From c09fa7aeb365449e766f45d459c1bc2f15c6facb Mon Sep 17 00:00:00 2001 
From: Pete Harverson Date: Fri, 8 Feb 2019 16:16:53 +0000 Subject: [PATCH] [ML] Removes non ECS apache, nginx and auditbeat data recognizer modules --- ...ache2-Access-Remote-IP-Count-Explorer.json | 13 -- .../ML-Apache2-Remote-IP-URL-Explorer.json | 13 -- .../search/ML-Filebeat-Apache2-Access.json | 16 --- .../visualization/ML-Apache2-Access-Map.json | 11 -- ...ML-Apache2-Access-Remote-IP-Timechart.json | 11 -- ...pache2-Access-Response-Code-Timechart.json | 11 -- ...L-Apache2-Access-Top-Remote-IPs-Table.json | 11 -- .../ML-Apache2-Access-Top-URLs-Table.json | 11 -- ...he2-Access-Unique-Count-URL-Timechart.json | 11 -- .../data_recognizer/modules/apache2/logo.json | 6 - .../modules/apache2/manifest.json | 132 ------------------ .../apache2/ml/datafeed_low_request_rate.json | 35 ----- .../ml/datafeed_remote_ip_request_rate.json | 14 -- .../ml/datafeed_remote_ip_url_count.json | 14 -- .../apache2/ml/datafeed_response_code.json | 14 -- .../apache2/ml/datafeed_visitor_rate.json | 40 ------ .../modules/apache2/ml/low_request_rate.json | 33 ----- .../apache2/ml/remote_ip_request_rate.json | 33 ----- .../apache2/ml/remote_ip_url_count.json | 34 ----- .../modules/apache2/ml/response_code.json | 40 ------ .../modules/apache2/ml/visitor_rate.json | 33 ----- ...l_auditbeat_docker_process_event_rate.json | 12 -- .../ml_auditbeat_docker_process_explorer.json | 12 -- .../ml_auditbeat_docker_process_events.json | 16 --- ..._docker_process_event_rate_by_process.json | 11 -- ...ditbeat_docker_process_event_rate_vis.json | 11 -- ...l_auditbeat_docker_process_occurrence.json | 10 -- .../auditbeat_process_docker/logo.json | 5 - .../auditbeat_process_docker/manifest.json | 78 ----------- ...feed_docker_high_count_process_events.json | 26 ---- ...datafeed_docker_rare_process_activity.json | 26 ---- .../ml/docker_high_count_process_events.json | 41 ------ .../ml/docker_rare_process_activity.json | 40 ------ ...ml_auditbeat_hosts_process_event_rate.json | 12 -- 
.../ml_auditbeat_hosts_process_explorer.json | 12 -- .../ml_auditbeat_hosts_process_events.json | 16 --- ...t_hosts_process_event_rate_by_process.json | 11 -- ...uditbeat_hosts_process_event_rate_vis.json | 11 -- ...ml_auditbeat_hosts_process_occurrence.json | 10 -- .../modules/auditbeat_process_hosts/logo.json | 5 - .../auditbeat_process_hosts/manifest.json | 80 ----------- ...afeed_hosts_high_count_process_events.json | 28 ---- .../datafeed_hosts_rare_process_activity.json | 28 ---- .../ml/hosts_high_count_process_events.json | 41 ------ .../ml/hosts_rare_process_activity.json | 40 ------ ...Nginx-Access-Remote-IP-Count-Explorer.json | 13 -- .../ML-Nginx-Remote-IP-URL-Explorer.json | 13 -- .../search/ML-Filebeat-Nginx-Access.json | 16 --- .../visualization/ML-Nginx-Access-Map.json | 11 -- .../ML-Nginx-Access-Remote-IP-Timechart.json | 11 -- ...-Nginx-Access-Response-Code-Timechart.json | 11 -- .../ML-Nginx-Access-Top-Remote-IPs-Table.json | 11 -- .../ML-Nginx-Access-Top-URLs-Table.json | 11 -- ...inx-Access-Unique-Count-URL-Timechart.json | 11 -- .../data_recognizer/modules/nginx/logo.json | 5 - .../modules/nginx/manifest.json | 132 ------------------ .../nginx/ml/datafeed_low_request_rate.json | 35 ----- .../ml/datafeed_remote_ip_request_rate.json | 14 -- .../ml/datafeed_remote_ip_url_count.json | 14 -- .../nginx/ml/datafeed_response_code.json | 14 -- .../nginx/ml/datafeed_visitor_rate.json | 40 ------ .../modules/nginx/ml/low_request_rate.json | 33 ----- .../nginx/ml/remote_ip_request_rate.json | 33 ----- .../modules/nginx/ml/remote_ip_url_count.json | 34 ----- .../modules/nginx/ml/response_code.json | 40 ------ .../modules/nginx/ml/visitor_rate.json | 33 ----- 66 files changed, 1653 deletions(-) delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/kibana/dashboard/ML-Apache2-Access-Remote-IP-Count-Explorer.json delete mode 100644 
x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/kibana/dashboard/ML-Apache2-Remote-IP-URL-Explorer.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/kibana/search/ML-Filebeat-Apache2-Access.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/kibana/visualization/ML-Apache2-Access-Map.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/kibana/visualization/ML-Apache2-Access-Remote-IP-Timechart.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/kibana/visualization/ML-Apache2-Access-Response-Code-Timechart.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/kibana/visualization/ML-Apache2-Access-Top-Remote-IPs-Table.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/kibana/visualization/ML-Apache2-Access-Top-URLs-Table.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/kibana/visualization/ML-Apache2-Access-Unique-Count-URL-Timechart.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/logo.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/manifest.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/datafeed_low_request_rate.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/datafeed_remote_ip_request_rate.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/datafeed_remote_ip_url_count.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/datafeed_response_code.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/datafeed_visitor_rate.json delete mode 100644 
x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/low_request_rate.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/remote_ip_request_rate.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/remote_ip_url_count.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/response_code.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/visitor_rate.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/dashboard/ml_auditbeat_docker_process_event_rate.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/dashboard/ml_auditbeat_docker_process_explorer.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/search/ml_auditbeat_docker_process_events.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/visualization/ml_auditbeat_docker_process_event_rate_by_process.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/visualization/ml_auditbeat_docker_process_event_rate_vis.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/visualization/ml_auditbeat_docker_process_occurrence.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/logo.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/manifest.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/ml/datafeed_docker_high_count_process_events.json delete mode 100644 
x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/ml/datafeed_docker_rare_process_activity.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/ml/docker_high_count_process_events.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/ml/docker_rare_process_activity.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/dashboard/ml_auditbeat_hosts_process_event_rate.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/dashboard/ml_auditbeat_hosts_process_explorer.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/search/ml_auditbeat_hosts_process_events.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/visualization/ml_auditbeat_hosts_process_event_rate_by_process.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/visualization/ml_auditbeat_hosts_process_event_rate_vis.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/visualization/ml_auditbeat_hosts_process_occurrence.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/logo.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/manifest.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/ml/datafeed_hosts_high_count_process_events.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/ml/datafeed_hosts_rare_process_activity.json delete mode 100644 
x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/ml/hosts_high_count_process_events.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/ml/hosts_rare_process_activity.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/kibana/dashboard/ML-Nginx-Access-Remote-IP-Count-Explorer.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/kibana/dashboard/ML-Nginx-Remote-IP-URL-Explorer.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/kibana/search/ML-Filebeat-Nginx-Access.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/kibana/visualization/ML-Nginx-Access-Map.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/kibana/visualization/ML-Nginx-Access-Remote-IP-Timechart.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/kibana/visualization/ML-Nginx-Access-Response-Code-Timechart.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/kibana/visualization/ML-Nginx-Access-Top-Remote-IPs-Table.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/kibana/visualization/ML-Nginx-Access-Top-URLs-Table.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/kibana/visualization/ML-Nginx-Access-Unique-Count-URL-Timechart.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/logo.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/manifest.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/datafeed_low_request_rate.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/datafeed_remote_ip_request_rate.json delete mode 100644 
x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/datafeed_remote_ip_url_count.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/datafeed_response_code.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/datafeed_visitor_rate.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/low_request_rate.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/remote_ip_request_rate.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/remote_ip_url_count.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/response_code.json delete mode 100644 x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/visitor_rate.json diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/kibana/dashboard/ML-Apache2-Access-Remote-IP-Count-Explorer.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/kibana/dashboard/ML-Apache2-Access-Remote-IP-Count-Explorer.json deleted file mode 100644 index 5fc696c6c702d..0000000000000 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/kibana/dashboard/ML-Apache2-Access-Remote-IP-Count-Explorer.json +++ /dev/null 
@@ -1,13 +0,0 @@ -{ - "hits": 0, - "timeRestore": false, - "description": "", - "title": "ML Apache2 Access Remote IP Count Explorer", - "uiStateJSON": "{\"P-3\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-5\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}", - "panelsJSON": "[{\"size_x\":6,\"size_y\":3,\"panelIndex\":1,\"type\":\"visualization\",\"id\":\"ML-Apache2-Access-Remote-IP-Timechart\",\"col\":1,\"row\":1},{\"size_x\":6,\"size_y\":3,\"panelIndex\":2,\"type\":\"visualization\",\"id\":\"ML-Apache2-Access-Response-Code-Timechart\",\"col\":7,\"row\":1},{\"size_x\":6,\"size_y\":3,\"panelIndex\":3,\"type\":\"visualization\",\"id\":\"ML-Apache2-Access-Top-Remote-IPs-Table\",\"col\":1,\"row\":4},{\"size_x\":6,\"size_y\":3,\"panelIndex\":4,\"type\":\"visualization\",\"id\":\"ML-Apache2-Access-Map\",\"col\":7,\"row\":4},{\"size_x\":12,\"size_y\":9,\"panelIndex\":5,\"type\":\"visualization\",\"id\":\"ML-Apache2-Access-Top-URLs-Table\",\"col\":1,\"row\":7}]", - "optionsJSON": "{}", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}],\"highlightAll\":true,\"version\":true}" - } -} diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/kibana/dashboard/ML-Apache2-Remote-IP-URL-Explorer.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/kibana/dashboard/ML-Apache2-Remote-IP-URL-Explorer.json deleted file mode 100644 index b04050ceb6e19..0000000000000 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/kibana/dashboard/ML-Apache2-Remote-IP-URL-Explorer.json +++ /dev/null 
