/kibana/7/dashboard/filebeat-cef-network-overview.json create mode 100644 x-pack/filebeat/module/cef/_meta/kibana/7/dashboard/filebeat-cef-network-suspicious-activity.json create mode 100644 x-pack/filebeat/processors/decode_cef/cef/types.go
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index e453fef2bf0e..c36e83f10237 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -25,6 +25,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 *Filebeat*
 - Fix parsing of Elasticsearch node name by `elasticsearch/slowlog` fileset. {pull}14547[14547]
+- CEF extensions are now mapped to the data types defined in the CEF guide. {pull}14342[14342]
 *Heartbeat*
@@ -118,6 +119,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - `container` and `docker` inputs now support reading of labels and env vars written by docker JSON file logging driver. {issue}8358[8358]
 - Add `index` option to all inputs to directly set a per-input index value. {pull}14010[14010]
 - Add new fileset googlecloud/audit for ingesting Google Cloud Audit logs. {pull}15200[15200]
+- Add dashboards to the CEF module (ported from the Logstash ArcSight module). {pull}14342[14342]
 *Heartbeat*
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index b188baaeb1cf..f3105771a6c9 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -2887,13 +2887,1507 @@ type: keyword -- -*`cef.extensions`*:: +[float] +=== extensions + +Collection of key-value pairs carried in the CEF extension field. + + + +*`cef.extensions.agentAddress`*:: ++ +-- +The IP address of the ArcSight connector that processed the event. + +type: ip + +-- + +*`cef.extensions.agentDnsDomain`*:: ++ +-- +The DNS domain name of the ArcSight connector that processed the event. + +type: keyword + +-- + +*`cef.extensions.agentHostName`*:: ++ +-- +The hostname of the ArcSight connector that processed the event. + +type: keyword + +-- + +*`cef.extensions.agentId`*:: ++ +-- +The agent ID of the ArcSight connector that processed the event. + +type: keyword + +-- + +*`cef.extensions.agentMacAddress`*:: ++ +-- +The MAC address of the ArcSight connector that processed the event. + +type: keyword + +-- + +*`cef.extensions.agentNtDomain`*:: ++ +-- +None + +type: keyword + +-- + +*`cef.extensions.agentReceiptTime`*:: ++ +-- +The time at which information about the event was received by the ArcSight connector. + +type: date + +-- + +*`cef.extensions.agentTimeZone`*:: ++ +-- +The agent time zone of the ArcSight connector that processed the event. + +type: keyword + +-- + +*`cef.extensions.agentTranslatedAddress`*:: ++ +-- +None + +type: ip + +-- + +*`cef.extensions.agentTranslatedZoneExternalID`*:: ++ +-- +None + +type: keyword + +-- + +*`cef.extensions.agentTranslatedZoneURI`*:: ++ +-- +None + +type: keyword + +-- + +*`cef.extensions.agentType`*:: ++ +-- +The agent type of the ArcSight connector that processed the event + +type: keyword + +-- + +*`cef.extensions.agentVersion`*:: ++ +-- +The version of the ArcSight connector that processed the event. 
+ +type: keyword + +-- + +*`cef.extensions.agentZoneExternalID`*:: ++ +-- +None + +type: keyword + +-- + +*`cef.extensions.agentZoneURI`*:: ++ +-- +None + +type: keyword + +-- + +*`cef.extensions.applicationProtocol`*:: ++ +-- +Application level protocol, example values are HTTP, HTTPS, SSHv2, Telnet, POP, IMPA, IMAPS, and so on. + +type: keyword + +-- + +*`cef.extensions.baseEventCount`*:: ++ +-- +A count associated with this event. How many times was this same event observed? Count can be omitted if it is 1. + +type: long + +-- + +*`cef.extensions.bytesIn`*:: ++ +-- +Number of bytes transferred inbound, relative to the source to destination relationship, meaning that data was flowing from source to destination. + +type: long + +-- + +*`cef.extensions.bytesOut`*:: ++ +-- +Number of bytes transferred outbound relative to the source to destination relationship. For example, the byte number of data flowing from the destination to the source. + +type: long + +-- + +*`cef.extensions.customerExternalID`*:: ++ +-- +None + +type: keyword + +-- + +*`cef.extensions.customerURI`*:: ++ +-- +None + +type: keyword + +-- + +*`cef.extensions.destinationAddress`*:: ++ +-- +Identifies the destination address that the event refers to in an IP network. The format is an IPv4 address. + +type: ip + +-- + +*`cef.extensions.destinationDnsDomain`*:: ++ +-- +The DNS domain part of the complete fully qualified domain name (FQDN). + +type: keyword + +-- + +*`cef.extensions.destinationGeoLatitude`*:: ++ +-- +The latitudinal value from which the destination's IP address belongs. + +type: double + +-- + +*`cef.extensions.destinationGeoLongitude`*:: ++ +-- +The longitudinal value from which the destination's IP address belongs. + +type: double + +-- + +*`cef.extensions.destinationHostName`*:: ++ +-- +Identifies the destination that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the destination node, when a node is available. 
+ +type: keyword + +-- + +*`cef.extensions.destinationMacAddress`*:: ++ +-- +Six colon-seperated hexadecimal numbers. + +type: keyword + +-- + +*`cef.extensions.destinationNtDomain`*:: ++ +-- +The Windows domain name of the destination address. + +type: keyword + +-- + +*`cef.extensions.destinationPort`*:: ++ +-- +The valid port numbers are between 0 and 65535. + +type: long + +-- + +*`cef.extensions.destinationProcessId`*:: ++ +-- +Provides the ID of the destination process associated with the event. For example, if an event contains process ID 105, "105" is the process ID. + +type: long + +-- + +*`cef.extensions.destinationProcessName`*:: ++ +-- +The name of the event's destination process. + +type: keyword + +-- + +*`cef.extensions.destinationServiceName`*:: ++ +-- +The service targeted by this event. + +type: keyword + +-- + +*`cef.extensions.destinationTranslatedAddress`*:: ++ +-- +Identifies the translated destination that the event refers to in an IP network. + +type: ip + +-- + +*`cef.extensions.destinationTranslatedPort`*:: ++ +-- +Port after it was translated; for example, a firewall. Valid port numbers are 0 to 65535. + +type: long + +-- + +*`cef.extensions.destinationTranslatedZoneExternalID`*:: ++ +-- +None + +type: keyword + +-- + +*`cef.extensions.destinationTranslatedZoneURI`*:: ++ +-- +The URI for the Translated Zone that the destination asset has been assigned to in ArcSight. + +type: keyword + +-- + +*`cef.extensions.destinationUserId`*:: ++ +-- +Identifies the destination user by ID. For example, in UNIX, the root user is generally associated with user ID 0. + +type: keyword + +-- + +*`cef.extensions.destinationUserName`*:: ++ +-- +Identifies the destination user by name. This is the user associated with the event's destination. Email addresses are often mapped into the UserName fields. The recipient is a candidate to put into this field. 
+ +type: keyword + +-- + +*`cef.extensions.destinationUserPrivileges`*:: ++ +-- +The typical values are "Administrator", "User", and "Guest". This identifies the destination user's privileges. In UNIX, for example, activity executed on the root user would be identified with destinationUser Privileges of "Administrator". + +type: keyword + +-- + +*`cef.extensions.destinationZoneExternalID`*:: ++ +-- +None + +type: keyword + +-- + +*`cef.extensions.destinationZoneURI`*:: ++ +-- +The URI for the Zone that the destination asset has been assigned to in ArcSight. + +type: keyword + +-- + +*`cef.extensions.deviceAction`*:: ++ +-- +Action taken by the device. + +type: keyword + +-- + +*`cef.extensions.deviceAddress`*:: ++ +-- +Identifies the device address that an event refers to in an IP network. + +type: ip + +-- + +*`cef.extensions.deviceCustomFloatingPoint1Label`*:: ++ +-- +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + +type: keyword + +-- + +*`cef.extensions.deviceCustomFloatingPoint3Label`*:: ++ +-- +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + +type: keyword + +-- + +*`cef.extensions.deviceCustomFloatingPoint4Label`*:: ++ +-- +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + +type: keyword + +-- + +*`cef.extensions.deviceCustomDate1`*:: ++ +-- +One of two timestamp fields available to map fields that do not apply to any other in this dictionary. + +type: date + +-- + +*`cef.extensions.deviceCustomDate1Label`*:: ++ +-- +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. 
+ +type: keyword + +-- + +*`cef.extensions.deviceCustomDate2`*:: ++ +-- +One of two timestamp fields available to map fields that do not apply to any other in this dictionary. + +type: date + +-- + +*`cef.extensions.deviceCustomDate2Label`*:: ++ +-- +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + +type: keyword + +-- + +*`cef.extensions.deviceCustomFloatingPoint1`*:: ++ +-- +One of four floating point fields available to map fields that do not apply to any other in this dictionary. + +type: double + +-- + +*`cef.extensions.deviceCustomFloatingPoint2`*:: ++ +-- +One of four floating point fields available to map fields that do not apply to any other in this dictionary. + +type: double + +-- + +*`cef.extensions.deviceCustomFloatingPoint2Label`*:: ++ +-- +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + +type: keyword + +-- + +*`cef.extensions.deviceCustomFloatingPoint3`*:: ++ +-- +One of four floating point fields available to map fields that do not apply to any other in this dictionary. + +type: double + +-- + +*`cef.extensions.deviceCustomFloatingPoint4`*:: ++ +-- +One of four floating point fields available to map fields that do not apply to any other in this dictionary. + +type: double + +-- + +*`cef.extensions.deviceCustomIPv6Address1Label`*:: ++ +-- +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + +type: keyword + +-- + +*`cef.extensions.deviceCustomIPv6Address4`*:: ++ +-- +One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. + +type: ip + +-- + +*`cef.extensions.deviceCustomIPv6Address4Label`*:: ++ +-- +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. 
+ +type: keyword + +-- + +*`cef.extensions.deviceCustomIPv6Address1`*:: ++ +-- +One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. + +type: ip + +-- + +*`cef.extensions.deviceCustomIPv6Address3`*:: ++ +-- +One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. + +type: ip + +-- + +*`cef.extensions.deviceCustomIPv6Address3Label`*:: ++ +-- +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + +type: keyword + +-- + +*`cef.extensions.deviceCustomNumber1`*:: ++ +-- +One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. + +type: long + +-- + +*`cef.extensions.deviceCustomNumber1Label`*:: ++ +-- +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + +type: keyword + +-- + +*`cef.extensions.DeviceCustomNumber2`*:: ++ +-- +One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. + +type: long + +-- + +*`cef.extensions.deviceCustomNumber2Label`*:: ++ +-- +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + +type: keyword + +-- + +*`cef.extensions.deviceCustomNumber3`*:: ++ +-- +One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. + +type: long + +-- + +*`cef.extensions.deviceCustomNumber3Label`*:: ++ +-- +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. 
+ +type: keyword + +-- + +*`cef.extensions.deviceCustomString1`*:: ++ +-- +One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. + +type: keyword + +-- + +*`cef.extensions.deviceCustomString1Label`*:: ++ +-- +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + +type: keyword + +-- + +*`cef.extensions.deviceCustomString2`*:: ++ +-- +One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. + +type: keyword + +-- + +*`cef.extensions.deviceCustomString2Label`*:: ++ +-- +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + +type: keyword + +-- + +*`cef.extensions.deviceCustomString3`*:: ++ +-- +One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. + +type: keyword + +-- + +*`cef.extensions.deviceCustomString3Label`*:: ++ +-- +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + +type: keyword + +-- + +*`cef.extensions.deviceCustomString4`*:: ++ +-- +One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. + +type: keyword + +-- + +*`cef.extensions.deviceCustomString4Label`*:: ++ +-- +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. 
+ +type: keyword + +-- + +*`cef.extensions.deviceCustomString5`*:: ++ +-- +One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. + +type: keyword + +-- + +*`cef.extensions.deviceCustomString5Label`*:: ++ +-- +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + +type: keyword + +-- + +*`cef.extensions.deviceCustomString6`*:: ++ +-- +One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. + +type: keyword + +-- + +*`cef.extensions.deviceCustomString6Label`*:: ++ +-- +All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + +type: keyword + +-- + +*`cef.extensions.deviceDirection`*:: ++ +-- +Any information about what direction the observed communication has taken. The following values are supported - "0" for inbound or "1" for outbound. + +type: long + +-- + +*`cef.extensions.deviceDnsDomain`*:: ++ +-- +The DNS domain part of the complete fully qualified domain name (FQDN). + +type: keyword + +-- + +*`cef.extensions.deviceEventCategory`*:: ++ +-- +Represents the category assigned by the originating device. Devices often use their own categorization schema to classify event. Example "/Monitor/Disk/Read". + +type: keyword + +-- + +*`cef.extensions.deviceExternalId`*:: ++ +-- +A name that uniquely identifies the device generating this event. + +type: keyword + +-- + +*`cef.extensions.deviceFacility`*:: ++ +-- +The facility generating this event. For example, Syslog has an explicit facility associated with every event. 
+ +type: keyword + +-- + +*`cef.extensions.deviceHostName`*:: ++ +-- +The format should be a fully qualified domain name (FQDN) associated with the device node, when a node is available. + +type: keyword + +-- + +*`cef.extensions.deviceInboundInterface`*:: ++ +-- +Interface on which the packet or data entered the device. + +type: keyword + +-- + +*`cef.extensions.deviceMacAddress`*:: ++ +-- +Six colon-separated hexadecimal numbers. + +type: keyword + +-- + +*`cef.extensions.deviceNtDomain`*:: ++ +-- +The Windows domain name of the device address. + +type: keyword + +-- + +*`cef.extensions.deviceOutboundInterface`*:: ++ +-- +Interface on which the packet or data left the device. + +type: keyword + +-- + +*`cef.extensions.devicePayloadId`*:: ++ +-- +Unique identifier for the payload associated with the event. + +type: keyword + +-- + +*`cef.extensions.deviceProcessId`*:: ++ +-- +Provides the ID of the process on the device generating the event. + +type: long + +-- + +*`cef.extensions.deviceProcessName`*:: ++ +-- +Process name associated with the event. An example might be the process generating the syslog entry in UNIX. + +type: keyword + +-- + +*`cef.extensions.deviceReceiptTime`*:: ++ +-- +The time at which the event related to the activity was received. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970) + +type: date + +-- + +*`cef.extensions.deviceTimeZone`*:: ++ +-- +The timezone for the device generating the event. + +type: keyword + +-- + +*`cef.extensions.deviceTranslatedAddress`*:: ++ +-- +Identifies the translated device address that the event refers to in an IP network. + +type: ip + +-- + +*`cef.extensions.deviceTranslatedZoneExternalID`*:: ++ +-- +None + +type: keyword + +-- + +*`cef.extensions.deviceTranslatedZoneURI`*:: ++ +-- +The URI for the Translated Zone that the device asset has been assigned to in ArcSight. 
+ +type: keyword + +-- + +*`cef.extensions.deviceZoneExternalID`*:: ++ +-- +None + +type: keyword + +-- + +*`cef.extensions.deviceZoneURI`*:: ++ +-- +Thee URI for the Zone that the device asset has been assigned to in ArcSight. + +type: keyword + +-- + +*`cef.extensions.endTime`*:: ++ +-- +The time at which the activity related to the event ended. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st1970). An example would be reporting the end of a session. + +type: date + +-- + +*`cef.extensions.eventId`*:: ++ +-- +This is a unique ID that ArcSight assigns to each event. + +type: long + +-- + +*`cef.extensions.eventOutcome`*:: ++ +-- +Displays the outcome, usually as 'success' or 'failure'. + +type: keyword + +-- + +*`cef.extensions.externalId`*:: ++ +-- +The ID used by an originating device. They are usually increasing numbers, associated with events. + +type: keyword + +-- + +*`cef.extensions.fileCreateTime`*:: ++ +-- +Time when the file was created. + +type: date + +-- + +*`cef.extensions.fileHash`*:: ++ +-- +Hash of a file. + +type: keyword + +-- + +*`cef.extensions.fileId`*:: ++ +-- +An ID associated with a file could be the inode. + +type: keyword + +-- + +*`cef.extensions.fileModificationTime`*:: ++ +-- +Time when the file was last modified. + +type: date + +-- + +*`cef.extensions.filename`*:: ++ +-- +Name of the file only (without its path). + +type: keyword + +-- + +*`cef.extensions.filePath`*:: ++ +-- +Full path to the file, including file name itself. + +type: keyword + +-- + +*`cef.extensions.filePermission`*:: ++ +-- +Permissions of the file. + +type: keyword + +-- + +*`cef.extensions.fileSize`*:: ++ +-- +Size of the file. + +type: long + +-- + +*`cef.extensions.fileType`*:: ++ +-- +Type of file (pipe, socket, etc.) + +type: keyword + +-- + +*`cef.extensions.flexDate1`*:: ++ +-- +A timestamp field available to map a timestamp that does not apply to any other defined timestamp field in this dictionary. 
Use all flex fields sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary. + +type: date + +-- + +*`cef.extensions.flexDate1Label`*:: ++ +-- +The label field is a string and describes the purpose of the flex field. + +type: keyword + +-- + +*`cef.extensions.flexString1`*:: ++ +-- +One of four floating point fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary. + +type: keyword + +-- + +*`cef.extensions.flexString2`*:: ++ +-- +One of four floating point fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary. + +type: keyword + +-- + +*`cef.extensions.flexString1Label`*:: ++ +-- +The label field is a string and describes the purpose of the flex field. + +type: keyword + +-- + +*`cef.extensions.flexString2Label`*:: ++ +-- +The label field is a string and describes the purpose of the flex field. + +type: keyword + +-- + +*`cef.extensions.message`*:: ++ +-- +An arbitrary message giving more details about the event. Multi-line entries can be produced by using \n as the new line separator. + +type: keyword + +-- + +*`cef.extensions.oldFileCreateTime`*:: ++ +-- +Time when old file was created. + +type: date + +-- + +*`cef.extensions.oldFileHash`*:: ++ +-- +Hash of the old file. + +type: keyword + +-- + +*`cef.extensions.oldFileId`*:: ++ +-- +An ID associated with the old file could be the inode. + +type: keyword + +-- + +*`cef.extensions.oldFileModificationTime`*:: ++ +-- +Time when old file was last modified. 
+ +type: date + +-- + +*`cef.extensions.oldFileName`*:: ++ +-- +Name of the old file. + +type: keyword + +-- + +*`cef.extensions.oldFilePath`*:: ++ +-- +Full path to the old file, including the file name itself. + +type: keyword + +-- + +*`cef.extensions.oldFilePermission`*:: ++ +-- +Permissions of the old file. + +type: keyword + +-- + +*`cef.extensions.oldFileSize`*:: ++ +-- +Size of the old file. + +type: long + +-- + +*`cef.extensions.oldFileType`*:: ++ +-- +Type of the old file (pipe, socket, etc.) + +type: keyword + +-- + +*`cef.extensions.rawEvent`*:: ++ +-- +None + +type: keyword + +-- + +*`cef.extensions.Reason`*:: + -- -Collection of key-value pairs carried in the CEF extension field. +The reason an audit event was generated. For example "bad password" or "unknown user". This could also be an error or return code. Example "0x1234". +type: keyword -type: object +-- + +*`cef.extensions.requestClientApplication`*:: ++ +-- +The User-Agent associated with the request. + +type: keyword + +-- + +*`cef.extensions.requestContext`*:: ++ +-- +Description of the content from which the request originated (for example, HTTP Referrer) + +type: keyword + +-- + +*`cef.extensions.requestCookies`*:: ++ +-- +Cookies associated with the request. + +type: keyword + +-- + +*`cef.extensions.requestMethod`*:: ++ +-- +The HTTP method used to access a URL. + +type: keyword + +-- + +*`cef.extensions.requestUrl`*:: ++ +-- +In the case of an HTTP request, this field contains the URL accessed. The URL should contain the protocol as well. + +type: keyword + +-- + +*`cef.extensions.sourceAddress`*:: ++ +-- +Identifies the source that an event refers to in an IP network. + +type: ip + +-- + +*`cef.extensions.sourceDnsDomain`*:: ++ +-- +The DNS domain part of the complete fully qualified domain name (FQDN). 
+ +type: keyword + +-- + +*`cef.extensions.sourceGeoLatitude`*:: ++ +-- +None + +type: double + +-- + +*`cef.extensions.sourceGeoLongitude`*:: ++ +-- +None + +type: double + +-- + +*`cef.extensions.sourceHostName`*:: ++ +-- +Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the source node, when a mode is available. Examples: 'host' or 'host.domain.com'. + + +type: keyword + +-- + +*`cef.extensions.sourceMacAddress`*:: ++ +-- +Six colon-separated hexadecimal numbers. + +type: keyword + +example: 00:0d:60:af:1b:61 + +-- + +*`cef.extensions.sourceNtDomain`*:: ++ +-- +The Windows domain name for the source address. + +type: keyword + +-- + +*`cef.extensions.sourcePort`*:: ++ +-- +The valid port numbers are 0 to 65535. + +type: long + +-- + +*`cef.extensions.sourceProcessId`*:: ++ +-- +The ID of the source process associated with the event. + +type: long + +-- + +*`cef.extensions.sourceProcessName`*:: ++ +-- +The name of the event's source process. + +type: keyword + +-- + +*`cef.extensions.sourceServiceName`*:: ++ +-- +The service that is responsible for generating this event. + +type: keyword + +-- + +*`cef.extensions.sourceTranslatedAddress`*:: ++ +-- +Identifies the translated source that the event refers to in an IP network. + +type: ip + +-- + +*`cef.extensions.sourceTranslatedPort`*:: ++ +-- +A port number after being translated by, for example, a firewall. Valid port numbers are 0 to 65535. + +type: long + +-- + +*`cef.extensions.sourceTranslatedZoneExternalID`*:: ++ +-- +None + +type: keyword + +-- + +*`cef.extensions.sourceTranslatedZoneURI`*:: ++ +-- +The URI for the Translated Zone that the destination asset has been assigned to in ArcSight. + +type: keyword + +-- + +*`cef.extensions.sourceUserId`*:: ++ +-- +Identifies the source user by ID. This is the user associated with the source of the event. 
For example, in UNIX, the root user is generally associated with user ID 0. + +type: keyword + +-- + +*`cef.extensions.sourceUserName`*:: ++ +-- +Identifies the source user by name. Email addresses are also mapped into the UserName fields. The sender is a candidate to put into this field. + +type: keyword + +-- + +*`cef.extensions.sourceUserPrivileges`*:: ++ +-- +The typical values are "Administrator", "User", and "Guest". It identifies the source user's privileges. In UNIX, for example, activity executed by the root user would be identified with "Administrator". + +type: keyword + +-- + +*`cef.extensions.sourceZoneExternalID`*:: ++ +-- +None + +type: keyword + +-- + +*`cef.extensions.sourceZoneURI`*:: ++ +-- +The URI for the Zone that the source asset has been assigned to in ArcSight. + +type: keyword + +-- + +*`cef.extensions.startTime`*:: ++ +-- +The time when the activity the event referred to started. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970) + +type: date + +-- + +*`cef.extensions.transportProtocol`*:: ++ +-- +Identifies the Layer-4 protocol used. The possible values are protocols such as TCP or UDP. + +type: keyword + +-- + +*`cef.extensions.type`*:: ++ +-- +0 means base event, 1 means aggregated, 2 means correlation, and 3 means action. This field can be omitted for base events (type 0). + +type: long + +-- + +*`cef.extensions.categoryDeviceType`*:: ++ +-- +Device type. Examples - Proxy, IDS, Web Server + +type: keyword + +-- + +*`cef.extensions.categoryObject`*:: ++ +-- +Object that the event is about. For example it can be an operating sytem, database, file, etc. + +type: keyword + +-- + +*`cef.extensions.categoryBehavior`*:: ++ +-- +Action or a behavior associated with an event. It's what is being done to the object. + +type: keyword + +-- + +*`cef.extensions.categoryTechnique`*:: ++ +-- +Technique being used (e.g. /DoS). 
+ +type: keyword + +-- + +*`cef.extensions.categoryDeviceGroup`*:: ++ +-- +General device group like Firewall. + +type: keyword + +-- + +*`cef.extensions.categorySignificance`*:: ++ +-- +Characterization of the importance of the event. + +type: keyword + +-- + +*`cef.extensions.categoryOutcome`*:: ++ +-- +Outcome of the event (e.g. sucess, failure, or attempt). + +type: keyword + +-- + +*`cef.extensions.managerReceiptTime`*:: ++ +-- +When the Arcsight ESM received the event. + +type: date --
diff --git a/x-pack/filebeat/module/cef/_meta/kibana/7/dashboard/filebeat-cef-endpoint-os-activity.json b/x-pack/filebeat/module/cef/_meta/kibana/7/dashboard/filebeat-cef-endpoint-os-activity.json
new file mode 100644
index 000000000000..ae3cf1074e83
--- /dev/null
+++ b/x-pack/filebeat/module/cef/_meta/kibana/7/dashboard/filebeat-cef-endpoint-os-activity.json
@@ -0,0 +1,1998 @@ +{ + "objects": [ + { + "attributes": { + "description": "Operating system activity from endpoints.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "query": { + "language": "lucene", + "query": "*" + }, + "version": true + } + }, + "optionsJSON": { + "darkTheme": false + }, + "panelsJSON": [ + { + "embeddableConfig": { + "vis": { + "colors": { + "Count": "#64B0C8", + "Destination User Names": "#E24D42", + "Event Types": "#EF843C" + }, + "legendOpen": true + } + }, + "gridData": { + "h": 12, + "i": "3", + "w": 24, + "x": 0, + "y": 28 + }, + "panelIndex": "3", + "panelRefName": "panel_0", + "version": "7.3.0" + }, + { + "embeddableConfig": { + "vis": { + "defaultColors": { + "0 - 100": "rgb(0,104,55)" + } + } + }, + "gridData": { + "h": 8, + "i": "4", + "w": 40, + "x": 0, + "y": 4 + }, + "panelIndex": "4", + "panelRefName": "panel_1", + "version": "7.3.0" + }, + { + "embeddableConfig": { + "vis": { + "defaultColors": { + "0 - 55k": "rgb(255,255,204)", + "110k - 165k": "rgb(254,225,135)", + "165k - 220k": "rgb(254,201,101)", + "220k - 275k": "rgb(254,171,73)", + "275k - 330k": "rgb(253,141,60)", + "330k - 385k": "rgb(252,91,46)", + "385k - 440k": "rgb(237,47,34)", + "440k - 495k": "rgb(212,16,32)", + "495k - 550k": "rgb(176,0,38)", + "55k - 110k": "rgb(255,241,170)" + }, + "legendOpen": false + } + }, + "gridData": { + "h": 12, + "i": "5", + "w": 24, + "x": 24, + "y": 28 + }, + "panelIndex": "5", + "panelRefName": "panel_2", + "version": "7.3.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "7", + "w": 48, + "x": 0, + "y": 20 + }, + "panelIndex": "7", + "panelRefName": "panel_3", + "version": "7.3.0" + }, + { + "embeddableConfig": { + "vis": { + "colors": { + "/Attempt": "#447EBC", + "/Failure": "#E24D42", + "/Success": "#7EB26D" + } + } + }, + "gridData": { + "h": 12, + "i": "8", + "w": 24, + "x": 24, + "y": 52 + }, + "panelIndex": "8", + "panelRefName": "panel_4", 
+ "version": "7.3.0" + }, + { + "embeddableConfig": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "gridData": { + "h": 24, + "i": "9", + "w": 24, + "x": 0, + "y": 40 + }, + "panelIndex": "9", + "panelRefName": "panel_5", + "version": "7.3.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "10", + "w": 24, + "x": 24, + "y": 40 + }, + "panelIndex": "10", + "panelRefName": "panel_6", + "version": "7.3.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 4, + "i": "11", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "11", + "panelRefName": "panel_7", + "version": "7.3.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "12", + "w": 8, + "x": 40, + "y": 4 + }, + "panelIndex": "12", + "panelRefName": "panel_8", + "version": "7.3.0" + }, + { + "embeddableConfig": { + "vis": { + "colors": { + "Destination Users": "#E24D42", + "Event Count": "#64B0C8" + } + } + }, + "gridData": { + "h": 8, + "i": "13", + "w": 48, + "x": 0, + "y": 12 + }, + "panelIndex": "13", + "panelRefName": "panel_9", + "version": "7.3.0" + }, + { + "embeddableConfig": { + "vis": { + "legendOpen": false + } + }, + "gridData": { + "h": 20, + "i": "14", + "w": 16, + "x": 32, + "y": 64 + }, + "panelIndex": "14", + "panelRefName": "panel_10", + "version": "7.3.0" + }, + { + "embeddableConfig": { + "vis": { + "legendOpen": false + } + }, + "gridData": { + "h": 24, + "i": "15", + "w": 16, + "x": 32, + "y": 84 + }, + "panelIndex": "15", + "panelRefName": "panel_11", + "version": "7.3.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "16", + "w": 32, + "x": 0, + "y": 80 + }, + "panelIndex": "16", + "panelRefName": "panel_12", + "version": "7.3.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "17", + "w": 32, + "x": 0, + "y": 100 + }, + "panelIndex": "17", + "panelRefName": "panel_13", + "version": "7.3.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 
16, + "i": "18", + "w": 32, + "x": 0, + "y": 64 + }, + "panelIndex": "18", + "panelRefName": "panel_14", + "version": "7.3.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "19", + "w": 32, + "x": 0, + "y": 92 + }, + "panelIndex": "19", + "panelRefName": "panel_15", + "version": "7.3.0" + } + ], + "refreshInterval": { + "display": "Off", + "pause": false, + "value": 0 + }, + "timeFrom": "now-24h", + "timeRestore": true, + "timeTo": "now", + "title": "[Filebeat CEF] Endpoint OS Activity Dashboard", + "version": 1 + }, + "id": "9e352900-89c3-4c1b-863e-249e24d0dac9", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "references": [ + { + "id": "59ad829b-12b8-4256-95a5-e7078eda628b", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "158d809a-89db-4ffa-88a1-eb5c4bf58d50", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "77ee0e91-010b-4897-b483-7e9a907d2afe", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "0f4028b2-3dc2-4cb6-80d8-285c847a02a1", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "e06d85f2-2da4-41e2-b2ab-f685b64bb3f9", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "2726382e-638a-4dcc-94fc-0ffdc0f92048", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "92aecea0-a632-4a55-bb56-50e4cdaca036", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "677891a1-90c4-4273-b126-f0e54689bd76", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "76c088c3-486e-4420-8840-5ede667edffe", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "5f187dc8-aa7e-4f91-a2d8-1186ce254d00", + "name": "panel_9", + "type": "visualization" + }, + { + "id": "316fdc75-7215-4c6b-8e1b-70a097b34e28", + "name": "panel_10", + "type": "visualization" + }, + { + "id": "6437e9bb-9ed1-4e2d-bb10-e63ccd35c409", + "name": "panel_11", + "type": "visualization" + }, + { + "id": "4a7c10c7-4abd-47b4-b4c3-dee33377fbdf", + "name": "panel_12", + "type": 
"visualization" + }, + { + "id": "acc915fe-b971-4795-9040-3fbfdf62abe1", + "name": "panel_13", + "type": "visualization" + }, + { + "id": "4e25b5ce-53c3-46fc-b5e5-71d3c52f1956", + "name": "panel_14", + "type": "visualization" + }, + { + "id": "8cd00d20-957d-4663-be4d-ea80b1609586", + "name": "panel_15", + "type": "visualization" + } + ], + "type": "dashboard", + "updated_at": "2019-10-25T16:30:02.301Z", + "version": "WzEyNTksMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Source Users by Event Type and Destination Users [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Source Users", + "field": "source.user.name", + "order": "desc", + "orderBy": "1", + "size": 20 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Event Types", + "field": "cef.extensions.categoryBehavior" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "Destination User Names", + "field": "destination.user.name" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "listeners": {}, + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Source Users" + }, + "type": "category" + } + ], + "defaultYExtents": false, + "drawLinesBetweenPoints": true, + "grid": { + "categoryLines": false, + "style": { + "color": "#eee" + } + }, + "interpolate": "linear", + "legendPosition": "right", + 
"radiusRatio": 9, + "scale": "linear", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "mode": "stacked", + "show": "true", + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + }, + { + "data": { + "id": "3", + "label": "Event Types" + }, + "drawLinesBetweenPoints": true, + "interpolate": "linear", + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "line", + "valueAxis": "ValueAxis-2" + }, + { + "data": { + "id": "4", + "label": "Destination User Names" + }, + "drawLinesBetweenPoints": true, + "interpolate": "linear", + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "line", + "valueAxis": "ValueAxis-2" + } + ], + "setYExtents": false, + "showCircles": true, + "times": [], + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "square root" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + }, + { + "id": "ValueAxis-2", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "RightAxis-1", + "position": "right", + "scale": { + "mode": "normal", + "type": "square root" + }, + "show": true, + "style": {}, + "title": { + "text": "" + }, + "type": "value" + } + ] + }, + "title": "Source Users by Event Type and Destination Users [Filebeat CEF]", + "type": "histogram" + } + }, + "id": "59ad829b-12b8-4256-95a5-e7078eda628b", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:02.301Z", + "version": "WzEyNjAsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + 
"searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Endpoint OS Metrics Overview [Filebeat CEF]", + "uiStateJSON": { + "vis": { + "defaultColors": { + "0 - 100": "rgb(0,104,55)" + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Total Events" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "6", + "params": { + "customLabel": "Devices", + "field": "observer.hostname" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "7", + "params": { + "customLabel": "Event Types", + "field": "cef.extensions.categoryBehavior" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "8", + "params": { + "customLabel": "Event Outcomes", + "field": "cef.extensions.categoryOutcome" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "listeners": {}, + "params": { + "addLegend": false, + "addTooltip": true, + "fontSize": "30", + "gauge": { + "autoExtend": false, + "backStyle": "Full", + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 100 + } + ], + "gaugeColorMode": "None", + "gaugeStyle": "Full", + "gaugeType": "Metric", + "invertColors": false, + "labels": { + "color": "black", + "show": true + }, + "orientation": "vertical", + "percentageMode": false, + "scale": { + "color": "#333", + "labels": false, + "show": false, + "width": 2 + }, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": "20", + "labelColor": false, + "subText": "" + }, + "type": "simple", + "useRange": false, + "verticalSplit": false + }, + "handleNoResults": true, + "type": "gauge" + }, + "title": "Endpoint OS Metrics Overview [Filebeat CEF]", + "type": "metric" + } + }, + "id": "158d809a-89db-4ffa-88a1-eb5c4bf58d50", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": 
"search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:02.301Z", + "version": "WzEyNjEsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Behaviors by Outcome [Filebeat CEF]", + "uiStateJSON": { + "vis": { + "defaultColors": { + "0 - 9,000": "rgb(255,255,204)", + "18,000 - 27,000": "rgb(254,225,135)", + "27,000 - 36,000": "rgb(254,201,101)", + "36,000 - 45,000": "rgb(254,171,73)", + "45,000 - 54,000": "rgb(253,141,60)", + "54,000 - 63,000": "rgb(252,91,46)", + "63,000 - 72,000": "rgb(237,47,34)", + "72,000 - 81,000": "rgb(212,16,32)", + "81,000 - 90,000": "rgb(176,0,38)", + "9,000 - 18,000": "rgb(255,241,170)" + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Event Type", + "field": "cef.extensions.categoryBehavior", + "order": "desc", + "orderBy": "1", + "size": 10 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Event Outcome", + "field": "cef.extensions.categoryOutcome", + "order": "desc", + "orderBy": "1", + "size": 5 + }, + "schema": "group", + "type": "terms" + } + ], + "listeners": {}, + "params": { + "addLegend": true, + "addTooltip": true, + "colorSchema": "Yellow to Red", + "colorsNumber": 10, + "colorsRange": [], + "enableHover": true, + "invertColors": false, + "legendPosition": "right", + "percentageMode": false, + "setColorRange": false, + "times": [], + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "color": "#555", + "rotate": 0, + "show": false + }, + "scale": { + "defaultYExtents": false, + "type": "linear" + }, + "show": false, + "type": "value" + } + ] + }, + "title": "Top 10 Behaviors by Outcome [Filebeat CEF]", + 
"type": "heatmap" + } + }, + "id": "77ee0e91-010b-4897-b483-7e9a907d2afe", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:02.301Z", + "version": "WzEyNjIsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "query_string": { + "query": "*" + } + } + } + }, + "title": "Events by Outcomes [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "listeners": {}, + "params": { + "axis_formatter": "number", + "axis_position": "left", + "filter": { + "language": "lucene", + "query": "cef.extensions.categoryDeviceGroup:\"/Operating System\"" + }, + "id": "74716d29-91c6-4095-bc7d-7f6700f12b1f", + "index_pattern": "filebeat-*", + "interval": "auto", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(244,78,59,1)", + "fill": "0", + "formatter": "number", + "hide_in_legend": 0, + "id": "932c5de4-f841-4f27-99e4-60d95d3aa16c", + "label": "Event Outcomes", + "line_width": "3", + "metrics": [ + { + "id": "4c263b6d-8117-43c6-b83f-5c4145f43cfc", + "type": "count" + } + ], + "point_size": 1, + "seperate_axis": 1, + "split_filters": [ + { + "color": "rgba(244,78,59,1)", + "filter": "cef.extensions.categoryOutcome:\"/Failure\"", + "id": "94371b84-a7aa-4824-b4d1-217ecbe725a5", + "label": "Failure" + }, + { + "color": "rgba(104,188,0,1)", + "filter": "cef.extensions.categoryOutcome:\"/Success\"", + "id": "31564794-9278-4f2e-bb20-557f5cfbea79", + "label": "Success" + }, + { + "color": "rgba(251,158,0,1)", + "filter": "cef.extensions.categoryOutcome:\"/Attempt\"", + "id": "10c0f919-0853-41b5-94b4-2e39932e7aa0", + "label": "Attempt" + } + ], + "split_mode": "filters", + "stacked": "none", + "terms_field": "cef.extensions.categoryOutcome", + "terms_size": 
"3" + }, + { + "axis_position": "left", + "chart_type": "bar", + "color": "rgba(104,182,204,1)", + "fill": 0.5, + "formatter": "number", + "id": "c9eca9d0-c2e0-45e6-a3ce-f158c40fdd74", + "label": "Event Count", + "line_width": 1, + "metrics": [ + { + "id": "6d8513ca-cc72-4b27-91b6-6b689558cdcb", + "type": "count" + } + ], + "point_size": 1, + "seperate_axis": 1, + "split_mode": "everything", + "stacked": "none" + } + ], + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "Events by Outcomes [Filebeat CEF]", + "type": "metrics" + } + }, + "id": "0f4028b2-3dc2-4cb6-80d8-285c847a02a1", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [], + "type": "visualization", + "updated_at": "2019-10-25T16:30:02.301Z", + "version": "WzEyNjMsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Top 20 Behaviors by Outcome [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Event Behavior", + "field": "cef.extensions.categoryBehavior", + "order": "desc", + "orderBy": "1", + "size": 20 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Event Outcome", + "field": "cef.extensions.categoryOutcome", + "order": "desc", + "orderBy": "1", + "size": 3 + }, + "schema": "segment", + "type": "terms" + } + ], + "listeners": {}, + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "legendPosition": "right" + }, + "title": "Top 20 Behaviors by Outcome [Filebeat CEF]", + "type": "pie" + } + }, + "id": "e06d85f2-2da4-41e2-b2ab-f685b64bb3f9", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": 
"e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:02.301Z", + "version": "WzEyNjQsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Top 15 Event Types by Events [Filebeat CEF]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Event Types", + "field": "cef.extensions.categoryBehavior", + "order": "desc", + "orderBy": "1", + "size": 15 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Source Users", + "field": "source.user.name" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "Destination Users", + "field": "destination.user.name" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "5", + "params": { + "customLabel": "Source Hosts", + "field": "source.domain" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "6", + "params": { + "customLabel": "Destination Hosts", + "field": "destination.domain" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + } + ], + "listeners": {}, + "params": { + "perPage": 15, + "showMeticsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Top 15 Event Types by Events [Filebeat CEF]", + "type": "table" + } + }, + "id": "2726382e-638a-4dcc-94fc-0ffdc0f92048", + "migrationVersion": { + "visualization": "7.3.1" + }, + 
"references": [ + { + "id": "e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:02.301Z", + "version": "WzEyNjUsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Top 5 Vendors by Product [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "OS Vendor", + "field": "cef.device.vendor", + "order": "desc", + "orderBy": "1", + "size": 5 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "OS Product", + "field": "cef.device.product", + "order": "desc", + "orderBy": "1", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "listeners": {}, + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "legendPosition": "right" + }, + "title": "Top 5 Vendors by Product [Filebeat CEF]", + "type": "pie" + } + }, + "id": "92aecea0-a632-4a55-bb56-50e4cdaca036", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:02.301Z", + "version": "WzEyNjYsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "query_string": { + "query": "*" + } + } + } + }, + "title": " Dashboard Navigation [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "listeners": {}, + "params": { + "markdown": "[Network Overview](#/dashboard/dd0bc9af-2e89-4150-9b42-62517ea56b71) | [Network Suspicious 
Activity](#/dashboard/db1e1aca-279e-4ecc-b84e-fe58644f7619) | [Endpoint Overview](#dashboard/c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b) | [Endpoint OS Activity](#/dashboard/9e352900-89c3-4c1b-863e-249e24d0dac9) | [Microsoft DNS Overview](#/dashboard/56428e01-0c47-4770-8ba4-9345a029ea41)" + }, + "title": " Dashboard Navigation [Filebeat CEF]", + "type": "markdown" + } + }, + "id": "677891a1-90c4-4273-b126-f0e54689bd76", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [], + "type": "visualization", + "updated_at": "2019-10-25T16:30:06.345Z", + "version": "WzEzMzYsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "query_string": { + "query": "*" + } + } + } + }, + "title": "Endpoint - OS Average EPS [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "listeners": {}, + "params": { + "axis_formatter": "number", + "axis_position": "left", + "bar_color_rules": [ + { + "id": "ce9549a0-3af0-4070-b169-4b6d145d4c39" + } + ], + "filter": { + "language": "lucene", + "query": "cef.extensions.categoryDeviceGroup:\"/Operating System\"" + }, + "gauge_color_rules": [ + { + "id": "03a2fd72-fc9c-4582-9133-20af36217180" + } + ], + "gauge_inner_width": 10, + "gauge_style": "half", + "gauge_width": 10, + "id": "94161c6c-4f48-4beb-9d78-f79f29c02a34", + "index_pattern": "filebeat-*", + "interval": "auto", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(0,156,224,1)", + "fill": 0.5, + "formatter": "number", + "id": "b4373ffd-9660-4206-afd6-d4867ac7dbdf", + "label": "Event Throughput", + "line_width": 1, + "metrics": [ + { + "id": "b1a48389-d799-4eba-8b98-7ee8ef0bb440", + "type": "count" + }, + { + "field": "b1a48389-d799-4eba-8b98-7ee8ef0bb440", + "id": "89f8286e-4aec-4cb4-83ad-b139692edf3d", + "type": "cumulative_sum" + }, + { + "field": "89f8286e-4aec-4cb4-83ad-b139692edf3d", + "id": 
"1df39e5f-3e98-4ed7-ab08-47f3ca2ee915", + "type": "derivative", + "unit": "1s" + }, + { + "alpha": 0.3, + "beta": 0.1, + "field": "1df39e5f-3e98-4ed7-ab08-47f3ca2ee915", + "gamma": 0.3, + "id": "f46a6e6e-444f-4c7e-b5eb-e1a59568f2eb", + "model_type": "simple", + "multiplicative": false, + "period": 1, + "type": "moving_average", + "window": "10" + } + ], + "offset_time": "1m", + "point_size": 1, + "seperate_axis": 0, + "split_mode": "everything", + "stacked": "none", + "value_template": "{{value}} / s" + } + ], + "show_legend": 1, + "time_field": "@timestamp", + "type": "gauge" + }, + "title": "Endpoint - OS Average EPS [Filebeat CEF]", + "type": "metrics" + } + }, + "id": "76c088c3-486e-4420-8840-5ede667edffe", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [], + "type": "visualization", + "updated_at": "2019-10-25T16:30:02.301Z", + "version": "WzEyNjgsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Events by Source and Destination Users [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Event Count" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Timestamp", + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1 + }, + "schema": "segment", + "type": "date_histogram" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Source Users", + "field": "source.user.name" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "Destination Users", + "field": "destination.user.name" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "listeners": {}, + "params": { + "addLegend": true, + "addTimeMarker": false, + 
"addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Timestamp" + }, + "type": "category" + } + ], + "defaultYExtents": false, + "drawLinesBetweenPoints": true, + "grid": { + "categoryLines": false, + "style": { + "color": "#eee" + } + }, + "interpolate": "linear", + "legendPosition": "right", + "radiusRatio": 9, + "scale": "linear", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Event Count" + }, + "drawLinesBetweenPoints": true, + "mode": "stacked", + "show": "true", + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + }, + { + "data": { + "id": "3", + "label": "Source Users" + }, + "drawLinesBetweenPoints": true, + "interpolate": "linear", + "lineWidth": 3, + "mode": "normal", + "show": true, + "showCircles": true, + "type": "line", + "valueAxis": "ValueAxis-2" + }, + { + "data": { + "id": "4", + "label": "Destination Users" + }, + "drawLinesBetweenPoints": true, + "interpolate": "linear", + "lineWidth": 3, + "mode": "normal", + "show": true, + "showCircles": true, + "type": "line", + "valueAxis": "ValueAxis-2" + } + ], + "setYExtents": false, + "showCircles": true, + "times": [], + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Event Count" + }, + "type": "value" + }, + { + "id": "ValueAxis-2", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "RightAxis-1", + "position": "right", + "scale": { + "mode": "normal", + "type": "square root" + }, + "show": true, + "style": {}, + "title": { + "text": "" + }, + "type": "value" + } + ] + }, + "title": "Events by 
Source and Destination Users [Filebeat CEF]", + "type": "histogram" + } + }, + "id": "5f187dc8-aa7e-4f91-a2d8-1186ce254d00", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:02.301Z", + "version": "WzEyNjksMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Sources by Destinations [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Source Host", + "field": "source.domain", + "order": "desc", + "orderBy": "1", + "size": 10 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Destination Host", + "field": "destination.domain", + "order": "desc", + "orderBy": "1", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "listeners": {}, + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "legendPosition": "bottom" + }, + "title": "Top 10 Sources by Destinations [Filebeat CEF]", + "type": "pie" + } + }, + "id": "316fdc75-7215-4c6b-8e1b-70a097b34e28", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:02.301Z", + "version": "WzEyNzAsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Source Users by Destination Users [Filebeat CEF]", + 
"uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Source Users", + "field": "source.user.name", + "order": "desc", + "orderBy": "1", + "size": 10 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Destination Users", + "field": "destination.user.name", + "order": "desc", + "orderBy": "1", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "listeners": {}, + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "legendPosition": "bottom" + }, + "title": "Top 10 Source Users by Destination Users [Filebeat CEF]", + "type": "pie" + } + }, + "id": "6437e9bb-9ed1-4e2d-bb10-e63ccd35c409", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:02.301Z", + "version": "WzEyNzEsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Destinations [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Destination Hosts", + "field": "destination.domain", + "order": "desc", + "orderBy": "1", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "listeners": {}, + "params": { + "maxFontSize": 60, + "minFontSize": 10, + "orientation": "single", + "scale": "linear" + }, + "title": "Top 10 Destinations [Filebeat CEF]", + "type": "tagcloud" + } + }, + "id": 
"4a7c10c7-4abd-47b4-b4c3-dee33377fbdf", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:02.301Z", + "version": "WzEyNzIsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Destination Users [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Destination Users", + "field": "destination.user.name", + "order": "desc", + "orderBy": "1", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "listeners": {}, + "params": { + "maxFontSize": 60, + "minFontSize": 10, + "orientation": "single", + "scale": "linear" + }, + "title": "Top 10 Destination Users [Filebeat CEF]", + "type": "tagcloud" + } + }, + "id": "acc915fe-b971-4795-9040-3fbfdf62abe1", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:02.301Z", + "version": "WzEyNzMsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Sources [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Source Hosts", + "field": "source.domain", + "order": "desc", + "orderBy": "1", + "size": 10 + }, + "schema": 
"segment", + "type": "terms" + } + ], + "listeners": {}, + "params": { + "maxFontSize": 60, + "minFontSize": 10, + "orientation": "single", + "scale": "linear" + }, + "title": "Top 10 Sources [Filebeat CEF]", + "type": "tagcloud" + } + }, + "id": "4e25b5ce-53c3-46fc-b5e5-71d3c52f1956", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:02.301Z", + "version": "WzEyNzQsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Source Users [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Source Users", + "field": "source.user.name", + "order": "desc", + "orderBy": "1", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "listeners": {}, + "params": { + "maxFontSize": 60, + "minFontSize": 10, + "orientation": "single", + "scale": "linear" + }, + "title": "Top 10 Source Users [Filebeat CEF]", + "type": "tagcloud" + } + }, + "id": "8cd00d20-957d-4663-be4d-ea80b1609586", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:02.301Z", + "version": "WzEyNzUsMV0=" + }, + { + "attributes": { + "columns": [ + "cef.device.vendor", + "cef.device.product", + "message", + "cef.device.event_class_id", + "cef.extensions.deviceEventCategory", + "source.user.name", + "destination.user.name", + "destination.domain", + "cef.extensions.categoryBehavior", + 
"cef.extensions.categoryOutcome", + "cef.extensions.sourceNtDomain", + "cef.extensions.destinationNtDomain" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "query_string": { + "analyze_wildcard": true, + "query": "cef.extensions.categoryDeviceGroup:\"/Operating System\"" + } + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Endpoint - OS Events [Filebeat CEF]", + "version": 1 + }, + "id": "e6cf2383-71f4-4db1-a791-1a7d4f110194", + "migrationVersion": { + "search": "7.4.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2019-10-25T16:30:02.301Z", + "version": "WzEyNzYsMV0=" + } + ], + "version": "7.4.1" +} diff --git a/x-pack/filebeat/module/cef/_meta/kibana/7/dashboard/filebeat-cef-endpoint-overview.json b/x-pack/filebeat/module/cef/_meta/kibana/7/dashboard/filebeat-cef-endpoint-overview.json new file mode 100644 index 000000000000..013f1ca15892 --- /dev/null +++ b/x-pack/filebeat/module/cef/_meta/kibana/7/dashboard/filebeat-cef-endpoint-overview.json 
@@ -0,0 +1,1765 @@ +{ + "objects": [ + { + "attributes": { + "description": "Summary of endpoint event data.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "query": { + "language": "lucene", + "query": "*" + }, + "version": true + } + }, + "optionsJSON": { + "darkTheme": false + }, + "panelsJSON": [ + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "1", + "w": 8, + "x": 40, + "y": 4 + }, + "panelIndex": "1", + "panelRefName": "panel_0", + "version": "7.3.0" + }, + { + "embeddableConfig": { + "vis": { + "colors": { + "/Attempt": "#0A50A1", + "/Failure": "#BF1B00", + "/Success": "#629E51" + } + } + }, + "gridData": { + "h": 12, + "i": "2", + "w": 24, + "x": 24, + "y": 32 + }, + "panelIndex": "2", + "panelRefName": "panel_1", + "version": "7.3.0" + }, + { + "embeddableConfig": { + "vis": { + "colors": { + "/Attempt": "#0A50A1", + "/Failure": "#BF1B00", + "/Success": "#629E51" + } + } + }, + "gridData": { + "h": 12, + "i": "3", + "w": 24, + "x": 0, + "y": 32 + }, + "panelIndex": "3", + "panelRefName": "panel_2", + "version": "7.3.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "5", + "w": 48, + "x": 0, + "y": 12 + }, + "panelIndex": "5", + "panelRefName": "panel_3", + "version": "7.3.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "6", + "w": 24, + "x": 24, + "y": 44 + }, + "panelIndex": "6", + "panelRefName": "panel_4", + "version": "7.3.0" + }, + { + "embeddableConfig": { + "vis": { + "defaultColors": { + "0 - 100": "rgb(0,104,55)" + } + } + }, + "gridData": { + "h": 8, + "i": "7", + "w": 40, + "x": 0, + "y": 4 + }, + "panelIndex": "7", + "panelRefName": "panel_5", + "version": "7.3.0" + }, + { + "embeddableConfig": { + "vis": { + "colors": { + "/Attempt": "#0A50A1", + "/Failure": "#BF1B00", + "/Success": "#629E51" + } + } + }, + "gridData": { + "h": 12, + "i": "8", + "w": 24, + "x": 0, + "y": 44 + }, + "panelIndex": "8", + "panelRefName": 
"panel_6", + "version": "7.3.0" + }, + { + "embeddableConfig": { + "columns": [ + "cef.extensions.categoryDeviceGroup", + "cef.extensions.categoryTechnique", + "cef.extensions.categoryOutcome", + "cef.extensions.categorySignificance", + "cef.extensions.categoryObject", + "cef.extensions.categoryBehavior", + "cef.extensions.categoryDeviceType" + ], + "sort": [ + "@timestamp", + "desc" + ] + }, + "gridData": { + "h": 20, + "i": "9", + "w": 48, + "x": 0, + "y": 76 + }, + "panelIndex": "9", + "panelRefName": "panel_7", + "version": "7.3.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "10", + "w": 24, + "x": 24, + "y": 56 + }, + "panelIndex": "10", + "panelRefName": "panel_8", + "version": "7.3.0" + }, + { + "embeddableConfig": { + "vis": { + "colors": { + "Anti-Virus": "#EAB839", + "Database": "#629E51", + "Host-based IDS/IPS": "#E0752D", + "Operating System": "#BF1B00", + "Security Mangement": "#64B0C8" + } + } + }, + "gridData": { + "h": 12, + "i": "11", + "w": 24, + "x": 0, + "y": 20 + }, + "panelIndex": "11", + "panelRefName": "panel_9", + "version": "7.3.0" + }, + { + "embeddableConfig": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "gridData": { + "h": 20, + "i": "12", + "w": 24, + "x": 0, + "y": 56 + }, + "panelIndex": "12", + "panelRefName": "panel_10", + "version": "7.3.0" + }, + { + "embeddableConfig": { + "vis": { + "colors": { + "/Attempt": "#0A50A1", + "/Failure": "#BF1B00", + "/Informational": "#7EB26D", + "/Informational/Warning": "#EF843C", + "/Success": "#629E51", + "Anti-Virus": "#EAB839", + "Database": "#629E51", + "Host-based IDS/IPS": "#E0752D", + "Log Consolidator": "#E0F9D7", + "Operating System": "#BF1B00", + "Recon": "#BF1B00", + "Security Mangement": "#64B0C8" + } + } + }, + "gridData": { + "h": 12, + "i": "14", + "w": 24, + "x": 24, + "y": 20 + }, + "panelIndex": "14", + "panelRefName": "panel_11", + "version": "7.3.0" + }, + { + "embeddableConfig": {}, + 
"gridData": { + "h": 4, + "i": "15", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "15", + "panelRefName": "panel_12", + "version": "7.3.0" + }, + { + "embeddableConfig": { + "mapCenter": [ + 12.897489183755892, + 0 + ], + "mapZoom": 1 + }, + "gridData": { + "h": 12, + "i": "17", + "w": 24, + "x": 24, + "y": 64 + }, + "panelIndex": "17", + "panelRefName": "panel_13", + "version": "7.3.0" + } + ], + "refreshInterval": { + "display": "Off", + "pause": false, + "value": 0 + }, + "timeFrom": "now-24h", + "timeRestore": true, + "timeTo": "now", + "title": "[Filebeat CEF] Endpoint Overview Dashboard", + "version": 1 + }, + "id": "c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "references": [ + { + "id": "9457ee67-895f-4b78-a543-268f9687a745", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "fe7b63d1-dbc7-4376-af7f-ace97a9f2e60", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "89998099-9a39-44cf-beba-5b97f0524cf9", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "718b074e-3dd1-4d03-ba11-7f869cdcd703", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "c5120e27-1f8c-41e3-83ee-78ec4d470c2f", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "7454c034-c5f3-48fe-8fce-ef4385c80350", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "118af639-1f37-4541-a960-5a3ff0613e0e", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "5cede2d3-20fe-4140-add4-4c4f841b71a2", + "name": "panel_7", + "type": "search" + }, + { + "id": "74d2c072-6dfd-4249-8e63-dc7b0cf3c960", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "f57734dd-0f32-42b4-94dd-5d597f6735e1", + "name": "panel_9", + "type": "visualization" + }, + { + "id": "295986d4-d2ea-4541-8e82-7dc95c0cd830", + "name": "panel_10", + "type": "visualization" + }, + { + "id": "5bf6e4dc-4273-4e1e-a803-04347eebeb53", + "name": "panel_11", + "type": "visualization" + }, + { + 
"id": "677891a1-90c4-4273-b126-f0e54689bd76", + "name": "panel_12", + "type": "visualization" + }, + { + "id": "aaa80503-6d96-4a33-806f-b8a10aefe696", + "name": "panel_13", + "type": "visualization" + } + ], + "type": "dashboard", + "updated_at": "2019-10-25T16:30:03.318Z", + "version": "WzEyNzcsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "query_string": { + "query": "*" + } + } + } + }, + "title": "Endpoint Average EPS [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "listeners": {}, + "params": { + "axis_formatter": "number", + "axis_position": "left", + "bar_color_rules": [ + { + "id": "85a1c642-9781-430d-b84b-b28cb2a42fb4" + } + ], + "filter": { + "language": "lucene", + "query": "cef.extensions.categoryDeviceGroup:\"/Operating System\" OR cef.extensions.categoryDeviceGroup:\"/IDS/Host\" OR cef.extensions.categoryDeviceGroup:\"/Application\"" + }, + "gauge_color_rules": [ + { + "id": "03a2fd72-fc9c-4582-9133-20af36217180" + } + ], + "gauge_inner_width": 10, + "gauge_style": "half", + "gauge_width": 10, + "id": "b7a85957-123e-4e25-9e8e-ff7992c9b2b9", + "index_pattern": "filebeat-*", + "interval": "auto", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(0,156,224,1)", + "fill": 0.5, + "formatter": "number", + "id": "b4373ffd-9660-4206-afd6-d4867ac7dbdf", + "label": "Event Throughput", + "line_width": 1, + "metrics": [ + { + "id": "b1a48389-d799-4eba-8b98-7ee8ef0bb440", + "type": "count" + }, + { + "field": "b1a48389-d799-4eba-8b98-7ee8ef0bb440", + "id": "7c5c44cc-17bd-4206-a100-b8996cd3d11a", + "type": "cumulative_sum" + }, + { + "field": "7c5c44cc-17bd-4206-a100-b8996cd3d11a", + "id": "215c5225-5368-40e6-8fcd-2b0026babba0", + "type": "derivative", + "unit": "1s" + }, + { + "alpha": 0.3, + "beta": 0.1, + "field": "215c5225-5368-40e6-8fcd-2b0026babba0", + "gamma": 0.3, + "id": 
"f4dfe09a-e397-4287-ab99-3206516cded3", + "model_type": "simple", + "multiplicative": false, + "period": 1, + "type": "moving_average", + "window": "10" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_mode": "everything", + "stacked": "none", + "value_template": "{{value}} / s" + } + ], + "show_legend": 1, + "time_field": "@timestamp", + "type": "gauge" + }, + "title": "Endpoint Average EPS [Filebeat CEF]", + "type": "metrics" + } + }, + "id": "9457ee67-895f-4b78-a543-268f9687a745", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [], + "type": "visualization", + "updated_at": "2019-10-25T16:30:03.318Z", + "version": "WzEyNzgsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Destination Ports by Outcomes [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "destination.port", + "order": "desc", + "orderBy": "1", + "size": 20 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "cef.extensions.categoryOutcome", + "order": "desc", + "orderBy": "1", + "size": 5 + }, + "schema": "group", + "type": "terms" + } + ], + "listeners": {}, + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "destination.port: Descending" + }, + "type": "category" + } + ], + "defaultYExtents": false, + "drawLinesBetweenPoints": true, + "grid": { + "categoryLines": false, + "style": { + "color": "#eee" + } + }, + "interpolate": "linear", + 
"legendPosition": "right", + "radiusRatio": 9, + "scale": "linear", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "mode": "stacked", + "show": "true", + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "setYExtents": false, + "showCircles": true, + "times": [], + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "defaultYExtents": true, + "mode": "normal", + "setYExtents": false, + "type": "square root" + }, + "show": true, + "style": {}, + "title": {}, + "type": "value" + } + ] + }, + "title": "Destination Ports by Outcomes [Filebeat CEF]", + "type": "histogram" + } + }, + "id": "fe7b63d1-dbc7-4376-af7f-ace97a9f2e60", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "5cede2d3-20fe-4140-add4-4c4f841b71a2", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:03.318Z", + "version": "WzEyNzksMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Outcomes Breakdown [Filebeat CEF]", + "uiStateJSON": { + "vis": { + "colors": { + "/Attempt": "#3F2B5B", + "/Failure": "#BF1B00" + }, + "legendOpen": true + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Time", + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1 + }, + "schema": "segment", + "type": "date_histogram" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "cef.extensions.categoryOutcome", + "order": "desc", + "orderBy": "1", + "size": 5 + }, + 
"schema": "group", + "type": "terms" + } + ], + "listeners": {}, + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Time" + }, + "type": "category" + } + ], + "defaultYExtents": false, + "drawLinesBetweenPoints": true, + "grid": { + "categoryLines": false, + "style": { + "color": "#eee" + } + }, + "interpolate": "linear", + "legendPosition": "right", + "radiusRatio": 9, + "scale": "linear", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "interpolate": "linear", + "mode": "stacked", + "show": "true", + "showCircles": true, + "type": "area", + "valueAxis": "ValueAxis-1" + } + ], + "setYExtents": false, + "showCircles": true, + "times": [], + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "value" + } + ] + }, + "title": "Outcomes Breakdown [Filebeat CEF]", + "type": "area" + } + }, + "id": "89998099-9a39-44cf-beba-5b97f0524cf9", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "5cede2d3-20fe-4140-add4-4c4f841b71a2", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:03.318Z", + "version": "WzEyODAsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "query_string": { + "query": "*" + } + } + } + }, + "title": "Events by Device [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "listeners": {}, + "params": { + 
"axis_formatter": "number", + "axis_position": "left", + "filter": { + "language": "lucene", + "query": "cef.extensions.categoryDeviceGroup:\"/Operating System\" OR cef.extensions.categoryDeviceGroup:\"/IDS/Host\" OR cef.extensions.categoryDeviceGroup:\"/Application\"" + }, + "id": "fd1ffeb6-678e-4163-9421-6a164fd59048", + "index_pattern": "filebeat-*", + "interval": "auto", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(254,37,37,1)", + "fill": "0", + "formatter": "number", + "id": "6a10f77d-4e26-4b27-9c19-f1b0029b075b", + "label": "Events", + "line_width": "3", + "metrics": [ + { + "id": "845b9164-65f4-4599-b9cc-8d91b6ba8d83", + "type": "count" + }, + { + "alpha": 0.3, + "beta": 0.1, + "field": "845b9164-65f4-4599-b9cc-8d91b6ba8d83", + "gamma": 0.3, + "id": "59675e84-1a8e-41df-9f63-875109bd795a", + "model_type": "simple", + "multiplicative": false, + "period": 1, + "type": "moving_average", + "window": "10" + } + ], + "point_size": 1, + "seperate_axis": 1, + "split_filters": [ + { + "color": "rgba(244,78,59,1)", + "filter": "cef.extensions.categoryDeviceGroup:\"/Operating System\" ", + "id": "d9a580c3-eb83-4d20-a391-0934d7df8837", + "label": "Operating System" + }, + { + "color": "rgba(254,146,0,1)", + "filter": " cef.extensions.categoryDeviceGroup:\"/IDS/Host\"", + "id": "9ce8be14-6191-4c9a-a679-e3992fdab8d2", + "label": "Host IDS" + }, + { + "color": "rgba(252,220,0,1)", + "filter": "cef.extensions.categoryDeviceGroup:\"/Application\"", + "id": "262ecd54-a042-4bfb-b489-d7db8431c36e", + "label": "Application" + } + ], + "split_mode": "filters", + "stacked": "none" + }, + { + "axis_position": "left", + "chart_type": "bar", + "color": "rgba(0,156,224,1)", + "fill": 0.5, + "formatter": "number", + "id": "92e98952-8e25-472f-abb5-05a7d9b830ea", + "label": "Moving Average by Device HostNames", + "line_width": 1, + "metrics": [ + { + "id": "3df841a9-5997-4a1a-ad8f-69620d23e65b", + "type": "count" + }, + { + "alpha": 0.3, + 
"beta": 0.1, + "field": "3df841a9-5997-4a1a-ad8f-69620d23e65b", + "gamma": 0.3, + "id": "9765367a-0fc2-45ba-88a8-e87991210edd", + "model_type": "simple", + "multiplicative": false, + "period": 1, + "type": "moving_average", + "window": "10" + } + ], + "point_size": 1, + "seperate_axis": 1, + "split_mode": "terms", + "stacked": "none", + "terms_field": "observer.hostname" + } + ], + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "Events by Device [Filebeat CEF]", + "type": "metrics" + } + }, + "id": "718b074e-3dd1-4d03-ba11-7f869cdcd703", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [], + "type": "visualization", + "updated_at": "2019-10-25T16:30:03.318Z", + "version": "WzEyODEsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Destination Port [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "destination.port", + "order": "desc", + "orderBy": "1", + "size": 20 + }, + "schema": "segment", + "type": "terms" + } + ], + "listeners": {}, + "params": { + "maxFontSize": 72, + "minFontSize": 18, + "orientation": "single", + "scale": "linear" + }, + "title": "Top 10 Destination Port [Filebeat CEF]", + "type": "tagcloud" + } + }, + "id": "c5120e27-1f8c-41e3-83ee-78ec4d470c2f", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "5cede2d3-20fe-4140-add4-4c4f841b71a2", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:03.318Z", + "version": "WzEyODIsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + 
"savedSearchRefName": "search_0", + "title": "Endpoint Metrics Overview [Filebeat CEF]", + "uiStateJSON": { + "vis": { + "defaultColors": { + "0 - 100": "rgb(0,104,55)" + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Event Count" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Devices", + "field": "observer.hostname" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Source", + "field": "source.ip" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "Destination", + "field": "destination.ip" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "5", + "params": { + "customLabel": "Port", + "field": "destination.port" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "listeners": {}, + "params": { + "addLegend": false, + "addTooltip": true, + "fontSize": "30", + "gauge": { + "autoExtend": false, + "backStyle": "Full", + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 100 + } + ], + "gaugeColorMode": "None", + "gaugeStyle": "Full", + "gaugeType": "Metric", + "invertColors": false, + "labels": { + "color": "black", + "show": true + }, + "orientation": "vertical", + "percentageMode": false, + "scale": { + "color": "#333", + "labels": false, + "show": false, + "width": 2 + }, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": "12", + "labelColor": false, + "subText": "" + }, + "type": "simple", + "useRange": false, + "verticalSplit": false + }, + "handleNoResults": true, + "type": "gauge" + }, + "title": "Endpoint Metrics Overview [Filebeat CEF]", + "type": "metric" + } + }, + "id": "7454c034-c5f3-48fe-8fce-ef4385c80350", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { 
+ "id": "5cede2d3-20fe-4140-add4-4c4f841b71a2", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:03.318Z", + "version": "WzEyODMsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Outcomes by Device Type [Filebeat CEF]", + "uiStateJSON": { + "vis": { + "colors": { + "/Failure": "#BF1B00" + }, + "legendOpen": true + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "cef.extensions.categoryDeviceType", + "order": "desc", + "orderBy": "1", + "size": 5 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "cef.extensions.categoryOutcome", + "order": "desc", + "orderBy": "1", + "size": 5 + }, + "schema": "group", + "type": "terms" + } + ], + "listeners": {}, + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 200 + }, + "position": "left", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "cef.extensions.categoryDeviceType: Descending" + }, + "type": "category" + } + ], + "defaultYExtents": false, + "drawLinesBetweenPoints": true, + "grid": { + "categoryLines": false, + "style": { + "color": "#eee" + } + }, + "interpolate": "linear", + "legendPosition": "right", + "radiusRatio": 9, + "scale": "linear", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "mode": "normal", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "setYExtents": false, + "showCircles": true, + 
"times": [], + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": true, + "rotate": 75, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "bottom", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "value" + } + ] + }, + "title": "Outcomes by Device Type [Filebeat CEF]", + "type": "histogram" + } + }, + "id": "118af639-1f37-4541-a960-5a3ff0613e0e", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "5cede2d3-20fe-4140-add4-4c4f841b71a2", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:03.318Z", + "version": "WzEyODQsMV0=" + }, + { + "attributes": { + "columns": [ + "cef.extensions.categoryDeviceGroup", + "cef.extensions.categoryTechnique", + "cef.extensions.categoryOutcome", + "cef.extensions.categorySignificance", + "cef.extensions.categoryObject", + "cef.extensions.categoryBehavior", + "cef.extensions.categoryDeviceType" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "query_string": { + "analyze_wildcard": true, + "query": "cef.extensions.categoryDeviceGroup:\"/Operating System\" OR cef.extensions.categoryDeviceGroup:\"/IDS/Host\" OR cef.extensions.categoryDeviceGroup:\"/Application\"" + } + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Endpoint Event Explorer [Filebeat CEF]", + "version": 1 + }, + "id": "5cede2d3-20fe-4140-add4-4c4f841b71a2", + "migrationVersion": { + "search": "7.4.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2019-10-25T16:30:03.318Z", + "version": "WzEyODUsMV0=" + }, + { + "attributes": { + 
"description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Top 5 Source Countries [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "source.geo.country_iso_code", + "order": "desc", + "orderBy": "1", + "size": 20 + }, + "schema": "segment", + "type": "terms" + } + ], + "listeners": {}, + "params": { + "maxFontSize": 72, + "minFontSize": 18, + "orientation": "single", + "scale": "linear" + }, + "title": "Top 5 Source Countries [Filebeat CEF]", + "type": "tagcloud" + } + }, + "id": "74d2c072-6dfd-4249-8e63-dc7b0cf3c960", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "5cede2d3-20fe-4140-add4-4c4f841b71a2", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:03.318Z", + "version": "WzEyODYsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Device Types by Vendor [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "exclude": "Network-based IDS/IPS", + "field": "cef.extensions.categoryDeviceType", + "order": "desc", + "orderBy": "1", + "size": 5 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "exclude": "", + "field": "cef.device.vendor", + "order": "desc", + "orderBy": "1", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "listeners": {}, + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": false, + 
"legendPosition": "right" + }, + "title": "Device Types by Vendor [Filebeat CEF]", + "type": "pie" + } + }, + "id": "f57734dd-0f32-42b4-94dd-5d597f6735e1", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "5cede2d3-20fe-4140-add4-4c4f841b71a2", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:03.318Z", + "version": "WzEyODcsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Source Countries by Event [Filebeat CEF]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Total Events" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "source.geo.country_iso_code", + "order": "desc", + "orderBy": "1", + "size": 35 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Source Addresses", + "field": "source.ip" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "Destination Addresses", + "field": "destination.ip" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "5", + "params": { + "customLabel": "Destination Ports", + "field": "destination.port" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "listeners": {}, + "params": { + "perPage": 10, + "showMeticsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Top 10 Source Countries by Event [Filebeat CEF]", + "type": "table" + } + }, + "id": 
"295986d4-d2ea-4541-8e82-7dc95c0cd830", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "5cede2d3-20fe-4140-add4-4c4f841b71a2", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:03.318Z", + "version": "WzEyODgsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Outcomes by User Names [Filebeat CEF]", + "uiStateJSON": { + "vis": { + "colors": { + "/Informational": "#7EB26D", + "/Informational/Warning": "#EF843C", + "/Success": "#64B0C8", + "Anti-Virus": "#B7DBAB", + "Host-based IDS/IPS": "#629E51", + "Log Consolidator": "#E0F9D7", + "Operating System": "#3F6833", + "Recon": "#BF1B00", + "Security Mangement": "#CFFAFF" + }, + "legendOpen": true + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "exclude": "Network-based IDS/IPS", + "field": "cef.extensions.categoryDeviceType", + "order": "desc", + "orderBy": "1", + "size": 5 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "cef.extensions.categoryOutcome", + "order": "desc", + "orderBy": "1", + "size": 5 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "6", + "params": { + "field": "destination.user.name", + "order": "desc", + "orderBy": "1", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "listeners": {}, + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": false, + "legendPosition": "right" + }, + "title": "Outcomes by User Names [Filebeat CEF]", + "type": "pie" + } + }, + "id": "5bf6e4dc-4273-4e1e-a803-04347eebeb53", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": 
"5cede2d3-20fe-4140-add4-4c4f841b71a2", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:03.318Z", + "version": "WzEyODksMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "query_string": { + "query": "*" + } + } + } + }, + "title": " Dashboard Navigation [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "listeners": {}, + "params": { + "markdown": "[Network Overview](#/dashboard/dd0bc9af-2e89-4150-9b42-62517ea56b71) | [Network Suspicious Activity](#/dashboard/db1e1aca-279e-4ecc-b84e-fe58644f7619) | [Endpoint Overview](#dashboard/c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b) | [Endpoint OS Activity](#/dashboard/9e352900-89c3-4c1b-863e-249e24d0dac9) | [Microsoft DNS Overview](#/dashboard/56428e01-0c47-4770-8ba4-9345a029ea41)" + }, + "title": " Dashboard Navigation [Filebeat CEF]", + "type": "markdown" + } + }, + "id": "677891a1-90c4-4273-b126-f0e54689bd76", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [], + "type": "visualization", + "updated_at": "2019-10-25T16:30:06.345Z", + "version": "WzEzMzYsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Top Destination Locations by Event [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "autoPrecision": true, + "field": "destination.geo.location", + "precision": 2, + "useGeocentroid": true + }, + "schema": "segment", + "type": "geohash_grid" + } + ], + "listeners": {}, + "params": { + "addTooltip": true, + "heatBlur": 15, + "heatMaxZoom": 0, + "heatMinOpacity": 0.1, + "heatNormalizeData": true, + "heatRadius": 25, + 
"isDesaturated": true, + "legendPosition": "bottomright", + "mapCenter": [ + 0, + 0 + ], + "mapType": "Shaded Circle Markers", + "mapZoom": 2, + "wms": { + "enabled": false, + "options": { + "attribution": "Maps provided by USGS", + "format": "image/png", + "layers": "0", + "styles": "", + "transparent": true, + "version": "1.3.0" + }, + "url": "https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer" + } + }, + "title": "Top Destination Locations by Event [Filebeat CEF]", + "type": "tile_map" + } + }, + "id": "aaa80503-6d96-4a33-806f-b8a10aefe696", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "5cede2d3-20fe-4140-add4-4c4f841b71a2", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:03.318Z", + "version": "WzEyOTEsMV0=" + } + ], + "version": "7.4.1" +} diff --git a/x-pack/filebeat/module/cef/_meta/kibana/7/dashboard/filebeat-cef-microsoft-dns.json b/x-pack/filebeat/module/cef/_meta/kibana/7/dashboard/filebeat-cef-microsoft-dns.json new file mode 100644 index 000000000000..68bbc36f703d --- /dev/null +++ b/x-pack/filebeat/module/cef/_meta/kibana/7/dashboard/filebeat-cef-microsoft-dns.json 
@@ -0,0 +1,1796 @@ +{ + "objects": [ + { + "attributes": { + "description": "Overview of Microsoft DNS activity.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "query": { + "language": "lucene", + "query": "*" + }, + "version": true + } + }, + "optionsJSON": { + "darkTheme": false + }, + "panelsJSON": [ + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "1", + "w": 8, + "x": 40, + "y": 4 + }, + "panelIndex": "1", + "panelRefName": "panel_0", + "version": "7.3.0" + }, + { + "embeddableConfig": { + "vis": { + "defaultColors": { + "0 - 100": "rgb(0,104,55)" + } + } + }, + "gridData": { + "h": 8, + "i": "3", + "w": 40, + "x": 0, + "y": 4 + }, + "panelIndex": "3", + "panelRefName": "panel_1", + "version": "7.3.0" + }, + { + "embeddableConfig": { + "vis": { + "defaultColors": { + "0 - 18k": "rgb(247,251,255)", + "108k - 126k": "rgb(74,152,201)", + "126k - 144k": "rgb(46,126,188)", + "144k - 162k": "rgb(23,100,171)", + "162k - 180k": "rgb(8,74,145)", + "18k - 36k": "rgb(227,238,249)", + "36k - 54k": "rgb(208,225,242)", + "54k - 72k": "rgb(182,212,233)", + "72k - 90k": "rgb(148,196,223)", + "90k - 108k": "rgb(107,174,214)" + }, + "legendOpen": false + } + }, + "gridData": { + "h": 16, + "i": "5", + "w": 24, + "x": 0, + "y": 32 + }, + "panelIndex": "5", + "panelRefName": "panel_2", + "version": "7.3.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "6", + "w": 48, + "x": 0, + "y": 48 + }, + "panelIndex": "6", + "panelRefName": "panel_3", + "version": "7.3.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 16, + "i": "7", + "w": 24, + "x": 24, + "y": 32 + }, + "panelIndex": "7", + "panelRefName": "panel_4", + "version": "7.3.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "9", + "w": 48, + "x": 0, + "y": 12 + }, + "panelIndex": "9", + "panelRefName": "panel_5", + "version": "7.3.0" + }, + { + "embeddableConfig": { + "vis": { + "params": { + "sort": 
{ + "columnIndex": null, + "direction": null + } + } + } + }, + "gridData": { + "h": 16, + "i": "11", + "w": 24, + "x": 24, + "y": 56 + }, + "panelIndex": "11", + "panelRefName": "panel_6", + "version": "7.3.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 4, + "i": "12", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "12", + "panelRefName": "panel_7", + "version": "7.3.0" + }, + { + "embeddableConfig": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "gridData": { + "h": 16, + "i": "13", + "w": 24, + "x": 0, + "y": 56 + }, + "panelIndex": "13", + "panelRefName": "panel_8", + "version": "7.3.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "14", + "w": 24, + "x": 0, + "y": 20 + }, + "panelIndex": "14", + "panelRefName": "panel_9", + "version": "7.3.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "15", + "w": 24, + "x": 24, + "y": 20 + }, + "panelIndex": "15", + "panelRefName": "panel_10", + "version": "7.3.0" + }, + { + "embeddableConfig": { + "mapCenter": [ + 12.211180191503997, + 0 + ], + "mapZoom": 1 + }, + "gridData": { + "h": 12, + "i": "16", + "w": 24, + "x": 24, + "y": 72 + }, + "panelIndex": "16", + "panelRefName": "panel_11", + "version": "7.3.0" + }, + { + "embeddableConfig": { + "mapCenter": [ + -0.17578097424708533, + 0 + ], + "mapZoom": 1 + }, + "gridData": { + "h": 12, + "i": "17", + "w": 24, + "x": 0, + "y": 72 + }, + "panelIndex": "17", + "panelRefName": "panel_12", + "version": "7.3.0" + } + ], + "refreshInterval": { + "display": "Off", + "pause": false, + "value": 0 + }, + "timeFrom": "now-24h", + "timeRestore": true, + "timeTo": "now", + "title": "[Filebeat CEF] Microsoft DNS Overview", + "version": 1 + }, + "id": "56428e01-0c47-4770-8ba4-9345a029ea41", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "references": [ + { + "id": "7e2b0659-0760-4182-8b29-3ee69f26bc6f", + "name": "panel_0", + "type": "visualization" + }, + { + 
"id": "249e2737-b41f-4115-b303-88bc9d279655", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "566d8b4e-ec5c-4b8b-bd68-3cc9cb236110", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "759e8dc3-0fdb-4cb6-ba47-87a2e2ff8df3", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "fcf798a8-db8f-4492-827b-8fa7581108a9", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "f0e60404-ddf4-4b46-8e45-e28c4fb6d60d", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "1b9cc5b7-7747-49de-96b1-a4bc7f675716", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "677891a1-90c4-4273-b126-f0e54689bd76", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "26a65f68-d7a6-4b47-befc-c5a6819bb91b", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "16aef3e9-e33b-4bab-b32f-d8c5b1263ac0", + "name": "panel_9", + "type": "visualization" + }, + { + "id": "f3c573ad-2c16-4de5-9ec3-0a47141d4fa0", + "name": "panel_10", + "type": "visualization" + }, + { + "id": "1b521f56-8089-433f-88f7-56aba867e07d", + "name": "panel_11", + "type": "visualization" + }, + { + "id": "581a296e-e34a-48f1-93e4-fc4bdadfc68d", + "name": "panel_12", + "type": "visualization" + } + ], + "type": "dashboard", + "updated_at": "2019-10-25T16:30:04.348Z", + "version": "WzEyOTIsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "query_string": { + "query": "*" + } + } + } + }, + "title": "DNS - Event Throughput [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "listeners": {}, + "params": { + "axis_formatter": "number", + "axis_position": "left", + "background_color_rules": [ + { + "id": "3eadd451-5033-423f-88e3-814cc5e50b50" + } + ], + "bar_color_rules": [ + { + "id": "fa374805-d1ca-4261-b723-9b482a7dd43a" + } + ], + "filter": { + "language": "lucene", + "query": "cef.device.product:\"DNS Trace Log\"" + 
}, + "gauge_color_rules": [ + { + "gauge": null, + "id": "4d957654-cc7e-4ef3-8b29-61c0aeadd51a", + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "", + "gauge_style": "half", + "gauge_width": 10, + "id": "73968651-c41e-473e-a153-a025f49d1a1b", + "index_pattern": "filebeat-*", + "interval": "auto", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(0,156,224,1)", + "fill": 0.5, + "formatter": "number", + "id": "90d7621e-3265-4fe8-8882-8df9605ea659", + "label": "Event Throughput", + "line_width": 1, + "metrics": [ + { + "id": "ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba", + "type": "count" + }, + { + "field": "ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba", + "id": "cf3e6b1c-4136-4868-913e-0e82d88a8c9c", + "type": "cumulative_sum" + }, + { + "field": "cf3e6b1c-4136-4868-913e-0e82d88a8c9c", + "id": "0e407985-9ae4-4c1f-bb0e-16cd9bef7611", + "type": "derivative", + "unit": "1s" + }, + { + "alpha": 0.3, + "beta": 0.1, + "field": "0e407985-9ae4-4c1f-bb0e-16cd9bef7611", + "gamma": 0.3, + "id": "48026f85-83c8-40e6-aff4-71f3bd6c77c9", + "model_type": "simple", + "multiplicative": false, + "period": 1, + "type": "moving_average", + "window": "10" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_mode": "everything", + "stacked": "none", + "value_template": "{{value}} / s" + } + ], + "show_legend": 1, + "time_field": "@timestamp", + "type": "gauge" + }, + "title": "DNS - Event Throughput [Filebeat CEF]", + "type": "metrics" + } + }, + "id": "7e2b0659-0760-4182-8b29-3ee69f26bc6f", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [], + "type": "visualization", + "updated_at": "2019-10-25T16:30:04.348Z", + "version": "WzEyOTMsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "DNS Metrics Overview [Filebeat CEF]", + "uiStateJSON": { + "vis": { + "defaultColors": { + "0 - 100": 
"rgb(0,104,55)" + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "5", + "params": { + "customLabel": "Event Count" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Threads", + "field": "cef.extensions.deviceCustomString1" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "OpCodes", + "field": "cef.extensions.deviceCustomString2" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "Activity Types", + "field": "cef.device.event_class_id" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "listeners": {}, + "params": { + "addLegend": false, + "addTooltip": true, + "gauge": { + "autoExtend": false, + "backStyle": "Full", + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 100 + } + ], + "gaugeColorMode": "None", + "gaugeStyle": "Full", + "gaugeType": "Metric", + "invertColors": false, + "labels": { + "color": "black", + "show": true + }, + "orientation": "vertical", + "percentageMode": false, + "scale": { + "color": "#333", + "labels": false, + "show": false, + "width": 2 + }, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": "32", + "labelColor": false, + "subText": "" + }, + "type": "simple", + "useRange": false, + "verticalSplit": false + }, + "type": "gauge" + }, + "title": "DNS Metrics Overview [Filebeat CEF]", + "type": "metric" + } + }, + "id": "249e2737-b41f-4115-b303-88bc9d279655", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "f85a3444-8a43-4e46-b872-4e44bc25d0f3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:04.348Z", + "version": "WzEyOTQsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + 
"filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Top Destinations by Traffic Size [Filebeat CEF]", + "uiStateJSON": { + "vis": { + "defaultColors": { + "0 - 18k": "rgb(247,251,255)", + "108k - 126k": "rgb(74,152,201)", + "126k - 144k": "rgb(46,126,188)", + "144k - 162k": "rgb(23,100,171)", + "162k - 180k": "rgb(8,74,145)", + "18k - 36k": "rgb(227,238,249)", + "36k - 54k": "rgb(208,225,242)", + "54k - 72k": "rgb(182,212,233)", + "72k - 90k": "rgb(148,196,223)", + "90k - 108k": "rgb(107,174,214)" + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Bytes", + "field": "source.bytes" + }, + "schema": "metric", + "type": "sum" + }, + { + "enabled": true, + "id": "2", + "params": { + "filters": [ + { + "input": { + "language": "lucene", + "query": "deviceDirection:\"0\"" + }, + "label": "Inbound" + }, + { + "input": { + "language": "lucene", + "query": "deviceDirection:\"1\"" + }, + "label": "Outbound" + } + ] + }, + "schema": "segment", + "type": "filters" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "destination.domain", + "order": "desc", + "orderBy": "1", + "size": 10 + }, + "schema": "group", + "type": "terms" + } + ], + "listeners": {}, + "params": { + "addLegend": true, + "addTooltip": true, + "colorSchema": "Blues", + "colorsNumber": 10, + "colorsRange": [ + { + "from": 0, + "to": null + } + ], + "enableHover": true, + "invertColors": false, + "legendPosition": "top", + "percentageMode": false, + "setColorRange": false, + "times": [], + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "color": "#555", + "rotate": 0, + "show": false + }, + "scale": { + "defaultYExtents": false, + "type": "linear" + }, + "show": false, + "type": "value" + } + ] + }, + "title": "Top Destinations by Traffic Size [Filebeat CEF]", + "type": "heatmap" + } + }, + "id": "566d8b4e-ec5c-4b8b-bd68-3cc9cb236110", + "migrationVersion": { + "visualization": "7.3.1" + }, + 
"references": [ + { + "id": "f85a3444-8a43-4e46-b872-4e44bc25d0f3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:04.348Z", + "version": "WzEyOTUsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Event Types [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "cef.device.event_class_id", + "order": "desc", + "orderBy": "1", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "listeners": {}, + "params": { + "maxFontSize": 50, + "minFontSize": 12, + "orientation": "single", + "scale": "square root" + }, + "title": "Top 10 Event Types [Filebeat CEF]", + "type": "tagcloud" + } + }, + "id": "759e8dc3-0fdb-4cb6-ba47-87a2e2ff8df3", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "f85a3444-8a43-4e46-b872-4e44bc25d0f3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:04.348Z", + "version": "WzEyOTYsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Event Types by Size [Filebeat CEF]", + "uiStateJSON": { + "vis": { + "colors": { + "Count": "#64B0C8", + "Total (Bytes)": "#E24D42" + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Event Type", + "field": "cef.device.event_class_id", + "order": "desc", + "orderBy": "1", + "size": 20 + }, + "schema": "segment", + "type": "terms" + }, + 
{ + "enabled": true, + "id": "3", + "params": { + "customLabel": "Total (Bytes)", + "field": "source.bytes" + }, + "schema": "metric", + "type": "sum" + } + ], + "listeners": {}, + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "rotate": 75, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Event Type" + }, + "type": "category" + } + ], + "grid": { + "categoryLines": false, + "style": { + "color": "#eee" + }, + "valueAxis": null + }, + "legendPosition": "right", + "orderBucketsBySum": false, + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "mode": "normal", + "show": "true", + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + }, + { + "data": { + "id": "3", + "label": "Total (Bytes)" + }, + "drawLinesBetweenPoints": true, + "interpolate": "linear", + "lineWidth": 3, + "mode": "normal", + "show": true, + "showCircles": false, + "type": "line", + "valueAxis": "ValueAxis-2" + } + ], + "times": [], + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "square root" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + }, + { + "id": "ValueAxis-2", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "RightAxis-1", + "position": "right", + "scale": { + "mode": "normal", + "type": "square root" + }, + "show": true, + "style": {}, + "title": { + "text": "Total (Bytes)" + }, + "type": "value" + } + ] + }, + "title": "Event Types by Size [Filebeat CEF]", + "type": "histogram" + } + }, + "id": "fcf798a8-db8f-4492-827b-8fa7581108a9", + 
"migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "f85a3444-8a43-4e46-b872-4e44bc25d0f3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:04.348Z", + "version": "WzEyOTcsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "query_string": { + "query": "*" + } + } + } + }, + "title": "Events Types by Severity [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "listeners": {}, + "params": { + "axis_formatter": "number", + "axis_position": "left", + "filter": { + "language": "lucene", + "query": "cef.device.product:\"DNS Trace Log\"" + }, + "id": "db54ebce-9dd2-4a1e-b476-b3ddb9a9024e", + "index_pattern": "filebeat-*", + "interval": "auto", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": "0", + "formatter": "number", + "id": "81da76ca-1112-4d91-82f4-c66cd3156a84", + "label": "Cumulative Bytes", + "line_width": "3", + "metrics": [ + { + "field": "source.bytes", + "id": "521d560c-321a-4410-9eb3-2b2bf3f4efee", + "type": "count" + } + ], + "point_size": "0", + "seperate_axis": 1, + "split_filters": [ + { + "color": "rgba(244,78,59,1)", + "filter": "(event.severity:\"2\" OR event.severity:\"3\" OR event.severity:\"5\" OR event.severity:\"16\" OR cef.extension.deviceCustomString4:\"SERVFAIL\" OR cef.extension.deviceCustomString4:\"NXDOMAIN\" OR cef.extension.deviceCustomString4:\"REFUSED\" OR cef.extension.deviceCustomString4:\"BADVERS\" OR cef.extension.deviceCustomString4:\"BADSIG\")", + "id": "3f31a7e4-acf3-4f2d-8b7d-e30522325b2a", + "label": "HIGH" + }, + { + "color": "rgba(254,146,0,1)", + "filter": "(event.severity:\"1\" OR event.severity:\"4\" OR event.severity:\"6\" OR event.severity:\"7\" OR event.severity:\"8\" OR event.severity:\"9\" OR event.severity:\"10\" OR event.severity:\"17\" OR 
event.severity:\"18\" OR event.severity:\"19\" OR event.severity:\"20\" OR event.severity:\"21\" OR event.severity:\"22\" OR cef.extension.deviceCustomString4:\"Error\" OR cef.extension.deviceCustomString4:\"ERROR\" OR cef.extension.deviceCustomString4:\"Warning\" OR cef.extension.deviceCustomString4:\"WARNING\" OR cef.extension.deviceCustomString4:\"FORMERR\" OR cef.extension.deviceCustomString4:\"NOTIMP\" OR cef.extension.deviceCustomString4:\"YXDOMAIN\" OR cef.extension.deviceCustomString4:\"YXRRSET\" OR cef.extension.deviceCustomString4:\"NXRRSET\" OR cef.extension.deviceCustomString4:\"NOTAUTH\" OR cef.extension.deviceCustomString4:\"NOTZONE\" OR cef.extension.deviceCustomString4:\"BADKEY\" OR cef.extension.deviceCustomString4:\"BADTIME\" OR cef.extension.deviceCustomString4:\"BADMODE\" OR cef.extension.deviceCustomString4:\"BADNAME\" OR cef.extension.deviceCustomString4:\"BADALG\" OR cef.extension.deviceCustomString4:\"BADTRUNC\")", + "id": "7949d31b-8aae-433a-b7cf-6939a8728cc9", + "label": "MEDIUM" + }, + { + "color": "rgba(252,220,0,1)", + "filter": "(NOT (event.severity:\"2\" OR event.severity:\"3\" OR event.severity:\"5\" OR event.severity:\"16\" OR cef.extension.deviceCustomString4:\"SERVFAIL\" OR cef.extension.deviceCustomString4:\"NXDOMAIN\" OR cef.extension.deviceCustomString4:\"REFUSED\" OR cef.extension.deviceCustomString4:\"BADVERS\" OR cef.extension.deviceCustomString4:\"BADSIG\" OR event.severity:\"1\" OR event.severity:\"4\" OR event.severity:\"6\" OR event.severity:\"7\" OR event.severity:\"8\" OR event.severity:\"9\" OR event.severity:\"10\" OR event.severity:\"17\" OR event.severity:\"18\" OR event.severity:\"19\" OR event.severity:\"20\" OR event.severity:\"21\" OR event.severity:\"22\" OR cef.extension.deviceCustomString4:\"Error\" OR cef.extension.deviceCustomString4:\"ERROR\" OR cef.extension.deviceCustomString4:\"Warning\" OR cef.extension.deviceCustomString4:\"WARNING\" OR cef.extension.deviceCustomString4:\"FORMERR\" OR 
cef.extension.deviceCustomString4:\"NOTIMP\" OR cef.extension.deviceCustomString4:\"YXDOMAIN\" OR cef.extension.deviceCustomString4:\"YXRRSET\" OR cef.extension.deviceCustomString4:\"NXRRSET\" OR cef.extension.deviceCustomString4:\"NOTAUTH\" OR cef.extension.deviceCustomString4:\"NOTZONE\" OR cef.extension.deviceCustomString4:\"BADKEY\" OR cef.extension.deviceCustomString4:\"BADTIME\" OR cef.extension.deviceCustomString4:\"BADMODE\" OR cef.extension.deviceCustomString4:\"BADNAME\" OR cef.extension.deviceCustomString4:\"BADALG\" OR cef.extension.deviceCustomString4:\"BADTRUNC\"))", + "id": "d2627211-5f9e-4c65-8a47-1cd6f085939d", + "label": "LOW" + } + ], + "split_mode": "filters", + "stacked": "none" + }, + { + "axis_position": "right", + "chart_type": "bar", + "color": "rgba(0,156,224,1)", + "fill": 0.5, + "formatter": "number", + "id": "a5fda184-fdd6-4221-ab59-492eab162f0a", + "label": "Count by Event Type", + "line_width": 1, + "metrics": [ + { + "id": "e147ba1c-b13a-496f-9841-b99ddee81c5a", + "type": "count" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_mode": "terms", + "stacked": "none", + "terms_field": "cef.device.event_class_id", + "terms_size": "20" + } + ], + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "Events Types by Severity [Filebeat CEF]", + "type": "metrics" + } + }, + "id": "f0e60404-ddf4-4b46-8e45-e28c4fb6d60d", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [], + "type": "visualization", + "updated_at": "2019-10-25T16:30:04.348Z", + "version": "WzEyOTgsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Destinations by Size [Filebeat CEF]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "2", + 
"params": { + "customLabel": "Destinations", + "field": "destination.domain", + "order": "desc", + "orderBy": "1", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Bytes", + "field": "source.bytes" + }, + "schema": "metric", + "type": "sum" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "Sources", + "field": "source.ip" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Count" + }, + "schema": "metric", + "type": "count" + } + ], + "listeners": {}, + "params": { + "perPage": 10, + "showMeticsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Top 10 Destinations by Size [Filebeat CEF]", + "type": "table" + } + }, + "id": "1b9cc5b7-7747-49de-96b1-a4bc7f675716", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "f85a3444-8a43-4e46-b872-4e44bc25d0f3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:04.348Z", + "version": "WzEyOTksMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "query_string": { + "query": "*" + } + } + } + }, + "title": " Dashboard Navigation [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "listeners": {}, + "params": { + "markdown": "[Network Overview](#/dashboard/dd0bc9af-2e89-4150-9b42-62517ea56b71) | [Network Suspicious Activity](#/dashboard/db1e1aca-279e-4ecc-b84e-fe58644f7619) | [Endpoint Overview](#dashboard/c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b) | [Endpoint OS Activity](#/dashboard/9e352900-89c3-4c1b-863e-249e24d0dac9) | [Microsoft DNS Overview](#/dashboard/56428e01-0c47-4770-8ba4-9345a029ea41)" + }, + "title": " Dashboard 
Navigation [Filebeat CEF]", + "type": "markdown" + } + }, + "id": "677891a1-90c4-4273-b126-f0e54689bd76", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [], + "type": "visualization", + "updated_at": "2019-10-25T16:30:06.345Z", + "version": "WzEzMzYsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Sources by Size [Filebeat CEF]", + "uiStateJSON": { + "P-11": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "P-13": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "P-2": { + "mapCenter": [ + -0.17578097424708533, + 0 + ], + "mapZoom": 0 + }, + "P-3": { + "vis": { + "defaultColors": { + "0 - 100": "rgb(0,104,55)" + } + } + }, + "P-4": { + "mapCenter": [ + -0.17578097424708533, + 0 + ], + "mapZoom": 0 + }, + "P-5": { + "vis": { + "defaultColors": { + "0 - 18,000": "rgb(247,251,255)", + "108,000 - 126,000": "rgb(74,152,201)", + "126,000 - 144,000": "rgb(46,126,188)", + "144,000 - 162,000": "rgb(23,100,171)", + "162,000 - 180,000": "rgb(8,74,145)", + "18,000 - 36,000": "rgb(227,238,249)", + "36,000 - 54,000": "rgb(208,225,242)", + "54,000 - 72,000": "rgb(182,212,233)", + "72,000 - 90,000": "rgb(148,196,223)", + "90,000 - 108,000": "rgb(107,174,214)" + }, + "legendOpen": false + } + }, + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Sources", + "field": "source.domain", + "order": "desc", + "orderBy": "1", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Bytes", + "field": "source.bytes" + }, + "schema": "metric", + "type": "sum" + }, + { + "enabled": true, + "id": "4", + 
"params": { + "customLabel": "Destinations", + "field": "destination.domain" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Count" + }, + "schema": "metric", + "type": "count" + } + ], + "listeners": {}, + "params": { + "perPage": 10, + "showMeticsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Top 10 Sources by Size [Filebeat CEF]", + "type": "table" + } + }, + "id": "26a65f68-d7a6-4b47-befc-c5a6819bb91b", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "f85a3444-8a43-4e46-b872-4e44bc25d0f3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:04.348Z", + "version": "WzEzMDEsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "query_string": { + "query": "*" + } + } + } + }, + "title": "Events by Direction [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "listeners": {}, + "params": { + "axis_formatter": "number", + "axis_position": "left", + "filter": { + "language": "lucene", + "query": "cef.device.product:\"DNS Trace Log\"" + }, + "id": "be556a57-cd1c-496c-8714-0bd210947c85", + "index_pattern": "filebeat-*", + "interval": "auto", + "series": [ + { + "axis_position": "right", + "chart_type": "bar", + "color": "#68BC00", + "fill": "0.2", + "filter": { + "language": "lucene", + "query": "device" + }, + "formatter": "number", + "id": "9aae7344-9de9-4378-b21d-296cb964f93b", + "label": "Inbound Requests", + "line_width": 1, + "metrics": [ + { + "id": "1cd0b964-45cf-408e-a7e4-e26955f8a3b0", + "type": "count" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_filters": [ + { + "color": "rgba(0,156,224,1)", + "filter": { + "language": "lucene", + 
"query": "deviceDirection:\"0\"" + }, + "id": "f860f6e0-fbd4-4949-8046-6300322dfe84", + "label": "Inbound Requests" + } + ], + "split_mode": "filters", + "stacked": "none" + }, + { + "axis_position": "right", + "chart_type": "bar", + "color": "#68BC00", + "fill": "0.2", + "formatter": "number", + "id": "ed1abe18-e01b-4202-9db4-06fda10692e0", + "label": "Outbound Requests", + "line_width": 1, + "metrics": [ + { + "id": "cfbcfc79-394b-4ec0-a2c2-7a47177d6469", + "type": "count" + }, + { + "id": "6bc37118-ddac-41ec-85b3-9db7e1b3636b", + "script": "params.outbound \u003e 0 ? params.outbound * -1 : 0", + "type": "calculation", + "variables": [ + { + "field": "cfbcfc79-394b-4ec0-a2c2-7a47177d6469", + "id": "f73f4f22-03d5-446a-b031-04eee531e3cc", + "name": "outbound" + } + ] + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_filters": [ + { + "color": "rgba(211,49,21,1)", + "filter": "deviceDirection:\"1\"", + "id": "a9c50e1b-8f11-4bc2-9077-bb8870ed0b62", + "label": "Outbound Requests" + } + ], + "split_mode": "filters", + "stacked": "none" + } + ], + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "Events by Direction [Filebeat CEF]", + "type": "metrics" + } + }, + "id": "16aef3e9-e33b-4bab-b32f-d8c5b1263ac0", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [], + "type": "visualization", + "updated_at": "2019-10-25T16:30:04.348Z", + "version": "WzEzMDIsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "query_string": { + "query": "*" + } + } + } + }, + "title": "Events by Size [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "listeners": {}, + "params": { + "axis_formatter": "number", + "axis_position": "left", + "filter": { + "language": "lucene", + "query": "cef.device.product:\"DNS Trace Log\"" + }, + "id": "6e634117-6b30-411c-b74c-75510befe42f", + "index_pattern": 
"filebeat-*", + "interval": "auto", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(0,156,224,1)", + "fill": 0.5, + "filter": { + "language": "lucene", + "query": "deviceDirection:\"0\"" + }, + "formatter": "bytes", + "id": "28b1fb5b-0f16-4519-b901-4dd2dcc39915", + "label": "Inbound Bytes", + "line_width": "2", + "metrics": [ + { + "field": "source.bytes", + "id": "f613f33f-6459-4e46-a3a0-c36c48c46b2e", + "type": "sum" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_mode": "filter", + "stacked": "none" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(244,78,59,1)", + "fill": 0.5, + "filter": { + "language": "lucene", + "query": "deviceDirection:\"1\"" + }, + "formatter": "bytes", + "id": "5a5c2529-4990-4006-b039-c94069ff6b7e", + "label": "Outbound Bytes", + "line_width": "2", + "metrics": [ + { + "field": "source.bytes", + "id": "b69501e7-56d5-4c38-81d1-34d778c81e11", + "type": "sum" + }, + { + "id": "0aaab374-5845-44ab-94f5-ac4fab25c287", + "script": "params.outbound_bytes \u003e= 0 ? 
params.outbound_bytes * -1 : 0", + "type": "calculation", + "variables": [ + { + "field": "b69501e7-56d5-4c38-81d1-34d778c81e11", + "id": "23b8c41c-0e98-4ace-8bca-3593e46cd955", + "name": "outbound_bytes" + } + ] + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_mode": "filter", + "stacked": "none" + } + ], + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "Events by Size [Filebeat CEF]", + "type": "metrics" + } + }, + "id": "f3c573ad-2c16-4de5-9ec3-0a47141d4fa0", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [], + "type": "visualization", + "updated_at": "2019-10-25T16:30:04.348Z", + "version": "WzEzMDMsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Top Destinations by Events [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "autoPrecision": true, + "field": "destination.geo.location", + "precision": 2, + "useGeocentroid": true + }, + "schema": "segment", + "type": "geohash_grid" + } + ], + "listeners": {}, + "params": { + "addTooltip": true, + "heatBlur": 15, + "heatMaxZoom": 0, + "heatMinOpacity": 0.1, + "heatRadius": 25, + "isDesaturated": true, + "legendPosition": "bottomright", + "mapCenter": [ + 0, + 0 + ], + "mapType": "Shaded Circle Markers", + "mapZoom": 2, + "wms": { + "enabled": false, + "options": { + "attribution": "Maps provided by USGS", + "format": "image/png", + "layers": "0", + "styles": "", + "transparent": true, + "version": "1.3.0" + }, + "url": "https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer" + } + }, + "title": "Top Destinations by Events [Filebeat CEF]", + "type": "tile_map" + } + }, + "id": "1b521f56-8089-433f-88f7-56aba867e07d", 
+ "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "f85a3444-8a43-4e46-b872-4e44bc25d0f3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:04.348Z", + "version": "WzEzMDQsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Top Sources by Events [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "autoPrecision": true, + "field": "source.geo.location", + "precision": 2, + "useGeocentroid": true + }, + "schema": "segment", + "type": "geohash_grid" + } + ], + "listeners": {}, + "params": { + "addTooltip": true, + "heatBlur": 15, + "heatMaxZoom": 0, + "heatMinOpacity": 0.1, + "heatRadius": 25, + "isDesaturated": true, + "legendPosition": "bottomright", + "mapCenter": [ + 0, + 0 + ], + "mapType": "Shaded Circle Markers", + "mapZoom": 2, + "wms": { + "enabled": false, + "options": { + "attribution": "Maps provided by USGS", + "format": "image/png", + "layers": "0", + "styles": "", + "transparent": true, + "version": "1.3.0" + }, + "url": "https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer" + } + }, + "title": "Top Sources by Events [Filebeat CEF]", + "type": "tile_map" + } + }, + "id": "581a296e-e34a-48f1-93e4-fc4bdadfc68d", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "f85a3444-8a43-4e46-b872-4e44bc25d0f3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:04.348Z", + "version": "WzEzMDUsMV0=" + }, + { + "attributes": { + "columns": [ + "cef.device.vendor", + "cef.device.product", + "cef.extensions.categoryBehavior", + 
"cef.extensions.categoryOutcome", + "destination.ip", + "destination.port", + "destination.domain", + "cef.device.event_class_id", + "cef.extensions.deviceCustomString1Label", + "cef.extensions.deviceCustomString1", + "cef.extensions.deviceCustomString2Label", + "cef.extensions.deviceCustomString2", + "cef.extension.cef.extension.deviceCustomString3Label", + "cef.extension.deviceCustomString3", + "cef.extension.cef.extension.deviceCustomString4Label", + "cef.extension.deviceCustomString4", + "cef.extensions.deviceEventCategory", + "event.severity", + "source.ip", + "source.port", + "network.transport", + "source.bytes", + "url.original" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "query_string": { + "analyze_wildcard": true, + "query": "cef.device.product:\"DNS Trace Log\"" + } + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Microsoft DNS Events [Filebeat CEF]", + "version": 1 + }, + "id": "f85a3444-8a43-4e46-b872-4e44bc25d0f3", + "migrationVersion": { + "search": "7.4.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2019-10-25T16:30:04.348Z", + "version": "WzEzMDYsMV0=" + } + ], + "version": "7.4.1" +} diff --git a/x-pack/filebeat/module/cef/_meta/kibana/7/dashboard/filebeat-cef-network-overview.json b/x-pack/filebeat/module/cef/_meta/kibana/7/dashboard/filebeat-cef-network-overview.json new file mode 100644 index 000000000000..46d562142bbc --- /dev/null +++ b/x-pack/filebeat/module/cef/_meta/kibana/7/dashboard/filebeat-cef-network-overview.json 
@@ -0,0 +1,2354 @@ +{ + "objects": [ + { + "attributes": { + "description": "Network data overview.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "query": { + "language": "lucene", + "query": "*" + }, + "version": true + } + }, + "optionsJSON": { + "darkTheme": false + }, + "panelsJSON": [ + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "1", + "w": 48, + "x": 0, + "y": 44 + }, + "panelIndex": "1", + "panelRefName": "panel_0", + "version": "7.3.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "2", + "w": 48, + "x": 0, + "y": 68 + }, + "panelIndex": "2", + "panelRefName": "panel_1", + "version": "7.3.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "5", + "w": 48, + "x": 0, + "y": 12 + }, + "panelIndex": "5", + "panelRefName": "panel_2", + "version": "7.3.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "6", + "w": 48, + "x": 0, + "y": 60 + }, + "panelIndex": "6", + "panelRefName": "panel_3", + "version": "7.3.0" + }, + { + "embeddableConfig": { + "vis": { + "defaultColors": { + "0 - 100": "rgb(0,104,55)" + }, + "legendOpen": false + } + }, + "gridData": { + "h": 8, + "i": "7", + "w": 40, + "x": 0, + "y": 4 + }, + "panelIndex": "7", + "panelRefName": "panel_4", + "version": "7.3.0" + }, + { + "embeddableConfig": { + "vis": { + "colors": { + "/Attempt": "#0A50A1", + "/Failure": "#BF1B00", + "/Success": "#629E51" + } + } + }, + "gridData": { + "h": 12, + "i": "9", + "w": 16, + "x": 0, + "y": 20 + }, + "panelIndex": "9", + "panelRefName": "panel_5", + "version": "7.3.0" + }, + { + "embeddableConfig": { + "vis": { + "colors": { + "/Attempt": "#0A50A1", + "/Failure": "#BF1B00", + "/Success": "#629E51" + } + } + }, + "gridData": { + "h": 12, + "i": "11", + "w": 16, + "x": 16, + "y": 20 + }, + "panelIndex": "11", + "panelRefName": "panel_6", + "version": "7.3.0" + }, + { + "embeddableConfig": { + "vis": { + "params": { + "sort": { 
+ "columnIndex": null, + "direction": null + } + } + } + }, + "gridData": { + "h": 12, + "i": "13", + "w": 32, + "x": 0, + "y": 32 + }, + "panelIndex": "13", + "panelRefName": "panel_7", + "version": "7.3.0" + }, + { + "embeddableConfig": { + "vis": { + "defaultColors": { + "0% - 17%": "rgb(255,255,204)", + "17% - 34%": "rgb(255,230,146)", + "34% - 50%": "rgb(254,191,90)", + "50% - 67%": "rgb(253,141,60)", + "67% - 84%": "rgb(244,61,37)", + "84% - 100%": "rgb(202,8,35)" + }, + "legendOpen": false + } + }, + "gridData": { + "h": 12, + "i": "15", + "w": 16, + "x": 32, + "y": 32 + }, + "panelIndex": "15", + "panelRefName": "panel_8", + "version": "7.3.0" + }, + { + "embeddableConfig": { + "vis": { + "colors": { + "Anti-Virus": "#EF843C", + "Content Security": "#7EB26D", + "Firewall": "#E24D42", + "Integrated Security": "#962D82", + "Network-based IDS/IPS": "#1F78C1", + "Operating System": "#1F78C1", + "VPN": "#EAB839" + } + } + }, + "gridData": { + "h": 12, + "i": "16", + "w": 16, + "x": 32, + "y": 20 + }, + "panelIndex": "16", + "panelRefName": "panel_9", + "version": "7.3.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "17", + "w": 48, + "x": 0, + "y": 52 + }, + "panelIndex": "17", + "panelRefName": "panel_10", + "version": "7.3.0" + }, + { + "embeddableConfig": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "gridData": { + "h": 16, + "i": "18", + "w": 24, + "x": 0, + "y": 76 + }, + "panelIndex": "18", + "panelRefName": "panel_11", + "version": "7.3.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 16, + "i": "19", + "w": 24, + "x": 24, + "y": 76 + }, + "panelIndex": "19", + "panelRefName": "panel_12", + "version": "7.3.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "20", + "w": 8, + "x": 40, + "y": 4 + }, + "panelIndex": "20", + "panelRefName": "panel_13", + "version": "7.3.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 4, + "i": "21", + 
"w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "21", + "panelRefName": "panel_14", + "version": "7.3.0" + }, + { + "embeddableConfig": { + "mapCenter": [ + -0.3515602939922709, + 0 + ], + "mapZoom": 1 + }, + "gridData": { + "h": 24, + "i": "24", + "w": 24, + "x": 0, + "y": 92 + }, + "panelIndex": "24", + "panelRefName": "panel_15", + "version": "7.3.0" + }, + { + "embeddableConfig": { + "mapCenter": [ + -0.3515602939922709, + 0 + ], + "mapZoom": 1 + }, + "gridData": { + "h": 24, + "i": "25", + "w": 24, + "x": 24, + "y": 92 + }, + "panelIndex": "25", + "panelRefName": "panel_16", + "version": "7.3.0" + } + ], + "refreshInterval": { + "display": "Off", + "pause": false, + "value": 0 + }, + "timeFrom": "now-24h", + "timeRestore": true, + "timeTo": "now", + "title": "[Filebeat CEF] Network Overview Dashboard", + "version": 1 + }, + "id": "dd0bc9af-2e89-4150-9b42-62517ea56b71", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "references": [ + { + "id": "f5258de9-71f7-410f-b713-201007f77470", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "0abfc226-535b-45a2-b534-e9bc87e5584f", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "a97e3628-022b-46cf-8f29-a73cf9bb4e26", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "499f50ba-2f84-4f7c-9021-73a4efc47921", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "d061c7a9-7f92-4bf4-b35c-499b9f4b987a", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "b1002b5c-08fc-4bbe-b9a0-6243a8637e60", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "df056709-2deb-4363-ae7a-b0148ea456c6", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "e89a64e8-928c-41fc-8745-3c8157b21cdb", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "a729c249-8d34-4eb1-bbb0-5d25cf224114", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "3c19f138-2ab3-4ecb-bb1b-86fb90158042", + "name": "panel_9", + "type": "visualization" + }, + 
{ + "id": "e513c269-350c-40c3-ac20-16c5782103b8", + "name": "panel_10", + "type": "visualization" + }, + { + "id": "8f6075c5-f525-4173-92a4-3a56e96e362d", + "name": "panel_11", + "type": "visualization" + }, + { + "id": "013ff153-7b80-490b-8fec-6e56cba785ed", + "name": "panel_12", + "type": "visualization" + }, + { + "id": "33747d52-ec4c-4d91-86d8-fbdf9b9c82db", + "name": "panel_13", + "type": "visualization" + }, + { + "id": "c394e650-b16c-407c-b305-bd409d69d433", + "name": "panel_14", + "type": "visualization" + }, + { + "id": "8b31af8b-522e-41fe-b9d6-9a3451b54108", + "name": "panel_15", + "type": "visualization" + }, + { + "id": "4fccee0c-7193-4aa8-919f-0b0b0a16d013", + "name": "panel_16", + "type": "visualization" + } + ], + "type": "dashboard", + "updated_at": "2019-10-25T16:30:05.361Z", + "version": "WzEzMDcsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Application Protocols [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "network.application", + "order": "desc", + "orderBy": "1", + "size": 20 + }, + "schema": "segment", + "type": "terms" + } + ], + "listeners": {}, + "params": { + "hideLabel": false, + "maxFontSize": 72, + "minFontSize": 26, + "orientation": "single", + "scale": "square root" + }, + "title": "Top 10 Application Protocols [Filebeat CEF]", + "type": "tagcloud" + } + }, + "id": "f5258de9-71f7-410f-b713-201007f77470", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:05.361Z", + "version": "WzEzMDgsMV0=" + }, + { + "attributes": { + 
"description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "query_string": { + "query": "*" + } + } + } + }, + "title": "Bandwidth Utilization [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "listeners": {}, + "params": { + "axis_formatter": "number", + "axis_position": "left", + "background_color": null, + "bar_color_rules": [ + { + "id": "23db5bf6-f787-474e-86ab-76362432e984" + } + ], + "filter": { + "language": "lucene", + "query": "cef.extensions.categoryDeviceGroup:\"/Firewall\" OR cef.extensions.categoryDeviceGroup:\"/IDS/Network\" OR cef.extensions.categoryDeviceGroup:\"/VPN\" " + }, + "id": "ec53a1d3-213c-4b0f-a074-5005a84cdb83", + "index_pattern": "filebeat-*", + "interval": "auto", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(0,156,224,1)", + "fill": 0.5, + "formatter": "bytes", + "id": "d27f09dc-b07e-493f-a223-a85033ad6548", + "label": "Inbound", + "line_width": 1, + "metrics": [ + { + "field": "source.bytes", + "id": "9ce9ec3a-2f11-4935-91b2-531494d2a619", + "type": "sum" + } + ], + "override_index_pattern": 1, + "point_size": 1, + "seperate_axis": 0, + "series_index_pattern": "filebeat-*", + "series_time_field": "@timestamp", + "split_mode": "everything", + "stacked": "none", + "terms_field": "observer.hostname", + "terms_order_by": "_count" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(244,78,59,1)", + "fill": 0.5, + "formatter": "bytes", + "id": "b1ef2c75-5916-469d-8790-5b213367a5a0", + "label": "Outbound", + "line_width": 1, + "metrics": [ + { + "field": "destination.bytes", + "id": "11b1852f-9b62-4e96-8128-522e6c5bf16d", + "type": "sum" + }, + { + "id": "2a6b00bf-1658-4d02-b4e2-61ad6e4c3a9b", + "script": "params.outbound \u003e 0 ? 
params.outbound * -1 : 0", + "type": "calculation", + "variables": [ + { + "field": "11b1852f-9b62-4e96-8128-522e6c5bf16d", + "id": "c57067f2-2927-41d8-97f4-9f47b3b3bcae", + "name": "outbound" + } + ] + } + ], + "override_index_pattern": 1, + "point_size": 1, + "seperate_axis": 0, + "series_index_pattern": "filebeat-*", + "series_time_field": "@timestamp", + "split_mode": "everything", + "stacked": "none", + "steps": 0 + } + ], + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "Bandwidth Utilization [Filebeat CEF]", + "type": "metrics" + } + }, + "id": "0abfc226-535b-45a2-b534-e9bc87e5584f", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [], + "type": "visualization", + "updated_at": "2019-10-25T16:30:05.361Z", + "version": "WzEzMDksMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "query_string": { + "query": "*" + } + } + } + }, + "title": "Events by Source [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "listeners": {}, + "params": { + "axis_formatter": "number", + "axis_position": "left", + "background_color": null, + "background_color_rules": [ + { + "id": "2fddda5e-d6fc-4581-bbb7-574e1017ae8f" + } + ], + "bar_color_rules": [ + { + "id": "23db5bf6-f787-474e-86ab-76362432e984" + } + ], + "filter": { + "language": "lucene", + "query": "cef.extensions.categoryDeviceType:\"Firewall\" OR cef.extensions.categoryDeviceGroup:\"/IDS/Network\" OR cef.extensions.categoryDeviceGroup:\"/VPN\"" + }, + "gauge_color_rules": [ + { + "id": "3ed9a6b9-fd2e-4e0d-bd83-7ad467b3c8a4" + } + ], + "gauge_inner_width": 10, + "gauge_style": "half", + "gauge_width": 10, + "id": "ec53a1d3-213c-4b0f-a074-5005a84cdb83", + "index_pattern": "filebeat-*", + "interval": "auto", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(244,78,59,1)", + "fill": "0", + "filter": { + 
"language": "lucene", + "query": "cef.extensions.categoryDeviceGroup:\"/Firewall\"" + }, + "formatter": "number", + "id": "04c44192-1112-4515-a8d9-e9e13215aecf", + "label": "Events", + "line_width": "3", + "metrics": [ + { + "id": "c5dbb050-fc10-4a0d-abe0-bc093db6cf0e", + "type": "count" + }, + { + "alpha": 0.3, + "beta": 0.1, + "field": "c5dbb050-fc10-4a0d-abe0-bc093db6cf0e", + "gamma": 0.3, + "id": "e5a48d9d-7834-4da7-8d78-7d4528136b9b", + "model_type": "simple", + "multiplicative": false, + "period": 1, + "sigma": "", + "type": "moving_average", + "window": "10" + } + ], + "point_size": "0", + "seperate_axis": 1, + "split_filters": [ + { + "color": "rgba(244,78,59,1)", + "filter": { + "language": "lucene", + "query": "cef.extensions.categoryDeviceGroup:\"/Firewall\"" + }, + "id": "0c929603-fc92-4ebc-a963-fe2795417d89", + "label": "Firewall Events" + }, + { + "color": "rgba(254,146,0,1)", + "filter": { + "language": "lucene", + "query": "cef.extensions.categoryDeviceGroup:\"/IDS/Network\"" + }, + "id": "7798827b-87ab-436b-9e62-9fe36143eb9b", + "label": "Intrusion Detection Events" + }, + { + "color": "rgba(252,220,0,1)", + "filter": { + "language": "lucene", + "query": "cef.extensions.categoryDeviceGroup:\"/VPN\"" + }, + "id": "490f7ad7-8218-45f9-85a9-a4dd9ed7da13", + "label": "VPN" + } + ], + "split_mode": "filters", + "stacked": "none", + "steps": 0, + "terms_field": "observer.hostname", + "terms_order_by": null + }, + { + "axis_position": "left", + "chart_type": "bar", + "color": "rgba(0,156,224,1)", + "fill": "0.5", + "formatter": "number", + "id": "29d6131a-5143-4a64-b597-9538692f0269", + "label": "Moving Average by Device Hosts", + "line_width": 1, + "metrics": [ + { + "id": "dc74afdf-64ad-47d6-bbed-114e09d12255", + "type": "count" + }, + { + "alpha": 0.3, + "beta": 0.1, + "field": "dc74afdf-64ad-47d6-bbed-114e09d12255", + "gamma": 0.3, + "id": "87e21aaa-12eb-4213-bb37-41cb19219240", + "model_type": "simple", + "multiplicative": false, + "period": 1, + 
"type": "moving_average", + "window": "10" + } + ], + "point_size": 1, + "seperate_axis": 1, + "split_color_mode": "gradient", + "split_mode": "terms", + "stacked": "none", + "terms_field": "observer.hostname", + "terms_size": "10" + } + ], + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "Events by Source [Filebeat CEF]", + "type": "metrics" + } + }, + "id": "a97e3628-022b-46cf-8f29-a73cf9bb4e26", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [], + "type": "visualization", + "updated_at": "2019-10-25T16:30:05.361Z", + "version": "WzEzMTAsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "query_string": { + "query": "*" + } + } + } + }, + "title": "Events by Outcome [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "listeners": {}, + "params": { + "axis_formatter": "number", + "axis_position": "left", + "background_color": null, + "background_color_rules": [ + { + "id": "2fddda5e-d6fc-4581-bbb7-574e1017ae8f" + } + ], + "bar_color_rules": [ + { + "bar_color": null, + "id": "23db5bf6-f787-474e-86ab-76362432e984", + "value": 0 + } + ], + "drilldown_url": "", + "filter": { + "language": "lucene", + "query": "cef.extensions.categoryDeviceType:\"Firewall\" OR cef.extensions.categoryDeviceGroup:\"/IDS/Network\" OR cef.extensions.categoryDeviceGroup:\"/VPN\"" + }, + "gauge_color_rules": [ + { + "id": "3ed9a6b9-fd2e-4e0d-bd83-7ad467b3c8a4" + } + ], + "gauge_inner_width": 10, + "gauge_style": "half", + "gauge_width": 10, + "id": "ec53a1d3-213c-4b0f-a074-5005a84cdb83", + "index_pattern": "filebeat-*", + "interval": "auto", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(211,49,21,1)", + "fill": "0", + "filter": { + "language": "lucene", + "query": "(cef.extensions.categoryDeviceGroup:\"/Firewall\" OR cef.extensions.categoryDeviceGroup:\"/IDS/Network\" 
OR cef.extensions.categoryDeviceGroup:\"/VPN\") AND _exists_:cef.extensions.categoryOutcome" + }, + "formatter": "number", + "id": "04c44192-1112-4515-a8d9-e9e13215aecf", + "label": "Events", + "line_width": "3", + "metrics": [ + { + "id": "c5dbb050-fc10-4a0d-abe0-bc093db6cf0e", + "type": "count" + }, + { + "alpha": 0.3, + "beta": 0.1, + "field": "c5dbb050-fc10-4a0d-abe0-bc093db6cf0e", + "gamma": 0.3, + "id": "c43af7e6-3f06-48a4-a7c3-7ba8bd6214f9", + "model_type": "simple", + "multiplicative": false, + "period": 1, + "type": "moving_average", + "window": "10" + } + ], + "point_size": "0", + "seperate_axis": 0, + "split_filters": [ + { + "color": "rgba(254,146,0,1)", + "filter": { + "language": "lucene", + "query": "cef.extensions.categoryDeviceGroup:\"/Firewall\"" + }, + "id": "4c7aac7d-2749-41b6-8136-40dc8636a7e7", + "label": "Firewall" + } + ], + "split_mode": "filter", + "stacked": "none", + "steps": 0, + "terms_field": "observer.hostname", + "terms_order_by": null + }, + { + "axis_position": "left", + "chart_type": "bar", + "color": "rgba(104,188,0,1)", + "fill": "1", + "formatter": "number", + "id": "29d6131a-5143-4a64-b597-9538692f0269", + "label": "Moving Average by Event Outcome", + "line_width": 1, + "metrics": [ + { + "id": "dc74afdf-64ad-47d6-bbed-114e09d12255", + "type": "count" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_filters": [ + { + "color": "rgba(104,188,0,0.35)", + "filter": "cef.extensions.categoryOutcome:\"/Success\"", + "id": "cb1ae397-13a0-4b6f-a848-bcdc96870f05", + "label": "Success" + }, + { + "color": "rgba(244,78,59,1)", + "filter": "cef.extensions.categoryOutcome:\"/Failure\"", + "id": "ef021c15-1b95-4334-bc3c-e2950e9b0f6f", + "label": "Failure" + }, + { + "color": "rgba(0,156,224,1)", + "filter": "cef.extensions.categoryOutcome:\"/Attempt\"", + "id": "2ff1e859-b178-4824-a0f2-69a115932b98", + "label": "Attempt" + } + ], + "split_mode": "filters", + "stacked": "stacked", + "terms_field": "cef.extensions.categoryOutcome", 
+ "terms_size": "3" + } + ], + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "Events by Outcome [Filebeat CEF]", + "type": "metrics" + } + }, + "id": "499f50ba-2f84-4f7c-9021-73a4efc47921", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [], + "type": "visualization", + "updated_at": "2019-10-25T16:30:05.361Z", + "version": "WzEzMTEsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Device Metrics Overview [Filebeat CEF]", + "uiStateJSON": { + "vis": { + "defaultColors": { + "0 - 100": "rgb(0,104,55)" + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "8", + "params": { + "customLabel": "Event Count" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "Devices", + "field": "observer.hostname" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "5", + "params": { + "customLabel": "Sources", + "field": "source.ip" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "6", + "params": { + "customLabel": "Destinations", + "field": "destination.ip" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "7", + "params": { + "customLabel": "Ports", + "field": "destination.port" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "listeners": {}, + "params": { + "addLegend": false, + "addTooltip": true, + "fontSize": "30", + "gauge": { + "autoExtend": false, + "backStyle": "Full", + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 100 + } + ], + "gaugeColorMode": "None", + "gaugeStyle": "Full", + "gaugeType": "Metric", + "invertColors": false, + "labels": { + "color": "black", + "show": true + }, + "orientation": "vertical", + "percentageMode": 
false, + "scale": { + "color": "#333", + "labels": false, + "show": false, + "width": 2 + }, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": "12", + "labelColor": false, + "subText": "" + }, + "type": "simple", + "useRange": false, + "verticalSplit": false + }, + "handleNoResults": true, + "type": "gauge" + }, + "title": "Device Metrics Overview [Filebeat CEF]", + "type": "metric" + } + }, + "id": "d061c7a9-7f92-4bf4-b35c-499b9f4b987a", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:05.361Z", + "version": "WzEzMTIsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Outcome by Device Type [Filebeat CEF]", + "uiStateJSON": { + "vis": { + "colors": { + "/Failure": "#BF1B00", + "/Success": "#629E51" + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Firewall Types", + "field": "cef.extensions.categoryDeviceType", + "order": "desc", + "orderBy": "1", + "size": 10 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Event Outcome", + "field": "cef.extensions.categoryOutcome", + "order": "desc", + "orderBy": "1", + "size": 3 + }, + "schema": "group", + "type": "terms" + } + ], + "listeners": {}, + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "rotate": 75, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": 
"Firewall Types" + }, + "type": "category" + } + ], + "defaultYExtents": false, + "drawLinesBetweenPoints": true, + "grid": { + "categoryLines": false, + "style": { + "color": "#eee" + } + }, + "interpolate": "linear", + "legendPosition": "right", + "orderBucketsBySum": true, + "radiusRatio": 9, + "scale": "linear", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "mode": "stacked", + "show": "true", + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "setYExtents": false, + "showCircles": true, + "times": [], + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "percentage", + "type": "square root" + }, + "show": true, + "style": {}, + "title": {}, + "type": "value" + } + ] + }, + "title": "Outcome by Device Type [Filebeat CEF]", + "type": "histogram" + } + }, + "id": "b1002b5c-08fc-4bbe-b9a0-6243a8637e60", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:05.361Z", + "version": "WzEzMTMsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Destination Ports by Outcome [Filebeat CEF]", + "uiStateJSON": { + "vis": { + "colors": { + "/Failure": "#BF1B00", + "/Success": "#629E51" + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Protocols", + "field": "destination.port", + "order": "desc", + "orderBy": "1", + "size": 10 + }, + "schema": "segment", + 
"type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "cef.extensions.categoryOutcome", + "order": "desc", + "orderBy": "1", + "size": 5 + }, + "schema": "group", + "type": "terms" + } + ], + "listeners": {}, + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "rotate": 75, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Protocols" + }, + "type": "category" + } + ], + "defaultYExtents": false, + "drawLinesBetweenPoints": true, + "grid": { + "categoryLines": false, + "style": { + "color": "#eee" + } + }, + "interpolate": "linear", + "legendPosition": "right", + "radiusRatio": 9, + "scale": "linear", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "mode": "stacked", + "show": "true", + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "setYExtents": false, + "showCircles": true, + "times": [], + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "percentage", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "Destination Ports by Outcome [Filebeat CEF]", + "type": "histogram" + } + }, + "id": "df056709-2deb-4363-ae7a-b0148ea456c6", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:05.361Z", + "version": "WzEzMTQsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + 
}, + "savedSearchRefName": "search_0", + "title": "Top 10 Devices by Bandwidth [Filebeat CEF]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Device", + "field": "observer.hostname", + "order": "desc", + "orderBy": "1", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "Source(s)", + "field": "source.ip" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "5", + "params": { + "customLabel": "Destination(s)", + "field": "destination.ip" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "6", + "params": { + "customLabel": "Destination Ports", + "field": "destination.port" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Bandwidth (Incoming)", + "field": "source.bytes" + }, + "schema": "metric", + "type": "sum" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Bandwidth (Outgoing)", + "field": "destination.bytes" + }, + "schema": "metric", + "type": "sum" + } + ], + "listeners": {}, + "params": { + "perPage": 10, + "showMeticsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Top 10 Devices by Bandwidth [Filebeat CEF]", + "type": "table" + } + }, + "id": "e89a64e8-928c-41fc-8745-3c8157b21cdb", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:05.361Z", + "version": "WzEzMTUsMV0=" + }, + { + "attributes": { + "description": "", + 
"kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Devices by Outcome [Filebeat CEF]", + "uiStateJSON": { + "vis": { + "defaultColors": { + "0% - 17%": "rgb(255,255,204)", + "17% - 34%": "rgb(255,230,146)", + "34% - 50%": "rgb(254,191,90)", + "50% - 67%": "rgb(253,141,60)", + "67% - 84%": "rgb(244,61,37)", + "84% - 100%": "rgb(202,8,35)" + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Device Host Names", + "field": "observer.hostname", + "order": "desc", + "orderBy": "1", + "size": 10 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Event Outcome", + "field": "cef.extensions.categoryOutcome", + "order": "desc", + "orderBy": "1", + "size": 5 + }, + "schema": "group", + "type": "terms" + } + ], + "listeners": {}, + "params": { + "addLegend": true, + "addTooltip": true, + "colorSchema": "Yellow to Red", + "colorsNumber": 6, + "colorsRange": [], + "enableHover": true, + "invertColors": false, + "legendPosition": "right", + "percentageMode": true, + "setColorRange": false, + "times": [], + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "color": "#555", + "rotate": 0, + "show": false + }, + "scale": { + "defaultYExtents": false, + "type": "linear" + }, + "show": false, + "type": "value" + } + ] + }, + "title": "Top 10 Devices by Outcome [Filebeat CEF]", + "type": "heatmap" + } + }, + "id": "a729c249-8d34-4eb1-bbb0-5d25cf224114", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:05.361Z", + "version": "WzEzMTYsMV0=" + }, + { + "attributes": { + "description": 
"", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Device Type Breakdown [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Firewall Types", + "field": "cef.extensions.categoryDeviceType", + "order": "desc", + "orderBy": "1", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "listeners": {}, + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": false, + "legendPosition": "right" + }, + "title": "Device Type Breakdown [Filebeat CEF]", + "type": "pie" + } + }, + "id": "3c19f138-2ab3-4ecb-bb1b-86fb90158042", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:05.361Z", + "version": "WzEzMTcsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "query_string": { + "query": "*" + } + } + } + }, + "title": "Events by Device Types [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "listeners": {}, + "params": { + "axis_formatter": "number", + "axis_position": "left", + "background_color": null, + "background_color_rules": [ + { + "id": "2fddda5e-d6fc-4581-bbb7-574e1017ae8f" + } + ], + "bar_color_rules": [ + { + "id": "23db5bf6-f787-474e-86ab-76362432e984" + } + ], + "filter": { + "language": "lucene", + "query": "cef.extensions.categoryDeviceType:\"Firewall\" OR cef.extensions.categoryDeviceGroup:\"/IDS/Network\" OR cef.extensions.categoryDeviceGroup:\"/VPN\"" + }, + "gauge_color_rules": [ + { + "id": "3ed9a6b9-fd2e-4e0d-bd83-7ad467b3c8a4" + } + ], + "gauge_inner_width": 
10, + "gauge_style": "half", + "gauge_width": 10, + "id": "ec53a1d3-213c-4b0f-a074-5005a84cdb83", + "index_pattern": "filebeat-*", + "interval": "auto", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(211,49,21,1)", + "fill": "0", + "filter": "", + "formatter": "number", + "id": "04c44192-1112-4515-a8d9-e9e13215aecf", + "label": "Events", + "line_width": "3", + "metrics": [ + { + "id": "c5dbb050-fc10-4a0d-abe0-bc093db6cf0e", + "type": "count" + }, + { + "alpha": 0.3, + "beta": 0.1, + "field": "c5dbb050-fc10-4a0d-abe0-bc093db6cf0e", + "gamma": 0.3, + "id": "e5a48d9d-7834-4da7-8d78-7d4528136b9b", + "model_type": "simple", + "multiplicative": false, + "period": 1, + "sigma": "", + "type": "moving_average", + "window": "10" + } + ], + "point_size": "0", + "seperate_axis": 1, + "split_filters": [ + { + "color": "rgba(244,78,59,1)", + "filter": "cef.extensions.categoryDeviceGroup:\"/Firewall\"", + "id": "78bfdf07-ec02-4dd8-8ff4-b7e250c561c2", + "label": "Firewall" + } + ], + "split_mode": "everything", + "stacked": "none", + "steps": 0, + "terms_field": "observer.hostname", + "terms_order_by": null + }, + { + "axis_position": "left", + "chart_type": "bar", + "color": "rgba(251,158,0,1)", + "fill": 0.5, + "formatter": "number", + "id": "29d6131a-5143-4a64-b597-9538692f0269", + "label": "Top Device Types by Mvg Averages", + "line_width": 1, + "metrics": [ + { + "id": "dc74afdf-64ad-47d6-bbed-114e09d12255", + "type": "count" + }, + { + "alpha": 0.3, + "beta": 0.1, + "field": "dc74afdf-64ad-47d6-bbed-114e09d12255", + "gamma": 0.3, + "id": "87e21aaa-12eb-4213-bb37-41cb19219240", + "model_type": "simple", + "multiplicative": false, + "period": 1, + "type": "moving_average", + "window": "10" + } + ], + "point_size": 1, + "seperate_axis": 1, + "split_mode": "terms", + "stacked": "none", + "terms_field": "cef.extensions.categoryDeviceType", + "terms_size": "10" + } + ], + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" 
+ }, + "title": "Events by Device Types [Filebeat CEF]", + "type": "metrics" + } + }, + "id": "e513c269-350c-40c3-ac20-16c5782103b8", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [], + "type": "visualization", + "updated_at": "2019-10-25T16:30:05.361Z", + "version": "WzEzMTgsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Source Countries by Events [Filebeat CEF]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Total Events" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Source Country", + "field": "source.geo.country_iso_code", + "order": "desc", + "orderBy": "1", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Source Addresses", + "field": "source.ip" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "Destination Addresses", + "field": "destination.ip" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "5", + "params": { + "customLabel": "Destination Ports", + "field": "destination.port" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "listeners": {}, + "params": { + "perPage": 10, + "showMeticsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Top 10 Source Countries by Events [Filebeat CEF]", + "type": "table" + } + }, + "id": "8f6075c5-f525-4173-92a4-3a56e96e362d", + "migrationVersion": { + "visualization": "7.3.1" + }, + 
"references": [ + { + "id": "68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:05.361Z", + "version": "WzEzMTksMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Top 20 Source Countries [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "source.geo.country_iso_code", + "order": "desc", + "orderBy": "1", + "size": 20 + }, + "schema": "segment", + "type": "terms" + } + ], + "listeners": {}, + "params": { + "hideLabel": false, + "maxFontSize": 72, + "minFontSize": 26, + "orientation": "single", + "scale": "square root" + }, + "title": "Top 20 Source Countries [Filebeat CEF]", + "type": "tagcloud" + } + }, + "id": "013ff153-7b80-490b-8fec-6e56cba785ed", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:05.361Z", + "version": "WzEzMjAsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "query_string": { + "query": "*" + } + } + } + }, + "title": "Network - Event Throughput [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "listeners": {}, + "params": { + "axis_formatter": "number", + "axis_position": "left", + "background_color_rules": [ + { + "id": "3eadd451-5033-423f-88e3-814cc5e50b50" + } + ], + "bar_color_rules": [ + { + "id": "8d4596c5-49ad-429b-af54-5451b1c2e8d4" + } + ], + "filter": { + "language": "lucene", + "query": 
"cef.extensions.categoryDeviceType:\"Firewall\" OR cef.extensions.categoryDeviceGroup:\"/IDS/Network\" OR cef.extensions.categoryDeviceGroup:\"/VPN\" " + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "4d957654-cc7e-4ef3-8b29-61c0aeadd51a", + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "", + "gauge_style": "half", + "gauge_width": 10, + "id": "73968651-c41e-473e-a153-a025f49d1a1b", + "index_pattern": "filebeat-*", + "interval": "auto", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(0,156,224,1)", + "fill": 0.5, + "formatter": "number", + "id": "90d7621e-3265-4fe8-8882-8df9605ea659", + "label": "Event Throughput", + "line_width": 1, + "metrics": [ + { + "id": "ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba", + "type": "count" + }, + { + "field": "ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba", + "id": "ca3a65d0-9f3d-42a9-9f4e-16f9e24cba19", + "type": "cumulative_sum" + }, + { + "field": "ca3a65d0-9f3d-42a9-9f4e-16f9e24cba19", + "id": "6db67bc1-7fff-47e7-a931-f797b1f76732", + "type": "derivative", + "unit": "1s" + }, + { + "alpha": 0.3, + "beta": 0.1, + "field": "6db67bc1-7fff-47e7-a931-f797b1f76732", + "gamma": 0.3, + "id": "92bc1447-2b30-498c-ae8a-c67904fc82b2", + "model_type": "simple", + "multiplicative": false, + "period": 1, + "type": "moving_average", + "window": "10" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_mode": "everything", + "stacked": "none", + "value_template": "{{value}} / s" + } + ], + "show_legend": 1, + "time_field": "@timestamp", + "type": "gauge" + }, + "title": "Network - Event Throughput [Filebeat CEF]", + "type": "metrics" + } + }, + "id": "33747d52-ec4c-4d91-86d8-fbdf9b9c82db", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [], + "type": "visualization", + "updated_at": "2019-10-25T16:30:06.345Z", + "version": "WzEzMzgsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { 
+ "query_string": { + "query": "*" + } + } + } + }, + "title": " Dashboard Navigation [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "listeners": {}, + "params": { + "markdown": "[Network Overview](#/dashboard/dd0bc9af-2e89-4150-9b42-62517ea56b71) | [Network Suspicious Activity](#/dashboard/db1e1aca-279e-4ecc-b84e-fe58644f7619) | [Endpoint Overview](#dashboard/c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b) | [Endpoint OS Activity](#/dashboard/9e352900-89c3-4c1b-863e-249e24d0dac9) | [Microsoft DNS Overview](#/dashboard/56428e01-0c47-4770-8ba4-9345a029ea41)" + }, + "title": " Dashboard Navigation [Filebeat CEF]", + "type": "markdown" + } + }, + "id": "c394e650-b16c-407c-b305-bd409d69d433", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [], + "type": "visualization", + "updated_at": "2019-10-25T16:30:05.361Z", + "version": "WzEzMjIsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Top Destination Locations by Events [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Event Count" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "autoPrecision": true, + "customLabel": "Destination Location", + "field": "destination.geo.location", + "precision": 2, + "useGeocentroid": true + }, + "schema": "segment", + "type": "geohash_grid" + } + ], + "listeners": {}, + "params": { + "addTooltip": true, + "heatBlur": 15, + "heatMaxZoom": 0, + "heatMinOpacity": 0.1, + "heatNormalizeData": true, + "heatRadius": 25, + "isDesaturated": true, + "legendPosition": "bottomright", + "mapCenter": [ + 0, + 0 + ], + "mapType": "Shaded Circle Markers", + "mapZoom": 2, + "wms": { + "enabled": false, + "options": { + "attribution": "Maps provided by USGS", + "format": 
"image/png", + "layers": "0", + "styles": "", + "transparent": true, + "version": "1.3.0" + }, + "url": "https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer" + } + }, + "title": "Top Destination Locations by Events [Filebeat CEF]", + "type": "tile_map" + } + }, + "id": "8b31af8b-522e-41fe-b9d6-9a3451b54108", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:05.361Z", + "version": "WzEzMjMsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Top Source Locations by Events [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Event Count" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "autoPrecision": true, + "customLabel": "Source Location", + "field": "source.geo.location", + "precision": 2, + "useGeocentroid": true + }, + "schema": "segment", + "type": "geohash_grid" + } + ], + "listeners": {}, + "params": { + "addTooltip": true, + "heatBlur": 15, + "heatMaxZoom": 0, + "heatMinOpacity": 0.1, + "heatNormalizeData": true, + "heatRadius": 25, + "isDesaturated": true, + "legendPosition": "bottomright", + "mapCenter": [ + 0, + 0 + ], + "mapType": "Shaded Circle Markers", + "mapZoom": 2, + "wms": { + "enabled": false, + "options": { + "attribution": "Maps provided by USGS", + "format": "image/png", + "layers": "0", + "styles": "", + "transparent": true, + "version": "1.3.0" + }, + "url": "https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer" + } + }, + "title": "Top Source Locations by Events [Filebeat CEF]", + "type": "tile_map" + } + }, + "id": 
"4fccee0c-7193-4aa8-919f-0b0b0a16d013", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:05.361Z", + "version": "WzEzMjQsMV0=" + }, + { + "attributes": { + "columns": [ + "priority", + "message", + "source.ip", + "source.port", + "destination.ip", + "destination.port", + "network.application", + "message", + "cef.extensions.categoryBehavior", + "cef.extensions.categoryOutcome", + "deviceAddress", + "cef.device.product", + "cef.device.vendor", + "cef.extensions.categoryDeviceGroup", + "cef.extensions.categoryDeviceType" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "query_string": { + "analyze_wildcard": true, + "query": "cef.extensions.categoryDeviceGroup:\"/Firewall\" OR cef.extensions.categoryDeviceGroup:\"/IDS/Network\" OR cef.extensions.categoryDeviceGroup:\"/VPN\"" + } + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Network Events [Filebeat CEF]", + "version": 1 + }, + "id": "68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "migrationVersion": { + "search": "7.4.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2019-10-25T16:30:05.361Z", + "version": "WzEzMjUsMV0=" + } + ], + "version": "7.4.1" +} diff --git a/x-pack/filebeat/module/cef/_meta/kibana/7/dashboard/filebeat-cef-network-suspicious-activity.json b/x-pack/filebeat/module/cef/_meta/kibana/7/dashboard/filebeat-cef-network-suspicious-activity.json new file mode 100644 index 000000000000..a8e733d27380 --- /dev/null 
+++ b/x-pack/filebeat/module/cef/_meta/kibana/7/dashboard/filebeat-cef-network-suspicious-activity.json 
@@ -0,0 +1,1614 @@ +{ + "objects": [ + { + "attributes": { + "description": "Suspicious network activity overview", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "query": { + "language": "lucene", + "query": "*" + }, + "version": true + } + }, + "optionsJSON": { + "darkTheme": false + }, + "panelsJSON": [ + { + "embeddableConfig": { + "vis": { + "colors": { + "Destination Addresses": "#E0752D", + "Destination Ports": "#E24D42" + }, + "legendOpen": false + } + }, + "gridData": { + "h": 12, + "i": "1", + "w": 32, + "x": 0, + "y": 28 + }, + "panelIndex": "1", + "panelRefName": "panel_0", + "version": "7.3.0" + }, + { + "embeddableConfig": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "gridData": { + "h": 12, + "i": "2", + "w": 16, + "x": 0, + "y": 40 + }, + "panelIndex": "2", + "panelRefName": "panel_1", + "version": "7.3.0" + }, + { + "embeddableConfig": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "gridData": { + "h": 12, + "i": "3", + "w": 16, + "x": 16, + "y": 40 + }, + "panelIndex": "3", + "panelRefName": "panel_2", + "version": "7.3.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "5", + "w": 48, + "x": 0, + "y": 20 + }, + "panelIndex": "5", + "panelRefName": "panel_3", + "version": "7.3.0" + }, + { + "embeddableConfig": { + "vis": { + "colors": { + "/Attempt": "#0A50A1", + "/Failure": "#BF1B00", + "/Success": "#629E51" + } + } + }, + "gridData": { + "h": 12, + "i": "9", + "w": 16, + "x": 32, + "y": 28 + }, + "panelIndex": "9", + "panelRefName": "panel_4", + "version": "7.3.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 8, + "i": "11", + "w": 48, + "x": 0, + "y": 12 + }, + "panelIndex": "11", + "panelRefName": "panel_5", + "version": "7.3.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 16, + "i": "12", + "w": 24, + "x": 0, + "y": 52 + }, + 
"panelIndex": "12", + "panelRefName": "panel_6", + "version": "7.3.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 16, + "i": "13", + "w": 24, + "x": 24, + "y": 52 + }, + "panelIndex": "13", + "panelRefName": "panel_7", + "version": "7.3.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "14", + "w": 16, + "x": 32, + "y": 40 + }, + "panelIndex": "14", + "panelRefName": "panel_8", + "version": "7.3.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 4, + "i": "15", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "15", + "panelRefName": "panel_9", + "version": "7.3.0" + }, + { + "embeddableConfig": { + "vis": { + "defaultColors": { + "0 - 100": "rgb(0,104,55)" + } + } + }, + "gridData": { + "h": 8, + "i": "16", + "w": 40, + "x": 0, + "y": 4 + }, + "panelIndex": "16", + "panelRefName": "panel_10", + "version": "7.3.0" + }, + { + "embeddableConfig": { + "vis": { + "defaultColors": { + "0 - 50": "rgb(255,255,204)", + "100 - 200": "rgb(253,141,60)", + "200 - 300": "rgb(227,27,28)", + "300 - 400": "rgb(128,0,38)", + "50 - 100": "rgb(254,217,118)" + } + } + }, + "gridData": { + "h": 8, + "i": "17", + "w": 8, + "x": 40, + "y": 4 + }, + "panelIndex": "17", + "panelRefName": "panel_11", + "version": "7.3.0" + } + ], + "refreshInterval": { + "display": "Off", + "pause": false, + "value": 0 + }, + "timeFrom": "now-24h", + "timeRestore": true, + "timeTo": "now", + "title": "[Filebeat CEF] Network Suspicious Activity Dashboard", + "version": 1 + }, + "id": "db1e1aca-279e-4ecc-b84e-fe58644f7619", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "references": [ + { + "id": "fa8b26c1-6973-4381-adb3-bcde0d03a520", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "82f3fae3-1189-4f04-8ea5-47fde1d2e7b1", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "f03d734b-b85c-4e99-9c0e-9c89716a81f3", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "9bef4db9-a8b2-4be8-b2b0-6ea02fab424d", + "name": 
"panel_3", + "type": "visualization" + }, + { + "id": "fff249b2-18b6-4b48-bcf7-dd4595d111e7", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "d02dd523-ce91-40e9-9209-83797f80ed45", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "589fec8c-336e-4122-8fef-a450bddf84f6", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "86bd5f13-ca6b-43fa-b209-54e7460344bb", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "1204cf27-05e0-4905-bfa1-688aaaaaa840", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "677891a1-90c4-4273-b126-f0e54689bd76", + "name": "panel_9", + "type": "visualization" + }, + { + "id": "01c3618c-9962-4fe9-b9c5-f73dfecc6eba", + "name": "panel_10", + "type": "visualization" + }, + { + "id": "33747d52-ec4c-4d91-86d8-fbdf9b9c82db", + "name": "panel_11", + "type": "visualization" + } + ], + "type": "dashboard", + "updated_at": "2019-10-25T16:30:06.345Z", + "version": "WzEzMjYsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Unique Destinations and Ports by Source [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Destination Addresses", + "field": "destination.ip" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Source Addresses", + "field": "source.ip", + "order": "desc", + "orderBy": "1", + "size": 20 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Destination Ports", + "field": "destination.port" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "listeners": {}, + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": 
{ + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Source Addresses" + }, + "type": "category" + } + ], + "defaultYExtents": false, + "drawLinesBetweenPoints": true, + "grid": { + "categoryLines": false, + "style": { + "color": "#eee" + } + }, + "interpolate": "linear", + "legendPosition": "right", + "radiusRatio": 9, + "scale": "linear", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Destination Addresses" + }, + "drawLinesBetweenPoints": true, + "mode": "stacked", + "show": "true", + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + }, + { + "data": { + "id": "3", + "label": "Destination Ports" + }, + "drawLinesBetweenPoints": true, + "interpolate": "linear", + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "line", + "valueAxis": "ValueAxis-2" + } + ], + "setYExtents": false, + "showCircles": true, + "times": [], + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Destination Addresses" + }, + "type": "value" + }, + { + "id": "ValueAxis-2", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "RightAxis-1", + "position": "right", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Destination Ports" + }, + "type": "value" + } + ] + }, + "title": "Unique Destinations and Ports by Source [Filebeat CEF]", + "type": "histogram" + } + }, + "id": "fa8b26c1-6973-4381-adb3-bcde0d03a520", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } 
+ ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:06.345Z", + "version": "WzEzMjcsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Top 5 Sources by Destination Addresses [Filebeat CEF]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Destination Addresses", + "field": "destination.ip" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Event Count" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "Source Address", + "field": "source.ip", + "order": "desc", + "orderBy": "2", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + } + ], + "listeners": {}, + "params": { + "perPage": 10, + "showMeticsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Top 5 Sources by Destination Addresses [Filebeat CEF]", + "type": "table" + } + }, + "id": "82f3fae3-1189-4f04-8ea5-47fde1d2e7b1", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:06.345Z", + "version": "WzEzMjgsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Top 5 Sources by Destination Ports [Filebeat CEF]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + 
"version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Destination Ports", + "field": "destination.port" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Event Count" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "Source Address", + "field": "source.ip", + "order": "desc", + "orderBy": "2", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + } + ], + "listeners": {}, + "params": { + "perPage": 10, + "showMeticsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Top 5 Sources by Destination Ports [Filebeat CEF]", + "type": "table" + } + }, + "id": "f03d734b-b85c-4e99-9c0e-9c89716a81f3", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:06.345Z", + "version": "WzEzMjksMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "query_string": { + "query": "*" + } + } + } + }, + "title": "Events by Severity [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "listeners": {}, + "params": { + "axis_formatter": "number", + "axis_position": "left", + "bar_color_rules": [ + { + "id": "0ca18a89-9c81-4bee-835a-85e6103aec37" + } + ], + "filter": { + "language": "lucene", + "query": "cef.extensions.categoryDeviceGroup:\"/Firewall\"" + }, + "id": "c39a76e5-f613-41a9-8335-c442747791e0", + "index_pattern": "filebeat-*", + "interval": "auto", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": 
"0.0[0]a", + "id": "da3b92b4-2c24-473b-9102-fb5a343a96d9", + "label": "Event by Severities", + "line_width": 1, + "metrics": [ + { + "id": "0d189776-3f7c-4a92-95b1-73c379a341fc", + "type": "count" + }, + { + "field": "0d189776-3f7c-4a92-95b1-73c379a341fc", + "id": "1b1c931c-a09b-4980-af81-6f9c3db56401", + "sigma": "", + "type": "sum_bucket" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_filters": [ + { + "color": "rgba(104,204,202,1)", + "filter": "severity:\"Low\" OR severity:\"0\"", + "id": "ebe970ac-5cc9-4c4a-af60-82affafc667c", + "label": "LOW" + }, + { + "color": "rgba(252,220,0,1)", + "filter": "severity:\"Medium\"", + "id": "0c4ff16a-b53d-4ce4-af76-d6b74d8788db", + "label": "MEDIUM" + }, + { + "color": "rgba(254,146,0,1)", + "filter": "severity:\"High\"", + "id": "e142c55b-6ee5-416a-8bd3-d10398044864", + "label": "HIGH" + }, + { + "color": "rgba(244,78,59,1)", + "filter": "severity:\"Very-High\"", + "id": "4b05b562-c419-4214-b814-d4c242251521", + "label": "VERY HIGH" + } + ], + "split_mode": "filters", + "stacked": "none" + } + ], + "show_legend": 1, + "time_field": "@timestamp", + "type": "top_n" + }, + "title": "Events by Severity [Filebeat CEF]", + "type": "metrics" + } + }, + "id": "9bef4db9-a8b2-4be8-b2b0-6ea02fab424d", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [], + "type": "visualization", + "updated_at": "2019-10-25T16:30:06.345Z", + "version": "WzEzMzAsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Outcome by Device Type [Filebeat CEF]", + "uiStateJSON": { + "vis": { + "colors": { + "/Failure": "#BF1B00", + "/Success": "#629E51" + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Firewall Types", + "field": 
"cef.extensions.categoryDeviceType", + "order": "desc", + "orderBy": "1", + "size": 10 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Event Outcome", + "field": "cef.extensions.categoryOutcome", + "order": "desc", + "orderBy": "1", + "size": 3 + }, + "schema": "group", + "type": "terms" + } + ], + "listeners": {}, + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "rotate": 75, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Firewall Types" + }, + "type": "category" + } + ], + "defaultYExtents": false, + "drawLinesBetweenPoints": true, + "grid": { + "categoryLines": false, + "style": { + "color": "#eee" + } + }, + "interpolate": "linear", + "legendPosition": "right", + "orderBucketsBySum": true, + "radiusRatio": 9, + "scale": "linear", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "mode": "stacked", + "show": "true", + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "setYExtents": false, + "showCircles": true, + "times": [], + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "percentage", + "type": "square root" + }, + "show": true, + "style": {}, + "title": {}, + "type": "value" + } + ] + }, + "title": "Outcome by Device Type [Filebeat CEF]", + "type": "histogram" + } + }, + "id": "fff249b2-18b6-4b48-bcf7-dd4595d111e7", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": 
"2019-10-25T16:30:06.345Z", + "version": "WzEzMzEsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "query_string": { + "query": "*" + } + } + } + }, + "title": "Events by Source Addresses [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "listeners": {}, + "params": { + "axis_formatter": "number", + "axis_position": "left", + "background_color": null, + "background_color_rules": [ + { + "id": "a0bf5a1d-8ebf-49d4-a347-738a6ce20562" + } + ], + "bar_color_rules": [ + { + "id": "23db5bf6-f787-474e-86ab-76362432e984" + } + ], + "filter": { + "language": "lucene", + "query": "cef.extensions.categoryDeviceGroup:\"/Firewall\" OR cef.extensions.categoryDeviceGroup:\"/IDS/Network\" OR cef.extensions.categoryDeviceGroup:\"/VPN\" " + }, + "gauge_color_rules": [ + { + "id": "42f84a0a-ee13-4ca8-b61d-3de482ae4ab0" + } + ], + "gauge_inner_width": 10, + "gauge_style": "half", + "gauge_width": 10, + "id": "ec53a1d3-213c-4b0f-a074-5005a84cdb83", + "index_pattern": "filebeat-*", + "interval": "auto", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(211,49,21,1)", + "fill": "0", + "filter": { + "language": "lucene", + "query": "cef.extensions.categoryDeviceGroup:\"/Firewall\" OR cef.extensions.categoryDeviceGroup:\"/IDS/Network\" OR cef.extensions.categoryDeviceGroup:\"/VPN\" " + }, + "formatter": "number", + "id": "04c44192-1112-4515-a8d9-e9e13215aecf", + "label": "Events", + "line_width": "3", + "metrics": [ + { + "id": "c5dbb050-fc10-4a0d-abe0-bc093db6cf0e", + "type": "count" + }, + { + "alpha": 0.3, + "beta": 0.1, + "field": "c5dbb050-fc10-4a0d-abe0-bc093db6cf0e", + "gamma": 0.3, + "id": "117fde19-e227-4fcb-8019-e82e6677c340", + "model_type": "simple", + "multiplicative": false, + "period": 1, + "sigma": "", + "type": "moving_average", + "window": "10" + } + ], + "point_size": "0", + "seperate_axis": 1, + "split_mode": 
"everything", + "stacked": "none", + "steps": 0, + "terms_field": "observer.hostmessage", + "terms_order_by": null, + "value_template": "{{value}}" + }, + { + "axis_position": "left", + "chart_type": "bar", + "color": "rgba(104,188,0,1)", + "fill": "0.5", + "formatter": "number", + "id": "3ffe652e-43c2-4a1d-ad8a-f7ab10f09f2b", + "label": "Top Source Addresses", + "line_width": "0", + "metrics": [ + { + "id": "dc74afdf-64ad-47d6-bbed-114e09d12255", + "type": "count" + }, + { + "alpha": 0.3, + "beta": 0.1, + "field": "dc74afdf-64ad-47d6-bbed-114e09d12255", + "gamma": 0.3, + "id": "b753ad38-c3ed-4463-8f6d-176f4d477897", + "model_type": "simple", + "multiplicative": false, + "period": 1, + "type": "moving_average", + "window": "10" + } + ], + "point_size": 1, + "seperate_axis": 1, + "split_mode": "terms", + "stacked": "none", + "terms_field": "source.ip", + "terms_size": "10" + } + ], + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "Events by Source Addresses [Filebeat CEF]", + "type": "metrics" + } + }, + "id": "d02dd523-ce91-40e9-9209-83797f80ed45", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [], + "type": "visualization", + "updated_at": "2019-10-25T16:30:06.345Z", + "version": "WzEzMzIsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Source Addresses [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Source Addresses", + "field": "source.ip", + "order": "desc", + "orderBy": "1", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "listeners": {}, + "params": { + "maxFontSize": 72, + "minFontSize": 18, + "orientation": "single", + "scale": "linear" + }, 
+ "title": "Top 10 Source Addresses [Filebeat CEF]", + "type": "tagcloud" + } + }, + "id": "589fec8c-336e-4122-8fef-a450bddf84f6", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:06.345Z", + "version": "WzEzMzMsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Destination Addresses [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Destination Addresses", + "field": "destination.ip", + "order": "desc", + "orderBy": "1", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "listeners": {}, + "params": { + "maxFontSize": 72, + "minFontSize": 18, + "orientation": "single", + "scale": "linear" + }, + "title": "Top 10 Destination Addresses [Filebeat CEF]", + "type": "tagcloud" + } + }, + "id": "86bd5f13-ca6b-43fa-b209-54e7460344bb", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:06.345Z", + "version": "WzEzMzQsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Destination Ports [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": 
"Destination Addresses", + "field": "destination.port", + "order": "desc", + "orderBy": "1", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "listeners": {}, + "params": { + "maxFontSize": 72, + "minFontSize": 18, + "orientation": "single", + "scale": "linear" + }, + "title": "Top 10 Destination Ports [Filebeat CEF]", + "type": "tagcloud" + } + }, + "id": "1204cf27-05e0-4905-bfa1-688aaaaaa840", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2019-10-25T16:30:06.345Z", + "version": "WzEzMzUsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "query_string": { + "query": "*" + } + } + } + }, + "title": " Dashboard Navigation [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "listeners": {}, + "params": { + "markdown": "[Network Overview](#/dashboard/dd0bc9af-2e89-4150-9b42-62517ea56b71) | [Network Suspicious Activity](#/dashboard/db1e1aca-279e-4ecc-b84e-fe58644f7619) | [Endpoint Overview](#dashboard/c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b) | [Endpoint OS Activity](#/dashboard/9e352900-89c3-4c1b-863e-249e24d0dac9) | [Microsoft DNS Overview](#/dashboard/56428e01-0c47-4770-8ba4-9345a029ea41)" + }, + "title": " Dashboard Navigation [Filebeat CEF]", + "type": "markdown" + } + }, + "id": "677891a1-90c4-4273-b126-f0e54689bd76", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [], + "type": "visualization", + "updated_at": "2019-10-25T16:30:06.345Z", + "version": "WzEzMzYsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Device Metrics Overview [Filebeat CEF]", + "uiStateJSON": { + "vis": { + "defaultColors": { + "0 - 
100": "rgb(0,104,55)" + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "8", + "params": { + "customLabel": "Event Count" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "Devices", + "field": "observer.hostname" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "5", + "params": { + "customLabel": "Sources", + "field": "source.ip" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "6", + "params": { + "customLabel": "Destinations", + "field": "destination.ip" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "7", + "params": { + "customLabel": "Ports", + "field": "destination.port" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "listeners": {}, + "params": { + "addLegend": false, + "addTooltip": true, + "fontSize": "30", + "gauge": { + "autoExtend": false, + "backStyle": "Full", + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 100 + } + ], + "gaugeColorMode": "None", + "gaugeStyle": "Full", + "gaugeType": "Metric", + "invertColors": false, + "labels": { + "color": "black", + "show": true + }, + "orientation": "vertical", + "percentageMode": false, + "scale": { + "color": "#333", + "labels": false, + "show": false, + "width": 2 + }, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": "12", + "labelColor": false, + "subText": "" + }, + "type": "simple", + "useRange": false, + "verticalSplit": false + }, + "handleNoResults": true, + "type": "gauge" + }, + "title": "Device Metrics Overview [Filebeat CEF]", + "type": "metric" + } + }, + "id": "01c3618c-9962-4fe9-b9c5-f73dfecc6eba", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [ + { + "id": "68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": 
"2019-10-25T16:30:06.345Z", + "version": "WzEzMzcsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "query_string": { + "query": "*" + } + } + } + }, + "title": "Network - Event Throughput [Filebeat CEF]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "listeners": {}, + "params": { + "axis_formatter": "number", + "axis_position": "left", + "background_color_rules": [ + { + "id": "3eadd451-5033-423f-88e3-814cc5e50b50" + } + ], + "bar_color_rules": [ + { + "id": "8d4596c5-49ad-429b-af54-5451b1c2e8d4" + } + ], + "filter": { + "language": "lucene", + "query": "cef.extensions.categoryDeviceType:\"Firewall\" OR cef.extensions.categoryDeviceGroup:\"/IDS/Network\" OR cef.extensions.categoryDeviceGroup:\"/VPN\" " + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "4d957654-cc7e-4ef3-8b29-61c0aeadd51a", + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "", + "gauge_style": "half", + "gauge_width": 10, + "id": "73968651-c41e-473e-a153-a025f49d1a1b", + "index_pattern": "filebeat-*", + "interval": "auto", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(0,156,224,1)", + "fill": 0.5, + "formatter": "number", + "id": "90d7621e-3265-4fe8-8882-8df9605ea659", + "label": "Event Throughput", + "line_width": 1, + "metrics": [ + { + "id": "ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba", + "type": "count" + }, + { + "field": "ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba", + "id": "ca3a65d0-9f3d-42a9-9f4e-16f9e24cba19", + "type": "cumulative_sum" + }, + { + "field": "ca3a65d0-9f3d-42a9-9f4e-16f9e24cba19", + "id": "6db67bc1-7fff-47e7-a931-f797b1f76732", + "type": "derivative", + "unit": "1s" + }, + { + "alpha": 0.3, + "beta": 0.1, + "field": "6db67bc1-7fff-47e7-a931-f797b1f76732", + "gamma": 0.3, + "id": "92bc1447-2b30-498c-ae8a-c67904fc82b2", + "model_type": "simple", + "multiplicative": false, + "period": 1, + "type": "moving_average", 
+ "window": "10" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_mode": "everything", + "stacked": "none", + "value_template": "{{value}} / s" + } + ], + "show_legend": 1, + "time_field": "@timestamp", + "type": "gauge" + }, + "title": "Network - Event Throughput [Filebeat CEF]", + "type": "metrics" + } + }, + "id": "33747d52-ec4c-4d91-86d8-fbdf9b9c82db", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [], + "type": "visualization", + "updated_at": "2019-10-25T16:30:06.345Z", + "version": "WzEzMzgsMV0=" + }, + { + "attributes": { + "columns": [ + "priority", + "message", + "source.ip", + "source.port", + "destination.ip", + "destination.port", + "network.application", + "message", + "cef.extensions.categoryBehavior", + "cef.extensions.categoryOutcome", + "deviceAddress", + "cef.device.product", + "cef.device.vendor", + "cef.extensions.categoryDeviceGroup", + "cef.extensions.categoryDeviceType" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "query", + "negate": false, + "type": "custom", + "value": "{\"terms\":{\"cef.extensions.categoryDeviceGroup\":[\"/VPN\",\"/IDS/Network\",\"/Firewall\"]}}" + }, + "query": { + "terms": { + "cef.extensions.categoryDeviceGroup": [ + "/VPN", + "/IDS/Network", + "/Firewall" + ] + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "lucene", + "query": "" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Network Events [Filebeat CEF]", + "version": 1 + }, + "id": "68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "migrationVersion": { + "search": "7.4.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2019-10-25T16:31:42.748Z", + "version": "WzE0NzMsMV0=" + } + ], + "version": "7.4.1" +} diff --git a/x-pack/filebeat/module/cef/log/test/cef.log-expected.json b/x-pack/filebeat/module/cef/log/test/cef.log-expected.json index 6d3efc46376e..4127423e5886 100644 --- a/x-pack/filebeat/module/cef/log/test/cef.log-expected.json +++ b/x-pack/filebeat/module/cef/log/test/cef.log-expected.json @@ -5,15 +5,15 @@ "cef.device.vendor": "Elastic", "cef.device.version": "1.0.0-alpha", "cef.extensions.destinationAddress": "192.168.10.1", - "cef.extensions.destinationPort": "443", - "cef.extensions.eventId": "3457", + "cef.extensions.destinationPort": 443, + "cef.extensions.eventId": 3457, "cef.extensions.requestContext": "https://www.google.com", "cef.extensions.requestMethod": "POST", "cef.extensions.requestUrl": "https://www.example.com/cart", "cef.extensions.sourceAddress": "6.7.8.9", - "cef.extensions.sourceGeoLatitude": "38.915", - "cef.extensions.sourceGeoLongitude": "-77.511", - "cef.extensions.sourcePort": "33876", + "cef.extensions.sourceGeoLatitude": 38.915, + "cef.extensions.sourceGeoLongitude": -77.511, + "cef.extensions.sourcePort": 33876, "cef.extensions.sourceServiceName": "httpd", "cef.extensions.transportProtocol": "TCP", "cef.name": "Web request", diff --git a/x-pack/filebeat/processors/decode_cef/_meta/fields.yml b/x-pack/filebeat/processors/decode_cef/_meta/fields.yml index f57557d7ad25..3deb1c2a9517 100644 --- a/x-pack/filebeat/processors/decode_cef/_meta/fields.yml +++ b/x-pack/filebeat/processors/decode_cef/_meta/fields.yml 
@@ -49,10 +49,679 @@ Short description of the event. - name: extensions - type: object - object_type: keyword + type: group description: > Collection of key-value pairs carried in the CEF extension field. + default_field: false + fields: + - name: agentAddress + type: ip + description: The IP address of the ArcSight connector that processed the event. + + - name: agentDnsDomain + type: keyword + description: The DNS domain name of the ArcSight connector that processed the event. + + - name: agentHostName + type: keyword + description: The hostname of the ArcSight connector that processed the event. + + - name: agentId + type: keyword + description: The agent ID of the ArcSight connector that processed the event. + + - name: agentMacAddress + type: keyword + description: The MAC address of the ArcSight connector that processed the event. + + - name: agentNtDomain + type: keyword + description: + + - name: agentReceiptTime + type: date + description: The time at which information about the event was received by the ArcSight connector. + + - name: agentTimeZone + type: keyword + description: The agent time zone of the ArcSight connector that processed the event. + + - name: agentTranslatedAddress + type: ip + description: + + - name: agentTranslatedZoneExternalID + type: keyword + description: + + - name: agentTranslatedZoneURI + type: keyword + description: + + - name: agentType + type: keyword + description: The agent type of the ArcSight connector that processed the event + + - name: agentVersion + type: keyword + description: The version of the ArcSight connector that processed the event. + + - name: agentZoneExternalID + type: keyword + description: + + - name: agentZoneURI + type: keyword + description: + + - name: applicationProtocol + type: keyword + description: Application level protocol, example values are HTTP, HTTPS, SSHv2, Telnet, POP, IMPA, IMAPS, and so on. + + - name: baseEventCount + type: long + description: A count associated with this event. 
How many times was this same event observed? Count can be omitted if it is 1. + + - name: bytesIn + type: long + description: Number of bytes transferred inbound, relative to the source to destination relationship, meaning that data was flowing from source to destination. + + - name: bytesOut + type: long + description: Number of bytes transferred outbound relative to the source to destination relationship. For example, the byte number of data flowing from the destination to the source. + + - name: customerExternalID + type: keyword + description: + + - name: customerURI + type: keyword + description: + + - name: destinationAddress + type: ip + description: Identifies the destination address that the event refers to in an IP network. The format is an IPv4 address. + + - name: destinationDnsDomain + type: keyword + description: The DNS domain part of the complete fully qualified domain name (FQDN). + + - name: destinationGeoLatitude + type: double + description: The latitudinal value from which the destination's IP address belongs. + + - name: destinationGeoLongitude + type: double + description: The longitudinal value from which the destination's IP address belongs. + + - name: destinationHostName + type: keyword + description: Identifies the destination that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the destination node, when a node is available. + + - name: destinationMacAddress + type: keyword + description: Six colon-seperated hexadecimal numbers. + + - name: destinationNtDomain + type: keyword + description: The Windows domain name of the destination address. + + - name: destinationPort + type: long + description: The valid port numbers are between 0 and 65535. + + - name: destinationProcessId + type: long + description: Provides the ID of the destination process associated with the event. For example, if an event contains process ID 105, "105" is the process ID. 
+ + - name: destinationProcessName + type: keyword + description: The name of the event's destination process. + + - name: destinationServiceName + type: keyword + description: The service targeted by this event. + + - name: destinationTranslatedAddress + type: ip + description: Identifies the translated destination that the event refers to in an IP network. + + - name: destinationTranslatedPort + type: long + description: Port after it was translated; for example, a firewall. Valid port numbers are 0 to 65535. + + - name: destinationTranslatedZoneExternalID + type: keyword + description: + + - name: destinationTranslatedZoneURI + type: keyword + description: The URI for the Translated Zone that the destination asset has been assigned to in ArcSight. + + - name: destinationUserId + type: keyword + description: Identifies the destination user by ID. For example, in UNIX, the root user is generally associated with user ID 0. + + - name: destinationUserName + type: keyword + description: Identifies the destination user by name. This is the user associated with the event's destination. Email addresses are often mapped into the UserName fields. The recipient is a candidate to put into this field. + + - name: destinationUserPrivileges + type: keyword + description: The typical values are "Administrator", "User", and "Guest". This identifies the destination user's privileges. In UNIX, for example, activity executed on the root user would be identified with destinationUser Privileges of "Administrator". + + - name: destinationZoneExternalID + type: keyword + description: + + - name: destinationZoneURI + type: keyword + description: The URI for the Zone that the destination asset has been assigned to in ArcSight. + + - name: deviceAction + type: keyword + description: Action taken by the device. + + - name: deviceAddress + type: ip + description: Identifies the device address that an event refers to in an IP network. 
+ + - name: deviceCustomFloatingPoint1Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + + - name: deviceCustomFloatingPoint3Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + + - name: deviceCustomFloatingPoint4Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + + - name: deviceCustomDate1 + type: date + description: One of two timestamp fields available to map fields that do not apply to any other in this dictionary. + + - name: deviceCustomDate1Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + + - name: deviceCustomDate2 + type: date + description: One of two timestamp fields available to map fields that do not apply to any other in this dictionary. + + - name: deviceCustomDate2Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + + - name: deviceCustomFloatingPoint1 + type: double + description: One of four floating point fields available to map fields that do not apply to any other in this dictionary. + + - name: deviceCustomFloatingPoint2 + type: double + description: One of four floating point fields available to map fields that do not apply to any other in this dictionary. + + - name: deviceCustomFloatingPoint2Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. 
+ + - name: deviceCustomFloatingPoint3 + type: double + description: One of four floating point fields available to map fields that do not apply to any other in this dictionary. + + - name: deviceCustomFloatingPoint4 + type: double + description: One of four floating point fields available to map fields that do not apply to any other in this dictionary. + + - name: deviceCustomIPv6Address1Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + + - name: deviceCustomIPv6Address4 + type: ip + description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. + + - name: deviceCustomIPv6Address4Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + + - name: deviceCustomIPv6Address1 + type: ip + description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. + + - name: deviceCustomIPv6Address3 + type: ip + description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. + + - name: deviceCustomIPv6Address3Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + + - name: deviceCustomNumber1 + type: long + description: One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. + + - name: deviceCustomNumber1Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. 
+ + - name: DeviceCustomNumber2 + type: long + description: One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. + + - name: deviceCustomNumber2Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + + - name: deviceCustomNumber3 + type: long + description: One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. + + - name: deviceCustomNumber3Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + + - name: deviceCustomString1 + type: keyword + description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. + + - name: deviceCustomString1Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + + - name: deviceCustomString2 + type: keyword + description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. + + - name: deviceCustomString2Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + + - name: deviceCustomString3 + type: keyword + description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. 
+ + - name: deviceCustomString3Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + + - name: deviceCustomString4 + type: keyword + description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. + + - name: deviceCustomString4Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + + - name: deviceCustomString5 + type: keyword + description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. + + - name: deviceCustomString5Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + + - name: deviceCustomString6 + type: keyword + description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. + + - name: deviceCustomString6Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + + - name: deviceDirection + type: long + description: Any information about what direction the observed communication has taken. The following values are supported - "0" for inbound or "1" for outbound. + + - name: deviceDnsDomain + type: keyword + description: The DNS domain part of the complete fully qualified domain name (FQDN). + + - name: deviceEventCategory + type: keyword + description: Represents the category assigned by the originating device. 
Devices often use their own categorization schema to classify event. Example "/Monitor/Disk/Read". + + - name: deviceExternalId + type: keyword + description: A name that uniquely identifies the device generating this event. + + - name: deviceFacility + type: keyword + description: The facility generating this event. For example, Syslog has an explicit facility associated with every event. + + - name: deviceHostName + type: keyword + description: The format should be a fully qualified domain name (FQDN) associated with the device node, when a node is available. + + - name: deviceInboundInterface + type: keyword + description: Interface on which the packet or data entered the device. + + - name: deviceMacAddress + type: keyword + description: Six colon-separated hexadecimal numbers. + + - name: deviceNtDomain + type: keyword + description: The Windows domain name of the device address. + + - name: deviceOutboundInterface + type: keyword + description: Interface on which the packet or data left the device. + + - name: devicePayloadId + type: keyword + description: Unique identifier for the payload associated with the event. + + - name: deviceProcessId + type: long + description: Provides the ID of the process on the device generating the event. + + - name: deviceProcessName + type: keyword + description: Process name associated with the event. An example might be the process generating the syslog entry in UNIX. + + - name: deviceReceiptTime + type: date + description: The time at which the event related to the activity was received. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970) + + - name: deviceTimeZone + type: keyword + description: The timezone for the device generating the event. + + - name: deviceTranslatedAddress + type: ip + description: Identifies the translated device address that the event refers to in an IP network. 
+ + - name: deviceTranslatedZoneExternalID + type: keyword + description: + + - name: deviceTranslatedZoneURI + type: keyword + description: The URI for the Translated Zone that the device asset has been assigned to in ArcSight. + + - name: deviceZoneExternalID + type: keyword + description: + + - name: deviceZoneURI + type: keyword + description: Thee URI for the Zone that the device asset has been assigned to in ArcSight. + + - name: endTime + type: date + description: The time at which the activity related to the event ended. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st1970). An example would be reporting the end of a session. + + - name: eventId + type: long + description: This is a unique ID that ArcSight assigns to each event. + + - name: eventOutcome + type: keyword + description: Displays the outcome, usually as 'success' or 'failure'. + + - name: externalId + type: keyword + description: The ID used by an originating device. They are usually increasing numbers, associated with events. + + - name: fileCreateTime + type: date + description: Time when the file was created. + + - name: fileHash + type: keyword + description: Hash of a file. + + - name: fileId + type: keyword + description: An ID associated with a file could be the inode. + + - name: fileModificationTime + type: date + description: Time when the file was last modified. + + - name: filename + type: keyword + description: Name of the file only (without its path). + + - name: filePath + type: keyword + description: Full path to the file, including file name itself. + + - name: filePermission + type: keyword + description: Permissions of the file. + + - name: fileSize + type: long + description: Size of the file. + + - name: fileType + type: keyword + description: Type of file (pipe, socket, etc.) + + - name: flexDate1 + type: date + description: A timestamp field available to map a timestamp that does not apply to any other defined timestamp field in this dictionary. 
Use all flex fields sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary. + + - name: flexDate1Label + type: keyword + description: The label field is a string and describes the purpose of the flex field. + + - name: flexString1 + type: keyword + description: One of four floating point fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary. + + - name: flexString2 + type: keyword + description: One of four floating point fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary. + + - name: flexString1Label + type: keyword + description: The label field is a string and describes the purpose of the flex field. + + - name: flexString2Label + type: keyword + description: The label field is a string and describes the purpose of the flex field. + + - name: message + type: keyword + description: An arbitrary message giving more details about the event. Multi-line entries can be produced by using \n as the new line separator. + + - name: oldFileCreateTime + type: date + description: Time when old file was created. + + - name: oldFileHash + type: keyword + description: Hash of the old file. + + - name: oldFileId + type: keyword + description: An ID associated with the old file could be the inode. + + - name: oldFileModificationTime + type: date + description: Time when old file was last modified. + + - name: oldFileName + type: keyword + description: Name of the old file. 
+ + - name: oldFilePath + type: keyword + description: Full path to the old file, including the file name itself. + + - name: oldFilePermission + type: keyword + description: Permissions of the old file. + + - name: oldFileSize + type: long + description: Size of the old file. + + - name: oldFileType + type: keyword + description: Type of the old file (pipe, socket, etc.) + + - name: rawEvent + type: keyword + description: + + - name: Reason + type: keyword + description: The reason an audit event was generated. For example "bad password" or "unknown user". This could also be an error or return code. Example "0x1234". + + - name: requestClientApplication + type: keyword + description: The User-Agent associated with the request. + + - name: requestContext + type: keyword + description: Description of the content from which the request originated (for example, HTTP Referrer) + + - name: requestCookies + type: keyword + description: Cookies associated with the request. + + - name: requestMethod + type: keyword + description: The HTTP method used to access a URL. + + - name: requestUrl + type: keyword + description: In the case of an HTTP request, this field contains the URL accessed. The URL should contain the protocol as well. + + - name: sourceAddress + type: ip + description: Identifies the source that an event refers to in an IP network. + + - name: sourceDnsDomain + type: keyword + description: The DNS domain part of the complete fully qualified domain name (FQDN). + + - name: sourceGeoLatitude + type: double + description: + + - name: sourceGeoLongitude + type: double + description: + + - name: sourceHostName + type: keyword + description: > + Identifies the source that an event refers to in an IP network. + The format should be a fully qualified domain name (FQDN) associated with the source node, when a + mode is available. Examples: 'host' or 'host.domain.com'. 
+ + - name: sourceMacAddress + type: keyword + example: "00:0d:60:af:1b:61" + description: Six colon-separated hexadecimal numbers. + + - name: sourceNtDomain + type: keyword + description: The Windows domain name for the source address. + + - name: sourcePort + type: long + description: The valid port numbers are 0 to 65535. + + - name: sourceProcessId + type: long + description: The ID of the source process associated with the event. + + - name: sourceProcessName + type: keyword + description: The name of the event's source process. + + - name: sourceServiceName + type: keyword + description: The service that is responsible for generating this event. + + - name: sourceTranslatedAddress + type: ip + description: Identifies the translated source that the event refers to in an IP network. + + - name: sourceTranslatedPort + type: long + description: A port number after being translated by, for example, a firewall. Valid port numbers are 0 to 65535. + + - name: sourceTranslatedZoneExternalID + type: keyword + description: + + - name: sourceTranslatedZoneURI + type: keyword + description: The URI for the Translated Zone that the destination asset has been assigned to in ArcSight. + + - name: sourceUserId + type: keyword + description: Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0. + + - name: sourceUserName + type: keyword + description: Identifies the source user by name. Email addresses are also mapped into the UserName fields. The sender is a candidate to put into this field. + + - name: sourceUserPrivileges + type: keyword + description: The typical values are "Administrator", "User", and "Guest". It identifies the source user's privileges. In UNIX, for example, activity executed by the root user would be identified with "Administrator". 
+ + - name: sourceZoneExternalID + type: keyword + description: + + - name: sourceZoneURI + type: keyword + description: The URI for the Zone that the source asset has been assigned to in ArcSight. + + - name: startTime + type: date + description: The time when the activity the event referred to started. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970) + + - name: transportProtocol + type: keyword + description: Identifies the Layer-4 protocol used. The possible values are protocols such as TCP or UDP. + + - name: type + type: long + description: 0 means base event, 1 means aggregated, 2 means correlation, and 3 means action. This field can be omitted for base events (type 0). + + # ArcSight fields. + - name: categoryDeviceType + type: keyword + description: Device type. Examples - Proxy, IDS, Web Server + + - name: categoryObject + type: keyword + description: Object that the event is about. For example it can be an operating sytem, database, file, etc. + + - name: categoryBehavior + type: keyword + description: Action or a behavior associated with an event. It's what is being done to the object. + + - name: categoryTechnique + type: keyword + description: Technique being used (e.g. /DoS). + + - name: categoryDeviceGroup + type: keyword + description: General device group like Firewall. + + - name: categorySignificance + type: keyword + description: Characterization of the importance of the event. + + - name: categoryOutcome + type: keyword + description: Outcome of the event (e.g. sucess, failure, or attempt). + + - name: managerReceiptTime + type: date + description: When the Arcsight ESM received the event. - name: source.service.name type: keyword diff --git a/x-pack/filebeat/processors/decode_cef/cef/cef.go b/x-pack/filebeat/processors/decode_cef/cef/cef.go index d5b82c03e050..c3cee5ff02d4 100644 --- a/x-pack/filebeat/processors/decode_cef/cef/cef.go +++ b/x-pack/filebeat/processors/decode_cef/cef/cef.go 
@@ -4,7 +4,12 @@ package cef -import "bytes" +import ( + "bytes" + + "github.com/pkg/errors" + "go.uber.org/multierr" +) // Parser is generated from a ragel state machine using the following command: //go:generate ragel -Z -G1 cef.rl -o parser.go @@ -15,6 +20,13 @@ import "bytes" //go:generate ragel -V -p cef.rl -o cef.dot //go:generate dot -T svg cef.dot -o cef.svg +// Field is CEF extension field value. +type Field struct { + String string // Raw value. + Type DataType // Data type from CEF guide. + Interface interface{} // Converted value. +} + // Event is a single CEF message. type Event struct { // CEF version. @@ -44,7 +56,7 @@ type Event struct { // predefined set. The standard allows for including additional keys as // outlined in "ArcSight Extension Directory". An event can contain any // number of key-value pairs in any order. - Extensions map[string]string `json:"extensions,omitempty"` + Extensions map[string]*Field `json:"extensions,omitempty"` } func (e *Event) init() { @@ -60,9 +72,9 @@ func (e *Event) init() { func (e *Event) pushExtension(key []byte, value []byte) { if e.Extensions == nil { - e.Extensions = map[string]string{} + e.Extensions = map[string]*Field{} } - e.Extensions[string(key)] = string(value) + e.Extensions[string(key)] = &Field{String: string(value)} } // Unpack unpacks a common event format (CEF) message. The data is expected to 
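Review bot: The comment on the new exported `Field` type does not say what a caller reading `Extensions` will find in each member after `Unpack`, and the three members are not symmetric: `String` is always the raw text from the message, while `Type` and `Interface` are only populated for keys that have an entry in `extensionMapping` (the conversion loop skips unmapped keys, and the test helper `UndocumentedField` builds exactly `&Field{String: v}`). I would expand it to `// Field is a CEF extension field value. String always holds the raw text from the message; Type and Interface are only set for keys listed in extensionMapping, so Interface is nil for undocumented keys.` The behaviour being documented lives in the Unpack hunk that follows, not in this one.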
@@ -93,21 +105,36 @@ func (e *Event) Unpack(data []byte, opts ...Option) error { opt.Apply(&settings) } - err := e.unpack(data) + var errs []error + var err error + if err = e.unpack(data); err != nil { + errs = append(errs, err) + } - if settings.fullExtensionNames { - for key, v := range e.Extensions { - fullName, found := fullNameMapping[key] - if !found || key == fullName { - continue - } + for key, field := range e.Extensions { + mapping, found := extensionMapping[key] + if !found { + continue + } + + // Mark the data type and do the actual conversion. + field.Type = mapping.Type + field.Interface, err = ToType(field.String, mapping.Type) + if err != nil { + // Drop the key because the field value is invalid. + delete(e.Extensions, key) + errs = append(errs, errors.Wrapf(err, "error in field '%v'", key)) + continue + } - e.Extensions[fullName] = v + // Rename extension. + if settings.fullExtensionNames && key != mapping.Target { + e.Extensions[mapping.Target] = field delete(e.Extensions, key) } } - return err + return multierr.Combine(errs...) } var ( diff --git a/x-pack/filebeat/processors/decode_cef/cef/cef_test.go b/x-pack/filebeat/processors/decode_cef/cef/cef_test.go index 4e7f2c8f1306..a24e38d3aac3 100644 --- a/x-pack/filebeat/processors/decode_cef/cef/cef_test.go +++ b/x-pack/filebeat/processors/decode_cef/cef/cef_test.go @@ -10,6 +10,7 @@ import ( "flag" "io/ioutil" "path/filepath" + "strconv" "testing" "github.com/stretchr/testify/assert" @@ -87,11 +88,11 @@ func TestEventUnpack(t *testing.T) { assert.Equal(t, "100", e.DeviceEventClassID) assert.Equal(t, "trojan successfully stopped", e.Name) assert.Equal(t, "10", e.Severity) - assert.Equal(t, map[string]string{ - "src": "10.0.0.192", - "dst": "12.121.122.82", - "spt": "1232", - "eventId": "1", + assert.Equal(t, map[string]*Field{ + "src": IPField("10.0.0.192"), + "dst": IPField("12.121.122.82"), + "spt": IntegerField(1232), + "eventId": LongField(1), }, e.Extensions) }) 
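Review bot: The rename branch inserts `mapping.Target` into `e.Extensions` while the loop is still ranging over that same map, so the new entry may be visited in the same pass (Go leaves that unspecified); it is harmless only as long as no `Target` is itself a key of `extensionMapping`, which holds for the visible table but is not enforced anywhere. The same branch also overwrites silently when the message already carried the full name alongside the short one (for example both `src` and `sourceAddress`), so the undocumented value disappears without any entry in `errs`. I would collect the renames during the conversion pass and apply them afterwards, reporting a collision through the same error list. Note too that `extensionMapping[key]` is an exact-case lookup, so the keys the table spells with a capital (`C6a4Label`, `DeviceOutboundInterface`, `DevicePayloadId`) only match producers that use that exact spelling; worth a comment if that is intentional.
```go
	// Apply renames after the conversion pass so the map is not grown while
	// being ranged over, and an existing full-name key is never clobbered.
	var renames map[string]string
	for key, field := range e.Extensions {
		// … unchanged: mapping lookup, ToType conversion and drop-on-error …
		if settings.fullExtensionNames && key != mapping.Target {
			if renames == nil {
				renames = make(map[string]string)
			}
			renames[key] = mapping.Target
		}
	}
	for key, target := range renames {
		if _, exists := e.Extensions[target]; exists {
			errs = append(errs, errors.Errorf("extension '%v' conflicts with existing '%v'", key, target))
			continue
		}
		e.Extensions[target] = e.Extensions[key]
		delete(e.Extensions, key)
	}
	return multierr.Combine(errs...)
```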
@@ -120,10 +121,10 @@ func TestEventUnpack(t *testing.T) { assert.Equal(t, "100", e.DeviceEventClassID) assert.Equal(t, "trojan successfully stopped", e.Name) assert.Equal(t, "10", e.Severity) - assert.Equal(t, map[string]string{ - "src": "10.0.0.192", - "dst": "12.121.122.82", - "spt": "1232", + assert.Equal(t, map[string]*Field{ + "src": IPField("10.0.0.192"), + "dst": IPField("12.121.122.82"), + "spt": IntegerField(1232), }, e.Extensions) }) @@ -138,17 +139,17 @@ func TestEventUnpack(t *testing.T) { assert.Equal(t, "100", e.DeviceEventClassID) assert.Equal(t, "trojan successfully stopped", e.Name) assert.Equal(t, "10", e.Severity) - assert.Equal(t, map[string]string{ - "src": "10.0.0.192", - "dst": "12.121.122.82", - "spt": "1232", + assert.Equal(t, map[string]*Field{ + "src": IPField("10.0.0.192"), + "dst": IPField("12.121.122.82"), + "spt": IntegerField(1232), }, e.Extensions) }) t.Run("emptyExtensionValue", func(t *testing.T) { var e Event err := e.Unpack([]byte(emptyExtensionValue)) - assert.NoError(t, err) + assert.Error(t, err) assert.Equal(t, 26, e.Version) assert.Equal(t, "security", e.DeviceVendor) assert.Equal(t, "threatmanager", e.DeviceProduct) @@ -156,10 +157,9 @@ func TestEventUnpack(t *testing.T) { assert.Equal(t, "100", e.DeviceEventClassID) assert.Equal(t, "trojan successfully stopped", e.Name) assert.Equal(t, "10", e.Severity) - assert.Equal(t, map[string]string{ - "src": "10.0.0.192", - "dst": "", - "spt": "1232", + assert.Equal(t, map[string]*Field{ + "src": IPField("10.0.0.192"), + "spt": IntegerField(1232), }, e.Extensions) }) 
@@ -174,10 +174,10 @@ func TestEventUnpack(t *testing.T) { assert.Equal(t, "100", e.DeviceEventClassID) assert.Equal(t, "trojan successfully stopped", e.Name) assert.Equal(t, "10", e.Severity) - assert.Equal(t, map[string]string{ - "src": "10.0.0.192", - "dst": "12.121.122.82", - "spt": "1232", + assert.Equal(t, map[string]*Field{ + "src": IPField("10.0.0.192"), + "dst": IPField("12.121.122.82"), + "spt": IntegerField(1232), }, e.Extensions) }) @@ -208,10 +208,10 @@ func TestEventUnpack(t *testing.T) { assert.Equal(t, "100", e.DeviceEventClassID) assert.Equal(t, "trojan successfully stopped", e.Name) assert.Equal(t, "10", e.Severity) - assert.Equal(t, map[string]string{ - "src": "10.0.0.192", - "dst": "12.121.122.82", - "spt": "1232", + assert.Equal(t, map[string]*Field{ + "src": IPField("10.0.0.192"), + "dst": IPField("12.121.122.82"), + "spt": IntegerField(1232), }, e.Extensions) }) @@ -226,8 +226,8 @@ func TestEventUnpack(t *testing.T) { assert.Equal(t, "100", e.DeviceEventClassID) assert.Equal(t, "trojan successfully stopped", e.Name) assert.Equal(t, "10", e.Severity) - assert.Equal(t, map[string]string{ - "moo": "this|has an pipe", + assert.Equal(t, map[string]*Field{ + "moo": UndocumentedField("this|has an pipe"), }, e.Extensions) }) @@ -258,9 +258,9 @@ func TestEventUnpack(t *testing.T) { assert.Equal(t, "100", e.DeviceEventClassID) assert.Equal(t, "trojan successfully stopped", e.Name) assert.Equal(t, "10", e.Severity) - assert.Equal(t, map[string]string{ - "msg": "a+b=c", - "x": `c\d=z`, + assert.Equal(t, map[string]*Field{ + "msg": StringField("a+b=c"), + "x": UndocumentedField(`c\d=z`), }, e.Extensions) }) 
@@ -274,17 +274,17 @@ func TestEventUnpack(t *testing.T) { assert.Equal(t, "200", e.DeviceEventClassID) assert.Equal(t, "Success", e.Name) assert.Equal(t, "2", e.Severity) - assert.Equal(t, map[string]string{ - "rt": "Sep 07 2018 14:50:39", - "cat": "Access Log", - "dst": "1.1.1.1", - "dhost": "foo.example.com", - "suser": "redacted", - "src": "2.2.2.2", - "requestMethod": "POST", - "request": `'https://foo.example.com/bar/bingo/1'`, - "cs1": "", - "cs1Label": "Foo Bar", + assert.Equal(t, map[string]*Field{ + "rt": TimestampField("Sep 07 2018 14:50:39"), + "cat": StringField("Access Log"), + "dst": IPField("1.1.1.1"), + "dhost": StringField("foo.example.com"), + "suser": StringField("redacted"), + "src": IPField("2.2.2.2"), + "requestMethod": StringField("POST"), + "request": StringField(`'https://foo.example.com/bar/bingo/1'`), + "cs1": StringField(""), + "cs1Label": StringField("Foo Bar"), }, e.Extensions) // requestClientApplication is not valid because it contains an unescaped @@ -304,10 +304,10 @@ func TestEventUnpack(t *testing.T) { assert.Equal(t, "event_id", e.DeviceEventClassID) assert.Equal(t, "name", e.Name) assert.Equal(t, "Very-High", e.Severity) - assert.Equal(t, map[string]string{ - "msg": "Hello World", - "error": "Failed because", - "user": "root", + assert.Equal(t, map[string]*Field{ + "msg": StringField("Hello World"), + "error": UndocumentedField("Failed because"), + "user": UndocumentedField("root"), }, e.Extensions) // Both id and angle contain unescaped equals signs. 
@@ -328,11 +328,11 @@ func TestEventUnpackWithFullExtensionNames(t *testing.T) { var e Event err := e.Unpack([]byte(standardMessage), WithFullExtensionNames()) assert.NoError(t, err) - assert.Equal(t, map[string]string{ - "sourceAddress": "10.0.0.192", - "destinationAddress": "12.121.122.82", - "sourcePort": "1232", - "eventId": "1", + assert.Equal(t, map[string]*Field{ + "sourceAddress": IPField("10.0.0.192"), + "destinationAddress": IPField("12.121.122.82"), + "sourcePort": IntegerField(1232), + "eventId": LongField(1), }, e.Extensions) } @@ -348,3 +348,20 @@ func BenchmarkEventUnpack(b *testing.B) { e.Unpack(messages[i%len(messages)]) } } + +func IPField(v string) *Field { return &Field{String: v, Type: IPType, Interface: v} } +func StringField(v string) *Field { return &Field{String: v, Type: StringType, Interface: v} } +func IntegerField(v int32) *Field { + return &Field{String: strconv.Itoa(int(v)), Type: IntegerType, Interface: v} +} +func LongField(v int64) *Field { + return &Field{String: strconv.Itoa(int(v)), Type: LongType, Interface: v} +} +func UndocumentedField(v string) *Field { return &Field{String: v} } +func TimestampField(v string) *Field { + ts, err := toTimestamp(v) + if err != nil { + panic(err) + } + return &Field{String: v, Type: TimestampType, Interface: ts} +} diff --git a/x-pack/filebeat/processors/decode_cef/cef/keys.go b/x-pack/filebeat/processors/decode_cef/cef/keys.go index 3caad0b85fd0..f747c27fbd6a 100644 --- a/x-pack/filebeat/processors/decode_cef/cef/keys.go +++ b/x-pack/filebeat/processors/decode_cef/cef/keys.go 
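Review bot: `LongField` converts its `int64` with `strconv.Itoa(int(v))`, which truncates on 32-bit targets where `int` is 32 bits, so a helper meant to exercise the `LongType` path cannot express a value outside the int32 range there; `strconv.FormatInt(v, 10)` keeps the full width: `return &Field{String: strconv.FormatInt(v, 10), Type: LongType, Interface: v}`. `IntegerField` is fine as written because `int` is at least 32 bits. It would also be worth adding one case that feeds a non-numeric `spt` or `cnt` and asserts the key is dropped and the error is returned, since in the visible tests the drop-on-error path in `Unpack` is only covered by the empty `dst` case.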
@@ -4,170 +4,656 @@ package cef -// fullNameMapping is a mapping of CEF key names to full field names. -// This mapping was generated from tables contained in "Micro Focus Security -// ArcSight Common Event Format Version 25" dated September 28, 2017. -var fullNameMapping = map[string]string{ - "agt": "agentAddress", - "agentDnsDomain": "agentDnsDomain", - "ahost": "agentHostName", - "aid": "agentId", - "amac": "agentMacAddress", - "agentNtDomain": "agentNtDomain", - "art": "agentReceiptTime", - "atz": "agentTimeZone", - "agentTranslatedAddress": "agentTranslatedAddress", - "agentTranslatedZoneExternalID": "agentTranslatedZoneExternalID", - "agentTranslatedZoneURI": "agentTranslatedZoneURI", - "at": "agentType", - "av": "agentVersion", - "agentZoneExternalID": "agentZoneExternalID", - "agentZoneURI": "agentZoneURI", - "app": "applicationProtocol", - "cnt": "baseEventCount", - "in": "bytesIn", - "out": "bytesOut", - "customerExternalID": "customerExternalID", - "customerURI": "customerURI", - "dst": "destinationAddress", - "destinationDnsDomain": "destinationDnsDomain", - "dlat": "destinationGeoLatitude", - "dlong": "destinationGeoLongitude", - "dhost": "destinationHostName", - "dmac": "destinationMacAddress", - "dntdom": "destinationNtDomain", - "dpt": "destinationPort", - "dpid": "destinationProcessId", - "dproc": "destinationProcessName", - "destinationServiceName": "destinationServiceName", - "destinationTranslatedAddress": "destinationTranslatedAddress", - "destinationTranslatedPort": "destinationTranslatedPort", - "destinationTranslatedZoneExternalID": "destinationTranslatedZoneExternalID", - "destinationTranslatedZoneURI": "destinationTranslatedZoneURI", - "duid": "destinationUserId", - "duser": "destinationUserName", - "dpriv": "destinationUserPrivileges", - "destinationZoneExternalID": "destinationZoneExternalID", - "destinationZoneURI": "destinationZoneURI", - "act": "deviceAction", - "dvc": "deviceAddress", - "cfp1Label": 
"deviceCustomFloatingPoint1Label", - "cfp3Label": "deviceCustomFloatingPoint3Label", - "cfp4Label": "deviceCustomFloatingPoint4Label", - "deviceCustomDate1": "deviceCustomDate1", - "deviceCustomDate1Label": "deviceCustomDate1Label", - "deviceCustomDate2": "deviceCustomDate2", - "deviceCustomDate2Label": "deviceCustomDate2Label", - "cfp1": "deviceCustomFloatingPoint1", - "cfp2": "deviceCustomFloatingPoint2", - "cfp2Label": "deviceCustomFloatingPoint2Label", - "cfp3": "deviceCustomFloatingPoint3", - "cfp4": "deviceCustomFloatingPoint4", - "c6a1Label": "deviceCustomIPv6Address1Label", - "c6a4": "deviceCustomIPv6Address4", - "C6a4Label": "deviceCustomIPv6Address4Label", - "c6a1": "deviceCustomIPv6Address1", - "c6a3": "deviceCustomIPv6Address3", - "c6a3Label": "deviceCustomIPv6Address3Label", - "cn1": "deviceCustomNumber1", - "cn1Label": "deviceCustomNumber1Label", - "cn2": "DeviceCustomNumber2", - "cn2Label": "deviceCustomNumber2Label", - "cn3": "deviceCustomNumber3", - "cn3Label": "deviceCustomNumber3Label", - "cs1": "deviceCustomString1", - "cs1Label": "deviceCustomString1Label", - "cs2": "deviceCustomString2", - "cs2Label": "deviceCustomString2Label", - "cs3": "deviceCustomString3", - "cs3Label": "deviceCustomString3Label", - "cs4": "deviceCustomString4", - "cs4Label": "deviceCustomString4Label", - "cs5": "deviceCustomString5", - "cs5Label": "deviceCustomString5Label", - "cs6": "deviceCustomString6", - "cs6Label": "deviceCustomString6Label", - "deviceDirection": "deviceDirection", - "deviceDnsDomain": "deviceDnsDomain", - "cat": "deviceEventCategory", - "deviceExternalId": "deviceExternalId", - "deviceFacility": "deviceFacility", - "dvchost": "deviceHostName", - "deviceInboundInterface": "deviceInboundInterface", - "dvcmac": "deviceMacAddress", - "deviceNtDomain": "deviceNtDomain", - "DeviceOutboundInterface": "deviceOutboundInterface", - "DevicePayloadId": "devicePayloadId", - "dvcpid": "deviceProcessId", - "deviceProcessName": "deviceProcessName", - "rt": 
"deviceReceiptTime", - "dtz": "deviceTimeZone", - "deviceTranslatedAddress": "deviceTranslatedAddress", - "deviceTranslatedZoneExternalID": "deviceTranslatedZoneExternalID", - "deviceTranslatedZoneURI": "deviceTranslatedZoneURI", - "deviceZoneExternalID": "deviceZoneExternalID", - "deviceZoneURI": "deviceZoneURI", - "end": "endTime", - "eventId": "eventId", - "outcome": "eventOutcome", - "externalId": "externalId", - "fileCreateTime": "fileCreateTime", - "fileHash": "fileHash", - "fileId": "fileId", - "fileModificationTime": "fileModificationTime", - "fname": "filename", - "filePath": "filePath", - "filePermission": "filePermission", - "fsize": "fileSize", - "fileType": "fileType", - "flexDate1": "flexDate1", - "flexDate1Label": "flexDate1Label", - "flexString1": "flexString1", - "flexString2": "flexString2", - "flexString1Label": "flexString2Label", - "flexString2Label": "flexString2Label", - "msg": "message", - "oldFileCreateTime": "oldFileCreateTime", - "oldFileHash": "oldFileHash", - "oldFileId": "oldFileId", - "oldFileModificationTime": "oldFileModificationTime", - "oldFileName": "oldFileName", - "oldFilePath": "oldFilePath", - "oldFilePermission": "oldFilePermission", - "oldFileSize": "oldFileSize", - "oldFileType": "oldFileType", - "rawEvent": "rawEvent", - "reason": "Reason", - "requestClientApplication": "requestClientApplication", - "requestContext": "requestContext", - "requestCookies": "requestCookies", - "requestMethod": "requestMethod", - "request": "requestUrl", - "src": "sourceAddress", - "sourceDnsDomain": "sourceDnsDomain", - "slat": "sourceGeoLatitude", - "slong": "sourceGeoLongitude", - "shost": "sourceHostName", - "smac": "sourceMacAddress", - "sntdom": "sourceNtDomain", - "spt": "sourcePort", - "spid": "sourceProcessId", - "sproc": "sourceProcessName", - "sourceServiceName": "sourceServiceName", - "sourceTranslated": "Address", - "sourceTranslatedPort": "sourceTranslatedPort", - "sourceTranslatedZoneExternalID": 
"sourceTranslatedZoneExternalID", - "sourceTranslatedZoneURI": "sourceTranslatedZoneURI", - "suid": "sourceUserId", - "suser": "sourceUserName", - "spriv": "sourceUserPrivileges", - "sourceZoneExternalID": "sourceZoneExternalID", - "sourceZoneURI": "sourceZoneURI", - "start": "startTime", - "proto": "transportProtocol", - "type": "type", +type mappedField struct { + Target string + Type DataType +} + +// extensionMapping is a mapping of CEF key names to full field names and data +// types. This mapping was generated from tables contained in "Micro Focus +// Security ArcSight Common Event Format Version 25" dated September 28, 2017. +var extensionMapping = map[string]mappedField{ + "agt": { + Target: "agentAddress", + Type: IPType, + }, + "agentDnsDomain": { + Target: "agentDnsDomain", + Type: StringType, + }, + "ahost": { + Target: "agentHostName", + Type: StringType, + }, + "aid": { + Target: "agentId", + Type: StringType, + }, + "amac": { + Target: "agentMacAddress", + Type: MACAddressType, + }, + "agentNtDomain": { + Target: "agentNtDomain", + Type: StringType, + }, + "art": { + Target: "agentReceiptTime", + Type: TimestampType, + }, + "atz": { + Target: "agentTimeZone", + Type: StringType, + }, + "agentTranslatedAddress": { + Target: "agentTranslatedAddress", + Type: IPType, + }, + "agentTranslatedZoneExternalID": { + Target: "agentTranslatedZoneExternalID", + Type: StringType, + }, + "agentTranslatedZoneURI": { + Target: "agentTranslatedZoneURI", + Type: StringType, + }, + "at": { + Target: "agentType", + Type: StringType, + }, + "av": { + Target: "agentVersion", + Type: StringType, + }, + "agentZoneExternalID": { + Target: "agentZoneExternalID", + Type: StringType, + }, + "agentZoneURI": { + Target: "agentZoneURI", + Type: StringType, + }, + "app": { + Target: "applicationProtocol", + Type: StringType, + }, + "cnt": { + Target: "baseEventCount", + Type: IntegerType, + }, + "in": { + Target: "bytesIn", + Type: IntegerType, + }, + "out": { + Target: "bytesOut", 
+ Type: IntegerType, + }, + "customerExternalID": { + Target: "customerExternalID", + Type: StringType, + }, + "customerURI": { + Target: "customerURI", + Type: StringType, + }, + "dst": { + Target: "destinationAddress", + Type: IPType, + }, + "destinationDnsDomain": { + Target: "destinationDnsDomain", + Type: StringType, + }, + "dlat": { + Target: "destinationGeoLatitude", + Type: DoubleType, + }, + "dlong": { + Target: "destinationGeoLongitude", + Type: DoubleType, + }, + "dhost": { + Target: "destinationHostName", + Type: StringType, + }, + "dmac": { + Target: "destinationMacAddress", + Type: MACAddressType, + }, + "dntdom": { + Target: "destinationNtDomain", + Type: StringType, + }, + "dpt": { + Target: "destinationPort", + Type: IntegerType, + }, + "dpid": { + Target: "destinationProcessId", + Type: IntegerType, + }, + "dproc": { + Target: "destinationProcessName", + Type: StringType, + }, + "destinationServiceName": { + Target: "destinationServiceName", + Type: StringType, + }, + "destinationTranslatedAddress": { + Target: "destinationTranslatedAddress", + Type: IPType, + }, + "destinationTranslatedPort": { + Target: "destinationTranslatedPort", + Type: IntegerType, + }, + "destinationTranslatedZoneExternalID": { + Target: "destinationTranslatedZoneExternalID", + Type: StringType, + }, + "destinationTranslatedZoneURI": { + Target: "destinationTranslatedZoneURI", + Type: StringType, + }, + "duid": { + Target: "destinationUserId", + Type: StringType, + }, + "duser": { + Target: "destinationUserName", + Type: StringType, + }, + "dpriv": { + Target: "destinationUserPrivileges", + Type: StringType, + }, + "destinationZoneExternalID": { + Target: "destinationZoneExternalID", + Type: StringType, + }, + "destinationZoneURI": { + Target: "destinationZoneURI", + Type: StringType, + }, + "act": { + Target: "deviceAction", + Type: StringType, + }, + "dvc": { + Target: "deviceAddress", + Type: IPType, + }, + "cfp1Label": { + Target: "deviceCustomFloatingPoint1Label", + 
Type: StringType, + }, + "cfp3Label": { + Target: "deviceCustomFloatingPoint3Label", + Type: StringType, + }, + "cfp4Label": { + Target: "deviceCustomFloatingPoint4Label", + Type: StringType, + }, + "deviceCustomDate1": { + Target: "deviceCustomDate1", + Type: TimestampType, + }, + "deviceCustomDate1Label": { + Target: "deviceCustomDate1Label", + Type: StringType, + }, + "deviceCustomDate2": { + Target: "deviceCustomDate2", + Type: TimestampType, + }, + "deviceCustomDate2Label": { + Target: "deviceCustomDate2Label", + Type: StringType, + }, + "cfp1": { + Target: "deviceCustomFloatingPoint1", + Type: FloatType, + }, + "cfp2": { + Target: "deviceCustomFloatingPoint2", + Type: FloatType, + }, + "cfp2Label": { + Target: "deviceCustomFloatingPoint2Label", + Type: StringType, + }, + "cfp3": { + Target: "deviceCustomFloatingPoint3", + Type: FloatType, + }, + "cfp4": { + Target: "deviceCustomFloatingPoint4", + Type: FloatType, + }, + "c6a1Label": { + Target: "deviceCustomIPv6Address1Label", + Type: StringType, + }, + "c6a4": { + Target: "deviceCustomIPv6Address4", + Type: IPType, + }, + "C6a4Label": { + Target: "deviceCustomIPv6Address4Label", + Type: StringType, + }, + "c6a1": { + Target: "deviceCustomIPv6Address1", + Type: IPType, + }, + "c6a3": { + Target: "deviceCustomIPv6Address3", + Type: IPType, + }, + "c6a3Label": { + Target: "deviceCustomIPv6Address3Label", + Type: StringType, + }, + "cn1": { + Target: "deviceCustomNumber1", + Type: LongType, + }, + "cn1Label": { + Target: "deviceCustomNumber1Label", + Type: StringType, + }, + "cn2": { + Target: "DeviceCustomNumber2", + Type: LongType, + }, + "cn2Label": { + Target: "deviceCustomNumber2Label", + Type: StringType, + }, + "cn3": { + Target: "deviceCustomNumber3", + Type: LongType, + }, + "cn3Label": { + Target: "deviceCustomNumber3Label", + Type: StringType, + }, + "cs1": { + Target: "deviceCustomString1", + Type: StringType, + }, + "cs1Label": { + Target: "deviceCustomString1Label", + Type: StringType, + }, + 
"cs2": { + Target: "deviceCustomString2", + Type: StringType, + }, + "cs2Label": { + Target: "deviceCustomString2Label", + Type: StringType, + }, + "cs3": { + Target: "deviceCustomString3", + Type: StringType, + }, + "cs3Label": { + Target: "deviceCustomString3Label", + Type: StringType, + }, + "cs4": { + Target: "deviceCustomString4", + Type: StringType, + }, + "cs4Label": { + Target: "deviceCustomString4Label", + Type: StringType, + }, + "cs5": { + Target: "deviceCustomString5", + Type: StringType, + }, + "cs5Label": { + Target: "deviceCustomString5Label", + Type: StringType, + }, + "cs6": { + Target: "deviceCustomString6", + Type: StringType, + }, + "cs6Label": { + Target: "deviceCustomString6Label", + Type: StringType, + }, + "deviceDirection": { + Target: "deviceDirection", + Type: IntegerType, + }, + "deviceDnsDomain": { + Target: "deviceDnsDomain", + Type: StringType, + }, + "cat": { + Target: "deviceEventCategory", + Type: StringType, + }, + "deviceExternalId": { + Target: "deviceExternalId", + Type: StringType, + }, + "deviceFacility": { + Target: "deviceFacility", + Type: StringType, + }, + "dvchost": { + Target: "deviceHostName", + Type: StringType, + }, + "deviceInboundInterface": { + Target: "deviceInboundInterface", + Type: StringType, + }, + "dvcmac": { + Target: "deviceMacAddress", + Type: MACAddressType, + }, + "deviceNtDomain": { + Target: "deviceNtDomain", + Type: StringType, + }, + "DeviceOutboundInterface": { + Target: "deviceOutboundInterface", + Type: StringType, + }, + "DevicePayloadId": { + Target: "devicePayloadId", + Type: StringType, + }, + "dvcpid": { + Target: "deviceProcessId", + Type: IntegerType, + }, + "deviceProcessName": { + Target: "deviceProcessName", + Type: StringType, + }, + "rt": { + Target: "deviceReceiptTime", + Type: TimestampType, + }, + "dtz": { + Target: "deviceTimeZone", + Type: StringType, + }, + "deviceTranslatedAddress": { + Target: "deviceTranslatedAddress", + Type: IPType, + }, + 
"deviceTranslatedZoneExternalID": { + Target: "deviceTranslatedZoneExternalID", + Type: StringType, + }, + "deviceTranslatedZoneURI": { + Target: "deviceTranslatedZoneURI", + Type: StringType, + }, + "deviceZoneExternalID": { + Target: "deviceZoneExternalID", + Type: StringType, + }, + "deviceZoneURI": { + Target: "deviceZoneURI", + Type: StringType, + }, + "end": { + Target: "endTime", + Type: TimestampType, + }, + "eventId": { + Target: "eventId", + Type: LongType, + }, + "outcome": { + Target: "eventOutcome", + Type: StringType, + }, + "externalId": { + Target: "externalId", + Type: StringType, + }, + "fileCreateTime": { + Target: "fileCreateTime", + Type: TimestampType, + }, + "fileHash": { + Target: "fileHash", + Type: StringType, + }, + "fileId": { + Target: "fileId", + Type: StringType, + }, + "fileModificationTime": { + Target: "fileModificationTime", + Type: TimestampType, + }, + "fname": { + Target: "filename", + Type: StringType, + }, + "filePath": { + Target: "filePath", + Type: StringType, + }, + "filePermission": { + Target: "filePermission", + Type: StringType, + }, + "fsize": { + Target: "fileSize", + Type: IntegerType, + }, + "fileType": { + Target: "fileType", + Type: StringType, + }, + "flexDate1": { + Target: "flexDate1", + Type: TimestampType, + }, + "flexDate1Label": { + Target: "flexDate1Label", + Type: StringType, + }, + "flexString1": { + Target: "flexString1", + Type: StringType, + }, + "flexString2": { + Target: "flexString2", + Type: StringType, + }, + "flexString1Label": { + Target: "flexString1Label", + Type: StringType, + }, + "flexString2Label": { + Target: "flexString2Label", + Type: StringType, + }, + "msg": { + Target: "message", + Type: StringType, + }, + "oldFileCreateTime": { + Target: "oldFileCreateTime", + Type: TimestampType, + }, + "oldFileHash": { + Target: "oldFileHash", + Type: StringType, + }, + "oldFileId": { + Target: "oldFileId", + Type: StringType, + }, + "oldFileModificationTime": { + Target: 
"oldFileModificationTime", + Type: TimestampType, + }, + "oldFileName": { + Target: "oldFileName", + Type: StringType, + }, + "oldFilePath": { + Target: "oldFilePath", + Type: StringType, + }, + "oldFilePermission": { + Target: "oldFilePermission", + Type: StringType, + }, + "oldFileSize": { + Target: "oldFileSize", + Type: IntegerType, + }, + "oldFileType": { + Target: "oldFileType", + Type: StringType, + }, + "rawEvent": { + Target: "rawEvent", + Type: StringType, + }, + "reason": { + Target: "Reason", + Type: StringType, + }, + "requestClientApplication": { + Target: "requestClientApplication", + Type: StringType, + }, + "requestContext": { + Target: "requestContext", + Type: StringType, + }, + "requestCookies": { + Target: "requestCookies", + Type: StringType, + }, + "requestMethod": { + Target: "requestMethod", + Type: StringType, + }, + "request": { + Target: "requestUrl", + Type: StringType, + }, + "src": { + Target: "sourceAddress", + Type: IPType, + }, + "sourceDnsDomain": { + Target: "sourceDnsDomain", + Type: StringType, + }, + "slat": { + Target: "sourceGeoLatitude", + Type: DoubleType, + }, + "slong": { + Target: "sourceGeoLongitude", + Type: DoubleType, + }, + "shost": { + Target: "sourceHostName", + Type: StringType, + }, + "smac": { + Target: "sourceMacAddress", + Type: MACAddressType, + }, + "sntdom": { + Target: "sourceNtDomain", + Type: StringType, + }, + "spt": { + Target: "sourcePort", + Type: IntegerType, + }, + "spid": { + Target: "sourceProcessId", + Type: IntegerType, + }, + "sproc": { + Target: "sourceProcessName", + Type: StringType, + }, + "sourceServiceName": { + Target: "sourceServiceName", + Type: StringType, + }, + "sourceTranslatedAddress": { + Target: "sourceTranslatedAddress", + Type: IPType, + }, + "sourceTranslatedPort": { + Target: "sourceTranslatedPort", + Type: IntegerType, + }, + "sourceTranslatedZoneExternalID": { + Target: "sourceTranslatedZoneExternalID", + Type: StringType, + }, + "sourceTranslatedZoneURI": { + Target: 
"sourceTranslatedZoneURI", + Type: StringType, + }, + "suid": { + Target: "sourceUserId", + Type: StringType, + }, + "suser": { + Target: "sourceUserName", + Type: StringType, + }, + "spriv": { + Target: "sourceUserPrivileges", + Type: StringType, + }, + "sourceZoneExternalID": { + Target: "sourceZoneExternalID", + Type: StringType, + }, + "sourceZoneURI": { + Target: "sourceZoneURI", + Type: StringType, + }, + "start": { + Target: "startTime", + Type: TimestampType, + }, + "proto": { + Target: "transportProtocol", + Type: StringType, + }, + "type": { + Target: "type", + Type: IntegerType, + }, // This is an ArcSight categorization field that is commonly used, but its // short name is not contained in the documentation used for the above list. - "catdt": "categoryDeviceType", + "catdt": { + Target: "categoryDeviceType", + Type: StringType, + }, + "mrt": { + Target: "managerReceiptTime", + Type: TimestampType, + }, } diff --git a/x-pack/filebeat/processors/decode_cef/cef/types.go b/x-pack/filebeat/processors/decode_cef/cef/types.go new file mode 100644 index 000000000000..c8e7e43916d3 --- /dev/null +++ b/x-pack/filebeat/processors/decode_cef/cef/types.go 
@@ -0,0 +1,141 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package cef + +import ( + "net" + "strconv" + "time" + + "github.com/pkg/errors" + + "github.com/elastic/beats/libbeat/common" +) + +// DataType specifies one of CEF data types. +type DataType uint8 + +// List of DataTypes. +const ( + Unset DataType = iota + IntegerType + LongType + FloatType + DoubleType + StringType + BooleanType + IPType + MACAddressType + TimestampType +) + +// ToType converts the given value string value to the specified data type. +func ToType(value string, typ DataType) (interface{}, error) { + switch typ { + case StringType: + return value, nil + case LongType: + return toLong(value) + case IntegerType: + return toInteger(value) + case FloatType: + return toFloat(value) + case DoubleType: + return toDouble(value) + case BooleanType: + return toBoolean(value) + case IPType: + return toIP(value) + case MACAddressType: + return toMACAddress(value) + case TimestampType: + return toTimestamp(value) + default: + return nil, errors.Errorf("invalid data type: %v", typ) + } +} + +func toLong(v string) (int64, error) { + return strconv.ParseInt(v, 0, 64) +} + +func toInteger(v string) (int32, error) { + i, err := strconv.ParseInt(v, 0, 32) + return int32(i), err +} + +func toFloat(v string) (float32, error) { + f, err := strconv.ParseFloat(v, 32) + return float32(f), err +} + +func toDouble(v string) (float64, error) { + f, err := strconv.ParseFloat(v, 64) + return f, err +} + +func toBoolean(v string) (bool, error) { + return strconv.ParseBool(v) +} + +func toIP(v string) (string, error) { + // This is validating that the value is an IP. 
+ if net.ParseIP(v) != nil { + return v, nil + } + return "", errors.New("value is not a valid IP address") +} + +// toMACAddress accepts a MAC addresses as hex characters separated by colon, +// dot, or dash. It returns lowercase hex characters separated by colons. +func toMACAddress(v string) (string, error) { + // CEF specifies that MAC addresses are colon separated, but this will be a + // little more liberal. + hw, err := net.ParseMAC(v) + if err != nil { + return "", err + } + return hw.String(), nil +} + +var timeLayouts = []string{ + // MMM dd HH:mm:ss.SSS zzz + "Jan _2 15:04:05.000 MST", + // MMM dd HH:mm:sss.SSS + "Jan _2 15:04:05.000", + // MMM dd HH:mm:ss zzz + "Jan _2 15:04:05 MST", + // MMM dd HH:mm:ss + "Jan _2 15:04:05", + // MMM dd yyyy HH:mm:ss.SSS zzz + "Jan _2 2006 15:04:05.000 MST", + // MMM dd yyyy HH:mm:ss.SSS + "Jan _2 2006 15:04:05.000", + // MMM dd yyyy HH:mm:ss zzz + "Jan _2 2006 15:04:05 MST", + // MMM dd yyyy HH:mm:ss + "Jan _2 2006 15:04:05", +} + +func toTimestamp(v string) (common.Time, error) { + if unixMs, err := toLong(v); err == nil { + return common.Time(time.Unix(0, unixMs*int64(time.Millisecond))), nil + } + + for _, layout := range timeLayouts { + ts, err := time.ParseInLocation(layout, v, time.UTC) + if err == nil { + // Use current year if no year is zero. + if ts.Year() == 0 { + currentYear := time.Now().In(ts.Location()).Year() + ts = ts.AddDate(currentYear, 0, 0) + } + + return common.Time(ts), nil + } + } + + return common.Time(time.Time{}), errors.New("value is not a valid timestamp") +} diff --git a/x-pack/filebeat/processors/decode_cef/decode_cef.go b/x-pack/filebeat/processors/decode_cef/decode_cef.go index d0b4b114b345..45853f5378a6 100644 --- a/x-pack/filebeat/processors/decode_cef/decode_cef.go +++ b/x-pack/filebeat/processors/decode_cef/decode_cef.go 
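Review bot: toLong and toInteger parse with base 0 (`strconv.ParseInt(v, 0, 64)` and `strconv.ParseInt(v, 0, 32)`), so a CEF value with a leading zero is read as octal and a `0x` prefix as hex — `spt=010` becomes port 8, `spt=08` fails and is dropped, and the same applies to the epoch-millisecond fast path in toTimestamp that calls toLong. CEF numeric extensions are decimal, so `strconv.ParseInt(v, 10, 64)` and `strconv.ParseInt(v, 10, 32)` are the safer bases here. The comment in toTimestamp, `// Use current year if no year is zero.`, reads backwards; `// Layouts without a year parse as year 0; substitute the current year.` states what the code does, and it is worth adding there that a yearless timestamp parsed just after New Year is assigned the new year.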
@@ -104,7 +104,7 @@ func (p *processor) Run(event *beat.Event) (*beat.Event, error) { if p.ECS { writeCEFHeaderToECS(&ce, event) - for key, v := range ce.Extensions { + for key, field := range ce.Extensions { mapping, found := ecsExtensionMapping[key] if !found { continue @@ -112,7 +112,7 @@ func (p *processor) Run(event *beat.Event) (*beat.Event, error) { // Apply translation function or use a standard type translation (e.g. string to long). if mapping.Translate != nil { - translatedValue, err := mapping.Translate(v) + translatedValue, err := mapping.Translate(field) if err != nil { cefErrors = append(cefErrors, errors.Wrap(err, key)) continue @@ -120,13 +120,10 @@ func (p *processor) Run(event *beat.Event) (*beat.Event, error) { if translatedValue != nil { event.PutValue(mapping.Target, translatedValue) } - } else if mapping.Type != unset { - translatedValue, err := toType(v, mapping.Type) - if err != nil { - cefErrors = append(cefErrors, errors.Wrap(err, key)) - continue - } - event.PutValue(mapping.Target, translatedValue) + } else if field.Interface != nil { + event.PutValue(mapping.Target, field.Interface) + } else { + event.PutValue(mapping.Target, field.String) } } } @@ -168,8 +165,12 @@ func toCEFObject(cefEvent *cef.Event) common.MapStr { if len(cefEvent.Extensions) > 0 { extensions := make(common.MapStr, len(cefEvent.Extensions)) cefObject.Put("extensions", extensions) - for k, v := range cefEvent.Extensions { - extensions.Put(k, v) + for k, field := range cefEvent.Extensions { + if field.Interface != nil { + extensions.Put(k, field.Interface) + } else { + extensions.Put(k, field.String) + } } } diff --git a/x-pack/filebeat/processors/decode_cef/decode_cef_test.go b/x-pack/filebeat/processors/decode_cef/decode_cef_test.go index df81740d6949..a23663861bb3 100644 --- a/x-pack/filebeat/processors/decode_cef/decode_cef_test.go +++ b/x-pack/filebeat/processors/decode_cef/decode_cef_test.go 
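Review bot: In the third hunk (`@@ -120,13 +120,10 @@`) the ECS branch now falls back to `field.String` whenever `field.Interface` is nil, and the fourth hunk (`toCEFObject`) does the same; if the parser leaves `Interface` nil for a value whose typed conversion failed while still keeping `String`, the raw text lands in a typed ECS target such as `source.port`, which is the mapping error the commit description says should be avoided — cef.go is outside this chunk, so this is to confirm against the parser. A one-line comment above each fallback, `// Interface is set only for keys with a declared type whose conversion succeeded; untyped keys keep the raw string.`, would pin that contract. The `cefErrors` bookkeeping that the removed `toType` branch performed is gone from this loop, so conversion failures are presumably reported by the parser now; Run's body starts and ends outside these hunks.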
@@ -143,7 +143,7 @@ func TestProcessorRun(t *testing.T) { }, } - evt, err = dec.Run(evt) + _, err = dec.Run(evt) if assert.Error(t, err) { assert.Contains(t, err.Error(), "does not contain a CEF header") } diff --git a/x-pack/filebeat/processors/decode_cef/fields.go b/x-pack/filebeat/processors/decode_cef/fields.go index 9724be7d95a2..7eb1872509a7 100644 --- a/x-pack/filebeat/processors/decode_cef/fields.go +++ b/x-pack/filebeat/processors/decode_cef/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetDecodeCef returns asset data. // This is the base64 encoded gzipped contents of processors/decode_cef. func AssetDecodeCef() string { - return "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" + return "eJzsPV1z20aS7/4VXboHO1WUIvlrb3WVvdKKVswry+ZZUnJ1dVXJEGiScxrMIDMDUsiv35ovECAJkAJAJ7aiB5dJAv09Pd2NnsYx3GN+DhFOnwFoqhmewxAjESNcvruCVIoIlRISphRZrJ4BxKgiSVNNBT+HfzwDALgUSSI4vFsg13AlZEI0vLh8d/UdxESTk2fg7z63Vx8DJwkGnOZP5ymew0yKLPXfbEFi/v6ZQ4xTkjENeo7wa2wp/SXC6a8lUpeSalRAGLP4YSpFYq+/fHdVgEpQKTJD0AL0nCr41QIRk//HSJ/ASEMkuCaUq3AnzJHEGAQBhMfmlwIePmjkigpe8Gz+ynyXeV+gNNcW3wcZ3GO+FDIufV8jCfP3kwMCYlrQqFKM6JRGxFwPmcIYJrn91fN78myDlhgXNMKTBfJYyK4UGRiBIAcY9Jxoo504izDejxZ3te5GzNgB6U7NIZTlOWxDDppl9kvEiFK/0LgbVXec/pYh0Bi5plOKhe4sEgtxCyEKFyipzvfAjQ8kSY1T+Qllfvyezub7ETZKUiE14RFWKDqB2znCgjAag9KS8pn5kJnVLhHu+D0XSz6AD2I5qIC7xphmyQAMAQO7dgt6yiAp1zhDWYZ5evzqhw1wr4/f/hBA/u0Y/v2HFdy/H5+d/rACvik88283pd3MhdTlC6oi2kRZ+Ca1gbjsdHegvRSMYRTw3WN+bMUEKaFSQUSkpGhEWDijlUu0bvCkgsZ68V/sD+cwJUyVhbLuNsvMkBlyfRHHEpWqXBBYouna1xWejLJHYyAOQJDchYxu6GxuvT7HSAtZrEyzqfiluS7fDbKGXA1FQijfStimkrdSN/x4A7GFYkH3TOJ7ofTHqgk+msK5UPoApI3WET+KKAsCRsOeibomUZOx7Unc9cXlgUzuo+5kcQ2QP2OENNW3tMZYYqLXf9jgW9MEgWhYzmk0B8qnNjg0LoFMRKZLW82SKJAG42IVs2yKqEkShtD/FbyTZTsjslT/LnjfBn4rCVeMaIxb+6+9oBspvHvQKDlho2H/llHFdPd5dAAUedqHIvO0jQ4b6PppIxZ8NGmLaiTYk20dWucH0XSaMp+rjKXQIhKsrWAvVqCA4QKZkZ+FOAgxaDmqe397Ox7Yf28GcHPzfvFyALfIOOoBjD+NBzC6Hl+Yfy/MBSauUwIEr1HAhCi0ye+lyLjeygITfNZIP0TmXiBKiYiapQVLqucuN/Wh73uxhITw3PonZT2m/VmZrdh5UTFRKBcY/ydYUiAiHCYIIqHagKRToBqogrM6TnKNarTdvHex8DFLJi6BsFBAGy8xRSltVDgRGY8HIJERTRc+70ZQIpOR/RSj0pQ7DbqrBFdzmg4gQcJNpG+Xhc3oDetTJpbmW5vdbwXTxOOnrJ2empgUmbZctmDyBK6EDIY6sDcZ+MALdK6SUebZJbUreBVkNbxHmdIiQXkgTxHA9+0oSmy2j/xHIclVG6ILoZm1sFVMInGKUhnBUg6Em7yBo14Kee+SRhfNmPVkf1y8DoBqpF9C2XemkBJZVDoiYaxII0wzxnL4LSPMsB1XsooXV/89/PjdbkJ/RPGBaKqzuCYKFNmE7YwDmQNBOWHODTsTdmHhmjaeq3KCNkGzJPeQqCFU8FlnSj2MQ5LaNQdrsGRrwYQ/zoDVXGQsNhsF2cNmtuxRVRq4iHEAyzlyIPaDXSELQhmZsDrPVALQPeW6oQ8QCSb4scIUpSV1jg8kxogmhHm
3uoemOmZXVsg/Ux6LpdqW02/xQbtpGgvZbu9a1blSIXUQgo2HJqiXiBxObazz9s2bV2/2IMRFqDVp+y5qxlIsaOxNeJW2l0XiQ+CtBudjosq2Sacr0y/K9wHIaAhnp28GcHR2+ubIWKQvw/of92a3a/GkrH9L6nO1jend9NygXNAIu9KjHBjQRM5Qh+S7iDp3ktFDUrvu0HQBctO37bU7P4Lo1qvJ3AhkqlGamNoG4wXQ/zCedWWXBKZU4pIwdgI/bV+Ap4aPPdfdF0n0a/G1j+2sud19HlnhGD2uAIOBvFJwxS8qhRrmxOyvaD/SGTdZsdV7yJ53S+1OoWxfYWzYcjOF0iya0XDdHXG4+zj6HxfOSyG0u5QqmCFHScxGu+7a7BWjIZzux9CBoojAksFpIgWqgsO0v9T646orO4F3CaEs7Gw+9RZTjRwSkqY2L/RZS2DGl/5deCIxoik1a90EECaZjWlMtM2k0kyHu6kKDxj2EdlY0gVlOMNOBV2dpzQKEaJj7OgiTiinSkuihTwawJFBd+TKB0c/Zqj0URBms+ifm10rUHkCo2BHVacSabqgOgd8wCgzuhB8zdKWIawr8HmFrYkEVjIxO9MaI7vF+mXcUM/O52Aex+ymF/Y5WetilnvKpsk98lAL9w9/G5H2lxrbiKCSFe+TUzQRd2lLA1dMEE35bCwo12cfyATbV/wY8/WG0JIxJwuTwURCSlSp4DHlM2AGh/cP8I5Ecx97qeBqnG/xD5PNUnVYJl4WaSZToYqIrYzxsfy+emL8vv72+R0SjWetno598k+XlsKVczVJ0qK3KOTKZpUlpPjeFUAFcKFt7Tw3vxOeg9BzE1hwtxnG1PoPIvN9OXgainr51Svq5bevqOoO0bKQ53U2FZmEqQcIqYH4R2iuwlKNEX7VLD0xq3z17anw9TfB0mi8eOuD4CewpZW43a6+5pi/rDoDqgj3/1jFPYGgsWym347itnvFr5OVb98GXR/DdvPbVfkOEfFcYtGh0LvC4E4hqJQY7lnuWnAQ74FAIiQWBx0GpXtAZWnKKMYOq3sCmQqlaNNjxw2ZfJvKH24wuj0SfdrKfwKhrGN0u7d+2sp/Am7/xoLd7vb34NHrX9EHT+BXrncvjqei9+0e/8nq/Qk4e8fodmf/ZPX+ZPz89rLAk9X7EygtOEbf/KX3ijieit7f/qX3iji+Zb0PqcT6JpOdx414vuU05tLqNgC29IQDRRCJJMl4OGI1J8q1p4Q+cuZPppT6oYwOhdQYwzEcnR7Zxht/DgiEhKMz91U4NdPM7Z/8uISh0Z0AIxpnQuZt6fyMqUSFXDvriDy4VROSbwcSks5svxKfhdYgX+JRvsMuU2iupBLEkgdA9HenPxXNMSFm6do5EnSah4bqd/6w3NH314JTLeT3Q6ruv/+MJK7vBLPshwaw1j2WF07U1sNkdjAFyzdb5Wxrkmug1O5U2M5eZXPLFYkoq86seLQBTT2MGvTV7s+bXDExsyuFcMCHlNGI6hWM9SZKXKDM92CkjwP8fZ77sPpoeeTD3DtyLmHENcopidq3swYAIHjptE5KonvUxuHYE3RorvJnavdoqev5KAp5/FEU2+J/6FMo5Xa/Rko+eWf9hbTFcKr3VdWY5EyQuL372ZyFE1pFUwe64RxKI2GHOCYTDq74bXqbW3wEbV38iQfhLKrhpM4FLw5iJ/a8+wQrnKzRrpz7RK5lHjrpG1npf1xF+aiJO6Xgm9WL1uvy0Ir1I6HX19cQx5DneQ7v358nyblRl4SEMkYVRoLHChTlEQKmIprDi/8iHM6UhrO//+30uyZW+5h0YVi1Iy6Ckbc1oUOf/9lsRe50BKhK8kE71zdRfZmzM05i3ZvYDy6c7iJpbunvLgjkcc8OpfAdaz7FGTTyuEdPYh1JxfMWJ0IkmtysWOUmJZuaNBWVqp+cYGlsuY+FQ0TEh/ZmL7OqKuafOM3Y1Ywmj25yPfa3T5mORPuNa0hVykjuXI5
wsAaQqcwfzILnKovM1vTcCPv5lFCWSXxeR1Hn9OfWbfBhaCPhW5O82znmNr0OhFIeSSTKXONjycG23ILrushuShleSiQa25u6MXMb/RtZGoB2a4ws1LrM3lz2nqh5W3mZe53VGkgNSDpkpNxoZF2aDiFEYS0ZnqlJehpouBZxMZezbzEzojQkFkGjsHmHKO9jKV+wiAVnObww8hCZBqoVpETP6yok5pYx0a11fZUxZhEEd2kADozts8yW4SxNNgSlWiGbNtGBMqGqyxSnFQRVlkkDzhv6+3bR73Kb5sY9cXQameUHZVkxvkhpigNQwuRiA0AdndSEo1OGD+2PwFysH6jYLDqT0iW+8oyqrvYc45TanX0Nal1NmjBmOQiF2j5r1MZPr0rAxl/7E6PM7Py+pmriljAyx9brLF5XlDE8ThBM7DLJwQ3nVZBxZnMtNPtSfV9joZdOFXA3uKUobz+ukL0SbAON/bSjfJHu896fYvzxFtJPU8hf0u8i/a9jhXbrlDkslX5edocQj8gJ1dKYTBgKP6MLQ5y1rRg1oUytDyw9geuMaXrMKEdbpaKowri9Yp73JIfMRub/ZxJPezPHJdh7fDm4dqapYPFVn5G5YPG+kblH3UdwbnMrj7kZW99Rehnz/rG6J6bncL0i+33CdU9Gl7psOWLfTwO9BugBZTlIL5KH3YF6IOkQsfp+0uglZN8PVR+Re8Xc94/gJVna59a9Vvc+I1HdZuRKCwEIB5LFVJdmRPv6NMaVx61wNCExpEQpA/3I9hdk7m0AdhRKGLzi/ABhStinnhxQSiHN5RJ1JjlExjWsHoKfPpy9fPW67sG3xN8yVPqSUeS6NIG2U41XoTy+sNOLt3k0j3IHQYJrfGirUxiuPqx6JLg2JK2NQvT4ikIVxvCiMqTm/e3tGD6jHZAq60wwEC3uafuhPP729kK7Rj0XnYp3ltnEgnFVPBPVRm6CHdx9/tCM/062DrBG3DeLuLCJcEeKBzwojUiqvtXm7vMHT2AoOptvfIDrrwzP6OwsZRPELJGxGk7c6NneHgOFsbndxs84KH/uBiJHY+dRq7uAdxuP2gS9a1PKP9Z+hM62sA6v37YXT0657WUDY7LRBhP2FXUOz+dCafdgwfzvxOE9iURS94DBoWzVkFK8hOfo9PT8ND5/e3pOpudnk/O3Z0fNkUyX3hVH8KF6V8IzP6+J5uYVd9EhBqfunNvoUXfqAbmttH54jncPR92DoEMMM63S10hF3yNM5+6BqWvPtYUeayeP6RZ0hB22qaHszDo0M6yT2tq+L8p27WeaTtCKa0X0JF8fQNjDVNN1Fg7YcrAN1Vc1y9Qx0OsYU2+I5Qmmew379PdV38x28NmnKwH0OPZ0TQRu4um2uaU2adxrbKlCHjteW88sXbH6B48rHen1DuySwFrOKfUt7HvMKd1vEqmj6OCu46DzR0MY08lBaCJ76H8sGgwKza3tUdIRZNF9ob5Huw+Z7aXre4LWVv8HkqM8fr1KcLMiFQ6PisprJlymQGXR3GTDt5djw9zdcFyjFF1X29u1KZ/a994o+3IhJ/0BnPnvyGwmcWY85wBe+u/ssST3Rhm3hl+Fi+0TMe/ZfRWg+logY5IrNApeGArhdD1b/bdVr5Z3d1s5DmdW3HGULrXNoX9la56Wcic4hrEUD/kARsObAfyMEzBhJMrt8g/UfLJv9m1Libt7PWKj/qlQtRRJi9cuEQ4iDZGnyjUmA9vXbmQ98NVx1FHdu3o85f/EOVnQyqt5H0W7nyYsJBCYeFibPU08bOMjE8MvfSTtosDYuipf13dvSG4m+Rajue3ya+0sAwBPgS2nvcCT2Ql8PxQ3dXWUqun9uPZu00dR8KMLU4q2aAMLGL1HuApRbzMNN3TG7TMk3v6UxOWcSBJpLM5t+YiL1rwdd8cS6NYv6W+vviHY6URlJtUbgO+RHFhj0xqTVNepKiGczFB27dr/OWxWFzJS1jW9u7levUhyXTTVHf3
EJ44npc64beKoRAiBjJu1pLMuLq4iLo/H7xu7e4PHGvZ/BQAA//9XpFa2" } diff --git a/x-pack/filebeat/processors/decode_cef/keys.ecs.go b/x-pack/filebeat/processors/decode_cef/keys.ecs.go index 9bf4175e1e65..efb320caab40 100644 --- a/x-pack/filebeat/processors/decode_cef/keys.ecs.go +++ b/x-pack/filebeat/processors/decode_cef/keys.ecs.go 
@@ -5,170 +5,53 @@ package decode_cef import ( - "net" - "strconv" "strings" - "time" "github.com/pkg/errors" - "github.com/elastic/beats/libbeat/common" -) - -type dataType uint8 - -// List of dataTypes. -const ( - unset dataType = iota - Integer - Long - Float - Double - String - Boolean - IP - Timestamp -) - -type ecsMode uint8 - -// List of modes. -const ( - copyMode ecsMode = iota - renameMode + "github.com/elastic/beats/x-pack/filebeat/processors/decode_cef/cef" ) type mappedField struct { Target string - Type dataType - Translate func(in string) (interface{}, error) + Translate func(in *cef.Field) (interface{}, error) } var ecsExtensionMapping = map[string]mappedField{ - "agentAddress": { - Target: "agent.ip", - Type: IP, - }, - "agentDnsDomain": { - Target: "agent.name", - Type: String, - }, - "agentHostName": { - Target: "agent.name", - Type: String, - }, - "agentId": { - Target: "agent.id", - Type: String, - }, - "agentMacAddress": { - Target: "agent.mac", - Type: String, - }, - "agentReceiptTime": { - Target: "event.created", - Type: Timestamp, - }, - "agentType": { - Target: "agent.type", - Type: String, - }, - "agentVersion": { - Target: "agent.version", - Type: String, - }, - "applicationProtocol": { - Target: "network.application", - Type: String, - }, - "bytesIn": { - Target: "source.bytes", - Type: Integer, - }, - "bytesOut": { - Target: "destination.bytes", - Type: Integer, - }, - "customerExternalID": { - Target: "organization.id", - Type: String, - }, - "customerURI": { - Target: "organization.name", - Type: String, - }, - "destinationAddress": { - Target: "destination.ip", - Type: IP, - }, - "destinationDnsDomain": { - Target: "destination.domain", - Type: String, - }, - "destinationGeoLatitude": { - Target: "destination.geo.location.lat", - Type: Double, - }, - "destinationGeoLongitude": { - Target: "destination.geo.location.lon", - Type: Double, - }, - "destinationHostName": { - Target: "destination.domain", - Type: String, - }, - 
"destinationMacAddress": { - Target: "destination.mac", - Type: String, - }, - "destinationPort": { - Target: "destination.port", - Type: Integer, - }, - "destinationProcessId": { - Target: "destination.process.pid", - Type: Integer, - }, - "destinationProcessName": { - Target: "destination.process.name", - Type: String, - }, - "destinationServiceName": { - Target: "destination.service.name", - Type: String, - }, - "destinationTranslatedAddress": { - Target: "destination.nat.ip", - Type: IP, - }, - "destinationTranslatedPort": { - Target: "destination.nat.port", - Type: Integer, - }, - "destinationUserId": { - Target: "destination.user.id", - Type: String, - }, - "destinationUserName": { - Target: "destination.user.name", - Type: String, - }, - "destinationUserPrivileges": { - Target: "destination.user.group", - Type: String, - }, - "deviceAction": { - Target: "event.action", - Type: String, - }, - "deviceAddress": { - Target: "observer.ip", - Type: IP, - }, + "agentAddress": {Target: "agent.ip"}, + "agentDnsDomain": {Target: "agent.name"}, + "agentHostName": {Target: "agent.name"}, + "agentId": {Target: "agent.id"}, + "agentMacAddress": {Target: "agent.mac"}, + "agentReceiptTime": {Target: "event.created"}, + "agentType": {Target: "agent.type"}, + "agentVersion": {Target: "agent.version"}, + "applicationProtocol": {Target: "network.application"}, + "bytesIn": {Target: "source.bytes"}, + "bytesOut": {Target: "destination.bytes"}, + "customerExternalID": {Target: "organization.id"}, + "customerURI": {Target: "organization.name"}, + "destinationAddress": {Target: "destination.ip"}, + "destinationDnsDomain": {Target: "destination.domain"}, + "destinationGeoLatitude": {Target: "destination.geo.location.lat"}, + "destinationGeoLongitude": {Target: "destination.geo.location.lon"}, + "destinationHostName": {Target: "destination.domain"}, + "destinationMacAddress": {Target: "destination.mac"}, + "destinationPort": {Target: "destination.port"}, + "destinationProcessId": 
{Target: "destination.process.pid"}, + "destinationProcessName": {Target: "destination.process.name"}, + "destinationServiceName": {Target: "destination.service.name"}, + "destinationTranslatedAddress": {Target: "destination.nat.ip"}, + "destinationTranslatedPort": {Target: "destination.nat.port"}, + "destinationUserId": {Target: "destination.user.id"}, + "destinationUserName": {Target: "destination.user.name"}, + "destinationUserPrivileges": {Target: "destination.user.group"}, + "deviceAction": {Target: "event.action"}, + "deviceAddress": {Target: "observer.ip"}, "deviceDirection": { Target: "network.direction", - Translate: func(in string) (interface{}, error) { - switch in { + Translate: func(in *cef.Field) (interface{}, error) { + switch in.String { case "0": return "inbound", nil case "1": 
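Review bot: Several entries share one ECS target — `agentDnsDomain` and `agentHostName` both write `agent.name`, `destinationDnsDomain` and `destinationHostName` both write `destination.domain`, and in the next hunk `deviceDnsDomain`/`deviceHostName` both write `observer.hostname` and `devicePayloadId`/`eventId` both write `event.id` — while the consumer in decode_cef.go iterates `ce.Extensions` with `range`, so if Extensions is a map the last write wins in random order and an event carrying both keys yields a nondeterministic ECS value. This predates the commit, but the rewrite of the table is the place to settle it, either by preferring one key explicitly (a Translate that returns `nil, nil` when the more specific key is also present) or by documenting the precedence. `mappedField` itself has no doc comment; `// mappedField maps a CEF full key name to an ECS field. Translate, when set, replaces the default copy of the parsed value.` would cover it.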
@@ -178,274 +61,60 @@ var ecsExtensionMapping = map[string]mappedField{ } }, }, - "deviceDnsDomain": { - Target: "observer.hostname", - Type: String, - }, - "deviceHostName": { - Target: "observer.hostname", - Type: String, - }, - "deviceMacAddress": { - Target: "observer.mac", - Type: String, - }, - "devicePayloadId": { - Target: "event.id", - Type: String, - }, - "deviceProcessId": { - Target: "process.pid", - Type: Integer, - }, - "deviceProcessName": { - Target: "process.name", - Type: String, - }, - "deviceReceiptTime": { - Target: "@timestamp", - Type: Timestamp, - }, - "deviceTimeZone": { - Target: "event.timezone", - Type: String, - }, - "endTime": { - Target: "event.end", - Type: Timestamp, - }, - "eventId": { - Target: "event.id", - Type: Long, - }, - "eventOutcome": { - Target: "event.outcome", - Type: String, - }, - "fileCreateTime": { - Target: "file.created", - Type: Timestamp, - }, - "fileId": { - Target: "file.inode", - Type: String, - }, - "fileModificationTime": { - Target: "file.mtime", - Type: Timestamp, - }, - "filename": { - Target: "file.name", - Type: String, - }, - "filePath": { - Target: "file.path", - Type: String, - }, - "filePermission": { - Target: "file.group", - Type: String, - }, - "fileSize": { - Target: "file.size", - Type: Integer, - }, - "fileType": { - Target: "file.type", - Type: String, - }, - "message": { - Target: "message", - Type: String, - }, - "requestClientApplication": { - Target: "user_agent.original", - Type: String, - }, + "deviceDnsDomain": {Target: "observer.hostname"}, + "deviceHostName": {Target: "observer.hostname"}, + "deviceMacAddress": {Target: "observer.mac"}, + "devicePayloadId": {Target: "event.id"}, + "deviceProcessId": {Target: "process.pid"}, + "deviceProcessName": {Target: "process.name"}, + "deviceReceiptTime": {Target: "@timestamp"}, + "deviceTimeZone": {Target: "event.timezone"}, + "endTime": {Target: "event.end"}, + "eventId": {Target: "event.id"}, + "eventOutcome": {Target: "event.outcome"}, + 
"fileCreateTime": {Target: "file.created"}, + "fileId": {Target: "file.inode"}, + "fileModificationTime": {Target: "file.mtime"}, + "filename": {Target: "file.name"}, + "filePath": {Target: "file.path"}, + "filePermission": {Target: "file.group"}, + "fileSize": {Target: "file.size"}, + "fileType": {Target: "file.type"}, + "message": {Target: "message"}, + "requestClientApplication": {Target: "user_agent.original"}, "requestContext": { Target: "http.request.referrer", - Translate: func(in string) (interface{}, error) { + Translate: func(in *cef.Field) (interface{}, error) { // Does the string look like URL? - if strings.HasPrefix(in, "http") { - return in, nil + if strings.HasPrefix(in.String, "http") { + return in.String, nil } return nil, nil }, }, - "requestMethod": { - Target: "http.request.method", - Type: String, - }, - "requestUrl": { - Target: "url.original", - Type: String, - }, - "sourceAddress": { - Target: "source.ip", - Type: IP, - }, - "sourceDnsDomain": { - Target: "source.domain", - Type: String, - }, - "sourceGeoLatitude": { - Target: "source.geo.location.lat", - Type: Double, - }, - "sourceGeoLongitude": { - Target: "source.geo.location.lon", - Type: Double, - }, - "sourceHostName": { - Target: "source.domain", - Type: String, - }, - "sourceMacAddress": { - Target: "source.mac", - Type: String, - }, - "sourcePort": { - Target: "source.port", - Type: Integer, - }, - "sourceProcessId": { - Target: "source.process.pid", - Type: Integer, - }, - "sourceProcessName": { - Target: "source.process.name", - Type: String, - }, - "sourceServiceName": { - Target: "source.service.name", - Type: String, - }, - "sourceTranslatedAddress": { - Target: "source.nat.ip", - Type: IP, - }, - "sourceTranslatedPort": { - Target: "source.nat.port", - Type: Integer, - }, - "sourceUserId": { - Target: "source.user.id", - Type: String, - }, - "sourceUserName": { - Target: "source.user.name", - Type: String, - }, - "sourceUserPrivileges": { - Target: "source.user.group", - 
Type: String, - }, - "startTime": { - Target: "event.start", - Type: Timestamp, - }, + "requestMethod": {Target: "http.request.method"}, + "requestUrl": {Target: "url.original"}, + "sourceAddress": {Target: "source.ip"}, + "sourceDnsDomain": {Target: "source.domain"}, + "sourceGeoLatitude": {Target: "source.geo.location.lat"}, + "sourceGeoLongitude": {Target: "source.geo.location.lon"}, + "sourceHostName": {Target: "source.domain"}, + "sourceMacAddress": {Target: "source.mac"}, + "sourcePort": {Target: "source.port"}, + "sourceProcessId": {Target: "source.process.pid"}, + "sourceProcessName": {Target: "source.process.name"}, + "sourceServiceName": {Target: "source.service.name"}, + "sourceTranslatedAddress": {Target: "source.nat.ip"}, + "sourceTranslatedPort": {Target: "source.nat.port"}, + "sourceUserId": {Target: "source.user.id"}, + "sourceUserName": {Target: "source.user.name"}, + "sourceUserPrivileges": {Target: "source.user.group"}, + "startTime": {Target: "event.start"}, "transportProtocol": { Target: "network.transport", - Translate: func(in string) (interface{}, error) { - return strings.ToLower(in), nil + Translate: func(in *cef.Field) (interface{}, error) { + return strings.ToLower(in.String), nil }, }, - "type": { - Target: "event.kind", - Type: Integer, - }, -} - -func toType(value string, typ dataType) (interface{}, error) { - switch typ { - case String: - return value, nil - case Long: - return toLong(value) - case Integer: - return toInteger(value) - case Float: - return toFloat(value) - case Double: - return toDouble(value) - case Boolean: - return toBoolean(value) - case IP: - return toIP(value) - case Timestamp: - return toTimestamp(value) - default: - panic(errors.Errorf("invalid data type: %v", typ)) - } -} - -func toLong(v string) (int64, error) { - return strconv.ParseInt(v, 0, 64) -} - -func toInteger(v string) (int32, error) { - i, err := strconv.ParseInt(v, 0, 32) - return int32(i), err -} - -func toFloat(v string) (float32, error) { - f, 
err := strconv.ParseFloat(v, 32) - return float32(f), err -} - -func toDouble(v string) (float64, error) { - f, err := strconv.ParseFloat(v, 64) - return f, err -} - -func toBoolean(v string) (bool, error) { - return strconv.ParseBool(v) -} - -func toIP(v string) (string, error) { - // This is validating that the value is an IP. - if net.ParseIP(v) != nil { - return v, nil - } - return "", errors.New("value is not a valid IP address") -} - -var timeLayouts = []string{ - // MMM dd HH:mm:ss.SSS zzz - "Jan _2 15:04:05.000 MST", - // MMM dd HH:mm:sss.SSS - "Jan _2 15:04:05.000", - // MMM dd HH:mm:ss zzz - "Jan _2 15:04:05 MST", - // MMM dd HH:mm:ss - "Jan _2 15:04:05", - // MMM dd yyyy HH:mm:ss.SSS zzz - "Jan _2 2006 15:04:05.000 MST", - // MMM dd yyyy HH:mm:ss.SSS - "Jan _2 2006 15:04:05.000", - // MMM dd yyyy HH:mm:ss zzz - "Jan _2 2006 15:04:05 MST", - // MMM dd yyyy HH:mm:ss - "Jan _2 2006 15:04:05", -} - -func toTimestamp(v string) (common.Time, error) { - if unixMs, err := toLong(v); err == nil { - return common.Time(time.Unix(0, unixMs*int64(time.Millisecond))), nil - } - - for _, layout := range timeLayouts { - ts, err := time.ParseInLocation(layout, v, time.UTC) - if err == nil { - // Use current year if no year is zero. - if ts.Year() == 0 { - currentYear := time.Now().In(ts.Location()).Year() - ts = ts.AddDate(currentYear, 0, 0) - } - - return common.Time(ts), nil - } - } - - return common.Time(time.Time{}), errors.New("value is not a valid timestamp") + "type": {Target: "event.kind"}, } diff --git a/x-pack/filebeat/processors/decode_cef/testdata/samples.log.golden.json b/x-pack/filebeat/processors/decode_cef/testdata/samples.log.golden.json index 81cb516b856e..89a6edb2d942 100644 --- a/x-pack/filebeat/processors/decode_cef/testdata/samples.log.golden.json +++ b/x-pack/filebeat/processors/decode_cef/testdata/samples.log.golden.json 
@@ -89,7 +89,7 @@ "version": "1.2.3" }, "extensions": { - "DeviceCustomNumber2": "205", + "DeviceCustomNumber2": 205, "TrendMicroDsDetectionConfidence": "95", "TrendMicroDsFileMD5": "44D88612FEA8A8F36DE82E1278ABB02F", "TrendMicroDsFileSHA1": "3395856CE81F2B7382DEE72602F798B642F14140", @@ -98,7 +98,7 @@ "TrendMicroDsMalwareTargetType": "N/A", "TrendMicroDsRelevantDetectionNames": "Ransom_CERBER.BZC;Ransom_CERBER.C;Ransom_CRYPNISCA.SM", "deviceAction": "Delete", - "deviceCustomNumber1": "1", + "deviceCustomNumber1": 1, "deviceCustomNumber1Label": "Host ID", "deviceCustomNumber2Label": "Quarantine File Size", "deviceCustomString6": "ContainerImageName | ContainerName | ContainerID", @@ -142,7 +142,7 @@ "aggregationType": "0", "deviceAction": "detectOnly", "deviceAddress": "192.168.33.128", - "deviceCustomNumber1": "202", + "deviceCustomNumber1": 202, "deviceCustomNumber1Label": "Host ID", "deviceCustomString1": "notWhitelisted", "deviceCustomString1Label": "actionReason", @@ -152,7 +152,7 @@ "deviceCustomString3Label": "md5", "fileHash": "80D4AC182F97D2AB48EE4310AC51DA5974167C596D133D64A83107B9069745E0", "filePath": "/home/user1/Desktop/Directory1//heartbeatSync.sh", - "fileSize": "20", + "fileSize": 20, "repeatCount": "1", "sourceUserId": "0", "sourceUserName": "root" 
@@ -196,22 +196,21 @@ "extensions": { "TrendMicroDsFrameType": "IP", "TrendMicroDsPacketData": "AFB", - "baseEventCount": "1", - "bytesOut": "1019", + "baseEventCount": 1, + "bytesOut": 1019, "destinationAddress": "72.14.204.147", - "destinationMacAddress": "00:50:56:F5:7F:47", - "destinationPort": "80", + "destinationMacAddress": "00:50:56:f5:7f:47", + "destinationPort": 80, "deviceAction": "Log", - "deviceAddress": "hostname", - "deviceCustomNumber1": "1", + "deviceCustomNumber1": 1, "deviceCustomNumber1Label": "Host ID", "deviceCustomString2": "0x00 ACK PSH", "deviceCustomString2Label": "TCP Flags", "deviceCustomString3": "DF MF", "deviceCustomString3Label": "Fragmentation Bits", "sourceAddress": "192.168.126.150", - "sourceMacAddress": "00:0C:29:EB:35:DE", - "sourcePort": "49617", + "sourceMacAddress": "00:0c:29:eb:35:de", + "sourcePort": 49617, "transportProtocol": "TCP" }, "name": "Log for TCP Port 80", @@ -221,11 +220,11 @@ "destination": { "bytes": 1019, "ip": "72.14.204.147", - "mac": "00:50:56:F5:7F:47", + "mac": "00:50:56:f5:7f:47", "port": 80 }, "error": { - "message": "deviceAddress: value is not a valid IP address" + "message": "error in field 'dvc': value is not a valid IP address" }, "event": { "action": "Log", @@ -244,7 +243,7 @@ }, "source": { "ip": "192.168.126.150", - "mac": "00:0C:29:EB:35:DE", + "mac": "00:0c:29:eb:35:de", "port": 49617 } }, @@ -258,7 +257,7 @@ }, "extensions": { "deviceAction": "updated", - "deviceCustomNumber1": "1", + "deviceCustomNumber1": 1, "deviceCustomNumber1Label": "Host ID", "deviceHostName": "hostname", "filePath": "c:\\windows\\message.dll", 
@@ -302,15 +301,15 @@
 "extensions": {
 "TrendMicroDsFrameType": "IP",
 "TrendMicroDsPacketData": "R0VUIC9zP3",
- "baseEventCount": "1",
- "bytesOut": "1093",
+ "baseEventCount": 1,
+ "bytesOut": 1093,
 "destinationAddress": "72.14.204.105",
- "destinationMacAddress": "00:50:56:F5:7F:47",
- "destinationPort": "80",
+ "destinationMacAddress": "00:50:56:f5:7f:47",
+ "destinationPort": 80,
 "deviceAction": "IDS:Reset",
- "deviceCustomNumber1": "1",
+ "deviceCustomNumber1": 1,
 "deviceCustomNumber1Label": "Host ID",
- "deviceCustomNumber3": "10",
+ "deviceCustomNumber3": 10,
 "deviceCustomNumber3Label": "Intrusion Prevention Packet Position",
 "deviceCustomString2": "0x00 ACK PSH",
 "deviceCustomString2Label": "TCP Flags",
@@ -322,8 +321,8 @@
 "deviceCustomString6Label": "Intrusion Prevention Flags",
 "deviceHostName": "hostname",
 "sourceAddress": "192.168.126.150",
- "sourceMacAddress": "00:0C:29:EB:35:DE",
- "sourcePort": "49786",
+ "sourceMacAddress": "00:0c:29:eb:35:de",
+ "sourcePort": 49786,
 "transportProtocol": "TCP"
 },
 "name": "Test Intrusion Prevention Rule",
@@ -333,7 +332,7 @@
 "destination": {
 "bytes": 1093,
 "ip": "72.14.204.105",
- "mac": "00:50:56:F5:7F:47",
+ "mac": "00:50:56:f5:7f:47",
 "port": 80
 },
 "event": {
@@ -354,7 +353,7 @@
 },
 "source": {
 "ip": "192.168.126.150",
- "mac": "00:0C:29:EB:35:DE",
+ "mac": "00:0c:29:eb:35:de",
 "port": 49786
 }
 },
@@ -368,7 +367,7 @@
 },
 "extensions": {
 "destinationUserName": "(no user)",
- "deviceCustomNumber1": "1",
+ "deviceCustomNumber1": 1,
 "deviceCustomNumber1Label": "Host ID",
 "deviceCustomString1": "Multiple Windows Logon Failures",
 "deviceCustomString1Label": "LI Description",
@@ -416,7 +415,7 @@
 "version": "1.2.3"
 },
 "extensions": {
- "deviceCustomNumber1": "1",
+ "deviceCustomNumber1": 1,
 "deviceCustomNumber1Label": "Host ID",
 "deviceHostName": "hostname",
 "message": "Blocked By Admin",
@@ -451,9 +450,9 @@
 "version": "NS10.0"
 },
 "extensions": {
- "DeviceCustomNumber2": "205",
+ "DeviceCustomNumber2": 205,
 "deviceAction": "blocked",
- "deviceCustomNumber1": "233",
+ "deviceCustomNumber1": 233,
 "deviceCustomString1": "profile1",
 "deviceCustomString2": "PPE0",
 "deviceCustomString3": "AjSZM26h2M+xL809pON6C8joebUA000",
@@ -463,7 +462,7 @@
 "method": "GET",
 "requestUrl": "http://vpx247.example.net/FFC/login.html",
 "sourceAddress": "10.217.253.78",
- "sourcePort": "53743"
+ "sourcePort": 53743
 },
 "name": "APPFW_STARTURL",
 "severity": "6",
@@ -498,9 +497,9 @@
 "version": "NS10.0"
 },
 "extensions": {
- "DeviceCustomNumber2": "535",
+ "DeviceCustomNumber2": 535,
 "deviceAction": "not blocked",
- "deviceCustomNumber1": "465",
+ "deviceCustomNumber1": 465,
 "deviceCustomString1": "profile1",
 "deviceCustomString2": "PPE0",
 "deviceCustomString3": "IliG4Dxp1SjOhKVRDVBXmqvAaIcA000",
@@ -510,7 +509,7 @@
 "method": "GET",
 "requestUrl": "http://vpx247.example.net/FFC/login_post.html?abc=def",
 "sourceAddress": "10.217.253.78",
- "sourcePort": "54711"
+ "sourcePort": 54711
 },
 "name": "APPFW_STARTURL",
 "severity": "6",
@@ -545,9 +544,9 @@
 "version": "NS10.0"
 },
 "extensions": {
- "DeviceCustomNumber2": "610",
+ "DeviceCustomNumber2": 610,
 "deviceAction": "transformed",
- "deviceCustomNumber1": "652",
+ "deviceCustomNumber1": 652,
 "deviceCustomString1": "pr_ffc",
 "deviceCustomString2": "PPE0",
 "deviceCustomString3": "li8MdGfW49uG8tGdSV85ech41a0A000",
@@ -557,7 +556,7 @@
 "method": "GET",
 "requestUrl": "http://vpx247.example.net/FFC/CreditCardMind.html",
 "sourceAddress": "10.217.253.78",
- "sourcePort": "56116"
+ "sourcePort": 56116
 },
 "name": "APPFW_SAFECOMMERCE_XFORM",
 "severity": "6",
@@ -592,9 +591,9 @@
 "version": "NS10.0"
 },
 "extensions": {
- "DeviceCustomNumber2": "610",
+ "DeviceCustomNumber2": 610,
 "deviceAction": "transformed",
- "deviceCustomNumber1": "653",
+ "deviceCustomNumber1": 653,
 "deviceCustomString1": "pr_ffc",
 "deviceCustomString2": "PPE0",
 "deviceCustomString3": "li8MdGfW49uG8tGdSV85ech41a0A000",
@@ -604,7 +603,7 @@
 "method": "GET",
 "requestUrl": "http://vpx247.example.net/FFC/CreditCardMind.html",
 "sourceAddress": "10.217.253.78",
- "sourcePort": "56116"
+ "sourcePort": 56116
 },
 "name": "APPFW_SAFECOMMERCE",
 "severity": "6",
@@ -639,9 +638,9 @@
 "version": "NS10.0"
 },
 "extensions": {
- "DeviceCustomNumber2": "205",
+ "DeviceCustomNumber2": 205,
 "deviceAction": "not blocked",
- "deviceCustomNumber1": "224",
+ "deviceCustomNumber1": 224,
 "deviceCustomString1": "pr_ffc",
 "deviceCustomString2": "PPE0",
 "deviceCustomString3": "POousP7CIMW5nwZ5Rs4nq5DND0sA000",
@@ -651,7 +650,7 @@
 "method": "GET",
 "requestUrl": "http://vpx247.example.net/FFC/wwwboard/passwd.txt",
 "sourceAddress": "10.217.253.78",
- "sourcePort": "56687"
+ "sourcePort": 56687
 },
 "name": "APPFW_SIGNATURE_MATCH",
 "severity": "6",
@@ -686,10 +685,10 @@
 "version": "1.0.0-alpha"
 },
 "extensions": {
- "destinationGeoLatitude": "38.915",
- "destinationGeoLongitude": "-77.511",
+ "destinationGeoLatitude": 38.915,
+ "destinationGeoLongitude": -77.511,
 "destinationServiceName": "chrome",
- "eventId": "3457",
+ "eventId": 3457,
 "rawEvent": "{\"x\": \"y\"}",
 "requestContext": "application/json",
 "requestMethod": "POST",
@@ -755,19 +754,19 @@
 "agentAddress": "10.2.3.4",
 "agentHostName": "arcagt1",
 "agentId": "NpLHzDMCABCBBTXAZqYDUA==",
- "agentReceiptTime": "1322022474516",
+ "agentReceiptTime": "2011-11-23T04:27:54.516Z",
 "agentTimeZone": "America/New York",
 "agentType": "dns_tracelog_file",
- "baseEventCount": "2",
+ "baseEventCount": 2,
 "destinationHostName": "www.google.com",
- "deviceReceiptTime": "1322005087000",
+ "deviceReceiptTime": "2011-11-22T23:38:07.000Z",
 "deviceTimeZone": "America/New York",
- "eventId": "12345678",
+ "eventId": 12345678,
 "requestUrl": "(3)www(6)google(3)com(0)",
 "requestUrlFileName": "(3)www(6)google(3)com(0)",
 "sourceAddress": "10.0.0.2",
- "startTime": "1322004689000",
- "type": "1"
+ "startTime": "2011-11-22T23:31:29.000Z",
+ "type": 1
 },
 "name": "Response",
 "severity": "Unknown",
@@ -801,7 +800,7 @@
 "agent": {
 "id": "4SNQXV30BABCAIi+-ZH3gxT==",
 "ip": "10.2.3.4",
- "mac": "00-50-56-8E-C0-90",
+ "mac": "00:50:56:8e:c0:90",
 "name": "centos7.as",
 "type": "syslog",
 "version": "7.6.0.8009.0"
@@ -817,8 +816,8 @@
 "agentAddress": "10.2.3.4",
 "agentHostName": "centos7.as",
 "agentId": "4SNQXV30BABCAIi+-ZH3gxT==",
- "agentMacAddress": "00-50-56-8E-C0-90",
- "agentReceiptTime": "1500404470493",
+ "agentMacAddress": "00:50:56:8e:c0:90",
+ "agentReceiptTime": "2017-07-18T19:01:10.493Z",
 "agentTimeZone": "America/Argentina/Buenos_Aires",
 "agentType": "syslog",
 "agentVersion": "7.6.0.8009.0",
@@ -839,10 +838,10 @@
 "deviceFacility": "daemon",
 "deviceHostName": "centos7",
 "deviceProcessName": "systemd",
- "deviceReceiptTime": "1500404461000",
+ "deviceReceiptTime": "2017-07-18T19:01:01.000Z",
 "deviceSeverity": "info",
 "deviceTimeZone": "America/Argentina/Buenos_Aires",
- "eventId": "31",
+ "eventId": 31,
 "message": "Started Session 21 of user root",
 "sourceUserName": "root"
 },
@@ -894,9 +893,9 @@
 "categorySignificance": "/Informational/Warning",
 "customerID": "124",
 "customerURI": "/XXX",
- "eventId": "23985829654",
+ "eventId": 23985829654,
+ "managerReceiptTime": "2016-03-30T19:45:45.678Z",
 "modelConfidence": "0",
- "mrt": "1459367145678",
 "priority": "High",
 "relevance": "10",
 "severity": "5",
@@ -942,10 +941,9 @@
 "ad": {
 "arcSightEventPath": "7q0sfHVcBABCcMZVvMSDFc1w=="
 },
- "agentAddress": "100.222.333.55",
 "agentHostName": "host.gtr.gtr",
 "agentId": "4p9IZi1kBABCq5RFPFdJWYUw==",
- "agentReceiptTime": "1484096108163",
+ "agentReceiptTime": "2017-01-11T00:55:08.163Z",
 "agentTimeZone": "LA/la",
 "agentType": "agent_ac",
 "agentVersion": "7.1.7.7602.0",
@@ -974,7 +972,7 @@
 "deviceHostName": "super",
 "deviceInboundInterface": "eth0",
 "deviceOutboundInterface": "eth1",
- "deviceReceiptTime": "1484096094000",
+ "deviceReceiptTime": "2017-01-11T00:54:54.000Z",
 "deviceSeverity": "6",
 "deviceTimeZone": "LA/LA",
 "deviceZoneID": "K-fU33AAOGVdfFpYAT3UdQ==",
@@ -986,10 +984,10 @@
 "eventAnnotationModificationTime": "1484097686475",
 "eventAnnotationStageUpdateTime": "1484097686473",
 "eventAnnotationVersion": "1",
- "eventId": "56265798504",
+ "eventId": 56265798504,
 "locality": "1",
+ "managerReceiptTime": "2017-01-10T23:58:03.471Z",
 "modelConfidence": "0",
- "mrt": "1484092683471",
 "originalAgentAddress": "10.2.88.3",
 "originalAgentHostName": "host",
 "originalAgentId": "6q0sfHVcBABCcSDFvMpvc1w==",
@@ -1000,9 +998,9 @@
 "relevance": "10",
 "severity": "4",
 "sourceAddress": "1.2.3.4",
- "sourcePort": "5260",
+ "sourcePort": 5260,
 "sourceTranslatedAddress": "4.3.2.1",
- "sourceTranslatedPort": "5260",
+ "sourceTranslatedPort": 5260,
 "sourceTranslatedZoneID": "P84KXXTYDFYYFwwHq40BQcd==",
 "sourceTranslatedZoneURI": "/All Zones/GTR/GTR Internet Primary",
 "sourceZoneID": "GqtK3G9YBABCadQ465CqVeW==",
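Review bot: In the `@@ -986,10 +984,10 @@` hunk the new side still carries `eventAnnotationModificationTime` and `eventAnnotationStageUpdateTime` as epoch-millisecond strings (`"1484097686475"`, `"1484097686473"`) while the neighbouring `mrt`/`managerReceiptTime`, `agentReceiptTime` and `deviceReceiptTime` values in the same event are now ISO-8601 timestamps. Presumably these two ArcSight keys are not declared with a timestamp type in the key table this commit extends, so the expected output is consistent with the code, but mixed representations for time fields in one event make time-based queries and dashboards on them unreliable. Either give them the same timestamp conversion as the receipt-time fields or note in the fields mapping that they are intentionally left as raw strings. The key table that would decide this lives outside this file.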
@@ -1014,7 +1012,7 @@
 "version": "0"
 },
 "error": {
- "message": "agentAddress: value is not a valid IP address"
+ "message": "error in field 'agt': value is not a valid IP address"
 },
 "event": {
 "code": "305012",
@@ -1063,7 +1061,7 @@
 "agentAddress": "192.168.131.65",
 "agentHostName": "VirtualXP",
 "agentId": "3Pz6paUgBABCAAudQNx1w0w==",
- "agentReceiptTime": "1410524502535",
+ "agentReceiptTime": "2014-09-12T12:21:42.535Z",
 "agentTimeZone": "Europe/Prague",
 "agentType": "sdkrfilereader",
 "agentVersion": "7.0.5.7132.0",
@@ -1079,15 +1077,15 @@
 "deviceCustomString2Label": "Configuration Resource",
 "deviceEventCategory": "/Agent/Connection/Device?Success",
 "deviceHostName": "VirtualXP",
- "deviceReceiptTime": "1410524500502",
+ "deviceReceiptTime": "2014-09-12T12:21:40.502Z",
 "deviceSeverity": "Warning",
 "deviceTimeZone": "Europe/Prague",
 "deviceZoneURI": "/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255",
- "eventId": "1",
+ "eventId": 1,
 "fileType": "Agent",
 "filename": "C:\\Documents and Settings\\XPMUser\\Desktop\\Logs\\NAT_Log",
- "message": "File Opened",
- "mrt": "1410524600502"
+ "managerReceiptTime": "2014-09-12T12:23:20.502Z",
+ "message": "File Opened"
 },
 "name": "Device connection up",
 "severity": "Low",
@@ -1134,7 +1132,7 @@
 "agentAddress": "192.168.1.56",
 "agentHostName": "VirtualXP",
 "agentId": "4Pz6paUgBABCAAudQNx1w0w==",
- "agentReceiptTime": "1410624402535",
+ "agentReceiptTime": "2014-09-13T16:06:42.535Z",
 "agentTimeZone": "Europe/Prague",
 "agentType": "sdkrfilereader",
 "agentVersion": "7.0.5.7132.1",
@@ -1150,13 +1148,13 @@
 "deviceCustomString2Label": "Configuration Resource",
 "deviceEventCategory": "/Agent/Started",
 "deviceHostName": "VirtualXP",
- "deviceReceiptTime": "1410543500432",
+ "deviceReceiptTime": "2014-09-12T17:38:20.432Z",
 "deviceSeverity": "Warning",
 "deviceTimeZone": "Europe/Prague",
 "deviceZoneURI": "/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255",
- "eventId": "2",
+ "eventId": 2,
 "fileType": "Agent",
- "mrt": "1410524500493"
+ "managerReceiptTime": "2014-09-12T12:21:40.493Z"
 },
 "name": "Agent [NAT] type [sdkrfilereader] started",
 "severity": "Low",
@@ -1202,7 +1200,7 @@
 "agentAddress": "192.168.131.65",
 "agentHostName": "VirtualXP",
 "agentId": "3Pz6paUgBABCAAudQNx1w0w==",
- "agentReceiptTime": "1410524502535",
+ "agentReceiptTime": "2014-09-12T12:21:42.535Z",
 "agentTimeZone": "Europe/Prague",
 "agentType": "sdkrfilereader",
 "agentVersion": "7.0.5.7132.0",
@@ -1211,13 +1209,13 @@
 "deviceAddress": "192.168.131.65",
 "deviceEventCategory": "/LogFile/Processing/Started",
 "deviceHostName": "VirtualXP",
- "deviceReceiptTime": "1410524500502",
+ "deviceReceiptTime": "2014-09-12T12:21:40.502Z",
 "deviceSeverity": "Warning",
 "deviceTimeZone": "Europe/Prague",
 "deviceZoneURI": "/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255",
- "eventId": "6",
+ "eventId": 6,
 "filename": "C:\\Documents and Settings\\XPMUser\\Desktop\\Logs\\NAT_Log",
- "mrt": "1410524500502"
+ "managerReceiptTime": "2014-09-12T12:21:40.502Z"
 },
 "name": "File processing started",
 "severity": "Low",
@@ -1263,7 +1261,7 @@
 "agentAddress": "192.168.131.65",
 "agentHostName": "VirtualXP",
 "agentId": "3Pz6paUgBABCAAudQNx1w0w==",
- "agentReceiptTime": "1410524535843",
+ "agentReceiptTime": "2014-09-12T12:22:15.843Z",
 "agentTimeZone": "Europe/Prague",
 "agentType": "sdkrfilereader",
 "agentVersion": "7.0.5.7132.0",
@@ -1279,14 +1277,14 @@
 "deviceCustomString2Label": "Configuration Resource",
 "deviceEventCategory": "/Agent/ShuttingDown",
 "deviceHostName": "VirtualXP",
- "deviceReceiptTime": "1410524535833",
+ "deviceReceiptTime": "2014-09-12T12:22:15.833Z",
 "deviceSeverity": "Warning",
 "deviceTimeZone": "Europe/Prague",
 "deviceZoneURI": "/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255",
- "eventId": "7",
+ "eventId": 7,
 "fileType": "Agent",
- "message": "Process Stopped by User",
- "mrt": "1410524535833"
+ "managerReceiptTime": "2014-09-12T12:22:15.833Z",
+ "message": "Process Stopped by User"
 },
 "name": "Agent [NAT] type [sdkrfilereader] shutting down",
 "severity": "Very-High",