From 51224bbd04c6f1f74238529e75654b29a032bc07 Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Mon, 30 Aug 2021 15:48:37 +0200 Subject: [PATCH] Filebeat auditd: Fix Top Exec Commands dashboard visualization (#27638) This visualization was expecting an uppercase EXECVE value in event.action while the ingest pipeline was lowercasing this value. (cherry picked from commit 02315d973c77d2c0d92696a384b09abfe8479fbe) # Conflicts: # filebeat/module/auditd/_meta/kibana/7/visualization/5ebdbe50-0a0f-11e7-825f-6748cda7d858-ecs.json --- CHANGELOG.next.asciidoc | 2 + ...dbe50-0a0f-11e7-825f-6748cda7d858-ecs.json | 81 +++++++++++++++++++ 2 files changed, 83 insertions(+) create mode 100644 filebeat/module/auditd/_meta/kibana/7/visualization/5ebdbe50-0a0f-11e7-825f-6748cda7d858-ecs.json diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 3569e07e3b93..925d77080bb3 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -189,6 +189,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix s3 input when there is a blank line in the log file. {pull}25357[25357] - Fixes the Snyk module to work with the new API changes. {pull}27358[27358] - Fixes a bug in `http_endpoint` that caused numbers encoded as strings. {issue}27382[27382] {pull}27480[27480] +- Update indentation for azure filebeat configuration. {pull}26604[26604] +- Auditd: Fix Top Exec Commands dashboard visualization. {pull}27638[27638] *Heartbeat* diff --git a/filebeat/module/auditd/_meta/kibana/7/visualization/5ebdbe50-0a0f-11e7-825f-6748cda7d858-ecs.json b/filebeat/module/auditd/_meta/kibana/7/visualization/5ebdbe50-0a0f-11e7-825f-6748cda7d858-ecs.json new file mode 100644 index 000000000000..068832a2f690 --- /dev/null +++ b/filebeat/module/auditd/_meta/kibana/7/visualization/5ebdbe50-0a0f-11e7-825f-6748cda7d858-ecs.json 
@@ -0,0 +1,81 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": "event.action:execve"
+ }
+ }
+ },
+ "title": "Top Exec Commands [Filebeat Auditd] ECS",
+ "uiStateJSON": {
+ "vis": {
+ "params": {
+ "sort": {
+ "columnIndex": null,
+ "direction": null
+ }
+ }
+ }
+ },
+ "version": 1,
+ "visState": {
+ "aggs": [
+ {
+ "enabled": true,
+ "id": "1",
+ "params": {},
+ "schema": "metric",
+ "type": "count"
+ },
+ {
+ "enabled": true,
+ "id": "2",
+ "params": {
+ "customLabel": "Command (arg 0)",
+ "field": "auditd.log.a0",
+ "order": "desc",
+ "orderBy": "1",
+ "size": 30
+ },
+ "schema": "bucket",
+ "type": "terms"
+ }
+ ],
+ "listeners": {},
+ "params": {
+ "perPage": 10,
+ "showMeticsAtAllLevels": false,
+ "showPartialRows": false,
+ "showToolbar": true,
+ "showTotal": false,
+ "sort": {
+ "columnIndex": null,
+ "direction": null
+ },
+ "totalFunc": "sum"
+ },
+ "title": "Audit Top Exec Commands ECS",
+ "type": "table"
+ }
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "5ebdbe50-0a0f-11e7-825f-6748cda7d858-ecs",
+ "migrationVersion": {
+ "visualization": "7.14.0"
+ },
+ "references": [
+ {
+ "id": "filebeat-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization",
+ "updated_at": "2021-08-04T16:33:56.442Z",
+ "version": "WzQzNDcsMV0="
+}
\ No newline at end of file
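Review bot: `"coreMigrationVersion": "8.0.0"` sits next to `"migrationVersion": { "visualization": "7.14.0" }` in the new saved object, and since this is a cherry-pick whose conflict note names this very file, the target branch is presumably a 7.x release line; Kibana refuses to import a saved object whose coreMigrationVersion is newer than the running Kibana, so the asset may fail to load on a 7.x stack rather than fix the dashboard. If that is the target, the line should read `"coreMigrationVersion": "7.14.0"` so it agrees with the visualization migration version, and it is worth checking that the 7.x branch does not already ship this visualization id under another filename, since the file is created rather than modified here. The lowercase `"query": "event.action:execve"` itself matches the fix the commit message describes. The file also ends without a trailing newline, which the other kibana assets presumably have.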