@@ -1,13 +0,0 @@ -{ - "hits": 0, - "timeRestore": false, - "description": "", - "title": "ML Apache2 Access Remote IP URL Explorer", - "uiStateJSON": "{\"P-2\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-3\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-5\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}", - "panelsJSON": "[{\"col\":1,\"id\":\"ML-Apache2-Access-Unique-Count-URL-Timechart\",\"panelIndex\":1,\"row\":1,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"ML-Apache2-Access-Response-Code-Timechart\",\"panelIndex\":2,\"row\":1,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"ML-Apache2-Access-Top-Remote-IPs-Table\",\"panelIndex\":3,\"row\":4,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"ML-Apache2-Access-Map\",\"panelIndex\":4,\"row\":4,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"size_x\":12,\"size_y\":8,\"panelIndex\":5,\"type\":\"visualization\",\"id\":\"ML-Apache2-Access-Top-URLs-Table\",\"col\":1,\"row\":7}]", - "optionsJSON": "{}", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}],\"highlightAll\":true,\"version\":true}" - } -} diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/kibana/search/ML-Filebeat-Apache2-Access.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/kibana/search/ML-Filebeat-Apache2-Access.json deleted file mode 100644 index edb54752c2ffe..0000000000000 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/kibana/search/ML-Filebeat-Apache2-Access.json +++ /dev/null 
@@ -1,16 +0,0 @@ -{ - "sort": [ - "@timestamp", - "desc" - ], - "hits": 0, - "description": "Filebeat Apache2 Access Data", - "title": "ML Apache2 Access Data", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"INDEX_PATTERN_ID\",\"query\":{\"query_string\":{\"query\":\"_exists_:apache2.access\",\"analyze_wildcard\":true}},\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647}}" - }, - "columns": [ - "_source" - ] -} diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/kibana/visualization/ML-Apache2-Access-Map.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/kibana/visualization/ML-Apache2-Access-Map.json deleted file mode 100644 index cf95b96816941..0000000000000 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/kibana/visualization/ML-Apache2-Access-Map.json +++ /dev/null 
@@ -1,11 +0,0 @@ -{ - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"apache2.access.geoip.location\"},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"listeners\":{},\"params\":{\"addTooltip\":true,\"heatBlur\":15,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatNormalizeData\":true,\"heatRadius\":25,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[15,5],\"mapType\":\"Scaled Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"attribution\":\"Maps provided by USGS\",\"format\":\"image/png\",\"layers\":\"0\",\"styles\":\"\",\"transparent\":true,\"version\":\"1.3.0\"},\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\"}},\"title\":\"ML Apache2 Access Map\",\"type\":\"tile_map\"}", - "description": "", - "title": "ML Apache2 Access Map", - "uiStateJSON": "{\n \"mapCenter\": [\n 12.039320557540572,\n -0.17578125\n ]\n}", - "version": 1, - "savedSearchId": "ML-Filebeat-Apache2-Access", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - } -} diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/kibana/visualization/ML-Apache2-Access-Remote-IP-Timechart.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/kibana/visualization/ML-Apache2-Access-Remote-IP-Timechart.json deleted file mode 100644 index c2db71b8c9667..0000000000000 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/kibana/visualization/ML-Apache2-Access-Remote-IP-Timechart.json +++ /dev/null 
@@ -1,11 +0,0 @@ -{ - "visState": "{\"title\":\"ML Apache2 Access Remote IP Timechart\",\"type\":\"area\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"@timestamp per 5 minutes\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"value\"}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"apache2.access.remote_ip\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", - "description": "", - "title": "ML Apache2 Access Remote IP Timechart", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", - "version": 1, - "savedSearchId": "ML-Filebeat-Apache2-Access", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - } -} 
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/kibana/visualization/ML-Apache2-Access-Response-Code-Timechart.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/kibana/visualization/ML-Apache2-Access-Response-Code-Timechart.json deleted file mode 100644 index 496d15dcda861..0000000000000 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/kibana/visualization/ML-Apache2-Access-Response-Code-Timechart.json +++ /dev/null @@ -1,11 +0,0 @@ -{ - "visState": "{\"title\":\"ML Apache2 Access Response Code Timechart\",\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"scale\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"apache2.access.response_code\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", - "description": "", - "title": "ML Apache2 Access Response Code Timechart", - "uiStateJSON": "{\n \"vis\": {\n \"colors\": {\n \"200\": \"#7EB26D\",\n \"404\": \"#614D93\"\n }\n }\n}", - "version": 1, - "savedSearchId": "ML-Filebeat-Apache2-Access", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - } -} 
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/kibana/visualization/ML-Apache2-Access-Top-Remote-IPs-Table.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/kibana/visualization/ML-Apache2-Access-Top-Remote-IPs-Table.json deleted file mode 100644 index 856dec47b6b7b..0000000000000 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/kibana/visualization/ML-Apache2-Access-Top-Remote-IPs-Table.json +++ /dev/null @@ -1,11 +0,0 @@ -{ - "visState": "{\"title\":\"ML Apache2 Access Top Remote IPs Table\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"apache2.access.remote_ip\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", - "description": "", - "title": "ML Apache2 Access Top Remote IPs Table", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "savedSearchId": "ML-Filebeat-Apache2-Access", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - } -} diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/kibana/visualization/ML-Apache2-Access-Top-URLs-Table.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/kibana/visualization/ML-Apache2-Access-Top-URLs-Table.json deleted file mode 100644 index b698cd12b303e..0000000000000 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/kibana/visualization/ML-Apache2-Access-Top-URLs-Table.json +++ /dev/null 
@@ -1,11 +0,0 @@ -{ - "visState": "{\"title\":\"ML Apache2 Access Top URLs Table\",\"type\":\"table\",\"params\":{\"perPage\":100,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"apache2.access.url\",\"size\":1000,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", - "description": "", - "title": "ML Apache2 Access Top URLs Table", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "savedSearchId": "ML-Filebeat-Apache2-Access", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - } -} diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/kibana/visualization/ML-Apache2-Access-Unique-Count-URL-Timechart.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/kibana/visualization/ML-Apache2-Access-Unique-Count-URL-Timechart.json deleted file mode 100644 index 03ffb27206bd2..0000000000000 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/kibana/visualization/ML-Apache2-Access-Unique-Count-URL-Timechart.json +++ /dev/null 
@@ -1,11 +0,0 @@ -{ - "visState": "{\"title\":\"ML Apache2 Access Unique Count URL Timechart\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per day\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Unique count of apache2.access.url\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Unique count of apache2.access.url\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"apache2.access.url\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", - "description": "", - "title": "ML Apache2 Access Unique Count URL Timechart", - "uiStateJSON": "{}", - "version": 1, - "savedSearchId": "ML-Filebeat-Apache2-Access", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - } -} 
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/logo.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/logo.json
deleted file mode 100644
index e15620ed29fcc..0000000000000
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/logo.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "src": "data:image/png;base64,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",
- "height": 25,
- "width": 125
-}
-
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/manifest.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/manifest.json
deleted file mode 100644
index 95aab414ea5cd..0000000000000
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/manifest.json
+++ /dev/null
@@ -1,132 +0,0 @@
-{
- "id": "apache2",
- "title": "Filebeat apache2",
- "description": "Find unusual activity in Apache web access logs.",
- "type": "Web Access Logs",
- "logoFile": "logo.json",
- "defaultIndexPattern": "filebeat-*",
- "query": {
- "bool": {
- "filter": [
- {
- "term": {
- "fileset.module": "apache2"
- }
- },
- {
- "term": {
- "fileset.name": "access"
- }
- },
- {
- "exists": {
- "field": "apache2.access.remote_ip"
- }
- },
- {
- "exists": {
- "field": "apache2.access.url"
- }
- },
- {
- "exists": {
- "field": "apache2.access.response_code"
- }
- }
- ]
- }
- },
- "jobs": [
- {
- "id": "visitor_rate",
- "file": "visitor_rate.json"
- },
- {
- "id": "response_code",
- "file": "response_code.json"
- },
- {
- "id": "remote_ip_url_count",
- "file": "remote_ip_url_count.json"
- },
- {
- "id": "remote_ip_request_rate",
- "file": "remote_ip_request_rate.json"
- },
- {
- "id": "low_request_rate",
- "file": "low_request_rate.json"
- }
- ],
- "datafeeds": [
- {
- "id": "datafeed-visitor_rate",
- "file": "datafeed_visitor_rate.json",
- "job_id": "visitor_rate"
- },
- {
- "id": "datafeed-response_code",
- "file": "datafeed_response_code.json",
- "job_id": "response_code"
- },
- {
- "id": "datafeed-remote_ip_url_count",
- "file": "datafeed_remote_ip_url_count.json",
- "job_id": "remote_ip_url_count"
- },
- {
- "id": "datafeed-remote_ip_request_rate",
- "file": "datafeed_remote_ip_request_rate.json",
- "job_id": "remote_ip_request_rate"
- },
- {
- "id": "datafeed-low_request_rate",
- "file": "datafeed_low_request_rate.json",
- "job_id": "low_request_rate"
- }
- ],
- "kibana": {
- "dashboard": [
- {
- "id": "ML-Apache2-Access-Remote-IP-Count-Explorer",
- "file": "ML-Apache2-Access-Remote-IP-Count-Explorer.json"
- },
- {
- "id": "ML-Apache2-Remote-IP-URL-Explorer",
- "file": "ML-Apache2-Remote-IP-URL-Explorer.json"
- }
- ],
- "search": [
- {
- "id": "ML-Filebeat-Apache2-Access",
- "file": "ML-Filebeat-Apache2-Access.json"
- }
- ],
- "visualization": [
- {
- "id": "ML-Apache2-Access-Map",
- "file": "ML-Apache2-Access-Map.json"
- },
- {
- "id": "ML-Apache2-Access-Remote-IP-Timechart",
- "file": "ML-Apache2-Access-Remote-IP-Timechart.json"
- },
- {
- "id": "ML-Apache2-Access-Response-Code-Timechart",
- "file": "ML-Apache2-Access-Response-Code-Timechart.json"
- },
- {
- "id": "ML-Apache2-Access-Top-Remote-IPs-Table",
- "file": "ML-Apache2-Access-Top-Remote-IPs-Table.json"
- },
- {
- "id": "ML-Apache2-Access-Top-URLs-Table",
- "file": "ML-Apache2-Access-Top-URLs-Table.json"
- },
- {
- "id": "ML-Apache2-Access-Unique-Count-URL-Timechart",
- "file": "ML-Apache2-Access-Unique-Count-URL-Timechart.json"
- }
- ]
- }
-}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/datafeed_low_request_rate.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/datafeed_low_request_rate.json
deleted file mode 100644
index 2ed171f41bf80..0000000000000
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/datafeed_low_request_rate.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "job_id": "JOB_ID",
- "indexes": [
- "INDEX_PATTERN_NAME"
- ],
- "query": {
- "bool": {
- "filter": [
- { "term": { "fileset.module": "apache2" } },
- { "term": { "fileset.name": "access" } }
- ]
- }
- },
- "aggregations": {
- "buckets": {
- "date_histogram": {
- "field": "@timestamp",
- "interval": 900000,
- "offset": 0,
- "order": {
- "_key": "asc"
- },
- "keyed": false,
- "min_doc_count": 0
- },
- "aggregations": {
- "@timestamp": {
- "max": {
- "field": "@timestamp"
- }
- }
- }
- }
- }
-}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/datafeed_remote_ip_request_rate.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/datafeed_remote_ip_request_rate.json
deleted file mode 100644
index df2be77127cde..0000000000000
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/datafeed_remote_ip_request_rate.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "job_id": "JOB_ID",
- "indexes": [
- "INDEX_PATTERN_NAME"
- ],
