Merge pull request #129 from JupiterOne/anomaly-detection-beta

APP-13948: Add Device Anomaly Detection Beta board

README.md

@@ -16,6 +16,7 @@ List of dashboards:
 - [Data Breach Cost](src/boards/data-breach-cost/)
 - [Data Protection](src/boards/data-protection/)
 - [Device Management](src/boards/device-management/)
+- [Device Anomaly Detection (Beta)](src/boards/device-anomaly-detection-beta/)
 - [GCP Compute Projects and Instances](src/boards/gcp-compute/)
 - [GCP IAM](src/boards/gcp-iam/)
 - [GDPR Data Locations](src/boards/gdpr-data-locations/)

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jupiterone/insights-dashboards",
-  "version": "4.0.3",
+  "version": "4.1.0",
   "description": "JupiterOne Insights Dashboards",
   "repository": {
     "type": "git",

src/boards/device-anomaly-detection-beta/board.json

@@ -0,0 +1,150 @@
+{
+  "widgets": [
+    {
+      "noResultMessage": "No unified_device entities were found.",
+      "questionId": "da1bee84-6767-4229-a26d-49780bd3af60",
+      "description": "",
+      "id": "50204d5b-dcbf-48fc-8b4d-d923675d5570",
+      "title": "Unified Devices",
+      "type": "number",
+      "config": {
+        "queries": [
+          {
+            "name": "Query 1",
+            "query": "FIND unified_device as d RETURN COUNT(d) as value",
+            "id": "1dacff4e-8cb0-4a64-b8de-1b931b4e056c"
+          }
+        ],
+        "settings": {
+          "number": {
+            "trendDataIsEnabled": true
+          }
+        }
+      }
+    },
+    {
+      "id": "1060bb89-dea7-41bd-b4b1-a43224abee80",
+      "title": "",
+      "type": "markdown",
+      "config": {
+        "queries": [],
+        "settings": {
+          "markdown": {
+            "text": "Welcome to the Device Anomaly Detection Beta!  We appreciate your willingness to give us feedback to help make JupiterOne better for everyone.\n\nThis dashboard highlights the data and insights produced by the anomaly detection system (powered by JupiterOne AI).\nThe system scans the `unified_device` entities in your account, and uses advanced machine learning\nalgorithms to detect anomalies in that data set.  It combines the raw property values with computed properties\nthat augment the data with overall graph context.  When an anomaly is found, it is persisted to the graph as\na `device_anomaly` entity, and related to the `unified_device` entity it describes."
+          }
+        }
+      }
+    },
+    {
+      "noResultMessage": "No anomalies found in your device inventory.",
+      "questionId": "39a1b9f7-a381-40c7-9d37-865a78f4b12f",
+      "description": "",
+      "id": "5438988b-53a0-4c01-985f-45bfe8b6b0ac",
+      "title": "Anomalies Identified",
+      "type": "number",
+      "config": {
+        "queries": [
+          {
+            "name": "Query 1",
+            "query": "FIND device_anomaly as d RETURN COUNT(d) as value",
+            "id": "3ca282cc-d61c-48ba-a80e-c68b571f467a"
+          }
+        ],
+        "settings": {
+          "number": {
+            "trendDataIsEnabled": true
+          }
+        }
+      }
+    },
+    {
+      "description": "This widget sorts the device_anomaly entities by their anomalyScore, which indicates the overall degree of anomalousness.",
+      "id": "4dbda07a-8db1-4e4e-a6d1-ab8bc3bc2759",
+      "title": "Most Anomalous Devices",
+      "type": "table",
+      "config": {
+        "queries": [
+          {
+            "name": "Query 1",
+            "query": "FIND device_anomaly (THAT HAS unified_device as device)? \nRETURN device_anomaly.displayName as anomalyName, device_anomaly.anomalyScore as anomalyScore, device.displayName  as deviceName\nORDER BY device_anomaly.anomalyScore DESC\n"
+          }
+        ],
+        "settings": {
+          "table": {}
+        }
+      }
+    },
+    {
+      "description": "This widget shows the entire graph structure of how the anomaly_detection_assessment relates to the unified_device through a device_anomaly entity.",
+      "id": "5ded0d7e-d2c8-4f04-bb45-8a0ce85e44a4",
+      "title": "Anomaly Detection Assessment",
+      "type": "graph",
+      "config": {
+        "queries": [
+          {
+            "name": "Query 1",
+            "query": "FIND anomaly_detection_assessment\n  THAT IDENTIFIED device_anomaly\n  (THAT HAS unified_device)?\nRETURN TREE"
+          }
+        ],
+        "settings": {
+          "graph": {
+            "graphViewType": "tree_horizontal"
+          }
+        }
+      }
+    }
+  ],
+  "layouts": {
+    "sm": [],
+    "xs": [],
+    "lg": [
+      {
+        "static": false,
+        "w": 3,
+        "moved": false,
+        "h": 3,
+        "x": 3,
+        "y": 2,
+        "i": "50204d5b-dcbf-48fc-8b4d-d923675d5570"
+      },
+      {
+        "static": false,
+        "w": 12,
+        "moved": false,
+        "h": 2,
+        "x": 0,
+        "y": 0,
+        "i": "1060bb89-dea7-41bd-b4b1-a43224abee80"
+      },
+      {
+        "static": false,
+        "w": 3,
+        "moved": false,
+        "h": 3,
+        "x": 0,
+        "y": 2,
+        "i": "5438988b-53a0-4c01-985f-45bfe8b6b0ac"
+      },
+      {
+        "static": false,
+        "w": 12,
+        "moved": false,
+        "h": 3,
+        "x": 0,
+        "y": 5,
+        "i": "4dbda07a-8db1-4e4e-a6d1-ab8bc3bc2759"
+      },
+      {
+        "static": false,
+        "w": 6,
+        "moved": false,
+        "h": 3,
+        "x": 6,
+        "y": 2,
+        "i": "5ded0d7e-d2c8-4f04-bb45-8a0ce85e44a4"
+      }
+    ],
+    "xl": [],
+    "md": []
+  }
+}