- "query": {
- "bool": {
- "filter": [
- { "term": { "fileset.module": "apache2" } },
- { "term": { "fileset.name": "access" } }
- ]
- }
- }
-}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/datafeed_remote_ip_url_count.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/datafeed_remote_ip_url_count.json
deleted file mode 100644
index df2be77127cde..0000000000000
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/datafeed_remote_ip_url_count.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "job_id": "JOB_ID",
- "indexes": [
- "INDEX_PATTERN_NAME"
- ],
- "query": {
- "bool": {
- "filter": [
- { "term": { "fileset.module": "apache2" } },
- { "term": { "fileset.name": "access" } }
- ]
- }
- }
-}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/datafeed_response_code.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/datafeed_response_code.json
deleted file mode 100644
index df2be77127cde..0000000000000
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/datafeed_response_code.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "job_id": "JOB_ID",
- "indexes": [
- "INDEX_PATTERN_NAME"
- ],
- "query": {
- "bool": {
- "filter": [
- { "term": { "fileset.module": "apache2" } },
- { "term": { "fileset.name": "access" } }
- ]
- }
- }
-}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/datafeed_visitor_rate.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/datafeed_visitor_rate.json
deleted file mode 100644
index a37fe740cf05a..0000000000000
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/datafeed_visitor_rate.json
+++ /dev/null
@@ -1,40 +0,0 @@
-{
- "job_id": "JOB_ID",
- "indexes": [
- "INDEX_PATTERN_NAME"
- ],
- "query": {
- "bool": {
- "filter": [
- { "term": { "fileset.module": "apache2" } },
- { "term": { "fileset.name": "access" } }
- ]
- }
- },
- "aggregations": {
- "buckets": {
- "date_histogram": {
- "field": "@timestamp",
- "interval": 900000,
- "offset": 0,
- "order": {
- "_key": "asc"
- },
- "keyed": false,
- "min_doc_count": 0
- },
- "aggregations": {
- "@timestamp": {
- "max": {
- "field": "@timestamp"
- }
- },
- "dc_remote_ips": {
- "cardinality": {
- "field": "apache2.access.remote_ip"
- }
- }
- }
- }
- }
-}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/low_request_rate.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/low_request_rate.json
deleted file mode 100644
index 5f5c372d144ac..0000000000000
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/low_request_rate.json
+++ /dev/null
@@ -1,33 +0,0 @@
-{
- "groups": ["apache2"],
- "description": "Apache2 Access Logs: Detect low request rate",
- "analysis_config" : {
- "bucket_span": "15m",
- "summary_count_field_name": "doc_count",
- "detectors": [
- {
- "detector_description": "apache2_access_low_request_rate",
- "function": "low_count"
- }
- ],
- "influencers": []
- },
- "analysis_limits": {
- "model_memory_limit": "10mb"
- },
- "data_description": {
- "time_field": "@timestamp",
- "time_format": "epoch_ms"
- },
- "model_plot_config": {
- "enabled": true
- },
- "custom_settings": {
- "custom_urls": [
- {
- "url_name": "Raw Data",
- "url_value": "kibana#/discover/ML-Filebeat-Apache2-Access?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))&_a=(columns:!(_source),filters:!(),index:\u0027INDEX_PATTERN_ID\u0027,interval:auto,query:(query_string:(analyze_wildcard:!t,query:\u0027*\u0027)),sort:!(\u0027@timestamp\u0027,desc))"
- }
- ]
- }
-}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/remote_ip_request_rate.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/remote_ip_request_rate.json
deleted file mode 100644
index 7d0c85d33ac91..0000000000000
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/remote_ip_request_rate.json
+++ /dev/null
@@ -1,33 +0,0 @@
-{
- "groups": ["apache2"],
- "description": "Apache2 Access Logs: Detect unusual remote_ips - high request rates",
- "analysis_config" : {
- "bucket_span": "1h",
- "detectors": [
- {
- "detector_description": "apache2_access_remote_ip_high_count",
- "function": "high_count",
- "over_field_name": "apache2.access.remote_ip"
- }
- ],
- "influencers": [
- "apache2.access.remote_ip"
- ]
- },
- "data_description": {
- "time_field": "@timestamp",
- "time_format": "epoch_ms"
- },
- "custom_settings": {
- "custom_urls": [
- {
- "url_name": "Count Explorer",
- "url_value": "kibana#/dashboard/ML-Apache2-Access-Remote-IP-Count-Explorer?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))&_a=(description:\u0027\u0027,filters:!((\u0027$state\u0027:(store:appState),meta:(alias:!n,disabled:!f,index:\u0027INDEX_PATTERN_ID\u0027,key:apache2.access.remote_ip,negate:!f,type:phrase,value:\u0027$apache2.access.remote_ip$\u0027),query:(match:(apache2.access.remote_ip:(query:\u0027$apache2.access.remote_ip$\u0027,type:phrase))))),query:(query_string:(analyze_wildcard:!t,query:\u0027*\u0027)))"
- },
- {
- "url_name": "Raw Data",
- "url_value": "kibana#/discover/ML-Filebeat-Apache2-Access?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))&_a=(columns:!(_source),filters:!((\u0027$state\u0027:(store:appState),meta:(alias:!n,disabled:!f,index:\u0027INDEX_PATTERN_ID\u0027,key:apache2.access.remote_ip,negate:!f,type:phrase,value:\u0027$apache2.access.remote_ip$\u0027),query:(match:(apache2.access.remote_ip:(query:\u0027$apache2.access.remote_ip$\u0027,type:phrase))))),index:\u0027INDEX_PATTERN_ID\u0027,interval:auto,query:(query_string:(analyze_wildcard:!t,query:\u0027*\u0027)),sort:!(\u0027@timestamp\u0027,desc))"
- }
- ]
- }
-}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/remote_ip_url_count.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/remote_ip_url_count.json
deleted file mode 100644
index 96185d6edeee7..0000000000000
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/remote_ip_url_count.json
+++ /dev/null
@@ -1,34 +0,0 @@
-{
- "groups": ["apache2"],
- "description": "Apache2 Access Logs: Detect unusual remote_ips - high distinct count of urls",
- "analysis_config" : {
- "bucket_span": "1h",
- "detectors": [
- {
- "detector_description": "apache2_access_remote_ip_high_dc_url",
- "function": "high_distinct_count",
- "field_name": "apache2.access.url",
- "over_field_name": "apache2.access.remote_ip"
- }
- ],
- "influencers": [
- "apache2.access.remote_ip"
- ]
- },
- "data_description": {
- "time_field": "@timestamp",
- "time_format": "epoch_ms"
- },
- "custom_settings": {
- "custom_urls": [
- {
- "url_name": "URL Explorer",
- "url_value": "kibana#/dashboard/ML-Apache2-Remote-IP-URL-Explorer?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))&_a=(description:\u0027\u0027,filters:!((\u0027$state\u0027:(store:appState),meta:(alias:!n,disabled:!f,index:\u0027INDEX_PATTERN_ID\u0027,key:apache2.access.remote_ip,negate:!f,type:phrase,value:\u0027$apache2.access.remote_ip$\u0027),query:(match:(apache2.access.remote_ip:(query:\u0027$apache2.access.remote_ip$\u0027,type:phrase))))),query:(query_string:(analyze_wildcard:!t,query:\u0027*\u0027)))"
- },
- {
- "url_name": "Raw Data",
- "url_value": "kibana#/discover/ML-Filebeat-Apache2-Access?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))&_a=(columns:!(_source),filters:!((\u0027$state\u0027:(store:appState),meta:(alias:!n,disabled:!f,index:\u0027INDEX_PATTERN_ID\u0027,key:apache2.access.remote_ip,negate:!f,type:phrase,value:\u0027$apache2.access.remote_ip$\u0027),query:(match:(apache2.access.remote_ip:(query:\u0027$apache2.access.remote_ip$\u0027,type:phrase))))),index:\u0027INDEX_PATTERN_ID\u0027,interval:auto,query:(query_string:(analyze_wildcard:!t,query:\u0027*\u0027)),sort:!(\u0027@timestamp\u0027,desc))"
- }
- ]
- }
-}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/response_code.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/response_code.json
deleted file mode 100644
index 7d50df5e59bb8..0000000000000
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/response_code.json
+++ /dev/null
@@ -1,40 +0,0 @@
-{
- "groups": ["apache2"],
- "description": "Apache2 Access Logs: Detect unusual response_code rates",
- "analysis_config" : {
- "bucket_span": "15m",
- "detectors": [
- {
- "detector_description": "apache2_access_response_code_rate",
- "function": "count",
- "partition_field_name": "apache2.access.response_code"
- }
- ],
- "influencers": [
- "apache2.access.response_code",
- "apache2.access.remote_ip"
- ]
- },
- "analysis_limits": {
- "model_memory_limit": "100mb"
- },
- "data_description": {
- "time_field": "@timestamp",
- "time_format": "epoch_ms"
- },
- "model_plot_config": {
- "enabled": true
- },
- "custom_settings": {
- "custom_urls": [
- {
- "url_name": "Count Explorer",
- "url_value": "kibana#/dashboard/ML-Apache2-Access-Remote-IP-Count-Explorer?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))&_a=(description:\u0027\u0027,filters:!((\u0027$state\u0027:(store:appState),meta:(alias:!n,disabled:!f,index:\u0027INDEX_PATTERN_ID\u0027,key:apache2.access.response_code,negate:!f,type:phrase,value:\u0027$apache2.access.response_code$\u0027),query:(match:(apache2.access.response_code:(query:\u0027$apache2.access.response_code$\u0027,type:phrase))))),query:(query_string:(analyze_wildcard:!t,query:\u0027*\u0027)))"
- },
- {
- "url_name": "Raw Data",
- "url_value": "kibana#/discover/ML-Filebeat-Apache2-Access?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))&_a=(columns:!(_source),filters:!((\u0027$state\u0027:(store:appState),meta:(alias:!n,disabled:!f,index:\u0027INDEX_PATTERN_ID\u0027,key:apache2.access.response_code,negate:!f,type:phrase,value:\u0027$apache2.access.response_code$\u0027),query:(match:(apache2.access.response_code:(query:\u0027$apache2.access.response_code$\u0027,type:phrase))))),index:\u0027INDEX_PATTERN_ID\u0027,interval:auto,query:(query_string:(analyze_wildcard:!t,query:\u0027_exists_:apache2.access\u0027)),sort:!(\u0027@timestamp\u0027,desc))"
- }
- ]
- }
-}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/visitor_rate.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/visitor_rate.json
deleted file mode 100644
index cbe27ea4e64c7..0000000000000
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/apache2/ml/visitor_rate.json
+++ /dev/null
@@ -1,33 +0,0 @@
-{
- "groups": ["apache2"],
- "description": "Apache2 Access Logs: Detect unusual visitor rate",
- "analysis_config" : {
- "bucket_span": "15m",
- "summary_count_field_name": "dc_remote_ips",
- "detectors": [
- {
- "detector_description": "apache2_access_visitor_rate",
- "function": "non_zero_count"
- }
- ],
- "influencers": []
- },
- "analysis_limits": {
- "model_memory_limit": "10mb"
- },
- "data_description": {
- "time_field": "@timestamp",
- "time_format": "epoch_ms"
- },
- "model_plot_config": {
- "enabled": true
- },
- "custom_settings": {
- "custom_urls": [
- {
- "url_name": "Raw Data",
- "url_value": "kibana#/discover/ML-Filebeat-Apache2-Access?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))&_a=(columns:!(_source),filters:!(),index:\u0027INDEX_PATTERN_ID\u0027,interval:auto,query:(query_string:(analyze_wildcard:!t,query:\u0027*\u0027)),sort:!(\u0027@timestamp\u0027,desc))"
- }
- ]
- }
-}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/dashboard/ml_auditbeat_docker_process_event_rate.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/dashboard/ml_auditbeat_docker_process_event_rate.json
deleted file mode 100644
index 680b329b29cf7..0000000000000
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/dashboard/ml_auditbeat_docker_process_event_rate.json
+++ /dev/null
@@ -1,12 +0,0 @@ -{ - "title": "ML Auditbeat Docker: Process Event Rate", - "hits": 0, - "description": "Dashboard to investigate unusual process event rates in a Docker container", - "panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":14,\"i\":\"1\"},\"id\":\"ml_auditbeat_docker_process_event_rate_vis\",\"panelIndex\":\"1\",\"type\":\"visualization\",\"version\":\"6.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":14,\"w\":48,\"h\":15,\"i\":\"2\"},\"id\":\"ml_auditbeat_docker_process_event_rate_by_process\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.6.0\"},{\"gridData\":{\"x\":0,\"y\":29,\"w\":48,\"h\":20,\"i\":\"3\"},\"version\":\"6.6.0\",\"panelIndex\":\"3\",\"type\":\"search\",\"id\":\"ml_auditbeat_docker_process_events\",\"embeddableConfig\":{}}]", - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "version": 1, - "timeRestore": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } -} diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/dashboard/ml_auditbeat_docker_process_explorer.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/dashboard/ml_auditbeat_docker_process_explorer.json deleted file mode 100644 index a5e13014b9fdd..0000000000000 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/dashboard/ml_auditbeat_docker_process_explorer.json +++ /dev/null 
@@ -1,12 +0,0 @@ -{ -"title": "ML Auditbeat Docker: Process Explorer", -"hits": 0, -"description": "Dashboard to explore processes for a Docker container", -"panelsJSON": "[{\"embeddableConfig\": {},\"gridData\": {\"x\": 0,\"y\": 0,\"w\": 25,\"h\": 22,\"i\": \"1\"},\"id\": \"ml_auditbeat_docker_process_occurrence\",\"panelIndex\": \"1\",\"type\": \"visualization\",\"version\": \"6.6.0\"},{\"gridData\": {\"x\": 0,\"y\": 22,\"w\": 48,\"h\": 35,\"i\": \"2\"},\"version\": \"6.6.0\",\"panelIndex\": \"2\",\"type\": \"search\",\"id\": \"ml_auditbeat_docker_process_events\",\"embeddableConfig\": {}},{\"gridData\": {\"x\": 25,\"y\": 0,\"w\": 23,\"h\": 22,\"i\": \"3\"},\"version\": \"6.6.0\",\"panelIndex\": \"3\",\"type\": \"visualization\",\"id\": \"ml_auditbeat_docker_process_event_rate_by_process\",\"embeddableConfig\": {\"vis\": {\"legendOpen\": true}}}\n]", -"optionsJSON": "{\"hidePanelTitles\": false,\"useMargins\": true\n}", -"version": 1, -"timeRestore": false, -"kibanaSavedObjectMeta": { -"searchSourceJSON": "{\"query\": {\"query\": \"\",\"language\": \"lucene\"},\"filter\": []\n}" -} -} diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/search/ml_auditbeat_docker_process_events.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/search/ml_auditbeat_docker_process_events.json deleted file mode 100644 index 6b564670fa2ab..0000000000000 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/search/ml_auditbeat_docker_process_events.json +++ /dev/null 
@@ -1,16 +0,0 @@ -{ - "title": "ML Auditbeat Docker: Process Events", - "description": "Auditbeat process events in Docker containers", - "hits": 0, - "columns": [ - "_source" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"INDEX_PATTERN_ID\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"index\":\"INDEX_PATTERN_ID\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"exists\",\"key\":\"docker.container.id\",\"value\":\"exists\"},\"exists\":{\"field\":\"docker.container.id\"},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"negate\":false,\"index\":\"INDEX_PATTERN_ID\",\"type\":\"phrase\",\"key\":\"event.type\",\"value\":\"syscall\",\"params\":{\"query\":\"syscall\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"event.type\":{\"query\":\"syscall\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}" - } -} diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/visualization/ml_auditbeat_docker_process_event_rate_by_process.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/visualization/ml_auditbeat_docker_process_event_rate_by_process.json deleted file mode 100644 index 11ab7c9b77a54..0000000000000 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/visualization/ml_auditbeat_docker_process_event_rate_by_process.json +++ /dev/null 
@@ -1,11 +0,0 @@ -{ - "title": "ML Auditbeat Docker: Process Event Rate by Process", - "visState": "{\"title\": \"ML Auditbeat Docker: Event Rate by Process\",\"type\": \"histogram\",\"params\": {\"type\": \"histogram\",\"grid\": {\"categoryLines\": false,\"style\": {\"color\": \"#eee\"}},\"categoryAxes\": [{\"id\": \"CategoryAxis-1\",\"type\": \"category\",\"position\": \"bottom\",\"show\": true,\"style\": {},\"scale\": { \"type\": \"linear\"},\"labels\": { \"show\": true, \"truncate\": 100},\"title\": {}}],\"valueAxes\": [{\"id\": \"ValueAxis-1\",\"name\": \"LeftAxis-1\",\"type\": \"value\",\"position\": \"left\",\"show\": true,\"style\": {},\"scale\": { \"type\": \"linear\", \"mode\": \"normal\"},\"labels\": { \"show\": true, \"rotate\": 0, \"filter\": false, \"truncate\": 100},\"title\": { \"text\": \"Count\"}}],\"seriesParams\": [{\"show\": \"true\",\"type\": \"histogram\",\"mode\": \"stacked\",\"data\": { \"label\": \"Count\", \"id\": \"1\"},\"valueAxis\": \"ValueAxis-1\",\"drawLinesBetweenPoints\": true,\"showCircles\": true}],\"addTooltip\": true,\"addLegend\": true,\"legendPosition\": \"right\",\"times\": [],\"addTimeMarker\": false},\"aggs\": [{\"id\": \"1\",\"enabled\": true,\"type\": \"count\",\"schema\": \"metric\",\"params\": {}},{\"id\": \"2\",\"enabled\": true,\"type\": \"date_histogram\",\"schema\": \"segment\",\"params\": {\"field\": \"@timestamp\",\"useNormalizedEsInterval\": true,\"interval\": \"auto\",\"time_zone\": \"UTC\",\"drop_partials\": false,\"customInterval\": \"2h\",\"min_doc_count\": 1,\"extended_bounds\": {}}},{\"id\": \"3\",\"enabled\": true,\"type\": \"terms\",\"schema\": \"group\",\"params\": {\"field\": \"process.exe\",\"size\": 10,\"order\": \"desc\",\"orderBy\": \"1\",\"otherBucket\": false,\"otherBucketLabel\": \"Other\",\"missingBucket\": false,\"missingBucketLabel\": \"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "ml_auditbeat_docker_process_events", - "version": 1, - 
"kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\": {\"query\": \"\",\"language\": \"kuery\"},\"filter\": []}" - } -} diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/visualization/ml_auditbeat_docker_process_event_rate_vis.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/visualization/ml_auditbeat_docker_process_event_rate_vis.json deleted file mode 100644 index 806dde4b7f548..0000000000000 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/visualization/ml_auditbeat_docker_process_event_rate_vis.json +++ /dev/null 
@@ -1,11 +0,0 @@ -{ - "title": "ML Auditbeat Docker: Process Event Rate", - "visState": "{\"title\": \"ML Auditbeat Docker: Process Event Rate\",\"type\": \"line\",\"params\": {\"type\": \"line\",\"grid\": { \"categoryLines\": false, \"style\": { \"color\": \"#eee\" }},\"categoryAxes\": [ { \"id\": \"CategoryAxis-1\", \"type\": \"category\", \"position\": \"bottom\", \"show\": true, \"style\": {}, \"scale\": { \"type\": \"linear\" }, \"labels\": { \"show\": true, \"truncate\": 100 }, \"title\": {} }],\"valueAxes\": [ { \"id\": \"ValueAxis-1\", \"name\": \"LeftAxis-1\", \"type\": \"value\", \"position\": \"left\", \"show\": true, \"style\": {}, \"scale\": { \"type\": \"linear\", \"mode\": \"normal\" }, \"labels\": { \"show\": true, \"rotate\": 0, \"filter\": false, \"truncate\": 100 }, \"title\": { \"text\": \"Count\" } }],\"seriesParams\": [ { \"show\": \"true\", \"type\": \"line\", \"mode\": \"normal\", \"data\": { \"label\": \"Count\", \"id\": \"1\" }, \"valueAxis\": \"ValueAxis-1\", \"drawLinesBetweenPoints\": true, \"showCircles\": true }],\"addTooltip\": true,\"addLegend\": true,\"legendPosition\": \"right\",\"times\": [],\"addTimeMarker\": false},\"aggs\": [{ \"id\": \"1\", \"enabled\": true, \"type\": \"count\", \"schema\": \"metric\", \"params\": {}},{ \"id\": \"2\", \"enabled\": true, \"type\": \"date_histogram\", \"schema\": \"segment\", \"params\": { \"field\": \"@timestamp\", \"useNormalizedEsInterval\": true, \"interval\": \"auto\", \"time_zone\": \"UTC\", \"drop_partials\": false, \"customInterval\": \"2h\", \"min_doc_count\": 1, \"extended_bounds\": {} }},{ \"id\": \"3\", \"enabled\": true, \"type\": \"terms\", \"schema\": \"group\", \"params\": { \"field\": \"beat.name\", \"size\": 10, \"order\": \"desc\", \"orderBy\": \"1\", \"otherBucket\": false, \"otherBucketLabel\": \"Other\", \"missingBucket\": false, \"missingBucketLabel\": \"Missing\" }}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "ml_auditbeat_docker_process_events", 
- "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\": {\"query\": \"\",\"language\": \"kuery\"},\"filter\": []}" - } -} diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/visualization/ml_auditbeat_docker_process_occurrence.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/visualization/ml_auditbeat_docker_process_occurrence.json deleted file mode 100644 index 5d093c0b03542..0000000000000 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/kibana/visualization/ml_auditbeat_docker_process_occurrence.json +++ /dev/null 
@@ -1,10 +0,0 @@ -{ - "title": "ML Auditbeat Docker: Process Occurrence (experimental)", - "visState": "{\"title\":\"ML Auditbeat Docker: Process Occurrence\",\"type\":\"vega\",\"params\":{\"spec\":\"{\\n $schema: https://vega.github.io/schema/vega-lite/v2.json\\n mark: {type: \\\"point\\\"}\\n data: {\\n url: {\\n index: \\\"INDEX_PATTERN_NAME\\\"\\n body: {\\n size: 10000\\n query: {\\n bool: {\\n must: [\\n %dashboard_context-must_clause%\\n {\\n exists: {field: \\\"process.exe\\\"}\\n }\\n {\\n function_score: {\\n random_score: {seed: 10, field: \\\"_seq_no\\\"}\\n }\\n }\\n {\\n range: {\\n @timestamp: {\\n %timefilter%: true\\n }\\n }\\n }\\n ]\\n must_not: [\\n \\\"%dashboard_context-must_not_clause%\\\"\\n ]\\n }\\n }\\n script_fields: {\\n process_exe: {\\n script: {source: \\\"params['_source']['process']['exe']\\\"}\\n }\\n }\\n _source: [\\\"@timestamp\\\", \\\"process_exe\\\"]\\n }\\n }\\n format: {property: \\\"hits.hits\\\"}\\n }\\n transform: [\\n {calculate: \\\"toDate(datum._source['@timestamp'])\\\", as: \\\"time\\\"}\\n ]\\n encoding: {\\n x: {\\n field: time\\n type: temporal\\n axis: {labels: true, ticks: true, title: false},\\n timeUnit: utcyearmonthdatehoursminutes\\n }\\n y: {\\n field: fields.process_exe\\n type: ordinal\\n sort: {op: \\\"count\\\", order: \\\"descending\\\"}\\n axis: {labels: true, title: \\\"occurrence of process.exe\\\", ticks: false}\\n }\\n }\\n config: {\\n style: {\\n point: {filled: true}\\n }\\n }\\n}\"},\"aggs\":[]}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": 
"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"index\":\"INDEX_PATTERN_ID\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"exists\",\"key\":\"docker.container.id\",\"value\":\"exists\"},\"exists\":{\"field\":\"docker.container.id\"},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"index\":\"INDEX_PATTERN_ID\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"event.type\",\"value\":\"syscall\",\"params\":{\"query\":\"syscall\",\"type\":\"phrase\"}},\"query\":{\"match\":{\"event.type\":{\"query\":\"syscall\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}" - } -} diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/logo.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/logo.json deleted file mode 100644 index 8f5e61d1b765c..0000000000000 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/logo.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "src": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgAgMAAAAOFJJnAAAADFBMVEUAAAAAAAABf3X////ZaOWRAAAAAXRSTlMAQObYZgAAAAFiS0dEAxEMTPIAAAAfSURBVBjTYwgNDXVqBBIMcEYAAwNTAwMD60hkYIQGAIQRIolX2EV0AAAAAElFTkSuQmCC", - "height": 32, - "width": 32 -} diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/manifest.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/manifest.json deleted file mode 100644 index 70227f40f3fec..0000000000000 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/manifest.json +++ /dev/null 
@@ -1,78 +0,0 @@
-{
- "id": "auditbeat_process_docker",
- "title": "Auditbeat Docker Processes",
- "description": "Detect unusual processes in Docker containers",
- "type": "Auditbeat data",
- "logoFile": "logo.json",
- "defaultIndexPattern": "auditbeat-*",
- "query": {
- "bool": {
- "must": [
- {
- "exists": {
- "field": "auditd.summary"
- }
- },
- {
- "exists": {
- "field": "docker.container.id"
- }
- }
- ]
- }
- },
- "jobs": [
- {
- "id": "docker_high_count_process_events",
- "file": "docker_high_count_process_events.json"
- },
- {
- "id": "docker_rare_process_activity",
- "file": "docker_rare_process_activity.json"
- }
- ],
- "datafeeds": [
- {
- "id": "datafeed-docker_high_count_process_events",
- "file": "datafeed_docker_high_count_process_events.json",
- "job_id": "docker_high_count_process_events"
- },
- {
- "id": "datafeed-docker_rare_process_activity",
- "file": "datafeed_docker_rare_process_activity.json",
- "job_id": "docker_rare_process_activity"
- }
- ],
- "kibana": {
- "dashboard": [
- {
- "id": "ml_auditbeat_docker_process_event_rate",
- "file": "ml_auditbeat_docker_process_event_rate.json"
- },
- {
- "id": "ml_auditbeat_docker_process_explorer",
- "file": "ml_auditbeat_docker_process_explorer.json"
- }
- ],
- "search": [
- {