src/boards/device-anomaly-detection-beta/readme.md

@@ -0,0 +1,20 @@
+---
+Publisher: JupiterOne
+---
+
+# Device Anomaly Detection (Beta)
+
+![sample-screenshot](board.png)
+
+Insight dashboard that shows off the Anomaly Detection functionality
+for Device data (currently in Beta).
+
+List of prerequisites: Requires the user to be a part of the Device Management Anomaly
+Detection Early Access Program (EAP). Requires at least an MDM (Device Management), EDR (Device
+Agent/Scanning), or Cloud Service Provider integration; Ideally utilizes all of
+the above plus an integration with an Identity Provider.
+
+> Prerequisites:
+>
+> Requires at least an MDM (Device Management), EDR (Device Agent/Scanning), or Cloud Service Provider integration
+> Ideally utilizes all of the above plus an integration with an Identity Provider.

src/index.ts

@@ -10,7 +10,7 @@ import softwareDependenciesAndLicenses from "./boards/software-dependencies-and-
 import criticalAttackSurface from "./boards/critical-attack-surface/board.json";
 import dataBreachCost from "./boards/data-breach-cost/board.json";
 import dataProtection from "./boards/data-protection/board.json";
-import deviceManagement from './boards/device-management/board.json';
+import deviceManagement from "./boards/device-management/board.json";
 import secureDevelopment from "./boards/secure-development/board.json";
 import firewall from "./boards/network-security/board.json";
 import gcpCompute from "./boards/gcp-compute/board.json";
@@ -35,7 +35,8 @@ import userEndpoints from "./boards/user-endpoints/board.json";
 import userTraining from "./boards/user-training/board.json";
 import vendorMgmt from "./boards/vendor-mgmt/board.json";
 import vulnReporting from "./boards/vuln-reporting/board.json";
-import povInsights from "./boards/pov-insights/board.json"
+import povInsights from "./boards/pov-insights/board.json";
+import anomalyDetectionBeta from "./boards/device-anomaly-detection-beta/board.json";
 
 // All of these boards are available as templates for import when creating a new board in app
 export const InsightsDashboards = {
@@ -50,7 +51,7 @@ export const InsightsDashboards = {
   "CrowdStrike and JAMF Comparison": jamfCrowdStrike,
   "Data Breach Cost": dataBreachCost,
   "Data Protection": dataProtection,
-  'Device Management': deviceManagement,
+  "Device Management": deviceManagement,
   "GCP Compute": gcpCompute,
   "GCP IAM": gcpIam,
   "GDPR Data Locations": gdprDataLocations,
@@ -179,6 +180,12 @@ export const MANAGED_BOARDS = [
     category: BoardCategory.CLOUD_POSTURE,
     ...azureResources,
   },
+  {
+    id: "device-anomaly-detection-beta",
+    name: "Device Anomaly Detection (Beta)",
+    category: BoardCategory.ASSETS_ATTACK_SURFACE,
+    ...anomalyDetectionBeta,
+  },
   {
     id: "gcp-compute",
     name: "GCP Compute",