- "id": "ml_auditbeat_docker_process_events",
- "file": "ml_auditbeat_docker_process_events.json"
- }
- ],
- "visualization": [
- {
- "id": "ml_auditbeat_docker_process_event_rate_by_process",
- "file": "ml_auditbeat_docker_process_event_rate_by_process.json"
- },
- {
- "id": "ml_auditbeat_docker_process_event_rate_vis",
- "file": "ml_auditbeat_docker_process_event_rate_vis.json"
- },
- {
- "id": "ml_auditbeat_docker_process_occurrence",
- "file": "ml_auditbeat_docker_process_occurrence.json"
- }
- ]
- }
-}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/ml/datafeed_docker_high_count_process_events.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/ml/datafeed_docker_high_count_process_events.json
deleted file mode 100644
index 3757877c7c7e9..0000000000000
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/ml/datafeed_docker_high_count_process_events.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "job_id": "JOB_ID",
- "indexes": [
- "INDEX_PATTERN_NAME"
- ],
- "query": {
- "bool": {
- "must": [
- {
- "match": {
- "event.type": "syscall"
- }
- },
- {
- "exists": {
- "field":"docker.container.id"
- }
- }
- ]
- }
- },
- "scroll_size": 1000,
- "chunking_config": {
- "mode": "auto"
- }
-}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/ml/datafeed_docker_rare_process_activity.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/ml/datafeed_docker_rare_process_activity.json
deleted file mode 100644
index cd559af1851e9..0000000000000
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/ml/datafeed_docker_rare_process_activity.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "job_id": "JOB_ID",
- "indexes": [
- "INDEX_PATTERN_NAME"
- ],
- "query": {
- "bool": {
- "must": [
- {
- "match": {
- "event.type": "syscall"
- }
- },
- {
- "exists": {
- "field": "docker.container.id"
- }
- }
- ]
- }
- },
- "scroll_size": 1000,
- "chunking_config": {
- "mode": "auto"
- }
-}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/ml/docker_high_count_process_events.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/ml/docker_high_count_process_events.json
deleted file mode 100644
index 2c1548d27d432..0000000000000
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/ml/docker_high_count_process_events.json
+++ /dev/null
@@ -1,41 +0,0 @@
-{
- "job_type": "anomaly_detector",
- "description": "Auditbeat: Detect Unusual Increases in Process Rates in Docker Containers",
- "groups": ["auditbeat"],
- "analysis_config": {
- "bucket_span": "1h",
- "detectors": [
- {
- "detector_description": "high_count partitionfield=\"docker.container.id\"",
- "function": "high_count",
- "partition_field_name": "docker.container.id"
- }
- ],
- "influencers": [
- "docker.container.id",
- "process.exe"
- ]
- },
- "analysis_limits": {
- "model_memory_limit": "256mb",
- "categorization_examples_limit": 4
- },
- "data_description": {
- "time_field": "@timestamp",
- "time_format": "epoch_ms"
- },
- "custom_settings": {
- "custom_urls": [
- {
- "url_name": "Raw Data",
- "time_range": "1h",
- "url_value": "kibana#/discover?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))&_a=(index:\u0027INDEX_PATTERN_ID\u0027,query:(language:lucene,query:\u0027docker.container.id:\u0022$docker.container.id$\u0022\u0027))"
- },
- {
- "url_name": "Process Rate",
- "time_range": "1h",
- "url_value": "kibana#/dashboard/ml_auditbeat_docker_process_event_rate?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))&_a=(filters:!(),query:(language:lucene,query:\u0027docker.container.id:\u0022$docker.container.id$\u0022\u0027))"
- }
- ]
- }
-}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/ml/docker_rare_process_activity.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/ml/docker_rare_process_activity.json
deleted file mode 100644
index 9791221e942dd..0000000000000
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_docker/ml/docker_rare_process_activity.json
+++ /dev/null
@@ -1,40 +0,0 @@
-{
- "job_type": "anomaly_detector",
- "description": "Auditbeat: Detect Rare Process Executions in Docker Containers",
- "groups": ["auditbeat"],
- "analysis_config": {
- "bucket_span": "1h",
- "detectors": [
- {
- "function": "rare",
- "by_field_name": "process.exe",
- "partition_field_name": "docker.container.id"
- }
- ],
- "influencers": [
- "docker.container.id",
- "process.exe"
- ]
- },
- "analysis_limits": {
- "model_memory_limit": "256mb"
- },
- "data_description": {
- "time_field": "@timestamp",
- "time_format": "epoch_ms"
- },
- "custom_settings": {
- "custom_urls": [
- {
- "url_name": "Raw Data",
- "time_range": "1h",
- "url_value": "kibana#/discover?_g=(time:(from:'$earliest$',mode:absolute,to:'$latest$'))&_a=(index:'INDEX_PATTERN_ID\u0027,query:(language:lucene,query:\u0027docker.container.id:\u0022$docker.container.id$\u0022 AND process.exe:\u0022$process.exe$\u0022\u0027))"
- },
- {
- "url_name": "Process Explorer",
- "time_range": "1h",
- "url_value": "kibana#/dashboard/ml_auditbeat_docker_process_explorer?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))&_a=(filters:!(),query:(language:lucene,query:\u0027docker.container.id:\u0022$docker.container.id$\u0022\u0027))"
- }
- ]
- }
-}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/dashboard/ml_auditbeat_hosts_process_event_rate.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/dashboard/ml_auditbeat_hosts_process_event_rate.json
deleted file mode 100644
index c964b99032c74..0000000000000
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/dashboard/ml_auditbeat_hosts_process_event_rate.json
+++ /dev/null
@@ -1,12 +0,0 @@ -{ - "title": "ML Auditbeat Hosts: Process Event Rate", - "hits": 0, - "description": "Dashboard to investigate unusual process event rates on a host.", - "panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":14,\"i\":\"1\"},\"id\":\"ml_auditbeat_hosts_process_event_rate_vis\",\"panelIndex\":\"1\",\"type\":\"visualization\",\"version\":\"6.6.0\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":14,\"w\":48,\"h\":15,\"i\":\"2\"},\"id\":\"ml_auditbeat_hosts_process_event_rate_by_process\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.6.0\"},{\"gridData\":{\"x\":0,\"y\":29,\"w\":48,\"h\":20,\"i\":\"3\"},\"version\":\"6.6.0\",\"panelIndex\":\"3\",\"type\":\"search\",\"id\":\"ml_auditbeat_hosts_process_events\",\"embeddableConfig\":{}}]", - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "version": 1, - "timeRestore": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - } -} diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/dashboard/ml_auditbeat_hosts_process_explorer.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/dashboard/ml_auditbeat_hosts_process_explorer.json deleted file mode 100644 index 22f50ca7ea751..0000000000000 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/dashboard/ml_auditbeat_hosts_process_explorer.json +++ /dev/null 
@@ -1,12 +0,0 @@ -{ - "title": "ML Auditbeat Hosts: Process Explorer", - "hits": 0, - "description": "Dashboard to explore processes for a host", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":0,\"w\":25,\"h\":22,\"i\":\"1\"},\"id\":\"ml_auditbeat_hosts_process_occurrence\",\"panelIndex\":\"1\",\"type\":\"visualization\",\"version\":\"6.6.0\"},{\"gridData\":{\"x\":0,\"y\":22,\"w\":48,\"h\":35,\"i\":\"2\"},\"version\":\"6.6.0\",\"panelIndex\":\"2\",\"type\":\"search\",\"id\":\"ml_auditbeat_hosts_process_events\",\"embeddableConfig\":{}},{\"gridData\":{\"x\":25,\"y\":0,\"w\":23,\"h\":22,\"i\":\"3\"},\"version\":\"6.6.0\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"id\":\"ml_auditbeat_hosts_process_event_rate_by_process\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}}}\n]", - "optionsJSON": "{\"hidePanelTitles\": false,\"useMargins\": true\n}", - "version": 1, - "timeRestore": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\": {\"query\": \"\",\"language\": \"lucene\"},\"filter\": []}" - } -} diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/search/ml_auditbeat_hosts_process_events.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/search/ml_auditbeat_hosts_process_events.json deleted file mode 100644 index 09f5a96af2eac..0000000000000 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/search/ml_auditbeat_hosts_process_events.json +++ /dev/null 
@@ -1,16 +0,0 @@ -{ - "title": "ML Auditbeat Hosts: Process Events", - "description": "Auditbeat process events on host machines", - "hits": 0, - "columns": [ - "_source" - ], - "sort": [ - "@timestamp", - "desc" - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"INDEX_PATTERN_ID\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"index\":\"INDEX_PATTERN_ID\",\"negate\":true,\"disabled\":false,\"alias\":null,\"type\":\"exists\",\"key\":\"docker.container.id\",\"value\":\"exists\"},\"exists\":{\"field\":\"docker.container.id\"},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"index\":\"INDEX_PATTERN_ID\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"event.type\",\"value\":\"syscall\",\"params\":{\"query\":\"syscall\",\"type\":\"phrase\"}},\"query\":{\"match\":{\"event.type\":{\"query\":\"syscall\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}" - } -} diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/visualization/ml_auditbeat_hosts_process_event_rate_by_process.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/visualization/ml_auditbeat_hosts_process_event_rate_by_process.json deleted file mode 100644 index bc2cc622d9ddc..0000000000000 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/visualization/ml_auditbeat_hosts_process_event_rate_by_process.json +++ /dev/null 
@@ -1,11 +0,0 @@ -{ - "title": "ML Auditbeat Hosts: Process Event Rate by Process", - "visState": "{\"title\": \"ML Auditbeat Hosts: Event Rate by Process\",\"type\": \"histogram\",\"params\": {\"type\": \"histogram\",\"grid\": {\"categoryLines\": false,\"style\": {\"color\": \"#eee\"}},\"categoryAxes\": [{\"id\": \"CategoryAxis-1\",\"type\": \"category\",\"position\": \"bottom\",\"show\": true,\"style\": {},\"scale\": {\"type\": \"linear\"},\"labels\": {\"show\": true,\"truncate\": 100},\"title\": {}}],\"valueAxes\": [{\"id\": \"ValueAxis-1\",\"name\": \"LeftAxis-1\",\"type\": \"value\",\"position\": \"left\",\"show\": true,\"style\": {},\"scale\": {\"type\": \"linear\",\"mode\": \"normal\"},\"labels\": {\"show\": true,\"rotate\": 0,\"filter\": false,\"truncate\": 100},\"title\": {\"text\": \"Count\"}}],\"seriesParams\": [{\"show\": \"true\",\"type\": \"histogram\",\"mode\": \"stacked\",\"data\": {\"label\": \"Count\",\"id\": \"1\"},\"valueAxis\": \"ValueAxis-1\",\"drawLinesBetweenPoints\": true,\"showCircles\": true}],\"addTooltip\": true,\"addLegend\": true,\"legendPosition\": \"right\",\"times\": [],\"addTimeMarker\": false},\"aggs\": [{\"id\": \"1\",\"enabled\": true,\"type\": \"count\",\"schema\": \"metric\",\"params\": {}},{\"id\": \"2\",\"enabled\": true,\"type\": \"date_histogram\",\"schema\": \"segment\",\"params\": {\"field\": \"@timestamp\",\"useNormalizedEsInterval\": true,\"interval\": \"auto\",\"time_zone\": \"UTC\",\"drop_partials\": false,\"customInterval\": \"2h\",\"min_doc_count\": 1,\"extended_bounds\": {}}},{\"id\": \"3\",\"enabled\": true,\"type\": \"terms\",\"schema\": \"group\",\"params\": {\"field\": \"process.exe\",\"size\": 10,\"order\": \"desc\",\"orderBy\": \"1\",\"otherBucket\": false,\"otherBucketLabel\": \"Other\",\"missingBucket\": false,\"missingBucketLabel\": \"Missing\"}}]}", - "uiStateJSON": "{}", - "description": "", - "savedSearchId": "ml_auditbeat_hosts_process_events", - "version": 1, - "kibanaSavedObjectMeta": { - 
"searchSourceJSON": "{\"query\": {\"query\": \"\",\"language\": \"kuery\"},\"filter\": []}" - } -} diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/visualization/ml_auditbeat_hosts_process_event_rate_vis.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/visualization/ml_auditbeat_hosts_process_event_rate_vis.json deleted file mode 100644 index 126ec4cebc496..0000000000000 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/visualization/ml_auditbeat_hosts_process_event_rate_vis.json +++ /dev/null 
@@ -1,11 +0,0 @@ -{ -"title": "ML Auditbeat Hosts: Process Event Rate", -"visState":"{\"title\":\"ML Auditbeat Hosts: Process Event Rate\",\"type\": \"line\",\"params\": {\"type\": \"line\",\"grid\": {\"categoryLines\": false,\"style\": {\"color\": \"#eee\"}},\"categoryAxes\": [{\"id\": \"CategoryAxis-1\",\"type\": \"category\",\"position\": \"bottom\",\"show\": true,\"style\": {},\"scale\": {\"type\": \"linear\"},\"labels\": {\"show\": true,\"truncate\": 100},\"title\": {}}],\"valueAxes\": [{\"id\": \"ValueAxis-1\",\"name\": \"LeftAxis-1\",\"type\": \"value\",\"position\": \"left\",\"show\": true,\"style\": {},\"scale\": {\"type\": \"linear\",\"mode\": \"normal\"},\"labels\": {\"show\": true,\"rotate\": 0,\"filter\": false,\"truncate\": 100},\"title\": {\"text\": \"Count\"}}],\"seriesParams\": [{\"show\": \"true\",\"type\": \"line\",\"mode\": \"normal\",\"data\": {\"label\": \"Count\",\"id\": \"1\"},\"valueAxis\": \"ValueAxis-1\",\"drawLinesBetweenPoints\": true,\"showCircles\": true}],\"addTooltip\": true,\"addLegend\": true,\"legendPosition\": \"right\",\"times\": [],\"addTimeMarker\": false},\"aggs\": [{\"id\": \"1\",\"enabled\": true,\"type\": \"count\",\"schema\": \"metric\",\"params\": {}},{\"id\": \"2\",\"enabled\": true,\"type\": \"date_histogram\",\"schema\": \"segment\",\"params\": {\"field\": \"@timestamp\",\"useNormalizedEsInterval\": true,\"interval\": \"auto\",\"time_zone\": \"UTC\",\"drop_partials\": false,\"customInterval\": \"2h\",\"min_doc_count\": 1,\"extended_bounds\": {}}},{\"id\": \"3\",\"enabled\": true,\"type\": \"terms\",\"schema\": \"group\",\"params\": {\"field\": \"beat.name\",\"size\": 10,\"order\": \"desc\",\"orderBy\": \"1\",\"otherBucket\": false,\"otherBucketLabel\": \"Other\",\"missingBucket\": false,\"missingBucketLabel\": \"Missing\"}}]}", -"uiStateJSON": "{}", -"description": "", -"savedSearchId": "ml_auditbeat_hosts_process_events", -"version": 1, -"kibanaSavedObjectMeta": { -"searchSourceJSON": "{\"query\": {\"query\": 
\"\",\"language\": \"kuery\"},\"filter\": []}" -} -} diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/visualization/ml_auditbeat_hosts_process_occurrence.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/visualization/ml_auditbeat_hosts_process_occurrence.json deleted file mode 100644 index f74ca609fc8ca..0000000000000 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/kibana/visualization/ml_auditbeat_hosts_process_occurrence.json +++ /dev/null 
@@ -1,10 +0,0 @@ -{ - "title": "ML Auditbeat Hosts: Process Occurrence (experimental)", - "visState": "{\"title\":\"ML Auditbeat Hosts: Process Occurrence\",\"type\":\"vega\",\"params\":{\"spec\":\"{\\n $schema: https://vega.github.io/schema/vega-lite/v2.json\\n mark: {type: \\\"point\\\"}\\n data: {\\n url: {\\n index: \\\"INDEX_PATTERN_NAME\\\"\\n body: {\\n size: 10000\\n query: {\\n bool: {\\n must: [\\n %dashboard_context-must_clause%\\n {\\n exists: {field: \\\"process.exe\\\"}\\n }\\n {\\n function_score: {\\n random_score: {seed: 10, field: \\\"_seq_no\\\"}\\n }\\n }\\n {\\n range: {\\n @timestamp: {\\n %timefilter%: true\\n }\\n }\\n }\\n ]\\n must_not: [\\n \\\"%dashboard_context-must_not_clause%\\\"\\n ]\\n }\\n }\\n script_fields: {\\n process_exe: {\\n script: {source: \\\"params['_source']['process']['exe']\\\"}\\n }\\n }\\n _source: [\\\"@timestamp\\\", \\\"process_exe\\\"]\\n }\\n }\\n format: {property: \\\"hits.hits\\\"}\\n }\\n transform: [\\n {calculate: \\\"toDate(datum._source['@timestamp'])\\\", as: \\\"time\\\"}\\n ]\\n encoding: {\\n x: {\\n field: time\\n type: temporal\\n axis: {labels: true, ticks: true, title: false},\\n timeUnit: utcyearmonthdatehoursminutes\\n }\\n y: {\\n field: fields.process_exe\\n type: ordinal\\n sort: {op: \\\"count\\\", order: \\\"descending\\\"}\\n axis: {labels: true, title: \\\"occurrence of process.exe\\\", ticks: false}\\n }\\n }\\n config: {\\n style: {\\n point: {filled: true}\\n }\\n }\\n}\"},\"aggs\":[]}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": 
"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"index\":\"INDEX_PATTERN_ID\",\"negate\":true,\"disabled\":false,\"alias\":null,\"type\":\"exists\",\"key\":\"docker.container.id\",\"value\":\"exists\"},\"exists\":{\"field\":\"docker.container.id\"},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"index\":\"INDEX_PATTERN_ID\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"event.type\",\"value\":\"syscall\",\"params\":{\"query\":\"syscall\",\"type\":\"phrase\"}},\"query\":{\"match\":{\"event.type\":{\"query\":\"syscall\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}" - } -} diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/logo.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/logo.json deleted file mode 100644 index 8f5e61d1b765c..0000000000000 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/logo.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "src": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgAgMAAAAOFJJnAAAADFBMVEUAAAAAAAABf3X////ZaOWRAAAAAXRSTlMAQObYZgAAAAFiS0dEAxEMTPIAAAAfSURBVBjTYwgNDXVqBBIMcEYAAwNTAwMD60hkYIQGAIQRIolX2EV0AAAAAElFTkSuQmCC", - "height": 32, - "width": 32 -} diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/manifest.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/manifest.json deleted file mode 100644 index 925555511f067..0000000000000 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/manifest.json +++ /dev/null 
@@ -1,80 +0,0 @@
-{
- "id": "auditbeat_process_hosts",
- "title": "Auditbeat Host Processes",
- "description": "Detect unusual processes on hosts",
- "type": "Auditbeat data",
- "logoFile": "logo.json",
- "defaultIndexPattern": "auditbeat-*",
- "query": {
- "bool": {
- "must": [
- {
- "exists": {
- "field": "auditd.summary"
- }
- }
- ],
- "must_not": [
- {
- "exists": {
- "field": "docker.container.id"
- }
- }
- ]
- }
- },
- "jobs": [
- {
- "id": "hosts_high_count_process_events",
- "file": "hosts_high_count_process_events.json"
- },
- {
- "id": "hosts_rare_process_activity",
- "file": "hosts_rare_process_activity.json"
- }
- ],
- "datafeeds": [
- {
- "id": "datafeed-hosts_high_count_process_events",
- "file": "datafeed_hosts_high_count_process_events.json",
- "job_id": "hosts_high_count_process_events"
- },
- {
- "id": "datafeed-hosts_rare_process_activity",
- "file": "datafeed_hosts_rare_process_activity.json",
- "job_id": "hosts_rare_process_activity"
- }
- ],
- "kibana": {
- "dashboard": [
- {
- "id": "ml_auditbeat_hosts_process_event_rate",
- "file": "ml_auditbeat_hosts_process_event_rate.json"
- },
- {
- "id": "ml_auditbeat_hosts_process_explorer",
- "file": "ml_auditbeat_hosts_process_explorer.json"
- }
- ],
- "search": [
- {
- "id": "ml_auditbeat_hosts_process_events",
- "file": "ml_auditbeat_hosts_process_events.json"
- }
- ],
- "visualization": [
- {
- "id": "ml_auditbeat_hosts_process_event_rate_by_process",
- "file": "ml_auditbeat_hosts_process_event_rate_by_process.json"
- },
- {
- "id": "ml_auditbeat_hosts_process_event_rate_vis",
- "file": "ml_auditbeat_hosts_process_event_rate_vis.json"
- },
- {
- "id": "ml_auditbeat_hosts_process_occurrence",
- "file": "ml_auditbeat_hosts_process_occurrence.json"
- }
- ]
- }
-}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/ml/datafeed_hosts_high_count_process_events.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/ml/datafeed_hosts_high_count_process_events.json
deleted file mode 100644
index 111f08784751c..0000000000000
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/ml/datafeed_hosts_high_count_process_events.json
+++ /dev/null
@@ -1,28 +0,0 @@
-{
- "job_id": "JOB_ID",
- "indexes": [
- "INDEX_PATTERN_NAME"
- ],
- "query":{
- "bool": {
- "must":[
- {
- "match": {
- "event.type": "syscall"
- }
- }
- ],
- "must_not": [
- {
- "exists": {
- "field": "docker.container.id"
- }
- }
- ]
- }
- },
- "scroll_size": 1000,
- "chunking_config": {
- "mode": "auto"
- }
-}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/ml/datafeed_hosts_rare_process_activity.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/ml/datafeed_hosts_rare_process_activity.json
deleted file mode 100644
index 3f222f7a0616f..0000000000000
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/ml/datafeed_hosts_rare_process_activity.json
+++ /dev/null
@@ -1,28 +0,0 @@
-{
- "job_id": "JOB_ID",
- "indexes": [
- "INDEX_PATTERN_NAME"
- ],
- "query":{
- "bool": {
- "must":[
- {
- "match": {
- "event.type": "syscall"
- }
- }
- ],
- "must_not": [
- {
- "exists": {
- "field": "docker.container.id"
- }
- }
- ]
- }
-},
- "scroll_size": 1000,
- "chunking_config": {
- "mode": "auto"
- }
-}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/ml/hosts_high_count_process_events.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/ml/hosts_high_count_process_events.json
deleted file mode 100644
index 0ea040a27044d..0000000000000
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/ml/hosts_high_count_process_events.json
+++ /dev/null
@@ -1,41 +0,0 @@
-{
- "job_type": "anomaly_detector",
- "description": "Auditbeat Hosts: Detect Unusual Increases in Host Process Rate",
- "groups": ["auditbeat"],
- "analysis_config": {
- "bucket_span": "1h",
- "detectors": [
- {
- "detector_description": "high_count partitionfield=\"beat.name\"",
- "function": "high_count",
- "partition_field_name": "beat.name"
- }
- ],
- "influencers": [
- "beat.name",
- "process.exe"
- ]
- },
- "analysis_limits": {
- "model_memory_limit": "256mb",
- "categorization_examples_limit": 4
- },
- "data_description": {
- "time_field": "@timestamp",
- "time_format": "epoch_ms"
- },
- "custom_settings": {
- "custom_urls": [
- {
- "url_name": "Raw Data",
- "time_range": "1h",
- "url_value": "kibana#/discover?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))&_a=(index:\u0027INDEX_PATTERN_ID\u0027,query:(language:lucene,query:\u0027beat.name:\u0022$beat.name$\u0022\u0027))"
- },
- {
- "url_name": "Process Rate",
- "time_range": "1h",
- "url_value": "kibana#/dashboard/ml_auditbeat_hosts_process_event_rate?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))&_a=(filters:!(),query:(language:lucene,query:\u0027beat.name:\u0022$beat.name$\u0022\u0027))"
- }
- ]
- }
-}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/ml/hosts_rare_process_activity.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/ml/hosts_rare_process_activity.json
deleted file mode 100644
index ae80bd4632291..0000000000000
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/auditbeat_process_hosts/ml/hosts_rare_process_activity.json
+++ /dev/null
@@ -1,40 +0,0 @@
-{
- "job_type": "anomaly_detector",
- "description": "Auditbeat Hosts: Detect Rare Process Executions on Hosts",
- "groups": ["auditbeat"],
- "analysis_config": {
- "bucket_span": "1h",
- "detectors": [
- {
- "function": "rare",
- "by_field_name": "process.exe",
- "partition_field_name": "beat.name"
- }
- ],
- "influencers": [
- "beat.name",
- "process.exe"
- ]
- },
- "analysis_limits": {
- "model_memory_limit": "256mb"
- },
- "data_description": {
- "time_field": "@timestamp",
- "time_format": "epoch_ms"
- },
- "custom_settings": {
- "custom_urls": [
- {
- "url_name": "Raw Data",
- "time_range": "1h",
- "url_value": "kibana#/discover?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))&_a=(index:\u0027INDEX_PATTERN_ID\u0027,query:(language:lucene,query:\u0027beat.name:\u0022$beat.name$\u0022 AND process.exe:\u0022$process.exe$\u0022\u0027))"
- },
- {
- "url_name": "Process Explorer",
- "time_range": "1h",
- "url_value": "kibana#/dashboard/ml_auditbeat_hosts_process_explorer?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))&_a=(filters:!(),query:(language:lucene,query:\u0027beat.name:\u0022$beat.name$\u0022\u0027))"
- }
- ]
- }
-}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/kibana/dashboard/ML-Nginx-Access-Remote-IP-Count-Explorer.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/kibana/dashboard/ML-Nginx-Access-Remote-IP-Count-Explorer.json
deleted file mode 100644
index dd8f285fcbbdc..0000000000000
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/kibana/dashboard/ML-Nginx-Access-Remote-IP-Count-Explorer.json
+++ /dev/null
@@ -1,13 +0,0 @@ -{ - "hits": 0, - "timeRestore": false, - "description": "", - "title": "ML Nginx Access Remote IP Count Explorer", - "uiStateJSON": "{\"P-3\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-5\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}", - "panelsJSON": "[{\"size_x\":6,\"size_y\":3,\"panelIndex\":1,\"type\":\"visualization\",\"id\":\"ML-Nginx-Access-Remote-IP-Timechart\",\"col\":1,\"row\":1},{\"size_x\":6,\"size_y\":3,\"panelIndex\":2,\"type\":\"visualization\",\"id\":\"ML-Nginx-Access-Response-Code-Timechart\",\"col\":7,\"row\":1},{\"size_x\":6,\"size_y\":3,\"panelIndex\":3,\"type\":\"visualization\",\"id\":\"ML-Nginx-Access-Top-Remote-IPs-Table\",\"col\":1,\"row\":4},{\"size_x\":6,\"size_y\":3,\"panelIndex\":4,\"type\":\"visualization\",\"id\":\"ML-Nginx-Access-Map\",\"col\":7,\"row\":4},{\"size_x\":12,\"size_y\":9,\"panelIndex\":5,\"type\":\"visualization\",\"id\":\"ML-Nginx-Access-Top-URLs-Table\",\"col\":1,\"row\":7}]", - "optionsJSON": "{}", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}],\"highlightAll\":true,\"version\":true}" - } -} diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/kibana/dashboard/ML-Nginx-Remote-IP-URL-Explorer.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/kibana/dashboard/ML-Nginx-Remote-IP-URL-Explorer.json deleted file mode 100644 index 5057502a1ee8e..0000000000000 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/kibana/dashboard/ML-Nginx-Remote-IP-URL-Explorer.json +++ /dev/null 
@@ -1,13 +0,0 @@ -{ - "hits": 0, - "timeRestore": false, - "description": "", - "title": "ML Nginx Access Remote IP URL Explorer", - "uiStateJSON": "{\"P-2\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-3\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-5\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}", - "panelsJSON": "[{\"col\":1,\"id\":\"ML-Nginx-Access-Unique-Count-URL-Timechart\",\"panelIndex\":1,\"row\":1,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"ML-Nginx-Access-Response-Code-Timechart\",\"panelIndex\":2,\"row\":1,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"ML-Nginx-Access-Top-Remote-IPs-Table\",\"panelIndex\":3,\"row\":4,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"ML-Nginx-Access-Map\",\"panelIndex\":4,\"row\":4,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"size_x\":12,\"size_y\":8,\"panelIndex\":5,\"type\":\"visualization\",\"id\":\"ML-Nginx-Access-Top-URLs-Table\",\"col\":1,\"row\":7}]", - "optionsJSON": "{}", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}],\"highlightAll\":true,\"version\":true}" - } -} diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/kibana/search/ML-Filebeat-Nginx-Access.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/kibana/search/ML-Filebeat-Nginx-Access.json deleted file mode 100644 index aac94e802dacc..0000000000000 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/kibana/search/ML-Filebeat-Nginx-Access.json +++ /dev/null 
@@ -1,16 +0,0 @@ -{ - "sort": [ - "@timestamp", - "desc" - ], - "hits": 0, - "description": "Filebeat Nginx Access Data", - "title": "ML Nginx Access Data", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"INDEX_PATTERN_ID\",\"query\":{\"query_string\":{\"query\":\"_exists_:nginx.access\",\"analyze_wildcard\":true}},\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647}}" - }, - "columns": [ - "_source" - ] -} diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/kibana/visualization/ML-Nginx-Access-Map.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/kibana/visualization/ML-Nginx-Access-Map.json deleted file mode 100644 index f341e7f61776d..0000000000000 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/kibana/visualization/ML-Nginx-Access-Map.json +++ /dev/null 
@@ -1,11 +0,0 @@ -{ - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"nginx.access.geoip.location\"},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"listeners\":{},\"params\":{\"addTooltip\":true,\"heatBlur\":15,\"heatMaxZoom\":16,\"heatMinOpacity\":0.1,\"heatNormalizeData\":true,\"heatRadius\":25,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[15,5],\"mapType\":\"Scaled Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"attribution\":\"Maps provided by USGS\",\"format\":\"image/png\",\"layers\":\"0\",\"styles\":\"\",\"transparent\":true,\"version\":\"1.3.0\"},\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\"}},\"title\":\"ML Nginx Access Map\",\"type\":\"tile_map\"}", - "description": "", - "title": "ML Nginx Access Map", - "uiStateJSON": "{\n \"mapCenter\": [\n 12.039320557540572,\n -0.17578125\n ]\n}", - "version": 1, - "savedSearchId": "ML-Filebeat-Nginx-Access", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - } -} \ No newline at end of file diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/kibana/visualization/ML-Nginx-Access-Remote-IP-Timechart.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/kibana/visualization/ML-Nginx-Access-Remote-IP-Timechart.json deleted file mode 100644 index 0635b3ddd5d17..0000000000000 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/kibana/visualization/ML-Nginx-Access-Remote-IP-Timechart.json +++ /dev/null 
@@ -1,11 +0,0 @@ -{ - "visState": "{\"title\":\"ML Nginx Access Remote IP Timechart\",\"type\":\"area\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"@timestamp per 5 minutes\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"value\"}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"nginx.access.remote_ip\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", - "description": "", - "title": "ML Nginx Access Remote IP Timechart", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", - "version": 1, - "savedSearchId": "ML-Filebeat-Nginx-Access", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - } -} \ No newline at end of file 
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/kibana/visualization/ML-Nginx-Access-Response-Code-Timechart.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/kibana/visualization/ML-Nginx-Access-Response-Code-Timechart.json deleted file mode 100644 index 7266db3ea83ee..0000000000000 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/kibana/visualization/ML-Nginx-Access-Response-Code-Timechart.json +++ /dev/null @@ -1,11 +0,0 @@ -{ - "visState": "{\"title\":\"ML Nginx Access Response Code Timechart\",\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"scale\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"nginx.access.response_code\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", - "description": "", - "title": "ML Nginx Access Response Code Timechart", - "uiStateJSON": "{\n \"vis\": {\n \"colors\": {\n \"200\": \"#7EB26D\",\n \"404\": \"#614D93\"\n }\n }\n}", - "version": 1, - "savedSearchId": "ML-Filebeat-Nginx-Access", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - } -} \ No newline at end of file 
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/kibana/visualization/ML-Nginx-Access-Top-Remote-IPs-Table.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/kibana/visualization/ML-Nginx-Access-Top-Remote-IPs-Table.json deleted file mode 100644 index 76a0ab56a9f83..0000000000000 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/kibana/visualization/ML-Nginx-Access-Top-Remote-IPs-Table.json +++ /dev/null @@ -1,11 +0,0 @@ -{ - "visState": "{\"title\":\"ML Nginx Access Top Remote IPs Table\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"nginx.access.remote_ip\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", - "description": "", - "title": "ML Nginx Access Top Remote IPs Table", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "savedSearchId": "ML-Filebeat-Nginx-Access", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - } -} \ No newline at end of file diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/kibana/visualization/ML-Nginx-Access-Top-URLs-Table.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/kibana/visualization/ML-Nginx-Access-Top-URLs-Table.json deleted file mode 100644 index 2071d8a9c092f..0000000000000 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/kibana/visualization/ML-Nginx-Access-Top-URLs-Table.json +++ /dev/null 
@@ -1,11 +0,0 @@ -{ - "visState": "{\"title\":\"ML Nginx Access Top URLs Table\",\"type\":\"table\",\"params\":{\"perPage\":100,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"nginx.access.url\",\"size\":1000,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", - "description": "", - "title": "ML Nginx Access Top URLs Table", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "savedSearchId": "ML-Filebeat-Nginx-Access", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - } -} \ No newline at end of file diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/kibana/visualization/ML-Nginx-Access-Unique-Count-URL-Timechart.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/kibana/visualization/ML-Nginx-Access-Unique-Count-URL-Timechart.json deleted file mode 100644 index d663f45a5ff31..0000000000000 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/kibana/visualization/ML-Nginx-Access-Unique-Count-URL-Timechart.json +++ /dev/null 
@@ -1,11 +0,0 @@ -{ - "visState": "{\"title\":\"ML Nginx Access Unique Count URL Timechart\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per day\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Unique count of nginx.access.url\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Unique count of nginx.access.url\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"nginx.access.url\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", - "description": "", - "title": "ML Nginx Access Unique Count URL Timechart", - "uiStateJSON": "{}", - "version": 1, - "savedSearchId": "ML-Filebeat-Nginx-Access", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - } -} \ No newline at end of file 
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/logo.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/logo.json deleted file mode 100644 index 9372c36cbfa6d..0000000000000 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/logo.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "src": "data:image/png;base64,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", - "height": 25, - "width": 120 -} diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/manifest.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/manifest.json deleted file mode 100644 index 2ba45e0279526..0000000000000 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/manifest.json +++ /dev/null 
@@ -1,132 +0,0 @@
-{
- "id": "nginx",
- "title": "Filebeat NGINX",
- "description": "Find unusual activity in NGINX web access logs.",
- "type": "Web Access Logs",
- "logoFile": "logo.json",
- "defaultIndexPattern": "filebeat-*",
- "query": {
- "bool": {
- "filter": [
- {
- "term": {
- "fileset.module": "nginx"
- }
- },
- {
- "term": {
- "fileset.name": "access"
- }
- },
- {
- "exists": {
- "field": "nginx.access.remote_ip"
- }
- },
- {
- "exists": {
- "field": "nginx.access.url"
- }
- },
- {
- "exists": {
- "field": "nginx.access.response_code"
- }
- }
- ]
- }
- },
- "jobs": [
- {
- "id": "visitor_rate",
- "file": "visitor_rate.json"
- },
- {
- "id": "response_code",
- "file": "response_code.json"
- },
- {
- "id": "remote_ip_url_count",
- "file": "remote_ip_url_count.json"
- },
- {
- "id": "remote_ip_request_rate",
- "file": "remote_ip_request_rate.json"
- },
- {
- "id": "low_request_rate",
- "file": "low_request_rate.json"
- }
- ],
- "datafeeds": [
- {
- "id": "datafeed-visitor_rate",
- "file": "datafeed_visitor_rate.json",
- "job_id": "visitor_rate"
- },
- {
- "id": "datafeed-response_code",
- "file": "datafeed_response_code.json",
- "job_id": "response_code"
- },
- {
- "id": "datafeed-remote_ip_url_count",
- "file": "datafeed_remote_ip_url_count.json",
- "job_id": "remote_ip_url_count"
- },
- {
- "id": "datafeed-remote_ip_request_rate",
- "file": "datafeed_remote_ip_request_rate.json",
- "job_id": "remote_ip_request_rate"
- },
- {
- "id": "datafeed-low_request_rate",
- "file": "datafeed_low_request_rate.json",
- "job_id": "low_request_rate"
- }
- ],
- "kibana": {
- "dashboard": [
- {
- "id": "ML-Nginx-Access-Remote-IP-Count-Explorer",
- "file": "ML-Nginx-Access-Remote-IP-Count-Explorer.json"
- },
- {
- "id": "ML-Nginx-Remote-IP-URL-Explorer",
- "file": "ML-Nginx-Remote-IP-URL-Explorer.json"
- }
- ],
- "search": [
- {
- "id": "ML-Filebeat-Nginx-Access",
- "file": "ML-Filebeat-Nginx-Access.json"
- }
- ],
- "visualization": [
- {
- "id": "ML-Nginx-Access-Map",
- "file": "ML-Nginx-Access-Map.json"
- },
- {
- "id": "ML-Nginx-Access-Remote-IP-Timechart",
- "file": "ML-Nginx-Access-Remote-IP-Timechart.json"
- },
- {
- "id": "ML-Nginx-Access-Response-Code-Timechart",
- "file": "ML-Nginx-Access-Response-Code-Timechart.json"
- },
- {
- "id": "ML-Nginx-Access-Top-Remote-IPs-Table",
- "file": "ML-Nginx-Access-Top-Remote-IPs-Table.json"
- },
- {
- "id": "ML-Nginx-Access-Top-URLs-Table",
- "file": "ML-Nginx-Access-Top-URLs-Table.json"
- },
- {
- "id": "ML-Nginx-Access-Unique-Count-URL-Timechart",
- "file": "ML-Nginx-Access-Unique-Count-URL-Timechart.json"
- }
- ]
- }
-}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/datafeed_low_request_rate.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/datafeed_low_request_rate.json
deleted file mode 100644
index 755514d217a61..0000000000000
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/datafeed_low_request_rate.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "job_id": "JOB_ID",
- "indexes": [
- "INDEX_PATTERN_NAME"
- ],
- "query": {
- "bool": {
- "filter": [
- { "term": { "fileset.module": "nginx" } },
- { "term": { "fileset.name": "access" } }
- ]
- }
- },
- "aggregations": {
- "buckets": {
- "date_histogram": {
- "field": "@timestamp",
- "interval": 900000,
- "offset": 0,
- "order": {
- "_key": "asc"
- },
- "keyed": false,
- "min_doc_count": 0
- },
- "aggregations": {
- "@timestamp": {
- "max": {
- "field": "@timestamp"
- }
- }
- }
- }
- }
-}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/datafeed_remote_ip_request_rate.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/datafeed_remote_ip_request_rate.json
deleted file mode 100644
index cacf7742287cd..0000000000000
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/datafeed_remote_ip_request_rate.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "job_id": "JOB_ID",
- "indexes": [
- "INDEX_PATTERN_NAME"
- ],
- "query": {
- "bool": {
- "filter": [
- { "term": { "fileset.module": "nginx" } },
- { "term": { "fileset.name": "access" } }
- ]
- }
- }
-}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/datafeed_remote_ip_url_count.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/datafeed_remote_ip_url_count.json
deleted file mode 100644
index cacf7742287cd..0000000000000
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/datafeed_remote_ip_url_count.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "job_id": "JOB_ID",
- "indexes": [
- "INDEX_PATTERN_NAME"
- ],
- "query": {
- "bool": {
- "filter": [
- { "term": { "fileset.module": "nginx" } },
- { "term": { "fileset.name": "access" } }
- ]
- }
- }
-}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/datafeed_response_code.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/datafeed_response_code.json
deleted file mode 100644
index cacf7742287cd..0000000000000
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/datafeed_response_code.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "job_id": "JOB_ID",
- "indexes": [
- "INDEX_PATTERN_NAME"
- ],
- "query": {
- "bool": {
- "filter": [
- { "term": { "fileset.module": "nginx" } },
- { "term": { "fileset.name": "access" } }
- ]
- }
- }
-}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/datafeed_visitor_rate.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/datafeed_visitor_rate.json
deleted file mode 100644
index 62163a550f14b..0000000000000
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/datafeed_visitor_rate.json
+++ /dev/null
@@ -1,40 +0,0 @@
-{
- "job_id": "JOB_ID",
- "indexes": [
- "INDEX_PATTERN_NAME"
- ],
- "query": {
- "bool": {
- "filter": [
- { "term": { "fileset.module": "nginx" } },
- { "term": { "fileset.name": "access" } }
- ]
- }
- },
- "aggregations": {
- "buckets": {
- "date_histogram": {
- "field": "@timestamp",
- "interval": 900000,
- "offset": 0,
- "order": {
- "_key": "asc"
- },
- "keyed": false,
- "min_doc_count": 0
- },
- "aggregations": {
- "@timestamp": {
- "max": {
- "field": "@timestamp"
- }
- },
- "dc_remote_ips": {
- "cardinality": {
- "field": "nginx.access.remote_ip"
- }
- }
- }
- }
- }
-}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/low_request_rate.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/low_request_rate.json
deleted file mode 100644
index 2d09ad0d8d206..0000000000000
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/low_request_rate.json
+++ /dev/null
@@ -1,33 +0,0 @@
-{
- "groups": ["nginx"],
- "description": "Nginx Access Logs: Detect low request rate",
- "analysis_config" : {
- "bucket_span": "15m",
- "summary_count_field_name": "doc_count",
- "detectors": [
- {
- "detector_description": "nginx_access_low_request_rate",
- "function": "low_count"
- }
- ],
- "influencers": []
- },
- "analysis_limits": {
- "model_memory_limit": "10mb"
- },
- "data_description": {
- "time_field": "@timestamp",
- "time_format": "epoch_ms"
- },
- "model_plot_config": {
- "enabled": true
- },
- "custom_settings": {
- "custom_urls": [
- {
- "url_name": "Raw Data",
- "url_value": "kibana#/discover/ML-Filebeat-Nginx-Access?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))&_a=(columns:!(_source),filters:!(),index:\u0027INDEX_PATTERN_ID\u0027,interval:auto,query:(query_string:(analyze_wildcard:!t,query:\u0027*\u0027)),sort:!(\u0027@timestamp\u0027,desc))"
- }
- ]
- }
-}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/remote_ip_request_rate.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/remote_ip_request_rate.json
deleted file mode 100644
index 618a5cdd45156..0000000000000
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/remote_ip_request_rate.json
+++ /dev/null
@@ -1,33 +0,0 @@
-{
- "groups": ["nginx"],
- "description": "Nginx Access Logs: Detect unusual remote_ips - high request rates",
- "analysis_config" : {
- "bucket_span": "1h",
- "detectors": [
- {
- "detector_description": "nginx_access_remote_ip_high_count",
- "function": "high_count",
- "over_field_name": "nginx.access.remote_ip"
- }
- ],
- "influencers": [
- "nginx.access.remote_ip"
- ]
- },
- "data_description": {
- "time_field": "@timestamp",
- "time_format": "epoch_ms"
- },
- "custom_settings": {
- "custom_urls": [
- {
- "url_name": "Count Explorer",
- "url_value": "kibana#/dashboard/ML-Nginx-Access-Remote-IP-Count-Explorer?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))&_a=(description:\u0027\u0027,filters:!((\u0027$state\u0027:(store:appState),meta:(alias:!n,disabled:!f,index:\u0027INDEX_PATTERN_ID\u0027,key:nginx.access.remote_ip,negate:!f,type:phrase,value:\u0027$nginx.access.remote_ip$\u0027),query:(match:(nginx.access.remote_ip:(query:\u0027$nginx.access.remote_ip$\u0027,type:phrase))))),query:(query_string:(analyze_wildcard:!t,query:\u0027*\u0027)))"
- },
- {
- "url_name": "Raw Data",
- "url_value": "kibana#/discover/ML-Filebeat-Nginx-Access?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))&_a=(columns:!(_source),filters:!((\u0027$state\u0027:(store:appState),meta:(alias:!n,disabled:!f,index:\u0027INDEX_PATTERN_ID\u0027,key:nginx.access.remote_ip,negate:!f,type:phrase,value:\u0027$nginx.access.remote_ip$\u0027),query:(match:(nginx.access.remote_ip:(query:\u0027$nginx.access.remote_ip$\u0027,type:phrase))))),index:\u0027INDEX_PATTERN_ID\u0027,interval:auto,query:(query_string:(analyze_wildcard:!t,query:\u0027*\u0027)),sort:!(\u0027@timestamp\u0027,desc))"
- }
- ]
- }
-}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/remote_ip_url_count.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/remote_ip_url_count.json
deleted file mode 100644
index 1c4f0e6ff5747..0000000000000
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/remote_ip_url_count.json
+++ /dev/null
@@ -1,34 +0,0 @@
-{
- "groups": ["nginx"],
- "description": "Nginx Access Logs: Detect unusual remote_ips - high distinct count of urls",
- "analysis_config" : {
- "bucket_span": "1h",
- "detectors": [
- {
- "detector_description": "nginx_access_remote_ip_high_dc_url",
- "function": "high_distinct_count",
- "field_name": "nginx.access.url",
- "over_field_name": "nginx.access.remote_ip"
- }
- ],
- "influencers": [
- "nginx.access.remote_ip"
- ]
- },
- "data_description": {
- "time_field": "@timestamp",
- "time_format": "epoch_ms"
- },
- "custom_settings": {
- "custom_urls": [
- {
- "url_name": "URL Explorer",
- "url_value": "kibana#/dashboard/ML-Nginx-Remote-IP-URL-Explorer?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))&_a=(description:\u0027\u0027,filters:!((\u0027$state\u0027:(store:appState),meta:(alias:!n,disabled:!f,index:\u0027INDEX_PATTERN_ID\u0027,key:nginx.access.remote_ip,negate:!f,type:phrase,value:\u0027$nginx.access.remote_ip$\u0027),query:(match:(nginx.access.remote_ip:(query:\u0027$nginx.access.remote_ip$\u0027,type:phrase))))),query:(query_string:(analyze_wildcard:!t,query:\u0027*\u0027)))"
- },
- {
- "url_name": "Raw Data",
- "url_value": "kibana#/discover/ML-Filebeat-Nginx-Access?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))&_a=(columns:!(_source),filters:!((\u0027$state\u0027:(store:appState),meta:(alias:!n,disabled:!f,index:\u0027INDEX_PATTERN_ID\u0027,key:nginx.access.remote_ip,negate:!f,type:phrase,value:\u0027$nginx.access.remote_ip$\u0027),query:(match:(nginx.access.remote_ip:(query:\u0027$nginx.access.remote_ip$\u0027,type:phrase))))),index:\u0027INDEX_PATTERN_ID\u0027,interval:auto,query:(query_string:(analyze_wildcard:!t,query:\u0027*\u0027)),sort:!(\u0027@timestamp\u0027,desc))"
- }
- ]
- }
-}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/response_code.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/response_code.json
deleted file mode 100644
index c076d95aa2c11..0000000000000
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/response_code.json
+++ /dev/null
@@ -1,40 +0,0 @@
-{
- "groups": ["nginx"],
- "description": "Nginx Access Logs: Detect unusual response_code rates",
- "analysis_config" : {
- "bucket_span": "15m",
- "detectors": [
- {
- "detector_description": "nginx_access_response_code_rate",
- "function": "count",
- "partition_field_name": "nginx.access.response_code"
- }
- ],
- "influencers": [
- "nginx.access.response_code",
- "nginx.access.remote_ip"
- ]
- },
- "analysis_limits": {
- "model_memory_limit": "100mb"
- },
- "data_description": {
- "time_field": "@timestamp",
- "time_format": "epoch_ms"
- },
- "model_plot_config": {
- "enabled": true
- },
- "custom_settings": {
- "custom_urls": [
- {
- "url_name": "Count Explorer",
- "url_value": "kibana#/dashboard/ML-Nginx-Access-Remote-IP-Count-Explorer?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))&_a=(description:\u0027\u0027,filters:!((\u0027$state\u0027:(store:appState),meta:(alias:!n,disabled:!f,index:\u0027INDEX_PATTERN_ID\u0027,key:nginx.access.response_code,negate:!f,type:phrase,value:\u0027$nginx.access.response_code$\u0027),query:(match:(nginx.access.response_code:(query:\u0027$nginx.access.response_code$\u0027,type:phrase))))),query:(query_string:(analyze_wildcard:!t,query:\u0027*\u0027)))"
- },
- {
- "url_name": "Raw Data",
- "url_value": "kibana#/discover/ML-Filebeat-Nginx-Access?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))&_a=(columns:!(_source),filters:!((\u0027$state\u0027:(store:appState),meta:(alias:!n,disabled:!f,index:\u0027INDEX_PATTERN_ID\u0027,key:nginx.access.response_code,negate:!f,type:phrase,value:\u0027$nginx.access.response_code$\u0027),query:(match:(nginx.access.response_code:(query:\u0027$nginx.access.response_code$\u0027,type:phrase))))),index:\u0027INDEX_PATTERN_ID\u0027,interval:auto,query:(query_string:(analyze_wildcard:!t,query:\u0027_exists_:nginx.access\u0027)),sort:!(\u0027@timestamp\u0027,desc))"
- }
- ]
- }
-}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/visitor_rate.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/visitor_rate.json
deleted file mode 100644
index a9861accd6e36..0000000000000
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/nginx/ml/visitor_rate.json
+++ /dev/null
@@ -1,33 +0,0 @@
-{
- "groups": ["nginx"],
- "description": "Nginx Access Logs: Detect unusual visitor rate",
- "analysis_config" : {
- "bucket_span": "15m",
- "summary_count_field_name": "dc_remote_ips",
- "detectors": [
- {
- "detector_description": "nginx_access_visitor_rate",
- "function": "non_zero_count"
- }
- ],
- "influencers": []
- },
- "analysis_limits": {
- "model_memory_limit": "10mb"
- },
- "data_description": {
- "time_field": "@timestamp",
- "time_format": "epoch_ms"
- },
- "model_plot_config": {
- "enabled": true
- },
- "custom_settings": {
- "custom_urls": [
- {
- "url_name": "Raw Data",
- "url_value": "kibana#/discover/ML-Filebeat-Nginx-Access?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))&_a=(columns:!(_source),filters:!(),index:\u0027INDEX_PATTERN_ID\u0027,interval:auto,query:(query_string:(analyze_wildcard:!t,query:\u0027*\u0027)),sort:!(\u0027@timestamp\u0027,desc))"
- }
- ]
- }
-}