diff --git a/packages/apache_tomcat/_dev/build/docs/README.md b/packages/apache_tomcat/_dev/build/docs/README.md index 3afbd6b3307f..e5259832c0ca 100644 --- a/packages/apache_tomcat/_dev/build/docs/README.md +++ b/packages/apache_tomcat/_dev/build/docs/README.md @@ -6,7 +6,7 @@ Use the Apache Tomcat integration to: -- Collect metrics related to the cache, request and session and collect logs related to access, catalina, and localhost. +- Collect metrics related to the cache, memory, request and session and collect logs related to access, catalina, and localhost. - Create visualizations to monitor, measure and analyze the usage trend and key data, and derive business insights. - Create alerts to reduce the MTTD and also the MTTR by referencing relevant logs when troubleshooting an issue. 
@@ -16,13 +16,14 @@ The Apache Tomcat integration collects logs and metrics data. Logs help you keep a record of events that happen on your machine. The `Log` data streams collected by Apache Tomcat integration are `access`, `catalina`, and `localhost`, so that users can keep track of the IP addresses of the clients, bytes returned to the client or sent by clients, etc., so that users could monitor and troubleshoot the performance of Java applications. -Metrics give you insight into the statistics of the Apache Tomcat. The `Metric` data streams collected by the Apache Tomcat integration are `cache`, `request` and `session`, so that the user can monitor and troubleshoot the performance of the Apache Tomcat instance. +Metrics give you insight into the statistics of the Apache Tomcat. The `Metric` data streams collected by the Apache Tomcat integration are `cache`, `memory`, `request` and `session`, so that the user can monitor and troubleshoot the performance of the Apache Tomcat instance. Data streams: - `access`: Collects information related to overall performance of Java applications. - `cache`: Collects information related to the overall cache of the Apache Tomcat instance. - `catalina`: Collects information related to the startup and shutdown of the Apache Tomcat application server, the deployment of new applications, or the failure of one or more subsystems. - `localhost`: Collects information related to Web application activity which is related to HTTP transactions between the application server and the client. +- `memory`: Collects information related to heap memory, non-heap memory and garbage collection of the Tomcat instance. - `request`: Collects information related to requests of the Apache Tomcat instance. - `session`: Collects information related to overall created, active and expired sessions of the Tomcat instance. 
@@ -166,6 +167,14 @@ This is the `Cache` data stream. This data stream collects metrics related to th {{fields "cache"}} +### Memory + +This is the `memory` data stream. This data stream collects metrics related to the heap memory, non-heap memory, garbage collection time and count. + +{{event "memory"}} + +{{fields "memory"}} + ### Request This is the `Request` data stream. This data stream collects metrics related to request count, and amount of data received and sent. diff --git a/packages/apache_tomcat/changelog.yml b/packages/apache_tomcat/changelog.yml index af541abc15b8..c674a1a587bd 100644 --- a/packages/apache_tomcat/changelog.yml +++ b/packages/apache_tomcat/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.9.0" + changes: + - description: Apache Tomcat integration package with "memory" data stream. + type: enhancement + link: https://github.com/elastic/integrations/pull/6527 - version: "0.8.0" changes: - description: Update the processor description link. diff --git a/packages/apache_tomcat/data_stream/memory/_dev/test/pipeline/test-common-config.yml b/packages/apache_tomcat/data_stream/memory/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 000000000000..c39dc386179b --- /dev/null +++ b/packages/apache_tomcat/data_stream/memory/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,2 @@ +dynamic_fields: + event.ingested: ".*" diff --git a/packages/apache_tomcat/data_stream/memory/_dev/test/pipeline/test-gc-metrics.json b/packages/apache_tomcat/data_stream/memory/_dev/test/pipeline/test-gc-metrics.json new file mode 100644 index 000000000000..e9d7c55be776 --- /dev/null +++ b/packages/apache_tomcat/data_stream/memory/_dev/test/pipeline/test-gc-metrics.json 
@@ -0,0 +1,19 @@ +{ + "events": [ + { + "prometheus": { + "labels": { + "host": "localhost", + "name": "GarbageCollector", + "instance": "127.0.0.1:9090", + "job": "prometheus" + }, + "metrics": { + "java_lang_G1_Old_Generation_CollectionCount": 0, + "java_lang_G1_Old_Generation_Valid": 1, + "java_lang_G1_Old_Generation_CollectionTime": 0 + } + } + } + ] +} \ No newline at end of file diff --git a/packages/apache_tomcat/data_stream/memory/_dev/test/pipeline/test-gc-metrics.json-expected.json b/packages/apache_tomcat/data_stream/memory/_dev/test/pipeline/test-gc-metrics.json-expected.json new file mode 100644 index 000000000000..1f5b0cab2b22 --- /dev/null +++ b/packages/apache_tomcat/data_stream/memory/_dev/test/pipeline/test-gc-metrics.json-expected.json @@ -0,0 +1,33 @@ +{ + "expected": [ + { + "apache_tomcat": { + "memory": { + "doc_type": "gc", + "gc": { + "collection": { + "count": 0, + "time": { + "ms": 0 + } + }, + "valid": 1 + } + } + }, + "ecs": { + "version": "8.7.0" + }, + "event": { + "category": [ + "web" + ], + "kind": "metric", + "module": "apache_tomcat", + "type": [ + "info" + ] + } + } + ] +} \ No newline at end of file diff --git a/packages/apache_tomcat/data_stream/memory/_dev/test/pipeline/test-memory-metrics.json b/packages/apache_tomcat/data_stream/memory/_dev/test/pipeline/test-memory-metrics.json new file mode 100644 index 000000000000..6a747d2efe50 --- /dev/null +++ b/packages/apache_tomcat/data_stream/memory/_dev/test/pipeline/test-memory-metrics.json 
@@ -0,0 +1,26 @@ +{ + "events": [ + { + "prometheus": { + "labels": { + "host": "localhost", + "name": "Memory", + "instance": "127.0.0.1:9090", + "job": "prometheus" + }, + "metrics": { + "java_lang_Memory_ObjectPendingFinalizationCount": 0, + "java_lang_Memory_HeapMemoryUsage_used": 4.5216344e+07, + "java_lang_Memory_NonHeapMemoryUsage_used": 3.6318104e+07, + "java_lang_Memory_Verbose": 1, + "java_lang_Memory_NonHeapMemoryUsage_init": 7.667712e+06, + "java_lang_Memory_HeapMemoryUsage_committed": 5.38968064e+08, + "java_lang_Memory_NonHeapMemoryUsage_max": -1, + "java_lang_Memory_HeapMemoryUsage_max": 1.073741824e+09, + "java_lang_Memory_HeapMemoryUsage_init": 5.36870912e+08, + "java_lang_Memory_NonHeapMemoryUsage_committed": 3.9518208e+07 + } + } + } + ] +} \ No newline at end of file diff --git a/packages/apache_tomcat/data_stream/memory/_dev/test/pipeline/test-memory-metrics.json-expected.json b/packages/apache_tomcat/data_stream/memory/_dev/test/pipeline/test-memory-metrics.json-expected.json new file mode 100644 index 000000000000..4659bd299cee --- /dev/null +++ b/packages/apache_tomcat/data_stream/memory/_dev/test/pipeline/test-memory-metrics.json-expected.json @@ -0,0 +1,56 @@ +{ + "expected": [ + { + "apache_tomcat": { + "memory": { + "doc_type": "memory", + "heap": { + "committed": { + "bytes": 5.38968064E8 + }, + "init": { + "bytes": 5.36870912E8 + }, + "max": { + "bytes": 1.073741824E9 + }, + "used": { + "bytes": 4.5216344E7 + } + }, + "non_heap": { + "committed": { + "bytes": 3.9518208E7 + }, + "init": { + "bytes": 7667712.0 + }, + "max": { + "bytes": -1 + }, + "used": { + "bytes": 3.6318104E7 + } + }, + "object_pending_finalization": { + "count": 0 + }, + "verbose": true + } + }, + "ecs": { + "version": "8.7.0" + }, + "event": { + "category": [ + "web" + ], + "kind": "metric", + "module": "apache_tomcat", + "type": [ + "info" + ] + } + } + ] +} \ No newline at end of file 
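Review bot: The two pipeline fixtures (this one and test-gc-metrics.json) only exercise the happy path: `java_lang_Memory_Verbose` is `1` here, so the `== 0` branch of the `verbose` set processors in the pipeline's default.yml, and the case where a document carries neither heap nor gc metrics (no `doc_type` set), are never checked. A fixture event with `"java_lang_Memory_Verbose": 0` and one with only `java_lang_Memory_ObjectPendingFinalizationCount` would pin both branches and catch a regression in the conditions. The expected output renders the byte values in Java double notation (`5.38968064E8`) while the sample event shows plain integers; that is a consequence of the `double` field type rather than a fixture problem, but worth knowing when reading the expected file.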
diff --git a/packages/apache_tomcat/data_stream/memory/_dev/test/system/test-default-config.yml b/packages/apache_tomcat/data_stream/memory/_dev/test/system/test-default-config.yml
new file mode 100644
index 000000000000..a6a09ba07dec
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/memory/_dev/test/system/test-default-config.yml
@@ -0,0 +1,4 @@
+vars:
+ hosts:
+ - http://{{Hostname}}:{{Port}}/metrics
+input: prometheus/metrics
diff --git a/packages/apache_tomcat/data_stream/memory/agent/stream/stream.yml.hbs b/packages/apache_tomcat/data_stream/memory/agent/stream/stream.yml.hbs
new file mode 100644
index 000000000000..d34597278ee8
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/memory/agent/stream/stream.yml.hbs
@@ -0,0 +1,28 @@
+metricsets: ["collector"]
+hosts:
+{{#each hosts}}
+ - {{this}}
+{{/each}}
+metrics_filters:
+ include: ["java_lang_Memory_*","java_lang_G1_Old_Generation_*"]
+period: {{period}}
+{{#if username}}
+username: "{{username}}"
+{{/if}}
+{{#if password}}
+password: "{{password}}"
+{{/if}}
+{{#if ssl}}
+{{ssl}}
+{{/if}}
+tags:
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/apache_tomcat/data_stream/memory/elasticsearch/ingest_pipeline/default.yml b/packages/apache_tomcat/data_stream/memory/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 000000000000..b7c859d90a91
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/memory/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,111 @@ +--- +description: Pipeline for processing Apache Tomcat Memory metrics. +processors: + - set: + field: ecs.version + value: 8.7.0 + - set: + field: event.kind + value: metric + - set: + field: event.module + value: apache_tomcat + - set: + field: event.type + value: [info] + - set: + field: event.category + value: [web] + - set: + field: apache_tomcat.memory.verbose + value: true + if: ctx.prometheus?.metrics?.java_lang_Memory_Verbose == 1 + - set: + field: apache_tomcat.memory.verbose + value: false + if: ctx.prometheus?.metrics?.java_lang_Memory_Verbose == 0 + - rename: + field: prometheus.metrics.java_lang_Memory_HeapMemoryUsage_max + target_field: apache_tomcat.memory.heap.max.bytes + ignore_missing: true + - rename: + field: prometheus.metrics.java_lang_Memory_HeapMemoryUsage_init + target_field: apache_tomcat.memory.heap.init.bytes + ignore_missing: true + - rename: + field: prometheus.metrics.java_lang_Memory_HeapMemoryUsage_used + target_field: apache_tomcat.memory.heap.used.bytes + ignore_missing: true + - rename: + field: prometheus.metrics.java_lang_Memory_HeapMemoryUsage_committed + target_field: apache_tomcat.memory.heap.committed.bytes + ignore_missing: true + - rename: + field: prometheus.metrics.java_lang_Memory_NonHeapMemoryUsage_max + target_field: apache_tomcat.memory.non_heap.max.bytes + ignore_missing: true + - rename: + field: prometheus.metrics.java_lang_Memory_NonHeapMemoryUsage_init + target_field: apache_tomcat.memory.non_heap.init.bytes + ignore_missing: true + - rename: + field: prometheus.metrics.java_lang_Memory_NonHeapMemoryUsage_used + target_field: apache_tomcat.memory.non_heap.used.bytes + ignore_missing: true + - rename: + field: prometheus.metrics.java_lang_Memory_NonHeapMemoryUsage_committed + target_field: apache_tomcat.memory.non_heap.committed.bytes + ignore_missing: true + - rename: + field: prometheus.metrics.java_lang_Memory_ObjectPendingFinalizationCount + target_field: 
apache_tomcat.memory.object_pending_finalization.count + ignore_missing: true + - rename: + field: prometheus.metrics.java_lang_G1_Old_Generation_CollectionCount + target_field: apache_tomcat.memory.gc.collection.count + ignore_missing: true + - rename: + field: prometheus.metrics.java_lang_G1_Old_Generation_CollectionTime + target_field: apache_tomcat.memory.gc.collection.time.ms + ignore_missing: true + - rename: + field: prometheus.metrics.java_lang_G1_Old_Generation_Valid + target_field: apache_tomcat.memory.gc.valid + ignore_missing: true + - set: + field: apache_tomcat.memory.doc_type + value: memory + if: ctx.apache_tomcat?.memory?.heap != null || ctx.apache_tomcat?.memory?.non_heap != null + - set: + field: apache_tomcat.memory.doc_type + value: gc + if: ctx.apache_tomcat?.memory?.gc != null + - remove: + field: + - prometheus + ignore_missing: true + - script: + description: Drops null/empty values recursively. + lang: painless + source: | + boolean drop(Object o) { + if (o == null || o == "") { + return true; + } else if (o instanceof Map) { + ((Map) o).values().removeIf(v -> drop(v)); + return (((Map) o).size() == 0); + } else if (o instanceof List) { + ((List) o).removeIf(v -> drop(v)); + return (((List) o).length == 0); + } + return false; + } + drop(ctx); +on_failure: + - set: + field: error.message + value: "{{{_ingest.on_failure_message}}}" + - append: + field: event.kind + value: pipeline_error + allow_duplicates: false \ No newline at end of file diff --git a/packages/apache_tomcat/data_stream/memory/fields/base-fields.yml b/packages/apache_tomcat/data_stream/memory/fields/base-fields.yml new file mode 100644 index 000000000000..909e7ff859a7 --- /dev/null +++ b/packages/apache_tomcat/data_stream/memory/fields/base-fields.yml 
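Review bot: The GC renames handle only `java_lang_G1_Old_Generation_*`, and `metrics_filters.include` in stream.yml.hbs is restricted to the same prefix, so a Tomcat JVM running a different collector (or the G1 young-generation bean) yields memory documents but never a `gc` document, with nothing in the event explaining why. If that scope is intentional, say so where a reader will look, e.g. `description: Pipeline for processing Apache Tomcat Memory metrics (GC metrics cover the G1 Old Generation collector only).` here and the same sentence on the `gc` group in fields.yml. `java_lang_G1_Old_Generation_Valid` is a 0/1 JMX boolean exactly like `java_lang_Memory_Verbose`, yet only the latter is turned into a boolean; mirroring the two conditional `set` processors for `apache_tomcat.memory.gc.valid` (and typing it `boolean` in fields.yml) would give both fields the same shape. The `doc_type: memory` condition keys on `heap`/`non_heap` only, so a document carrying just `object_pending_finalization`/`verbose` would have no `doc_type`, the dimension that tells the two document kinds apart under `index_mode: time_series` — likely unreachable with the JMX exporter, but cheap to include in the condition.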
@@ -0,0 +1,15 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: tags
+ type: keyword
+ description: List of keywords used to tag each event.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/apache_tomcat/data_stream/memory/fields/ecs.yml b/packages/apache_tomcat/data_stream/memory/fields/ecs.yml
new file mode 100644
index 000000000000..034a05db03d1
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/memory/fields/ecs.yml
@@ -0,0 +1,39 @@
+- external: ecs
+ name: agent.id
+ dimension: true
+- external: ecs
+ name: cloud.account.id
+ dimension: true
+- external: ecs
+ name: cloud.availability_zone
+ dimension: true
+- external: ecs
+ name: cloud.instance.id
+ dimension: true
+- external: ecs
+ name: cloud.provider
+ dimension: true
+- external: ecs
+ name: cloud.region
+ dimension: true
+- external: ecs
+ name: container.id
+ dimension: true
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.type
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.module
+- external: ecs
+ name: host.name
+ dimension: true
+- external: ecs
+ name: service.address
+ dimension: true
diff --git a/packages/apache_tomcat/data_stream/memory/fields/fields.yml b/packages/apache_tomcat/data_stream/memory/fields/fields.yml
new file mode 100644
index 000000000000..34c24ebf69f3
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/memory/fields/fields.yml
@@ -0,0 +1,82 @@ +- name: apache_tomcat + type: group + fields: + - name: memory + type: group + fields: + - name: doc_type + type: keyword + description: Document type of the event. This should be either "memory" or "gc". + dimension: true + - name: gc + type: group + fields: + - name: collection + type: group + fields: + - name: count + type: long + description: The cumulative number of invoked garbage collections since the start of the server. + metric_type: counter + - name: time.ms + type: long + description: The time (in milliseconds) taken by garbage collection during the collection interval. + metric_type: gauge + unit: ms + - name: valid + type: long + description: The garbage collection process in G1 is considered valid even if the old GC JMX counter remains at 0 while old space is gradually reclaimed by the young collections. + metric_type: gauge + - name: heap + type: group + fields: + - name: committed.bytes + type: double + description: Committed heap memory usage. + metric_type: gauge + unit: byte + - name: init.bytes + type: double + description: Initial heap memory usage. + metric_type: gauge + unit: byte + - name: max.bytes + type: double + description: Max heap memory usage. When the value for the maximum memory size (in bytes) is set to -1 for heap memory configurations, it indicates that the user has not specified a predefined size for the memory allocation. + metric_type: gauge + unit: byte + - name: used.bytes + type: double + description: Used heap memory usage. + metric_type: gauge + unit: byte + - name: non_heap + type: group + fields: + - name: committed.bytes + type: double + description: Committed non-heap memory usage. + metric_type: gauge + unit: byte + - name: init.bytes + type: double + description: Initial non-heap memory usage. + metric_type: gauge + unit: byte + - name: max.bytes + type: double + description: Max non-heap memory usage. 
When the value for the maximum memory size (in bytes) is set to -1 for non-heap memory configurations, it indicates that the user has not specified a predefined size for the memory allocation. + metric_type: gauge + unit: byte + - name: used.bytes + type: double + description: Used non-heap memory usage. + metric_type: gauge + unit: byte + - name: object_pending_finalization.count + type: double + description: Count of object pending finalization. + metric_type: gauge + - name: verbose + type: boolean + description: When set to true, will cause the memory manager to print messages to the console whenever it performs certain memory-related operations.(1.0-true, 0.0-false). diff --git a/packages/apache_tomcat/data_stream/memory/manifest.yml b/packages/apache_tomcat/data_stream/memory/manifest.yml new file mode 100644 index 000000000000..f17b8cd648ef --- /dev/null +++ b/packages/apache_tomcat/data_stream/memory/manifest.yml @@ -0,0 +1,33 @@ +type: metrics +title: Apache Tomcat Memory metrics +streams: + - input: prometheus/metrics + vars: + - name: period + type: text + title: Period + required: true + default: 10s + show_user: true + description: Period of fetching metrics, i.e. 1s/1m/1h. + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - apache_tomcat-memory + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details. + template_path: stream.yml.hbs + title: Apache Tomcat Memory metrics + description: Collect Apache Tomcat Memory and Garbage collection metrics. +elasticsearch: + index_mode: "time_series" 
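Review bot: `gc.collection.time.ms` is documented as time taken "during the collection interval" and tagged `metric_type: gauge`, but the pipeline renames `java_lang_G1_Old_Generation_CollectionTime` without computing a delta, and the JMX GarbageCollectorMXBean exposes CollectionTime as an accumulated total, so the field is presumably cumulative like `collection.count` (confirm against the exporter's output) and would read `metric_type: counter` with `description: The cumulative time (in milliseconds) spent in garbage collection since the start of the server.`. `object_pending_finalization.count` is `type: double` while the sibling `gc.collection.count` is `long`, and both the sample event and the test fixture show an integer, so `type: long` keeps the counts consistent. The `gc.valid` description explains when G1 is "considered valid" rather than what the value holds; `Whether the G1 Old Generation collector's JMX bean reports itself as valid (1) or not (0).` says what a reader will actually see. The `verbose` description's `(1.0-true, 0.0-false)` refers to the raw Prometheus value, not the boolean the pipeline emits, and can be dropped.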
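Review bot: The `processors` var description says the processors run "before the logs are parsed", which is copied from the log streams; this is a metrics stream, so `This executes in the agent before the metrics are sent.` reads correctly. stream.yml.hbs interpolates `username`, `password` and `ssl`, none of which is declared in this manifest's `vars`; presumably they are package-level variables shared with the other metric streams, which is worth confirming, because an undeclared variable simply fails the `{{#if}}` guard and the stream would scrape the endpoint without authentication or TLS settings rather than erroring. The `tags` var is `required: true` with `show_user: false`, which is the usual pattern, but a one-line `description:` on it would make the stream's vars consistently documented.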
diff --git a/packages/apache_tomcat/data_stream/memory/sample_event.json b/packages/apache_tomcat/data_stream/memory/sample_event.json
new file mode 100644
index 000000000000..4c62be69ed01
--- /dev/null
+++ b/packages/apache_tomcat/data_stream/memory/sample_event.json
@@ -0,0 +1,108 @@ +{ + "@timestamp": "2023-07-11T13:20:12.035Z", + "agent": { + "ephemeral_id": "d25b802e-38e7-44c1-82d3-ef14a3522214", + "id": "fe5945f5-4d47-4726-8da8-5f694a655519", + "name": "docker-fleet-agent", + "type": "metricbeat", + "version": "8.8.0" + }, + "apache_tomcat": { + "memory": { + "doc_type": "memory", + "heap": { + "committed": { + "bytes": 77594624 + }, + "init": { + "bytes": 195035136 + }, + "max": { + "bytes": 3103784960 + }, + "used": { + "bytes": 35204712 + } + }, + "non_heap": { + "committed": { + "bytes": 44695552 + }, + "init": { + "bytes": 7667712 + }, + "max": { + "bytes": -1 + }, + "used": { + "bytes": 42286456 + } + }, + "object_pending_finalization": { + "count": 0 + }, + "verbose": false + } + }, + "data_stream": { + "dataset": "apache_tomcat.memory", + "namespace": "ep", + "type": "metrics" + }, + "ecs": { + "version": "8.7.0" + }, + "elastic_agent": { + "id": "fe5945f5-4d47-4726-8da8-5f694a655519", + "snapshot": false, + "version": "8.8.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "web" + ], + "dataset": "apache_tomcat.memory", + "duration": 281008420, + "ingested": "2023-07-11T13:20:15Z", + "kind": "metric", + "module": "apache_tomcat", + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "docker-fleet-agent", + "id": "e8978f2086c14e13b7a0af9ed0011d19", + "ip": [ + "192.168.64.7" + ], + "mac": [ + "02-42-C0-A8-40-07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "3.10.0-1160.90.1.el7.x86_64", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.6 LTS (Focal Fossa)" + } + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "service": { + "address": "http://elastic-package-service_apache_tomcat_1:9090/metrics", + "type": "prometheus" + }, + "tags": [ + "apache_tomcat-memory", + "forwarded" + ] +} \ No newline at end of file 
diff --git a/packages/apache_tomcat/docs/README.md b/packages/apache_tomcat/docs/README.md index 46bc4a5d174d..c33ab7c5232b 100644 --- a/packages/apache_tomcat/docs/README.md +++ b/packages/apache_tomcat/docs/README.md @@ -6,7 +6,7 @@ Use the Apache Tomcat integration to: -- Collect metrics related to the cache, request and session and collect logs related to access, catalina, and localhost. +- Collect metrics related to the cache, memory, request and session and collect logs related to access, catalina, and localhost. - Create visualizations to monitor, measure and analyze the usage trend and key data, and derive business insights. - Create alerts to reduce the MTTD and also the MTTR by referencing relevant logs when troubleshooting an issue. 
@@ -16,13 +16,14 @@ The Apache Tomcat integration collects logs and metrics data. Logs help you keep a record of events that happen on your machine. The `Log` data streams collected by Apache Tomcat integration are `access`, `catalina`, and `localhost`, so that users can keep track of the IP addresses of the clients, bytes returned to the client or sent by clients, etc., so that users could monitor and troubleshoot the performance of Java applications. -Metrics give you insight into the statistics of the Apache Tomcat. The `Metric` data streams collected by the Apache Tomcat integration are `cache`, `request` and `session`, so that the user can monitor and troubleshoot the performance of the Apache Tomcat instance. +Metrics give you insight into the statistics of the Apache Tomcat. The `Metric` data streams collected by the Apache Tomcat integration are `cache`, `memory`, `request` and `session`, so that the user can monitor and troubleshoot the performance of the Apache Tomcat instance. Data streams: - `access`: Collects information related to overall performance of Java applications. - `cache`: Collects information related to the overall cache of the Apache Tomcat instance. - `catalina`: Collects information related to the startup and shutdown of the Apache Tomcat application server, the deployment of new applications, or the failure of one or more subsystems. - `localhost`: Collects information related to Web application activity which is related to HTTP transactions between the application server and the client. +- `memory`: Collects information related to heap memory, non-heap memory and garbage collection of the Tomcat instance. - `request`: Collects information related to requests of the Apache Tomcat instance. - `session`: Collects information related to overall created, active and expired sessions of the Tomcat instance. 
@@ -603,6 +604,163 @@ An example event for `cache` looks as following: | tags | List of keywords used to tag each event. | keyword | | | +### Memory + +This is the `memory` data stream. This data stream collects metrics related to the heap memory, non-heap memory, garbage collection time and count. + +An example event for `memory` looks as following: + +```json +{ + "@timestamp": "2023-07-11T13:20:12.035Z", + "agent": { + "ephemeral_id": "d25b802e-38e7-44c1-82d3-ef14a3522214", + "id": "fe5945f5-4d47-4726-8da8-5f694a655519", + "name": "docker-fleet-agent", + "type": "metricbeat", + "version": "8.8.0" + }, + "apache_tomcat": { + "memory": { + "doc_type": "memory", + "heap": { + "committed": { + "bytes": 77594624 + }, + "init": { + "bytes": 195035136 + }, + "max": { + "bytes": 3103784960 + }, + "used": { + "bytes": 35204712 + } + }, + "non_heap": { + "committed": { + "bytes": 44695552 + }, + "init": { + "bytes": 7667712 + }, + "max": { + "bytes": -1 + }, + "used": { + "bytes": 42286456 + } + }, + "object_pending_finalization": { + "count": 0 + }, + "verbose": false + } + }, + "data_stream": { + "dataset": "apache_tomcat.memory", + "namespace": "ep", + "type": "metrics" + }, + "ecs": { + "version": "8.7.0" + }, + "elastic_agent": { + "id": "fe5945f5-4d47-4726-8da8-5f694a655519", + "snapshot": false, + "version": "8.8.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "web" + ], + "dataset": "apache_tomcat.memory", + "duration": 281008420, + "ingested": "2023-07-11T13:20:15Z", + "kind": "metric", + "module": "apache_tomcat", + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "docker-fleet-agent", + "id": "e8978f2086c14e13b7a0af9ed0011d19", + "ip": [ + "192.168.64.7" + ], + "mac": [ + "02-42-C0-A8-40-07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "3.10.0-1160.90.1.el7.x86_64", + "name": "Ubuntu", + "platform": "ubuntu", + "type": 
"linux", + "version": "20.04.6 LTS (Focal Fossa)" + } + }, + "metricset": { + "name": "collector", + "period": 10000 + }, + "service": { + "address": "http://elastic-package-service_apache_tomcat_1:9090/metrics", + "type": "prometheus" + }, + "tags": [ + "apache_tomcat-memory", + "forwarded" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | Unit | Metric Type | +|---|---|---|---|---| +| @timestamp | Event timestamp. | date | | | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | | +| apache_tomcat.memory.doc_type | Document type of the event. This should be either "memory" or "gc". | keyword | | | +| apache_tomcat.memory.gc.collection.count | The cumulative number of invoked garbage collections since the start of the server. | long | | counter | +| apache_tomcat.memory.gc.collection.time.ms | The time (in milliseconds) taken by garbage collection during the collection interval. | long | ms | gauge | +| apache_tomcat.memory.gc.valid | The garbage collection process in G1 is considered valid even if the old GC JMX counter remains at 0 while old space is gradually reclaimed by the young collections. | long | | gauge | +| apache_tomcat.memory.heap.committed.bytes | Committed heap memory usage. | double | byte | gauge | +| apache_tomcat.memory.heap.init.bytes | Initial heap memory usage. | double | byte | gauge | +| apache_tomcat.memory.heap.max.bytes | Max heap memory usage. When the value for the maximum memory size (in bytes) is set to -1 for heap memory configurations, it indicates that the user has not specified a predefined size for the memory allocation. | double | byte | gauge | +| apache_tomcat.memory.heap.used.bytes | Used heap memory usage. | double | byte | gauge | +| apache_tomcat.memory.non_heap.committed.bytes | Committed non-heap memory usage. | double | byte | gauge | +| apache_tomcat.memory.non_heap.init.bytes | Initial non-heap memory usage. 
| double | byte | gauge | +| apache_tomcat.memory.non_heap.max.bytes | Max non-heap memory usage. When the value for the maximum memory size (in bytes) is set to -1 for non-heap memory configurations, it indicates that the user has not specified a predefined size for the memory allocation. | double | byte | gauge | +| apache_tomcat.memory.non_heap.used.bytes | Used non-heap memory usage. | double | byte | gauge | +| apache_tomcat.memory.object_pending_finalization.count | Count of object pending finalization. | double | | gauge | +| apache_tomcat.memory.verbose | When set to true, will cause the memory manager to print messages to the console whenever it performs certain memory-related operations.(1.0-true, 0.0-false). | boolean | | | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | | +| cloud.instance.id | Instance ID of the host machine. | keyword | | | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | +| cloud.region | Region in which this host, resource, or service is located. | keyword | | | +| container.id | Unique container id. | keyword | | | +| data_stream.dataset | Data stream dataset. | constant_keyword | | | +| data_stream.namespace | Data stream namespace. | constant_keyword | | | +| data_stream.type | Data stream type. | constant_keyword | | | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | +| error.message | Error message. 
| match_only_text | | | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | | | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | | | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | | | +| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. 
The recommended value is the lowercase FQDN of the host. | keyword | | | +| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | | +| tags | List of keywords used to tag each event. | keyword | | | + + ### Request This is the `Request` data stream. This data stream collects metrics related to request count, and amount of data received and sent. diff --git a/packages/apache_tomcat/img/apache_tomcat-memory-dashboard.png b/packages/apache_tomcat/img/apache_tomcat-memory-dashboard.png new file mode 100644 index 000000000000..3b9a3ab23888 Binary files /dev/null and b/packages/apache_tomcat/img/apache_tomcat-memory-dashboard.png differ diff --git a/packages/apache_tomcat/kibana/dashboard/apache_tomcat-c2e71320-bccb-11ed-8065-19219c0d55ab.json b/packages/apache_tomcat/kibana/dashboard/apache_tomcat-c2e71320-bccb-11ed-8065-19219c0d55ab.json new file mode 100644 index 000000000000..eb71969f9947 --- /dev/null +++ b/packages/apache_tomcat/kibana/dashboard/apache_tomcat-c2e71320-bccb-11ed-8065-19219c0d55ab.json 
@@ -0,0 +1,1247 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"40090461-b167-4b82-8ae3-e1326133b845\":{\"order\":0,\"width\":\"medium\",\"grow\":false,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"service.address\",\"title\":\"Hostname\",\"id\":\"40090461-b167-4b82-8ae3-e1326133b845\",\"selectedOptions\":[],\"enhancements\":{},\"singleSelect\":true}}}" + }, + "description": "This Apache Tomcat dashboard visualizes memory data stream metrics.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "apache_tomcat.memory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "apache_tomcat.memory" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-603b89be-e03d-4ed5-83b6-4ca7c19f41aa", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-7a97f25c-2c29-43be-a9d9-227e78aa4824", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "424f182e-1baf-4bc9-a7a6-74f1ca6881ef", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + 
"603b89be-e03d-4ed5-83b6-4ca7c19f41aa": { + "columnOrder": [ + "6d6a63fb-4d3d-49ce-bad9-f199c1b2f9ac" + ], + "columns": { + "6d6a63fb-4d3d-49ce-bad9-f199c1b2f9ac": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "apache_tomcat.memory.heap.used.bytes: *" + }, + "isBucketed": false, + "label": "Heap memory usage", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "apache_tomcat.memory.heap.used.bytes" + } + }, + "incompleteColumns": {} + }, + "7a97f25c-2c29-43be-a9d9-227e78aa4824": { + "columnOrder": [ + "5a75a03a-9d36-44d3-8ff9-66d3de324ce5", + "f610bbb4-2cd9-45b1-b9a1-b61d89b32ee8" + ], + "columns": { + "5a75a03a-9d36-44d3-8ff9-66d3de324ce5": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "f610bbb4-2cd9-45b1-b9a1-b61d89b32ee8": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "apache_tomcat.memory.heap.used.bytes: *" + }, + "isBucketed": false, + "label": "Heap memory usage", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "apache_tomcat.memory.heap.used.bytes" + } + }, + "incompleteColumns": {}, + "linkToLayers": [ + "603b89be-e03d-4ed5-83b6-4ca7c19f41aa" + ], + "sampling": 1 + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "424f182e-1baf-4bc9-a7a6-74f1ca6881ef", + "key": "event.dataset", + "negate": false, + "params": { + "query": "apache_tomcat.memory" + }, + "type": "phrase" + }, + "query": { + 
"match_phrase": { + "event.dataset": "apache_tomcat.memory" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#FFFFFF", + "icon": "empty", + "layerId": "603b89be-e03d-4ed5-83b6-4ca7c19f41aa", + "layerType": "data", + "metricAccessor": "6d6a63fb-4d3d-49ce-bad9-f199c1b2f9ac", + "showBar": false, + "trendlineLayerId": "7a97f25c-2c29-43be-a9d9-227e78aa4824", + "trendlineLayerType": "metricTrendline", + "trendlineMetricAccessor": "f610bbb4-2cd9-45b1-b9a1-b61d89b32ee8", + "trendlineTimeAccessor": "5a75a03a-9d36-44d3-8ff9-66d3de324ce5" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 11, + "i": "7249a3d9-803b-4ddd-952f-0021fcfe7f58", + "w": 10, + "x": 0, + "y": 0 + }, + "panelIndex": "7249a3d9-803b-4ddd-952f-0021fcfe7f58", + "type": "lens", + "version": "8.8.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-832a1cf4-a2fb-4da0-a1a9-e2e4ad75cf0b", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-ce5c86d1-5778-457d-a66f-8d2be35fdd09", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "1be63b2a-edae-4674-a21f-4cc44d7ef2a4", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "832a1cf4-a2fb-4da0-a1a9-e2e4ad75cf0b": { + "columnOrder": [ + "0dd778b3-8804-4a74-9807-284a48c0f474", + "cbcd07a6-0246-46f5-b746-22c186e60d4d" + ], + "columns": { + "0dd778b3-8804-4a74-9807-284a48c0f474": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + 
"cbcd07a6-0246-46f5-b746-22c186e60d4d": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "apache_tomcat.memory.heap.used.bytes: *" + }, + "isBucketed": false, + "label": "Used", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "apache_tomcat.memory.heap.used.bytes" + } + }, + "incompleteColumns": {} + }, + "ce5c86d1-5778-457d-a66f-8d2be35fdd09": { + "columnOrder": [ + "73ecedb4-176f-4c0d-aa3c-c0861634ecf3", + "7e8653c8-9ed6-465d-8288-9f6dc4c909f6", + "9b37895d-2df4-48a1-8044-cbcd95046198", + "019aef94-5186-4949-8172-fd656fb1c550" + ], + "columns": { + "019aef94-5186-4949-8172-fd656fb1c550": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "apache_tomcat.memory.heap.max.bytes: *" + }, + "isBucketed": false, + "label": "Max", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "apache_tomcat.memory.heap.max.bytes" + }, + "73ecedb4-176f-4c0d-aa3c-c0861634ecf3": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "7e8653c8-9ed6-465d-8288-9f6dc4c909f6": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "apache_tomcat.memory.heap.init.bytes: *" + }, + "isBucketed": false, + "label": "Init", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "apache_tomcat.memory.heap.init.bytes" + }, + "9b37895d-2df4-48a1-8044-cbcd95046198": 
{ + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "apache_tomcat.memory.heap.committed.bytes: *" + }, + "isBucketed": false, + "label": "Commited", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "apache_tomcat.memory.heap.committed.bytes" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "1be63b2a-edae-4674-a21f-4cc44d7ef2a4", + "key": "event.dataset", + "negate": false, + "params": { + "query": "apache_tomcat.memory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "apache_tomcat.memory" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "7e8653c8-9ed6-465d-8288-9f6dc4c909f6", + "9b37895d-2df4-48a1-8044-cbcd95046198", + "019aef94-5186-4949-8172-fd656fb1c550" + ], + "layerId": "ce5c86d1-5778-457d-a66f-8d2be35fdd09", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "73ecedb4-176f-4c0d-aa3c-c0861634ecf3", + "yConfig": [ + { + "color": "#8143ca", + "forAccessor": "7e8653c8-9ed6-465d-8288-9f6dc4c909f6" + }, + { + "color": "#d41515", + "forAccessor": "019aef94-5186-4949-8172-fd656fb1c550" + }, + { + "color": "#d6bf57", + "forAccessor": "9b37895d-2df4-48a1-8044-cbcd95046198" + } + ] + }, + { + "accessors": [ + "cbcd07a6-0246-46f5-b746-22c186e60d4d" + ], + "layerId": "832a1cf4-a2fb-4da0-a1a9-e2e4ad75cf0b", + "layerType": "data", + "seriesType": "bar", + "xAccessor": "0dd778b3-8804-4a74-9807-284a48c0f474", + "yConfig": [ + { + "color": "#6092c0", + "forAccessor": 
"cbcd07a6-0246-46f5-b746-22c186e60d4d" + } + ] + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right", + "showSingleSeries": false + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "valuesInLegend": true, + "yTitle": "Memory" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "description": "When the value for the maximum memory size (in bytes) is set to -1 for heap memory configurations, it indicates that the user has not specified a predefined size for the memory allocation", + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 11, + "i": "ff461eaa-d936-4fbd-af56-72a528fdf515", + "w": 38, + "x": 10, + "y": 0 + }, + "panelIndex": "ff461eaa-d936-4fbd-af56-72a528fdf515", + "title": "Heap memory over time [Metrics Apache Tomcat]", + "type": "lens", + "version": "8.8.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-603b89be-e03d-4ed5-83b6-4ca7c19f41aa", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-b9cb687d-7e05-469a-bc47-e9b07685a0d8", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "8708baa5-febb-4d77-9857-ba124b9c91f8", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "603b89be-e03d-4ed5-83b6-4ca7c19f41aa": { + "columnOrder": [ + "6d6a63fb-4d3d-49ce-bad9-f199c1b2f9ac" + ], + "columns": { + "6d6a63fb-4d3d-49ce-bad9-f199c1b2f9ac": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "apache_tomcat.memory.non_heap.used.bytes: *" + }, + "isBucketed": false, + "label": "Non-heap memory usage", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + }, + "sortField": "@timestamp" 
+ }, + "scale": "ratio", + "sourceField": "apache_tomcat.memory.non_heap.used.bytes" + } + }, + "incompleteColumns": {} + }, + "b9cb687d-7e05-469a-bc47-e9b07685a0d8": { + "columnOrder": [ + "1b77df70-bf4a-4f5e-90e7-72fd4d33e42d", + "641fc5ee-3abf-4790-9d21-f5995f257dff" + ], + "columns": { + "1b77df70-bf4a-4f5e-90e7-72fd4d33e42d": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "641fc5ee-3abf-4790-9d21-f5995f257dff": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "apache_tomcat.memory.non_heap.used.bytes: *" + }, + "isBucketed": false, + "label": "Non-heap memory usage", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "apache_tomcat.memory.non_heap.used.bytes" + } + }, + "incompleteColumns": {}, + "linkToLayers": [ + "603b89be-e03d-4ed5-83b6-4ca7c19f41aa" + ], + "sampling": 1 + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "8708baa5-febb-4d77-9857-ba124b9c91f8", + "key": "event.dataset", + "negate": false, + "params": { + "query": "apache_tomcat.memory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "apache_tomcat.memory" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "FFFFFF", + "layerId": "603b89be-e03d-4ed5-83b6-4ca7c19f41aa", + "layerType": "data", + "metricAccessor": "6d6a63fb-4d3d-49ce-bad9-f199c1b2f9ac", + "showBar": false, + "trendlineLayerId": "b9cb687d-7e05-469a-bc47-e9b07685a0d8", + "trendlineLayerType": "metricTrendline", + "trendlineMetricAccessor": 
"641fc5ee-3abf-4790-9d21-f5995f257dff", + "trendlineTimeAccessor": "1b77df70-bf4a-4f5e-90e7-72fd4d33e42d" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 11, + "i": "3b18802f-5ac5-48f1-8ba3-c46d37f86d47", + "w": 10, + "x": 0, + "y": 11 + }, + "panelIndex": "3b18802f-5ac5-48f1-8ba3-c46d37f86d47", + "title": "", + "type": "lens", + "version": "8.8.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-832a1cf4-a2fb-4da0-a1a9-e2e4ad75cf0b", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-ce5c86d1-5778-457d-a66f-8d2be35fdd09", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "4fba9f55-18c8-458c-9ee5-83936d0402ac", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "832a1cf4-a2fb-4da0-a1a9-e2e4ad75cf0b": { + "columnOrder": [ + "0dd778b3-8804-4a74-9807-284a48c0f474", + "cbcd07a6-0246-46f5-b746-22c186e60d4d" + ], + "columns": { + "0dd778b3-8804-4a74-9807-284a48c0f474": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "cbcd07a6-0246-46f5-b746-22c186e60d4d": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "apache_tomcat.memory.non_heap.used.bytes: *" + }, + "isBucketed": false, + "label": "Used", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "apache_tomcat.memory.non_heap.used.bytes" + } + }, + "incompleteColumns": {} + }, + 
"ce5c86d1-5778-457d-a66f-8d2be35fdd09": { + "columnOrder": [ + "73ecedb4-176f-4c0d-aa3c-c0861634ecf3", + "7e8653c8-9ed6-465d-8288-9f6dc4c909f6", + "9b37895d-2df4-48a1-8044-cbcd95046198", + "1a8d3154-9b7f-41e9-af52-64e4f0935387" + ], + "columns": { + "1a8d3154-9b7f-41e9-af52-64e4f0935387": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "apache_tomcat.memory.non_heap.max.bytes: *" + }, + "isBucketed": false, + "label": "Max", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "apache_tomcat.memory.non_heap.max.bytes" + }, + "73ecedb4-176f-4c0d-aa3c-c0861634ecf3": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "7e8653c8-9ed6-465d-8288-9f6dc4c909f6": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "apache_tomcat.memory.non_heap.init.bytes: *" + }, + "isBucketed": false, + "label": "Init", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "apache_tomcat.memory.non_heap.init.bytes" + }, + "9b37895d-2df4-48a1-8044-cbcd95046198": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "apache_tomcat.memory.non_heap.committed.bytes: *" + }, + "isBucketed": false, + "label": "Commited", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "apache_tomcat.memory.non_heap.committed.bytes" + } + }, + "incompleteColumns": {} + } + } 
+ } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "4fba9f55-18c8-458c-9ee5-83936d0402ac", + "key": "event.dataset", + "negate": false, + "params": { + "query": "apache_tomcat.memory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "apache_tomcat.memory" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "7e8653c8-9ed6-465d-8288-9f6dc4c909f6", + "9b37895d-2df4-48a1-8044-cbcd95046198", + "1a8d3154-9b7f-41e9-af52-64e4f0935387" + ], + "layerId": "ce5c86d1-5778-457d-a66f-8d2be35fdd09", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "73ecedb4-176f-4c0d-aa3c-c0861634ecf3", + "yConfig": [ + { + "color": "#8143ca", + "forAccessor": "7e8653c8-9ed6-465d-8288-9f6dc4c909f6" + }, + { + "color": "#e01212", + "forAccessor": "1a8d3154-9b7f-41e9-af52-64e4f0935387" + }, + { + "color": "#d6bf57", + "forAccessor": "9b37895d-2df4-48a1-8044-cbcd95046198" + } + ] + }, + { + "accessors": [ + "cbcd07a6-0246-46f5-b746-22c186e60d4d" + ], + "layerId": "832a1cf4-a2fb-4da0-a1a9-e2e4ad75cf0b", + "layerType": "data", + "seriesType": "bar", + "xAccessor": "0dd778b3-8804-4a74-9807-284a48c0f474", + "yConfig": [ + { + "color": "#6092c0", + "forAccessor": "cbcd07a6-0246-46f5-b746-22c186e60d4d" + } + ] + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right", + "showSingleSeries": true + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "valuesInLegend": true, + "yTitle": "Memory" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "description": "When the value for the maximum memory size (in bytes) is set to -1 for non-heap 
memory configurations, it indicates that the user has not specified a predefined size for the memory allocation", + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 11, + "i": "1c7a5509-3841-40a3-9b00-fd11ee6db933", + "w": 38, + "x": 10, + "y": 11 + }, + "panelIndex": "1c7a5509-3841-40a3-9b00-fd11ee6db933", + "title": "Non-heap memory over time [Metrics Apache Tomcat]", + "type": "lens", + "version": "8.8.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-88daef46-ca28-45c1-b7cc-8f7ccff4842d", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-9664f1c8-ab27-4919-9805-e22529ee1f2c", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "f7dd40ff-6ab5-4c72-9c14-3d9a3a1459c0", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "88daef46-ca28-45c1-b7cc-8f7ccff4842d": { + "columnOrder": [ + "11293177-6826-46e6-a6f5-365beee20933", + "7da790e2-9037-4e7d-af92-513305d139e2" + ], + "columns": { + "11293177-6826-46e6-a6f5-365beee20933": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "7da790e2-9037-4e7d-af92-513305d139e2": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "apache_tomcat.memory.gc.collection.time.ms: *" + }, + "isBucketed": false, + "label": "GC time(ms)", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "apache_tomcat.memory.gc.collection.time.ms" + } + }, + "incompleteColumns": {} + }, + "9664f1c8-ab27-4919-9805-e22529ee1f2c": { + "columnOrder": [ + 
"f5806bac-f641-4bfb-8be9-c3fb8728ee6d", + "78f1082b-f1fc-4ed4-98fd-fdb3b92bac32" + ], + "columns": { + "78f1082b-f1fc-4ed4-98fd-fdb3b92bac32": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "apache_tomcat.memory.gc.collection.count: *" + }, + "isBucketed": false, + "label": "GC count", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "apache_tomcat.memory.gc.collection.count" + }, + "f5806bac-f641-4bfb-8be9-c3fb8728ee6d": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "f7dd40ff-6ab5-4c72-9c14-3d9a3a1459c0", + "key": "event.dataset", + "negate": false, + "params": { + "query": "apache_tomcat.memory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "apache_tomcat.memory" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "78f1082b-f1fc-4ed4-98fd-fdb3b92bac32" + ], + "layerId": "9664f1c8-ab27-4919-9805-e22529ee1f2c", + "layerType": "data", + "position": "top", + "seriesType": "bar", + "showGridlines": false, + "xAccessor": "f5806bac-f641-4bfb-8be9-c3fb8728ee6d", + "yConfig": [ + { + "color": "#6092c0", + "forAccessor": "78f1082b-f1fc-4ed4-98fd-fdb3b92bac32" + } + ] + }, + { + 
"accessors": [ + "7da790e2-9037-4e7d-af92-513305d139e2" + ], + "layerId": "88daef46-ca28-45c1-b7cc-8f7ccff4842d", + "layerType": "data", + "seriesType": "line", + "xAccessor": "11293177-6826-46e6-a6f5-365beee20933", + "yConfig": [ + { + "color": "#d6bf57", + "forAccessor": "7da790e2-9037-4e7d-af92-513305d139e2" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right", + "showSingleSeries": false + }, + "preferredSeriesType": "bar", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true, + "yTitle": "Garbage Collection" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 11, + "i": "af80afbb-07f6-4f69-b475-2e5f19cfa60d", + "w": 48, + "x": 0, + "y": 22 + }, + "panelIndex": "af80afbb-07f6-4f69-b475-2e5f19cfa60d", + "title": "Garbage collection over time [Metrics Apache Tomcat]", + "type": "lens", + "version": "8.8.0" + } + ], + "timeRestore": false, + "title": "[Metrics Apache Tomcat] Memory", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2023-07-13T07:48:32.812Z", + "id": "apache_tomcat-c2e71320-bccb-11ed-8065-19219c0d55ab", + "managed": false, + "references": [ + { + "id": "metrics-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "7249a3d9-803b-4ddd-952f-0021fcfe7f58:indexpattern-datasource-layer-603b89be-e03d-4ed5-83b6-4ca7c19f41aa", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "7249a3d9-803b-4ddd-952f-0021fcfe7f58:indexpattern-datasource-layer-7a97f25c-2c29-43be-a9d9-227e78aa4824", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "7249a3d9-803b-4ddd-952f-0021fcfe7f58:424f182e-1baf-4bc9-a7a6-74f1ca6881ef", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": 
"ff461eaa-d936-4fbd-af56-72a528fdf515:indexpattern-datasource-layer-832a1cf4-a2fb-4da0-a1a9-e2e4ad75cf0b", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "ff461eaa-d936-4fbd-af56-72a528fdf515:indexpattern-datasource-layer-ce5c86d1-5778-457d-a66f-8d2be35fdd09", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "ff461eaa-d936-4fbd-af56-72a528fdf515:1be63b2a-edae-4674-a21f-4cc44d7ef2a4", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "3b18802f-5ac5-48f1-8ba3-c46d37f86d47:indexpattern-datasource-layer-603b89be-e03d-4ed5-83b6-4ca7c19f41aa", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "3b18802f-5ac5-48f1-8ba3-c46d37f86d47:indexpattern-datasource-layer-b9cb687d-7e05-469a-bc47-e9b07685a0d8", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "3b18802f-5ac5-48f1-8ba3-c46d37f86d47:8708baa5-febb-4d77-9857-ba124b9c91f8", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "1c7a5509-3841-40a3-9b00-fd11ee6db933:indexpattern-datasource-layer-832a1cf4-a2fb-4da0-a1a9-e2e4ad75cf0b", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "1c7a5509-3841-40a3-9b00-fd11ee6db933:indexpattern-datasource-layer-ce5c86d1-5778-457d-a66f-8d2be35fdd09", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "1c7a5509-3841-40a3-9b00-fd11ee6db933:4fba9f55-18c8-458c-9ee5-83936d0402ac", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "af80afbb-07f6-4f69-b475-2e5f19cfa60d:indexpattern-datasource-layer-88daef46-ca28-45c1-b7cc-8f7ccff4842d", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "af80afbb-07f6-4f69-b475-2e5f19cfa60d:indexpattern-datasource-layer-9664f1c8-ab27-4919-9805-e22529ee1f2c", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "af80afbb-07f6-4f69-b475-2e5f19cfa60d:f7dd40ff-6ab5-4c72-9c14-3d9a3a1459c0", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": 
"controlGroup_40090461-b167-4b82-8ae3-e1326133b845:optionsListDataView", + "type": "index-pattern" + } + ], + "type": "dashboard", + "migrationVersion": { + "dashboard": "8.7.0" + } +} \ No newline at end of file diff --git a/packages/apache_tomcat/manifest.yml b/packages/apache_tomcat/manifest.yml index a99d5ae8447e..daba79fb84b9 100644 --- a/packages/apache_tomcat/manifest.yml +++ b/packages/apache_tomcat/manifest.yml @@ -1,7 +1,7 @@ format_version: 2.3.0 name: apache_tomcat title: Apache Tomcat -version: "0.8.0" +version: "0.9.0" description: Collect and parse logs and metrics from Apache Tomcat servers with Elastic Agent. categories: ["web", "observability"] type: integration @@ -99,5 +99,9 @@ screenshots: title: Apache Tomcat Session dashboard size: 600x600 type: image/png + - src: /img/apache_tomcat-memory-dashboard.png + title: Apache Tomcat Memory dashboard + size: 600x600 + type: image/png owner: github: elastic/obs-infraobs-integrations diff --git a/packages/aws/changelog.yml b/packages/aws/changelog.yml index 64aaab40c332..b3804a8db9ee 100644 --- a/packages/aws/changelog.yml +++ b/packages/aws/changelog.yml @@ -1,4 +1,19 @@ # newer versions go on top +- version: "1.46.6" + changes: + - description: Update metric type and set dimension fields for AWS EMR data stream. + type: enhancement + link: https://github.com/elastic/integrations/pull/6964 +- version: "1.46.5" + changes: + - description: Fix metric type for API Gateway metric fields. + type: enhancement + link: https://github.com/elastic/integrations/pull/6952 +- version: "1.46.4" + changes: + - description: Set dimensions fields for API Gateway data stream. + type: enhancement + link: https://github.com/elastic/integrations/pull/6950 - version: "1.46.3" changes: - description: Add missing S3 fields for vpcflow diff --git a/packages/aws/data_stream/apigateway_metrics/fields/ecs.yml b/packages/aws/data_stream/apigateway_metrics/fields/ecs.yml index 20f154e37bdb..8e6c369edfc8 100644 
--- a/packages/aws/data_stream/apigateway_metrics/fields/ecs.yml +++ b/packages/aws/data_stream/apigateway_metrics/fields/ecs.yml @@ -2,6 +2,7 @@ name: cloud - external: ecs name: cloud.account.id + dimension: true - external: ecs name: cloud.account.name - external: ecs @@ -14,6 +15,7 @@ name: cloud.provider - external: ecs name: cloud.region + dimension: true - external: ecs name: ecs.version - external: ecs @@ -60,3 +62,6 @@ name: container.labels - external: ecs name: container.name +- name: agent.id + external: ecs + dimension: true diff --git a/packages/aws/data_stream/apigateway_metrics/fields/fields.yml b/packages/aws/data_stream/apigateway_metrics/fields/fields.yml index 680d3e6b6854..225cd9522ab7 100644 --- a/packages/aws/data_stream/apigateway_metrics/fields/fields.yml +++ b/packages/aws/data_stream/apigateway_metrics/fields/fields.yml @@ -10,23 +10,23 @@ - name: 4XXError.sum type: long description: The number of client-side errors captured in a given period. - metric_type: counter + metric_type: gauge - name: 4xx.sum type: long description: The number of client-side errors captured in a given period. - metric_type: counter + metric_type: gauge - name: 5XXError.sum type: long description: The number of server-side errors captured in a given period. - metric_type: counter + metric_type: gauge - name: 5xx.sum type: long description: The number of server-side errors captured in a given period. - metric_type: counter + metric_type: gauge - name: Count.sum type: long description: The total number API requests in a given period. - metric_type: counter + metric_type: gauge - name: IntegrationLatency.avg type: long description: The time between when API Gateway relays a request to the backend and when it receives a response from the backend. 
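Review bot: The new `agent.id` entry lists `name` before `external`, whereas every other entry in this file — including the `cloud.account.id` and `cloud.region` entries touched in the same change — puts `external: ecs` first; for consistency write `- external: ecs` / `  name: agent.id` / `  dimension: true`. The same ordering appears in the emr_metrics `ecs.yml` hunk further down. A one-line comment above the entry explaining why `agent.id` is a dimension at all would help: presumably it is so that two agents polling the same account and region do not emit documents with an identical dimension tuple and timestamp, which a TSDB index would reject as duplicates, at the cost that an agent re-enrollment (new `agent.id`) starts a fresh time series.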
@@ -45,55 +45,61 @@ - name: CacheHitCount.sum type: long description: The number of requests served from the API cache in a given period. - metric_type: counter + metric_type: gauge - name: CacheMissCount.sum type: long description: The number of requests served from the backend in a given period, when API caching is enabled. - metric_type: counter + metric_type: gauge - name: Count.sum type: long description: The total number of API requests in a given period. - metric_type: counter + metric_type: gauge - name: ConnectCount.sum type: long description: The number of messages sent to the connect route integration. - metric_type: counter + metric_type: gauge - name: MessageCount.sum type: long description: The number of messages sent to the WebSocket API, either from or to the client. - metric_type: counter + metric_type: gauge - name: IntegrationError.sum type: long description: The number of requests that return a 4XX/5XX response from the integration. - metric_type: counter + metric_type: gauge - name: ClientError.sum type: long description: The number of requests that have a 4XX response returned by API Gateway before the integration is invoked. - metric_type: counter + metric_type: gauge - name: ExecutionError.sum type: long description: Errors that occurred when calling the integration. - metric_type: counter + metric_type: gauge - name: dimensions type: group fields: - name: ApiId type: keyword + dimension: true description: Each API created in API Gateway is assigned a unique ApiId, which is used to distinguish and reference that specific API within the system. - name: Stage type: keyword + dimension: true description: It represents a specific version of the API that is accessible to clients. A stage allows you to manage different environments or versions of your API, such as development, testing, and production. 
- name: Route type: keyword + dimension: true description: Routes define the path and HTTP methods that clients can use to access different functionalities of the API. - name: ApiName type: keyword + dimension: true description: It represents a human-readable name that helps identify and differentiate the API within the API Gateway service. - name: Method type: keyword + dimension: true description: It represents the HTTP method which defines the action that can be performed on a resource, such as retrieving, creating, updating, or deleting data. - name: Resource type: keyword + dimension: true description: It represents an endpoint within the API that corresponds to a specific functionality, typically associated with a URL path segment. - name: cloudwatch type: group diff --git a/packages/aws/data_stream/emr_metrics/fields/ecs.yml b/packages/aws/data_stream/emr_metrics/fields/ecs.yml index c31e930d1f0f..17aba4ca24ec 100644 --- a/packages/aws/data_stream/emr_metrics/fields/ecs.yml +++ b/packages/aws/data_stream/emr_metrics/fields/ecs.yml @@ -2,6 +2,7 @@ name: cloud - external: ecs name: cloud.account.id + dimension: true - external: ecs name: cloud.account.name - external: ecs @@ -18,6 +19,7 @@ name: cloud.provider - external: ecs name: cloud.region + dimension: true - external: ecs name: ecs.version - external: ecs @@ -60,3 +62,6 @@ name: container.labels - external: ecs name: container.name +- name: agent.id + external: ecs + dimension: true diff --git a/packages/aws/data_stream/emr_metrics/fields/fields.yml b/packages/aws/data_stream/emr_metrics/fields/fields.yml index 5edbbf69638f..da72d8b1215e 100644 --- a/packages/aws/data_stream/emr_metrics/fields/fields.yml +++ b/packages/aws/data_stream/emr_metrics/fields/fields.yml 
@@ -16,15 +16,15 @@ - name: ContainerAllocated.sum type: long description: The number of resource containers allocated by the ResourceManager. - metric_type: counter + metric_type: gauge - name: ContainerReserved.sum type: long description: The number of containers reserved. - metric_type: counter + metric_type: gauge - name: ContainerPending.sum type: long description: The number of containers in the queue that have not yet been allocated. - metric_type: counter + metric_type: gauge - name: ContainerPendingRatio.avg type: long description: The ratio of pending containers to containers allocated @@ -33,31 +33,31 @@ - name: AppsCompleted.sum type: long description: The number of applications submitted to YARN that have completed. - metric_type: counter + metric_type: gauge - name: AppsFailed.sum type: long description: The number of applications submitted to YARN that have failed to complete. - metric_type: counter + metric_type: gauge - name: AppsKilled.sum type: long description: The number of applications submitted to YARN that have been killed. - metric_type: counter + metric_type: gauge - name: AppsPending.sum type: long description: The number of applications submitted to YARN that are in a pending state. - metric_type: counter + metric_type: gauge - name: AppsRunning.sum type: long description: The number of applications submitted to YARN that are running. - metric_type: counter + metric_type: gauge - name: AppsSubmitted.sum type: long description: The number of applications submitted to YARN. - metric_type: counter + metric_type: gauge - name: CoreNodesPending.sum type: long description: The number of core nodes waiting to be assigned. - metric_type: counter + metric_type: gauge - name: LiveDataNodes.avg type: double description: The percentage of data nodes that are receiving work from Hadoop. 
@@ -66,31 +66,31 @@ - name: MRTotalNodes.sum type: long description: The number of nodes presently available to MapReduce jobs. - metric_type: counter + metric_type: gauge - name: MRActiveNodes.sum type: long description: The number of nodes presently running MapReduce tasks or jobs. - metric_type: counter + metric_type: gauge - name: MRLostNodes.sum type: long description: The number of nodes allocated to MapReduce that have been marked in a LOST state. - metric_type: counter + metric_type: gauge - name: MRUnhealthyNodes.sum type: long description: The number of nodes available to MapReduce jobs marked in an UNHEALTHY state. - metric_type: counter + metric_type: gauge - name: MRDecommissionedNodes.sum type: long description: The number of nodes allocated to MapReduce applications that have been marked in a DECOMMISSIONED state. - metric_type: counter + metric_type: gauge - name: MRRebootedNodes.sum type: long description: The number of nodes available to MapReduce that have been rebooted and marked in a REBOOTED state. - metric_type: counter + metric_type: gauge - name: MultiMasterInstanceGroupNodesRunning.sum type: long description: The number of running master nodes. - metric_type: counter + metric_type: gauge - name: MultiMasterInstanceGroupNodesRunningPercentage.avg type: double description: The percentage of master nodes that are running over the requested master node instance count. @@ -99,16 +99,16 @@ - name: MultiMasterInstanceGroupNodesRequested.sum type: long description: The number of requested master nodes. - metric_type: counter + metric_type: gauge - name: S3BytesWritten.sum type: long description: The number of bytes written to Amazon S3. - metric_type: counter + metric_type: gauge unit: byte - name: S3BytesRead.sum type: long description: The number of bytes read from Amazon S3. - metric_type: counter + metric_type: gauge unit: byte - name: HDFSUtilization.avg type: double 
@@ -118,12 +118,12 @@ - name: HDFSBytesRead.sum type: long description: The number of bytes read from HDFS. - metric_type: counter + metric_type: gauge unit: byte - name: HDFSBytesWritten.sum type: long description: The number of bytes written to HDFS. - metric_type: counter + metric_type: gauge unit: byte - name: MissingBlocks.max type: long @@ -136,21 +136,21 @@ - name: TotalLoad.sum type: long description: The total number of concurrent data transfers. - metric_type: counter + metric_type: gauge - name: MemoryTotalMB.sum type: long description: The total amount of memory in the cluster. - metric_type: counter + metric_type: gauge unit: byte - name: MemoryReservedMB.sum type: long description: The amount of memory reserved. - metric_type: counter + metric_type: gauge unit: byte - name: MemoryAvailableMB.sum type: long description: The amount of memory available to be allocated. - metric_type: counter + metric_type: gauge unit: byte - name: YARNMemoryAvailablePercentage.avg type: double @@ -160,24 +160,24 @@ - name: MemoryAllocatedMB.sum type: long description: The amount of memory allocated to the cluster. - metric_type: counter + metric_type: gauge unit: byte - name: PendingDeletionBlocks.sum type: long description: The number of blocks marked for deletion. - metric_type: counter + metric_type: gauge - name: UnderReplicatedBlocks.sum type: long description: The number of blocks that need to be replicated one or more times. - metric_type: counter + metric_type: gauge - name: DfsPendingReplicationBlocks.sum type: long description: The status of block replication - blocks being replicated, age of replication requests, and unsuccessful replication requests. - metric_type: counter + metric_type: gauge - name: CapacityRemainingGB.sum type: long description: The amount of remaining HDFS disk capacity. - metric_type: counter + metric_type: gauge unit: byte - name: TotalUnitsRequested.max type: long 
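Review bot: `MemoryTotalMB.sum`, `MemoryReservedMB.sum` and `MemoryAvailableMB.sum` in the `@@ -136,21 +136,21` hunk keep `unit: byte` although their names say the values are megabytes; `MemoryAllocatedMB.sum` and `CapacityRemainingGB.sum` in the `@@ -160,24 +160,24` hunk have the same mismatch. Unless the ingest pipeline converts these values to bytes before indexing — nothing in this change shows that — Kibana will format a reported 16384 MB as roughly 16 kB. Either drop the `unit: byte` line on these fields or convert the values in the pipeline; the counter-to-gauge change itself is appropriate for per-period CloudWatch statistics.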
@@ -254,7 +254,7 @@ - name: TotalNotebookKernels.sum type: long description: The total number of running and idle notebook kernels on the cluster. - metric_type: counter + metric_type: gauge - name: AutoTerminationIsClusterIdle.avg type: long description: Indicates whether the cluster is in use. diff --git a/packages/aws/docs/apigateway.md b/packages/aws/docs/apigateway.md index 4f940fc08e5c..7f5da0f1116b 100644 --- a/packages/aws/docs/apigateway.md +++ b/packages/aws/docs/apigateway.md 
@@ -140,21 +140,22 @@ An example event for `apigateway` looks as following:
 | Field | Description | Type | Unit | Metric Type |
 |---|---|---|---|---|
 | @timestamp | Event timestamp. | date | | |
-| aws.apigateway.metrics.4XXError.sum | The number of client-side errors captured in a given period. | long | | counter |
-| aws.apigateway.metrics.4xx.sum | The number of client-side errors captured in a given period. | long | | counter |
-| aws.apigateway.metrics.5XXError.sum | The number of server-side errors captured in a given period. | long | | counter |
-| aws.apigateway.metrics.5xx.sum | The number of server-side errors captured in a given period. | long | | counter |
-| aws.apigateway.metrics.CacheHitCount.sum | The number of requests served from the API cache in a given period. | long | | counter |
-| aws.apigateway.metrics.CacheMissCount.sum | The number of requests served from the backend in a given period, when API caching is enabled. | long | | counter |
-| aws.apigateway.metrics.ClientError.sum | The number of requests that have a 4XX response returned by API Gateway before the integration is invoked. | long | | counter |
-| aws.apigateway.metrics.ConnectCount.sum | The number of messages sent to the connect route integration. | long | | counter |
-| aws.apigateway.metrics.Count.sum | The total number of API requests in a given period. | long | | counter |
+| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | |
+| aws.apigateway.metrics.4XXError.sum | The number of client-side errors captured in a given period. | long | | gauge |
+| aws.apigateway.metrics.4xx.sum | The number of client-side errors captured in a given period. | long | | gauge |
+| aws.apigateway.metrics.5XXError.sum | The number of server-side errors captured in a given period. | long | | gauge |
+| aws.apigateway.metrics.5xx.sum | The number of server-side errors captured in a given period. | long | | gauge |
+| aws.apigateway.metrics.CacheHitCount.sum | The number of requests served from the API cache in a given period. | long | | gauge |
+| aws.apigateway.metrics.CacheMissCount.sum | The number of requests served from the backend in a given period, when API caching is enabled. | long | | gauge |
+| aws.apigateway.metrics.ClientError.sum | The number of requests that have a 4XX response returned by API Gateway before the integration is invoked. | long | | gauge |
+| aws.apigateway.metrics.ConnectCount.sum | The number of messages sent to the connect route integration. | long | | gauge |
+| aws.apigateway.metrics.Count.sum | The total number of API requests in a given period. | long | | gauge |
 | aws.apigateway.metrics.DataProcessed.avg | The amount of data processed in bytes. | long | byte | gauge |
-| aws.apigateway.metrics.ExecutionError.sum | Errors that occurred when calling the integration. | long | | counter |
-| aws.apigateway.metrics.IntegrationError.sum | The number of requests that return a 4XX/5XX response from the integration. | long | | counter |
+| aws.apigateway.metrics.ExecutionError.sum | Errors that occurred when calling the integration. | long | | gauge |
+| aws.apigateway.metrics.IntegrationError.sum | The number of requests that return a 4XX/5XX response from the integration. | long | | gauge |
 | aws.apigateway.metrics.IntegrationLatency.avg | The time between when API Gateway relays a request to the backend and when it receives a response from the backend. | long | ms | gauge |
 | aws.apigateway.metrics.Latency.avg | The time between when API Gateway receives a request from a client and when it returns a response to the client. | long | ms | gauge |
-| aws.apigateway.metrics.MessageCount.sum | The number of messages sent to the WebSocket API, either from or to the client. | long | | counter |
+| aws.apigateway.metrics.MessageCount.sum | The number of messages sent to the WebSocket API, either from or to the client. | long | | gauge |
 | aws.cloudwatch.namespace | The namespace specified when query cloudwatch api. | keyword | | |
 | aws.dimensions.ApiId | Each API created in API Gateway is assigned a unique ApiId, which is used to distinguish and reference that specific API within the system. | keyword | | |
 | aws.dimensions.ApiName | It represents a human-readable name that helps identify and differentiate the API within the API Gateway service. | keyword | | |
diff --git a/packages/aws/docs/emr.md b/packages/aws/docs/emr.md
index 24698fd58132..c52fabbbd4e2 100644
--- a/packages/aws/docs/emr.md
+++ b/packages/aws/docs/emr.md
@@ -109,21 +109,22 @@ An example event for `emr` looks as following: | Field | Description | Type | Unit | Metric Type | |---|---|---|---|---| | @timestamp | Event timestamp. | date | | | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | | | aws.cloudwatch.namespace | The namespace specified when query cloudwatch api. | keyword | | | | aws.dimensions.JobFlowId | Filters metrics by cluster ID. | keyword | | | -| aws.elasticmapreduce.metrics.AppsCompleted.sum | The number of applications submitted to YARN that have completed. | long | | counter | -| aws.elasticmapreduce.metrics.AppsFailed.sum | The number of applications submitted to YARN that have failed to complete. | long | | counter | -| aws.elasticmapreduce.metrics.AppsKilled.sum | The number of applications submitted to YARN that have been killed. | long | | counter | -| aws.elasticmapreduce.metrics.AppsPending.sum | The number of applications submitted to YARN that are in a pending state. | long | | counter | -| aws.elasticmapreduce.metrics.AppsRunning.sum | The number of applications submitted to YARN that are running. | long | | counter | -| aws.elasticmapreduce.metrics.AppsSubmitted.sum | The number of applications submitted to YARN. | long | | counter | +| aws.elasticmapreduce.metrics.AppsCompleted.sum | The number of applications submitted to YARN that have completed. | long | | gauge | +| aws.elasticmapreduce.metrics.AppsFailed.sum | The number of applications submitted to YARN that have failed to complete. | long | | gauge | +| aws.elasticmapreduce.metrics.AppsKilled.sum | The number of applications submitted to YARN that have been killed. | long | | gauge | +| aws.elasticmapreduce.metrics.AppsPending.sum | The number of applications submitted to YARN that are in a pending state. | long | | gauge | +| aws.elasticmapreduce.metrics.AppsRunning.sum | The number of applications submitted to YARN that are running. 
| long | | gauge | +| aws.elasticmapreduce.metrics.AppsSubmitted.sum | The number of applications submitted to YARN. | long | | gauge | | aws.elasticmapreduce.metrics.AutoTerminationIsClusterIdle.avg | Indicates whether the cluster is in use. | long | percent | gauge | -| aws.elasticmapreduce.metrics.CapacityRemainingGB.sum | The amount of remaining HDFS disk capacity. | long | byte | counter | -| aws.elasticmapreduce.metrics.ContainerAllocated.sum | The number of resource containers allocated by the ResourceManager. | long | | counter | -| aws.elasticmapreduce.metrics.ContainerPending.sum | The number of containers in the queue that have not yet been allocated. | long | | counter | +| aws.elasticmapreduce.metrics.CapacityRemainingGB.sum | The amount of remaining HDFS disk capacity. | long | byte | gauge | +| aws.elasticmapreduce.metrics.ContainerAllocated.sum | The number of resource containers allocated by the ResourceManager. | long | | gauge | +| aws.elasticmapreduce.metrics.ContainerPending.sum | The number of containers in the queue that have not yet been allocated. | long | | gauge | | aws.elasticmapreduce.metrics.ContainerPendingRatio.avg | The ratio of pending containers to containers allocated | long | percent | gauge | -| aws.elasticmapreduce.metrics.ContainerReserved.sum | The number of containers reserved. | long | | counter | -| aws.elasticmapreduce.metrics.CoreNodesPending.sum | The number of core nodes waiting to be assigned. | long | | counter | +| aws.elasticmapreduce.metrics.ContainerReserved.sum | The number of containers reserved. | long | | gauge | +| aws.elasticmapreduce.metrics.CoreNodesPending.sum | The number of core nodes waiting to be assigned. | long | | gauge | | aws.elasticmapreduce.metrics.CoreNodesRequested.max | The target number of CORE nodes in a cluster as determined by managed scaling. | long | | gauge | | aws.elasticmapreduce.metrics.CoreNodesRunning.avg | The current number of CORE nodes running in a cluster. 
| long | | gauge | | aws.elasticmapreduce.metrics.CoreUnitsRequested.max | The target number of CORE units in a cluster as determined by managed scaling. | long | | gauge | 
@@ -131,44 +132,44 @@ An example event for `emr` looks as following: | aws.elasticmapreduce.metrics.CoreVCPURequested.max | The target number of CORE vCPUs in a cluster as determined by managed scaling. | long | | gauge | | aws.elasticmapreduce.metrics.CoreVCPURunning.avg | The current number of CORE vCPUs running in a cluster. | long | | gauge | | aws.elasticmapreduce.metrics.CorruptBlocks.max | The number of blocks that HDFS reports as corrupted. | long | | gauge | -| aws.elasticmapreduce.metrics.DfsPendingReplicationBlocks.sum | The status of block replication - blocks being replicated, age of replication requests, and unsuccessful replication requests. | long | | counter | -| aws.elasticmapreduce.metrics.HDFSBytesRead.sum | The number of bytes read from HDFS. | long | byte | counter | -| aws.elasticmapreduce.metrics.HDFSBytesWritten.sum | The number of bytes written to HDFS. | long | byte | counter | +| aws.elasticmapreduce.metrics.DfsPendingReplicationBlocks.sum | The status of block replication - blocks being replicated, age of replication requests, and unsuccessful replication requests. | long | | gauge | +| aws.elasticmapreduce.metrics.HDFSBytesRead.sum | The number of bytes read from HDFS. | long | byte | gauge | +| aws.elasticmapreduce.metrics.HDFSBytesWritten.sum | The number of bytes written to HDFS. | long | byte | gauge | | aws.elasticmapreduce.metrics.HDFSUtilization.avg | The percentage of HDFS storage currently used. | double | percent | gauge | | aws.elasticmapreduce.metrics.IsIdle.avg | Indicates that a cluster is no longer performing work, but is still alive and accruing charges. | long | percent | gauge | | aws.elasticmapreduce.metrics.LiveDataNodes.avg | The percentage of data nodes that are receiving work from Hadoop. | double | percent | gauge | -| aws.elasticmapreduce.metrics.MRActiveNodes.sum | The number of nodes presently running MapReduce tasks or jobs. 
| long | | counter | -| aws.elasticmapreduce.metrics.MRDecommissionedNodes.sum | The number of nodes allocated to MapReduce applications that have been marked in a DECOMMISSIONED state. | long | | counter | -| aws.elasticmapreduce.metrics.MRLostNodes.sum | The number of nodes allocated to MapReduce that have been marked in a LOST state. | long | | counter | -| aws.elasticmapreduce.metrics.MRRebootedNodes.sum | The number of nodes available to MapReduce that have been rebooted and marked in a REBOOTED state. | long | | counter | -| aws.elasticmapreduce.metrics.MRTotalNodes.sum | The number of nodes presently available to MapReduce jobs. | long | | counter | -| aws.elasticmapreduce.metrics.MRUnhealthyNodes.sum | The number of nodes available to MapReduce jobs marked in an UNHEALTHY state. | long | | counter | -| aws.elasticmapreduce.metrics.MemoryAllocatedMB.sum | The amount of memory allocated to the cluster. | long | byte | counter | -| aws.elasticmapreduce.metrics.MemoryAvailableMB.sum | The amount of memory available to be allocated. | long | byte | counter | -| aws.elasticmapreduce.metrics.MemoryReservedMB.sum | The amount of memory reserved. | long | byte | counter | -| aws.elasticmapreduce.metrics.MemoryTotalMB.sum | The total amount of memory in the cluster. | long | byte | counter | +| aws.elasticmapreduce.metrics.MRActiveNodes.sum | The number of nodes presently running MapReduce tasks or jobs. | long | | gauge | +| aws.elasticmapreduce.metrics.MRDecommissionedNodes.sum | The number of nodes allocated to MapReduce applications that have been marked in a DECOMMISSIONED state. | long | | gauge | +| aws.elasticmapreduce.metrics.MRLostNodes.sum | The number of nodes allocated to MapReduce that have been marked in a LOST state. | long | | gauge | +| aws.elasticmapreduce.metrics.MRRebootedNodes.sum | The number of nodes available to MapReduce that have been rebooted and marked in a REBOOTED state. 
| long | | gauge | +| aws.elasticmapreduce.metrics.MRTotalNodes.sum | The number of nodes presently available to MapReduce jobs. | long | | gauge | +| aws.elasticmapreduce.metrics.MRUnhealthyNodes.sum | The number of nodes available to MapReduce jobs marked in an UNHEALTHY state. | long | | gauge | +| aws.elasticmapreduce.metrics.MemoryAllocatedMB.sum | The amount of memory allocated to the cluster. | long | byte | gauge | +| aws.elasticmapreduce.metrics.MemoryAvailableMB.sum | The amount of memory available to be allocated. | long | byte | gauge | +| aws.elasticmapreduce.metrics.MemoryReservedMB.sum | The amount of memory reserved. | long | byte | gauge | +| aws.elasticmapreduce.metrics.MemoryTotalMB.sum | The total amount of memory in the cluster. | long | byte | gauge | | aws.elasticmapreduce.metrics.MissingBlocks.max | The number of blocks in which HDFS has no replicas. | long | | gauge | -| aws.elasticmapreduce.metrics.MultiMasterInstanceGroupNodesRequested.sum | The number of requested master nodes. | long | | counter | -| aws.elasticmapreduce.metrics.MultiMasterInstanceGroupNodesRunning.sum | The number of running master nodes. | long | | counter | +| aws.elasticmapreduce.metrics.MultiMasterInstanceGroupNodesRequested.sum | The number of requested master nodes. | long | | gauge | +| aws.elasticmapreduce.metrics.MultiMasterInstanceGroupNodesRunning.sum | The number of running master nodes. | long | | gauge | | aws.elasticmapreduce.metrics.MultiMasterInstanceGroupNodesRunningPercentage.avg | The percentage of master nodes that are running over the requested master node instance count. | double | percent | gauge | -| aws.elasticmapreduce.metrics.PendingDeletionBlocks.sum | The number of blocks marked for deletion. | long | | counter | -| aws.elasticmapreduce.metrics.S3BytesRead.sum | The number of bytes read from Amazon S3. | long | byte | counter | -| aws.elasticmapreduce.metrics.S3BytesWritten.sum | The number of bytes written to Amazon S3. 
| long | byte | counter | +| aws.elasticmapreduce.metrics.PendingDeletionBlocks.sum | The number of blocks marked for deletion. | long | | gauge | +| aws.elasticmapreduce.metrics.S3BytesRead.sum | The number of bytes read from Amazon S3. | long | byte | gauge | +| aws.elasticmapreduce.metrics.S3BytesWritten.sum | The number of bytes written to Amazon S3. | long | byte | gauge | | aws.elasticmapreduce.metrics.TaskNodesRequested.max | The target number of TASK nodes in a cluster as determined by managed scaling. | long | | gauge | | aws.elasticmapreduce.metrics.TaskNodesRunning.avg | The current number of TASK nodes running in a cluster. | long | | gauge | | aws.elasticmapreduce.metrics.TaskUnitsRequested.max | The target number of TASK units in a cluster as determined by managed scaling. | long | | gauge | | aws.elasticmapreduce.metrics.TaskUnitsRunning.avg | The current number of TASK units running in a cluster. | long | | gauge | | aws.elasticmapreduce.metrics.TaskVCPURequested.max | The target number of TASK vCPUs in a cluster as determined by managed scaling. | long | | gauge | | aws.elasticmapreduce.metrics.TaskVCPURunning.avg | The current number of TASK vCPUs running in a cluster. | long | | gauge | -| aws.elasticmapreduce.metrics.TotalLoad.sum | The total number of concurrent data transfers. | long | | counter | +| aws.elasticmapreduce.metrics.TotalLoad.sum | The total number of concurrent data transfers. | long | | gauge | | aws.elasticmapreduce.metrics.TotalNodesRequested.max | The target total number of nodes in a cluster as determined by managed scaling. | long | | gauge | | aws.elasticmapreduce.metrics.TotalNodesRunning.avg | The current total number of nodes available in a running cluster. | long | | gauge | -| aws.elasticmapreduce.metrics.TotalNotebookKernels.sum | The total number of running and idle notebook kernels on the cluster. 
| long | | counter | +| aws.elasticmapreduce.metrics.TotalNotebookKernels.sum | The total number of running and idle notebook kernels on the cluster. | long | | gauge | | aws.elasticmapreduce.metrics.TotalUnitsRequested.max | The target total number of units in a cluster as determined by managed scaling. | long | | gauge | | aws.elasticmapreduce.metrics.TotalUnitsRunning.avg | The current total number of units available in a running cluster. | long | | gauge | | aws.elasticmapreduce.metrics.TotalVCPURequested.max | The target total number of vCPUs in a cluster as determined by managed scaling. | long | | gauge | | aws.elasticmapreduce.metrics.TotalVCPURunning.avg | The current total number of vCPUs available in a running cluster. | long | | gauge | -| aws.elasticmapreduce.metrics.UnderReplicatedBlocks.sum | The number of blocks that need to be replicated one or more times. | long | | counter | +| aws.elasticmapreduce.metrics.UnderReplicatedBlocks.sum | The number of blocks that need to be replicated one or more times. | long | | gauge | | aws.elasticmapreduce.metrics.YARNMemoryAvailablePercentage.avg | The percentage of remaining memory available to YARN | double | percent | gauge | | aws.s3.bucket.name | Name of a S3 bucket. | keyword | | | | aws.tags.\* | Tag key value pairs from aws resources. | object | | | diff --git a/packages/aws/manifest.yml b/packages/aws/manifest.yml index 399175d10e67..f9b38c0e9581 100644 --- a/packages/aws/manifest.yml +++ b/packages/aws/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: aws title: AWS -version: 1.46.3 +version: 1.46.6 license: basic description: Collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent. type: integration diff --git a/packages/cisco_ios/changelog.yml b/packages/cisco_ios/changelog.yml index 16a470a557f5..ded00df2f6a6 100644 --- a/packages/cisco_ios/changelog.yml +++ b/packages/cisco_ios/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.16.1" + changes: + - description: Fix grok to be aware of fman_fp_image + type: bugfix + link: https://github.com/elastic/integrations/pull/6930 - version: "1.16.0" changes: - description: Adding Timezone Map advanced configuration option diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-cisco-ios.log b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-cisco-ios.log index 17ba60830b87..c69a20507541 100644 --- a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-cisco-ios.log +++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-cisco-ios.log 
@@ -16,4 +16,11 @@ Mar 24 18:06:00 192.168.100.2 1991220: Mar 24 18:06:00.364 UTC: %SYS-6-LOGOUT: U Mar 24 17:37:39 192.168.100.2 1991221: Mar 24 17:37:39 UTC: %PIM-SW1-6-INVALID_RP_JOIN: Received (*, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3 Mar 24 17:37:39 192.168.100.2 1991221: Mar 24 17:37:39 UTC: %PIM-SW1-6-INVALID_RP_JOIN: Received (10.50.22.5, 10.36.2.78) Join from 10.4.5.66 for invalid RP 10.3.66.3 Mar 24 12:09:35 192.168.100.2 1991217: Mar 24 12:09:35.367: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface eth0 -Mar 24 12:06:47 192.168.100.2 1991218: Mar 24 12:06:47.099: %CCH323-6-CALL_PRESERVED: cch323_h225_handle_conn_loss: H.323 call preserved due to socket closure or error, Call Id = 6527, fd = 19 \ No newline at end of file +Mar 24 12:06:47 192.168.100.2 1991218: Mar 24 12:06:47.099: %CCH323-6-CALL_PRESERVED: cch323_h225_handle_conn_loss: H.323 call preserved due to socket closure or error, Call Id = 6527, fd = 19 +Jul 11 09:34:00 my-router-hostname 1663312: Jul 11 09:34:00.020: %FMANFP-6-IPACCESSLOGP: R0/0: fman_fp_image: list internet_in_gig0 permitted tcp 172.16.0.26(59144) -> 10.100.8.34(1103), 1 packet +Jul 11 09:31:03 my-router-hostname 1663410: Jul 11 09:31:03.762: %FMANFP-6-IPACCESSLOGP: R0/0: fman_fp_image: list 110 denied tcp 10.100.8.34(59120) -> 172.16.0.26(7774), 1 packet +Jul 11 09:34:00 my-router-hostname 1663469: Jul 11 09:34:00.334: %FMANFP-6-IPACCESSLOGP: R0/0: fman_fp_image: list internet_in_gig0 permitted udp 172.16.0.26(1985) -> 10.100.8.34(1985), 327 packets +Jul 11 09:34:00 my-router-hostname 1663511: Jul 11 09:34:00.209: %FMANFP-6-IPACCESSLOGP: R0/0: fman_fp_image: list internet_in_gig0 denied udp 10.100.8.34(1985) -> 172.16.0.26(1985), 342 packets +Jun 10 23:34:58 10.0.0.1 1663511: Jun 10 23:34:58.206: %FMANFP-6-IPACCESSLOGP: SIP0: fman_fp_image: list ACL denied udp 10.10.10.10(52361) -> 10.100.8.34(10001), 1 packet +Jun 10 23:34:58 10.0.0.1 1663511: Jun 10 23:34:58.206: 
%FMANFP-6-IPACCESSLOGDP: F0: fman_fp_image: list ACL_TEST permitted icmp 172.16.0.26 -> 10.100.8.34 (8/0), 2 packets +Jun 10 23:34:58 10.0.0.1 1663511: Jun 10 23:35:28.207: %FMANFP-6-IPACCESSLOGDP: F0: fman_fp_image: list ACL_TEST permitted icmp 10.100.8.34 -> 172.16.0.26 (8/0), 1 packet \ No newline at end of file diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-cisco-ios.log-expected.json b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-cisco-ios.log-expected.json index bf45c0b7530d..4fe3ac565295 100644 --- a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-cisco-ios.log-expected.json +++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-cisco-ios.log-expected.json @@ -1198,7 +1198,7 @@ "hostname": "192.168.100.2" } }, - "message": "cch323_h225_handle_conn_loss: H.323 call preserved due to socket closure or error, Call Id = 6527, fd = 19", + "message": "H.323 call preserved due to socket closure or error, Call Id = 6527, fd = 19", "observer": { "product": "IOS", "type": "firewall", 
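Review bot: The last three added fixture lines all reuse the syslog sequence `1663511`, and the final line's syslog header time `23:34:58` disagrees with the message time `23:35:28.207`, which looks like a copy-paste slip rather than a deliberate test of mismatched timestamps. If the mismatch is intended, say so in the PR description, because the expected output will pin whichever timestamp the grok picks and a later maintainer will otherwise "fix" it; if not, align the two times and give each line its own sequence number. The new last line also still ends without a trailing newline, as the marker shows.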
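Review bot: The expected `message` for the CCH323 event drops its `cch323_h225_handle_conn_loss:` prefix, which suggests the grok change meant to skip `fman_fp_image:` now strips any leading `word:` token from messages that are not FMANFP events. That function name is useful context for the H.323 call-preservation message, and nothing in this hunk shows it being kept in another field; the pipeline itself is outside this view, so this is inferred from the expected output alone. If the new pattern is generic, consider anchoring it to the literal `fman_fp_image:` token, or capturing the stripped token into a dedicated field instead of discarding it, so existing CCH323 parsing is unchanged.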
@@ -1207,6 +1207,479 @@ "tags": [ "preserve_original_event" ] + }, + { + "@timestamp": "2023-07-11T09:34:00.020Z", + "cisco": { + "ios": { + "access_list": "internet_in_gig0", + "facility": "FMANFP", + "sequence": "1663312" + } + }, + "destination": { + "address": "10.100.8.34", + "ip": "10.100.8.34", + "port": 1103 + }, + "ecs": { + "version": "8.8.0" + }, + "event": { + "action": "allow", + "category": [ + "network" + ], + "code": "IPACCESSLOGP", + "original": "Jul 11 09:34:00 my-router-hostname 1663312: Jul 11 09:34:00.020: %FMANFP-6-IPACCESSLOGP: R0/0: fman_fp_image: list internet_in_gig0 permitted tcp 172.16.0.26(59144) -\u003e 10.100.8.34(1103), 1 packet", + "provider": "firewall", + "sequence": 1663312, + "severity": 6, + "timezone": "UTC", + "type": [ + "info", + "allowed" + ] + }, + "log": { + "level": "informational", + "syslog": { + "hostname": "my-router-hostname" + } + }, + "message": "list internet_in_gig0 permitted tcp 172.16.0.26(59144) -\u003e 10.100.8.34(1103), 1 packet", + "network": { + "community_id": "1:KXW3u/74dvvbFZ7Ewo9z4chd5T4=", + "packets": 1, + "transport": "tcp", + "type": "ipv4" + }, + "observer": { + "product": "IOS", + "type": "firewall", + "vendor": "Cisco" + }, + "related": { + "ip": [ + "172.16.0.26", + "10.100.8.34" + ] + }, + "source": { + "address": "172.16.0.26", + "ip": "172.16.0.26", + "packets": 1, + "port": 59144 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-07-11T09:31:03.762Z", + "cisco": { + "ios": { + "access_list": "110", + "facility": "FMANFP", + "sequence": "1663410" + } + }, + "destination": { + "address": "172.16.0.26", + "ip": "172.16.0.26", + "port": 7774 + }, + "ecs": { + "version": "8.8.0" + }, + "event": { + "action": "deny", + "category": [ + "network" + ], + "code": "IPACCESSLOGP", + "original": "Jul 11 09:31:03 my-router-hostname 1663410: Jul 11 09:31:03.762: %FMANFP-6-IPACCESSLOGP: R0/0: fman_fp_image: list 110 denied tcp 10.100.8.34(59120) -\u003e 172.16.0.26(7774), 1 
packet", + "provider": "firewall", + "sequence": 1663410, + "severity": 6, + "timezone": "UTC", + "type": [ + "info", + "denied" + ] + }, + "log": { + "level": "informational", + "syslog": { + "hostname": "my-router-hostname" + } + }, + "message": "list 110 denied tcp 10.100.8.34(59120) -\u003e 172.16.0.26(7774), 1 packet", + "network": { + "community_id": "1:e8Y05uGbOy3+E9kG3gX0ri93utw=", + "packets": 1, + "transport": "tcp", + "type": "ipv4" + }, + "observer": { + "product": "IOS", + "type": "firewall", + "vendor": "Cisco" + }, + "related": { + "ip": [ + "10.100.8.34", + "172.16.0.26" + ] + }, + "source": { + "address": "10.100.8.34", + "ip": "10.100.8.34", + "packets": 1, + "port": 59120 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-07-11T09:34:00.334Z", + "cisco": { + "ios": { + "access_list": "internet_in_gig0", + "facility": "FMANFP", + "sequence": "1663469" + } + }, + "destination": { + "address": "10.100.8.34", + "ip": "10.100.8.34", + "port": 1985 + }, + "ecs": { + "version": "8.8.0" + }, + "event": { + "action": "allow", + "category": [ + "network" + ], + "code": "IPACCESSLOGP", + "original": "Jul 11 09:34:00 my-router-hostname 1663469: Jul 11 09:34:00.334: %FMANFP-6-IPACCESSLOGP: R0/0: fman_fp_image: list internet_in_gig0 permitted udp 172.16.0.26(1985) -\u003e 10.100.8.34(1985), 327 packets", + "provider": "firewall", + "sequence": 1663469, + "severity": 6, + "timezone": "UTC", + "type": [ + "info", + "allowed" + ] + }, + "log": { + "level": "informational", + "syslog": { + "hostname": "my-router-hostname" + } + }, + "message": "list internet_in_gig0 permitted udp 172.16.0.26(1985) -\u003e 10.100.8.34(1985), 327 packets", + "network": { + "community_id": "1:4IV7i5VTdXeQIUxYQNz2lfhh9eE=", + "packets": 327, + "transport": "udp", + "type": "ipv4" + }, + "observer": { + "product": "IOS", + "type": "firewall", + "vendor": "Cisco" + }, + "related": { + "ip": [ + "172.16.0.26", + "10.100.8.34" + ] + }, + "source": { + 
"address": "172.16.0.26", + "ip": "172.16.0.26", + "packets": 327, + "port": 1985 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-07-11T09:34:00.209Z", + "cisco": { + "ios": { + "access_list": "internet_in_gig0", + "facility": "FMANFP", + "sequence": "1663511" + } + }, + "destination": { + "address": "172.16.0.26", + "ip": "172.16.0.26", + "port": 1985 + }, + "ecs": { + "version": "8.8.0" + }, + "event": { + "action": "deny", + "category": [ + "network" + ], + "code": "IPACCESSLOGP", + "original": "Jul 11 09:34:00 my-router-hostname 1663511: Jul 11 09:34:00.209: %FMANFP-6-IPACCESSLOGP: R0/0: fman_fp_image: list internet_in_gig0 denied udp 10.100.8.34(1985) -\u003e 172.16.0.26(1985), 342 packets", + "provider": "firewall", + "sequence": 1663511, + "severity": 6, + "timezone": "UTC", + "type": [ + "info", + "denied" + ] + }, + "log": { + "level": "informational", + "syslog": { + "hostname": "my-router-hostname" + } + }, + "message": "list internet_in_gig0 denied udp 10.100.8.34(1985) -\u003e 172.16.0.26(1985), 342 packets", + "network": { + "community_id": "1:4IV7i5VTdXeQIUxYQNz2lfhh9eE=", + "packets": 342, + "transport": "udp", + "type": "ipv4" + }, + "observer": { + "product": "IOS", + "type": "firewall", + "vendor": "Cisco" + }, + "related": { + "ip": [ + "10.100.8.34", + "172.16.0.26" + ] + }, + "source": { + "address": "10.100.8.34", + "ip": "10.100.8.34", + "packets": 342, + "port": 1985 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-06-10T23:34:58.206Z", + "cisco": { + "ios": { + "access_list": "ACL", + "facility": "FMANFP", + "sequence": "1663511" + } + }, + "destination": { + "address": "10.100.8.34", + "ip": "10.100.8.34", + "port": 10001 + }, + "ecs": { + "version": "8.8.0" + }, + "event": { + "action": "deny", + "category": [ + "network" + ], + "code": "IPACCESSLOGP", + "original": "Jun 10 23:34:58 10.0.0.1 1663511: Jun 10 23:34:58.206: %FMANFP-6-IPACCESSLOGP: SIP0: fman_fp_image: list ACL 
denied udp 10.10.10.10(52361) -\u003e 10.100.8.34(10001), 1 packet", + "provider": "firewall", + "sequence": 1663511, + "severity": 6, + "timezone": "UTC", + "type": [ + "info", + "denied" + ] + }, + "log": { + "level": "informational", + "syslog": { + "hostname": "10.0.0.1" + } + }, + "message": "list ACL denied udp 10.10.10.10(52361) -\u003e 10.100.8.34(10001), 1 packet", + "network": { + "community_id": "1:7HdATA0Zd7fB8RBwRLEo/zNyyLQ=", + "packets": 1, + "transport": "udp", + "type": "ipv4" + }, + "observer": { + "product": "IOS", + "type": "firewall", + "vendor": "Cisco" + }, + "related": { + "ip": [ + "10.10.10.10", + "10.100.8.34" + ] + }, + "source": { + "address": "10.10.10.10", + "ip": "10.10.10.10", + "packets": 1, + "port": 52361 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-06-10T23:34:58.206Z", + "cisco": { + "ios": { + "access_list": "ACL_TEST", + "facility": "FMANFP", + "sequence": "1663511" + } + }, + "destination": { + "address": "10.100.8.34", + "ip": "10.100.8.34" + }, + "ecs": { + "version": "8.8.0" + }, + "event": { + "action": "allow", + "category": [ + "network" + ], + "code": "IPACCESSLOGDP", + "original": "Jun 10 23:34:58 10.0.0.1 1663511: Jun 10 23:34:58.206: %FMANFP-6-IPACCESSLOGDP: F0: fman_fp_image: list ACL_TEST permitted icmp 172.16.0.26 -\u003e 10.100.8.34 (8/0), 2 packets", + "provider": "firewall", + "sequence": 1663511, + "severity": 6, + "timezone": "UTC", + "type": [ + "info", + "allowed" + ] + }, + "icmp": { + "code": "0", + "type": "8" + }, + "log": { + "level": "informational", + "syslog": { + "hostname": "10.0.0.1" + } + }, + "message": "list ACL_TEST permitted icmp 172.16.0.26 -\u003e 10.100.8.34 (8/0), 2 packets", + "network": { + "community_id": "1:OvCASybztHusF+Fy8s345w5/IZw=", + "packets": 2, + "transport": "icmp", + "type": "ipv4" + }, + "observer": { + "product": "IOS", + "type": "firewall", + "vendor": "Cisco" + }, + "related": { + "ip": [ + "172.16.0.26", + "10.100.8.34" + ] + }, + 
"source": { + "address": "172.16.0.26", + "ip": "172.16.0.26", + "packets": 2 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-06-10T23:35:28.207Z", + "cisco": { + "ios": { + "access_list": "ACL_TEST", + "facility": "FMANFP", + "sequence": "1663511" + } + }, + "destination": { + "address": "172.16.0.26", + "ip": "172.16.0.26" + }, + "ecs": { + "version": "8.8.0" + }, + "event": { + "action": "allow", + "category": [ + "network" + ], + "code": "IPACCESSLOGDP", + "original": "Jun 10 23:34:58 10.0.0.1 1663511: Jun 10 23:35:28.207: %FMANFP-6-IPACCESSLOGDP: F0: fman_fp_image: list ACL_TEST permitted icmp 10.100.8.34 -\u003e 172.16.0.26 (8/0), 1 packet", + "provider": "firewall", + "sequence": 1663511, + "severity": 6, + "timezone": "UTC", + "type": [ + "info", + "allowed" + ] + }, + "icmp": { + "code": "0", + "type": "8" + }, + "log": { + "level": "informational", + "syslog": { + "hostname": "10.0.0.1" + } + }, + "message": "list ACL_TEST permitted icmp 10.100.8.34 -\u003e 172.16.0.26 (8/0), 1 packet", + "network": { + "community_id": "1:0NC2mwr4V+bYFoMF3BsibI/mn0Y=", + "packets": 1, + "transport": "icmp", + "type": "ipv4" + }, + "observer": { + "product": "IOS", + "type": "firewall", + "vendor": "Cisco" + }, + "related": { + "ip": [ + "10.100.8.34", + "172.16.0.26" + ] + }, + "source": { + "address": "10.100.8.34", + "ip": "10.100.8.34", + "packets": 1 + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml index d65a748de6b6..0fa50bf48efc 100644 --- a/packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml 
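Review bot: In the new IPACCESSLOGDP events `icmp.type` and `icmp.code` are emitted as strings (`"type": "8"`, `"code": "0"`) while the other numeric values in the same documents (`source.port`, `network.packets`, `event.severity`) are numbers; unless the field mapping deliberately keeps them as keywords, numeric values are what make range filters and aggregations on ICMP type usable. The conversion belongs in the ingest pipeline rather than in this fixture, so this expectation would then read `"code": 0, "type": 8`. Also, the last event's `@timestamp` (`23:35:28.207Z`) is taken from the message body rather than the syslog header (`23:34:58`); that looks intentional but is worth confirming as the intended precedence, since the two fixture lines differ only in that value.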
@@ -120,7 +120,7 @@ processors:
 field: message
 tag: grok_message
 patterns:
- - "%{DATA:cisco.ios.facility}-%{POSINT:event.severity}-%{DATA:event.code}: %{GREEDYDATA:message}"
+ - "%{DATA:cisco.ios.facility}-%{POSINT:event.severity}-%{DATA:event.code}:\\s+(\\w+\\d+(\\/\\d+)?\\:\\s+)?([a-zA-Z0-9_]+\\:\\s+)?%{GREEDYDATA:message}"
 - convert:
 field: event.severity
 type: long
diff --git a/packages/cisco_ios/data_stream/log/sample_event.json b/packages/cisco_ios/data_stream/log/sample_event.json
index 56aa524fc5e5..7437c14d6cf0 100644
--- a/packages/cisco_ios/data_stream/log/sample_event.json
+++ b/packages/cisco_ios/data_stream/log/sample_event.json
@@ -1,16 +1,16 @@
 {
- "@timestamp": "2022-01-06T22:11:43.398+11:00",
+ "@timestamp": "2022-01-06T20:52:12.861Z",
 "agent": {
- "ephemeral_id": "b4eeb540-5cc1-4878-b94d-09d0a0d440dd",
- "id": "7fcefa24-63f3-457e-b11c-ccf7f1edaad6",
+ "ephemeral_id": "960a0fda-a7b7-4362-9018-34b1d0d119c4",
+ "id": "f00ff835-626e-4a18-a8a2-0bb3ebb7503f",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.6.2"
+ "version": "8.0.0"
 },
 "cisco": {
 "ios": {
- "facility": "FOO",
- "message_count": 2361044
+ "facility": "SYS",
+ "message_count": 2360957
 }
 },
 "data_stream": {
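Review bot: The two optional groups added to the `grok_message` pattern discard whatever they match, so the slot/process prefixes (`R0/0`, `SIP0`, `F0` in the new test lines) and the function name `cch323_h225_handle_conn_loss` disappear from `message` and, as far as the test expectations show, survive only in `event.original` under the `preserve_original_event` tag. The second group `([a-zA-Z0-9_]+\\:\\s+)?` is also broader than the `fman_fp_image` form the test lines suggest it targets: any message whose first word is followed by a colon and whitespace loses that word, whether or not it is a prefix. I would capture rather than drop, e.g. `(?<FIELD_NAME_PLACEHOLDER>\\w+\\d+(\\/\\d+)?):\\s+` with a field name declared in fields.yml, and narrow the second group to the identifier form actually seen. Minor style point: `\\:` needs no escaping, a plain `:` reads the same.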
@@ -22,42 +22,40 @@
 "version": "8.8.0"
 },
 "elastic_agent": {
- "id": "7fcefa24-63f3-457e-b11c-ccf7f1edaad6",
+ "id": "f00ff835-626e-4a18-a8a2-0bb3ebb7503f",
 "snapshot": false,
- "version": "8.6.2"
+ "version": "8.0.0"
 },
 "event": {
 "agent_id_status": "verified",
 "category": [
 "network"
 ],
- "code": "BAR",
+ "code": "CONFIG_I",
 "dataset": "cisco_ios.log",
- "ingested": "2023-06-01T11:59:13Z",
- "original": "\u003c190\u003e2361044: sw01: Jan 6 2022 22:11:43.398 AEST: %FOO-6-BAR: Test date format.",
+ "ingested": "2023-07-13T09:20:48Z",
+ "original": "\u003c189\u003e2360957: Jan 6 2022 20:52:12.861: %SYS-5-CONFIG_I: Configured from console by akroh on vty0 (10.100.11.10)",
 "provider": "firewall",
- "sequence": 2361044,
- "severity": 6,
- "timezone": "Australia/Sydney",
+ "sequence": 2360957,
+ "severity": 5,
+ "timezone": "+00:00",
 "type": [
 "info"
 ]
 },
 "input": {
- "type": "log"
+ "type": "tcp"
 },
 "log": {
- "file": {
- "path": "/tmp/service_logs/cisco-ios-timezones.log"
+ "level": "notification",
+ "source": {
+ "address": "172.25.0.4:46792"
 },
- "level": "informational",
- "offset": 0,
 "syslog": {
- "hostname": "sw01",
- "priority": 190
+ "priority": 189
 }
 },
- "message": "Test date format.",
+ "message": "Configured from console by akroh on vty0 (10.100.11.10)",
 "observer": {
 "product": "IOS",
 "type": "firewall",
diff --git a/packages/cisco_ios/docs/README.md b/packages/cisco_ios/docs/README.md
index 35016ebd54be..6f1960036257 100644
--- a/packages/cisco_ios/docs/README.md
+++ b/packages/cisco_ios/docs/README.md
@@ -24,18 +24,18 @@ An example event for `log` looks as following:
 
 ```json
 {
- "@timestamp": "2022-01-06T22:11:43.398+11:00",
+ "@timestamp": "2022-01-06T20:52:12.861Z",
 "agent": {
- "ephemeral_id": "b4eeb540-5cc1-4878-b94d-09d0a0d440dd",
- "id": "7fcefa24-63f3-457e-b11c-ccf7f1edaad6",
+ "ephemeral_id": "960a0fda-a7b7-4362-9018-34b1d0d119c4",
+ "id": "f00ff835-626e-4a18-a8a2-0bb3ebb7503f",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.6.2"
+ "version": "8.0.0"
 },
 "cisco": {
 "ios": {
- "facility": "FOO",
- "message_count": 2361044
+ "facility": "SYS",
+ "message_count": 2360957
 }
 },
 "data_stream": {
@@ -47,42 +47,40 @@ An example event for `log` looks as following:
 "version": "8.8.0"
 },
 "elastic_agent": {
- "id": "7fcefa24-63f3-457e-b11c-ccf7f1edaad6",
+ "id": "f00ff835-626e-4a18-a8a2-0bb3ebb7503f",
 "snapshot": false,
- "version": "8.6.2"
+ "version": "8.0.0"
 },
 "event": {
 "agent_id_status": "verified",
 "category": [
 "network"
 ],
- "code": "BAR",
+ "code": "CONFIG_I",
 "dataset": "cisco_ios.log",
- "ingested": "2023-06-01T11:59:13Z",
- "original": "\u003c190\u003e2361044: sw01: Jan 6 2022 22:11:43.398 AEST: %FOO-6-BAR: Test date format.",
+ "ingested": "2023-07-13T09:20:48Z",
+ "original": "\u003c189\u003e2360957: Jan 6 2022 20:52:12.861: %SYS-5-CONFIG_I: Configured from console by akroh on vty0 (10.100.11.10)",
 "provider": "firewall",
- "sequence": 2361044,
- "severity": 6,
- "timezone": "Australia/Sydney",
+ "sequence": 2360957,
+ "severity": 5,
+ "timezone": "+00:00",
 "type": [
 "info"
 ]
 },
 "input": {
- "type": "log"
+ "type": "tcp"
 },
 "log": {
- "file": {
- "path": "/tmp/service_logs/cisco-ios-timezones.log"
+ "level": "notification",
+ "source": {
+ "address": "172.25.0.4:46792"
 },
- "level": "informational",
- "offset": 0,
 "syslog": {
- "hostname": "sw01",
- "priority": 190
+ "priority": 189
 }
 },
- "message": "Test date format.",
+ "message": "Configured from console by akroh on vty0 (10.100.11.10)",
 "observer": {
 "product": "IOS",
 "type": "firewall",
diff --git a/packages/cisco_ios/manifest.yml b/packages/cisco_ios/manifest.yml
index c713241c0136..4e8250b500b5 100644
--- a/packages/cisco_ios/manifest.yml
+++ b/packages/cisco_ios/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 2.7.0
 name: cisco_ios
 title: Cisco IOS
-version: "1.16.0"
+version: "1.16.1"
 description: Collect logs from Cisco IOS with Elastic Agent.
 type: integration
 categories:
diff --git a/packages/m365_defender/changelog.yml b/packages/m365_defender/changelog.yml
index 8bd4fb1e1cc4..b19d749a9c6f 100644
--- a/packages/m365_defender/changelog.yml
+++ b/packages/m365_defender/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.13.0"
+ changes:
+ - description: Convert dashboards to Lens.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6898
 - version: "1.12.0"
 changes:
 - description: Document valid duration units.
diff --git a/packages/m365_defender/img/m365-defender-dashboard-device.png b/packages/m365_defender/img/m365-defender-dashboard-device.png
index 31a865b48e3c..f229d6885ec3 100644
Binary files a/packages/m365_defender/img/m365-defender-dashboard-device.png and b/packages/m365_defender/img/m365-defender-dashboard-device.png differ
diff --git a/packages/m365_defender/img/m365-defender-dashboard-incident.png b/packages/m365_defender/img/m365-defender-dashboard-incident.png
new file mode 100644
index 000000000000..278a02784f0b
Binary files /dev/null and b/packages/m365_defender/img/m365-defender-dashboard-incident.png differ
diff --git a/packages/m365_defender/img/m365-defender-dashboard.png b/packages/m365_defender/img/m365-defender-dashboard.png
index 10114c34e31c..ee2970ff4407 100644
Binary files a/packages/m365_defender/img/m365-defender-dashboard.png and b/packages/m365_defender/img/m365-defender-dashboard.png differ
diff --git a/packages/m365_defender/kibana/dashboard/m365_defender-2690a440-7235-11ed-8657-c59f6ece834c.json b/packages/m365_defender/kibana/dashboard/m365_defender-2690a440-7235-11ed-8657-c59f6ece834c.json
index 20363c06fc9a..8111c55838be 100644
--- a/packages/m365_defender/kibana/dashboard/m365_defender-2690a440-7235-11ed-8657-c59f6ece834c.json
+++ b/packages/m365_defender/kibana/dashboard/m365_defender-2690a440-7235-11ed-8657-c59f6ece834c.json
@@ -1,7 +1,6 @@
 {
 "attributes": {
 "description": "Overview of Microsoft 365 Defender Alert Events.",
- "hits": 0,
 "kibanaSavedObjectMeta": {
 "searchSourceJSON": {
 "filter": [
@@ -70,6 +69,8 @@
 "optionsJSON": {
 "hidePanelTitles": false,
 "syncColors": true,
+ "syncCursor": true,
+ "syncTooltips": false,
 "useMargins": true
 },
 "panelsJSON": [
@@ -110,106 +111,152 @@ "panelIndex": "5a7c7a42-12a4-49f3-a9be-cddff83fea6e", "title": "Dashboards [Logs Microsoft 365 Defender]", "type": "visualization", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": true, - "savedVis": { - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Severity" - }, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "filters": [ - { - "input": { - "language": "kuery", - "query": "m365_defender.event.severity : \"high\" " + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-7c6f0141-f2b6-470a-b228-4d171ba5ec9c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "7c6f0141-f2b6-470a-b228-4d171ba5ec9c": { + "columnOrder": [ + "c6bf301d-636a-4542-823f-2d5560351433", + "f9fc8f3a-2689-47a0-be9c-4b1475047b38", + "f9fc8f3a-2689-47a0-be9c-4b1475047b38X0", + "f9fc8f3a-2689-47a0-be9c-4b1475047b38X1" + ], + "columns": { + "c6bf301d-636a-4542-823f-2d5560351433": { + "dataType": "string", + "isBucketed": true, + "label": "Filters", + "operationType": "filters", + "params": { + "filters": [ + { + "input": { + "language": "kuery", + "query": "m365_defender.event.severity : \"high\" " + }, + "label": "High" + }, + { + "input": { + "language": "kuery", + "query": "m365_defender.event.severity : \"medium\"" + }, + "label": "Medium" + }, + { + "input": { + "language": "kuery", + "query": "m365_defender.event.severity : \"low\" " + }, + "label": "Low" + }, + { + "input": { + "language": "kuery", + "query": "m365_defender.event.severity : \"informational\"" + }, + "label": "informational" + } + ] + }, + "scale": "ordinal" }, - "label": "High" - }, - { - "input": { - "language": "kuery", - "query": "m365_defender.event.severity : \"medium\"" + "f9fc8f3a-2689-47a0-be9c-4b1475047b38": { + 
"customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Severity", + "operationType": "formula", + "params": { + "formula": "defaults(count(), 0)", + "isFormulaBroken": false + }, + "references": [ + "f9fc8f3a-2689-47a0-be9c-4b1475047b38X1" + ], + "scale": "ratio" }, - "label": "Medium" - }, - { - "input": { - "language": "kuery", - "query": "m365_defender.event.severity : \"low\" " + "f9fc8f3a-2689-47a0-be9c-4b1475047b38X0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Severity", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" }, - "label": "Low" + "f9fc8f3a-2689-47a0-be9c-4b1475047b38X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Severity", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + "f9fc8f3a-2689-47a0-be9c-4b1475047b38X0", + 0 + ], + "location": { + "max": 20, + "min": 0 + }, + "name": "defaults", + "text": "defaults(count(), 0)", + "type": "function" + } + }, + "references": [ + "f9fc8f3a-2689-47a0-be9c-4b1475047b38X0" + ], + "scale": "ratio" + } }, - { - "input": { - "language": "kuery", - "query": "m365_defender.event.severity : \"informational\"" - }, - "label": "informational" - } - ] - }, - "schema": "group", - "type": "filters" - } - ], - "searchSource": { - "filter": [], - "index": "logs-*", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "description": "", - "id": "", - "params": { - "addLegend": false, - "addTooltip": true, - "metric": { - "colorSchema": "Green to Red", - "colorsRange": [ - { - "from": 0, - "to": 10000 + "incompleteColumns": {} + } } - ], - "invertColors": false, - "labels": { - "show": true }, - "metricColorMode": "None", - "percentageMode": false, - "style": { - "bgColor": false, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false + 
"textBased": { + "layers": {} + } }, - "type": "metric" + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "breakdownByAccessor": "c6bf301d-636a-4542-823f-2d5560351433", + "color": "#6092C0", + "layerId": "7c6f0141-f2b6-470a-b228-4d171ba5ec9c", + "layerType": "data", + "metricAccessor": "f9fc8f3a-2689-47a0-be9c-4b1475047b38" + } }, - "title": "", - "type": "metric", - "uiState": {} - } + "title": "Metric visualization (converted)", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true }, "gridData": { "h": 10, @@ -219,9 +266,8 @@ "y": 2 }, "panelIndex": "f7f48432-a963-4c54-860d-8a33a26940c5", - "title": "Alert Severity Information [Logs Microsoft 365 Defender]", - "type": "visualization", - "version": "7.16.0" + "type": "lens", + "version": "8.7.1" }, { "embeddableConfig": { @@ -240,7 +286,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "0bfbdd96-9c40-4fe8-808c-86624470ce91": { "columnOrder": [ @@ -274,7 +320,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -291,15 +337,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "96f53808-7c6b-4b58-9681-31185fb341b7" - ], "layerId": "0bfbdd96-9c40-4fe8-808c-86624470ce91", "layerType": "data", "legendDisplay": "default", - "metric": "f99388d1-ad86-4951-9a54-adbcc9c30e54", + "legendSize": "auto", + "metrics": [ + "f99388d1-ad86-4951-9a54-adbcc9c30e54" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "96f53808-7c6b-4b58-9681-31185fb341b7" + ] } ], "shape": "pie" 
@@ -322,7 +371,7 @@ "panelIndex": "17575d40-8cb8-4a3e-bc13-b8ef8a09123f", "title": "Distribution of Alert Events by Category [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -341,7 +390,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "f47a423f-8940-4b5b-8deb-c4351b75d7d5": { "columnOrder": [ @@ -357,7 +406,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "4b06f22b-cbf2-454e-9faa-cb77ece83c86": { "customLabel": true, @@ -385,6 +434,7 @@ "label": "Timestamp", "operationType": "date_histogram", "params": { + "includeEmptyRows": true, "interval": "auto" }, "scale": "interval", @@ -418,6 +468,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "line", @@ -448,7 +499,7 @@ "panelIndex": "ed37facb-6a06-448e-8b27-33a266d36ede", "title": "Severity of Alerts Over Time [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -467,7 +518,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "c947d589-efac-479f-a315-6eba984ef356": { "columnOrder": [ @@ -501,7 +552,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} 
@@ -518,15 +569,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "93a0f8fa-463d-4bf8-a124-1f32e5fc7723" - ], "layerId": "c947d589-efac-479f-a315-6eba984ef356", "layerType": "data", "legendDisplay": "default", - "metric": "a59d0987-6709-4870-8ec7-a2bde8631214", + "legendSize": "auto", + "metrics": [ + "a59d0987-6709-4870-8ec7-a2bde8631214" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "93a0f8fa-463d-4bf8-a124-1f32e5fc7723" + ] } ], "shape": "pie" @@ -549,7 +603,7 @@ "panelIndex": "b36c4cb0-fb8d-4587-9175-e8993c4345f2", "title": "Distribution of Alert Events by AlertEvidence Category [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -568,7 +622,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "43b1d1bf-cd29-446c-9ead-24eab1414c58": { "columnOrder": [ @@ -583,7 +637,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "f889e677-8053-4b7f-a3ee-e40f13196545": { "customLabel": true, @@ -619,15 +673,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "f889e677-8053-4b7f-a3ee-e40f13196545" - ], "layerId": "43b1d1bf-cd29-446c-9ead-24eab1414c58", "layerType": "data", "legendDisplay": "default", - "metric": "c8e84e65-9c5a-4da4-aff7-c06d0019f616", + "legendSize": "auto", + "metrics": [ + "c8e84e65-9c5a-4da4-aff7-c06d0019f616" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "f889e677-8053-4b7f-a3ee-e40f13196545" + ] } ], "shape": "pie" @@ -650,7 +707,7 @@ "panelIndex": "b8b9e1dc-f5e5-4cb4-b935-6f6bc8deeb45", "title": "Distribution of Alert Events by AlertInfo Category [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { 
@@ -669,7 +726,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "7dcdc94e-03b5-4de3-ad69-86fc6fd75bb9": { "columnOrder": [ @@ -703,7 +760,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -732,6 +789,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "bar_stacked", @@ -762,7 +820,7 @@ "panelIndex": "f7b0e2ea-30a7-4ea8-84a4-ea258a438dd0", "title": "Distribution of Alert Events by Detection Source [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -781,7 +839,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "526d57ca-b35a-482d-83c1-14aaf56e2fdb": { "columnOrder": [ @@ -796,7 +854,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "d5a2d011-e9ae-4e02-adda-9768c2555ca2": { "customLabel": true, @@ -832,15 +890,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "d5a2d011-e9ae-4e02-adda-9768c2555ca2" - ], "layerId": "526d57ca-b35a-482d-83c1-14aaf56e2fdb", "layerType": "data", "legendDisplay": "default", - "metric": "a0d68c67-c705-4999-9254-726420d4596f", + "legendSize": "auto", + "metrics": [ + "a0d68c67-c705-4999-9254-726420d4596f" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "d5a2d011-e9ae-4e02-adda-9768c2555ca2" + ] } ], "shape": "pie" @@ -863,7 +924,7 @@ "panelIndex": "1bdac8c4-40d5-4256-9678-d0be8da4e90f", "title": "Distribution of Alert Events by Entity Type [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { 
@@ -882,7 +943,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "85022ca8-d03d-46e1-a69a-00f3f3f296ce": { "columnOrder": [ @@ -897,7 +958,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "561e7a47-3de8-416d-8c1b-0b27f2b8c430": { "customLabel": true, @@ -933,15 +994,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "561e7a47-3de8-416d-8c1b-0b27f2b8c430" - ], "layerId": "85022ca8-d03d-46e1-a69a-00f3f3f296ce", "layerType": "data", "legendDisplay": "default", - "metric": "4b18a23e-a1f7-4e0c-ba99-bee954fcf901", + "legendSize": "auto", + "metrics": [ + "4b18a23e-a1f7-4e0c-ba99-bee954fcf901" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "561e7a47-3de8-416d-8c1b-0b27f2b8c430" + ] } ], "shape": "pie" @@ -964,7 +1028,7 @@ "panelIndex": "425863c5-767c-46b4-a8d5-f3457813c1c5", "title": "Distribution of Alert Events by Service Source [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -983,7 +1047,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "99c43573-42fe-4560-b82c-6747f72c15ca": { "columnOrder": [ @@ -998,7 +1062,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "b1160ab3-8939-40d7-8018-5409a8d05275": { "customLabel": true, @@ -1041,7 +1105,9 @@ } ], "layerId": "99c43573-42fe-4560-b82c-6747f72c15ca", - "layerType": "data" + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 } }, "title": "", @@ -1061,7 +1127,7 @@ "panelIndex": "aee72ecd-3e85-473d-ae8e-a4b8c30eb35b", "title": "Top 10 Attack Techniques that Triggered the Alert [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { 
@@ -1080,7 +1146,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "ded3c9d4-9e45-44b1-be3b-6efc126abff4": { "columnOrder": [ @@ -1095,7 +1161,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "990c5af3-5dc0-4548-af9d-d826084a38a0": { "customLabel": true, @@ -1131,15 +1197,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "990c5af3-5dc0-4548-af9d-d826084a38a0" - ], "layerId": "ded3c9d4-9e45-44b1-be3b-6efc126abff4", "layerType": "data", "legendDisplay": "default", - "metric": "60dd110b-2302-43cf-b91c-6ff59f47c024", + "legendSize": "auto", + "metrics": [ + "60dd110b-2302-43cf-b91c-6ff59f47c024" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "990c5af3-5dc0-4548-af9d-d826084a38a0" + ] } ], "shape": "pie" @@ -1162,7 +1231,7 @@ "panelIndex": "63038c1f-4fc2-4223-8093-1d531dcebf55", "title": "Distribution of Alert Events by Evidence Role [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -1181,7 +1250,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "5f8abf5a-28b8-4645-8cd9-c4e9ba781d5b": { "columnOrder": [ @@ -1215,7 +1284,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} 
@@ -1232,15 +1301,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "4d52046b-4ecb-4596-815f-5ae8c002ca2c" - ], "layerId": "5f8abf5a-28b8-4645-8cd9-c4e9ba781d5b", "layerType": "data", "legendDisplay": "default", - "metric": "c7348f0f-3f29-40f3-8403-e8d5ef1124cd", + "legendSize": "auto", + "metrics": [ + "c7348f0f-3f29-40f3-8403-e8d5ef1124cd" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "4d52046b-4ecb-4596-815f-5ae8c002ca2c" + ] } ], "shape": "pie" @@ -1263,7 +1335,7 @@ "panelIndex": "b5ea653b-40c9-4909-b801-ac6d91c0ded1", "title": "Distribution of Alert Events by Application [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -1282,7 +1354,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "e45f17e1-69db-48e1-878c-c3ca4fcf6d50": { "columnOrder": [ @@ -1297,7 +1369,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "2ce07d3c-213b-4a78-ac11-7e0657fe8d93": { "customLabel": true, @@ -1341,7 +1413,9 @@ } ], "layerId": "e45f17e1-69db-48e1-878c-c3ca4fcf6d50", - "layerType": "data" + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 } }, "title": "", @@ -1361,7 +1435,7 @@ "panelIndex": "689534bf-7bd5-47c3-b2e4-05ad3e05065c", "title": "Top 10 User with Highest Alert [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -1380,7 +1454,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "cc1cd5fe-470e-413d-b165-78bb959fdcae": { "columnOrder": [ @@ -1395,7 +1469,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "3c99dee2-cbde-488f-9dd2-e1135ef3d9a2": { "customLabel": true, 
@@ -1439,7 +1513,9 @@ } ], "layerId": "cc1cd5fe-470e-413d-b165-78bb959fdcae", - "layerType": "data" + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 } }, "title": "", @@ -1459,17 +1535,18 @@ "panelIndex": "8a6b9b07-4d25-4e16-9d75-7cef9ae0b6d5", "title": "Top 10 Device with Highest Alert [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.1" } ], "timeRestore": false, "title": "[Logs Microsoft 365 Defender] Alert Events", "version": 1 }, - "coreMigrationVersion": "7.16.0", + "coreMigrationVersion": "8.7.1", + "created_at": "2023-07-10T16:03:22.216Z", "id": "m365_defender-2690a440-7235-11ed-8657-c59f6ece834c", "migrationVersion": { - "dashboard": "7.16.0" + "dashboard": "8.7.0" }, "references": [ { @@ -1484,7 +1561,7 @@ }, { "id": "logs-*", - "name": "f7f48432-a963-4c54-860d-8a33a26940c5:kibanaSavedObjectMeta.searchSourceJSON.index", + "name": "f7f48432-a963-4c54-860d-8a33a26940c5:indexpattern-datasource-layer-7c6f0141-f2b6-470a-b228-4d171ba5ec9c", "type": "index-pattern" }, { diff --git a/packages/m365_defender/kibana/dashboard/m365_defender-3caf3c00-7456-11ed-8657-c59f6ece834c.json b/packages/m365_defender/kibana/dashboard/m365_defender-3caf3c00-7456-11ed-8657-c59f6ece834c.json index 7fab4d94931e..66f344c0e059 100644 --- a/packages/m365_defender/kibana/dashboard/m365_defender-3caf3c00-7456-11ed-8657-c59f6ece834c.json +++ b/packages/m365_defender/kibana/dashboard/m365_defender-3caf3c00-7456-11ed-8657-c59f6ece834c.json @@ -116,7 +116,8 @@ "title": "", "type": "markdown", "uiState": {} - } + }, + "type": "visualization" }, "gridData": { "h": 2, @@ -128,7 +129,7 @@ "panelIndex": "50e3ae2b-7187-469b-a991-13ea4569492d", "title": "Dashboards [Logs Microsoft 365 Defender]", "type": "visualization", - "version": "7.16.0" + "version": "8.7.0" }, { "embeddableConfig": { 
@@ -147,7 +148,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "df8ea671-9e96-4b30-85c3-e0eb634ee70e": { "columnOrder": [ @@ -162,7 +163,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "7feaef80-0ace-4508-8ea4-795a53a2ecd0": { "customLabel": true, @@ -198,15 +199,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "7feaef80-0ace-4508-8ea4-795a53a2ecd0" - ], "layerId": "df8ea671-9e96-4b30-85c3-e0eb634ee70e", "layerType": "data", "legendDisplay": "default", - "metric": "44fe2bf6-6c4f-481e-bda4-1e05796174aa", + "legendSize": "auto", + "metrics": [ + "44fe2bf6-6c4f-481e-bda4-1e05796174aa" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "7feaef80-0ace-4508-8ea4-795a53a2ecd0" + ] } ], "shape": "pie" @@ -217,7 +221,8 @@ "visualizationType": "lnsPie" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, "gridData": { "h": 15, @@ -229,7 +234,7 @@ "panelIndex": "6939c76b-e05e-41fb-8728-69ce782d3d09", "title": "Distribution of Email Events by Category [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.0" }, { "embeddableConfig": { @@ -248,7 +253,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "f3aaa0a4-ce4a-45cb-a01a-3c94599f57ff": { "columnOrder": [ @@ -263,7 +268,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "4f5bbd91-692c-4e56-a5e7-1549c9cce4e7": { "customLabel": true, @@ -311,6 +316,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "bar_stacked", @@ -329,7 +335,8 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, "gridData": { "h": 15, 
@@ -341,7 +348,7 @@ "panelIndex": "5572c205-4f5b-4ac8-bc7d-695de2ef1321", "title": "Distribution of Email Events by Threat Name [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.0" }, { "embeddableConfig": { @@ -360,7 +367,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "c2532b46-df13-456c-99b6-5204add46c0f": { "columnOrder": [ @@ -394,7 +401,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -411,15 +418,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "301d9024-a2a3-4c2d-9df0-275de1d39f03" - ], "layerId": "c2532b46-df13-456c-99b6-5204add46c0f", "layerType": "data", "legendDisplay": "default", - "metric": "81716fd7-8ff7-46dd-913a-906e436c3ef4", + "legendSize": "auto", + "metrics": [ + "81716fd7-8ff7-46dd-913a-906e436c3ef4" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "301d9024-a2a3-4c2d-9df0-275de1d39f03" + ] } ], "shape": "pie" @@ -430,7 +440,8 @@ "visualizationType": "lnsPie" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, "gridData": { "h": 15, @@ -442,7 +453,7 @@ "panelIndex": "fcb067a8-62ac-4774-b7d9-613ee37eae05", "title": "Distribution of Email Events by Threat Type [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.0" }, { "embeddableConfig": { @@ -461,7 +472,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "e51ee8f9-b1dc-4f35-8d22-bde68fe347a9": { "columnOrder": [ @@ -495,7 +506,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} 
@@ -512,15 +523,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "d99047d5-6011-44ad-9807-478d1b8dbee5" - ], "layerId": "e51ee8f9-b1dc-4f35-8d22-bde68fe347a9", "layerType": "data", "legendDisplay": "default", - "metric": "e2ae488c-1542-473a-81d3-313d647305c4", + "legendSize": "auto", + "metrics": [ + "e2ae488c-1542-473a-81d3-313d647305c4" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "d99047d5-6011-44ad-9807-478d1b8dbee5" + ] } ], "shape": "pie" @@ -531,7 +545,8 @@ "visualizationType": "lnsPie" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, "gridData": { "h": 15, @@ -543,7 +558,7 @@ "panelIndex": "37e4845f-8d0a-49c0-8638-ff98d662c7bb", "title": "Distribution of Email Events by Email Direction [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.0" }, { "embeddableConfig": { @@ -562,7 +577,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "f67b6a79-93f1-49c2-82ab-8ad2cc4efb20": { "columnOrder": [ @@ -596,7 +611,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -613,15 +628,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "1739a22d-801c-4a23-a306-e5660e495124" - ], "layerId": "f67b6a79-93f1-49c2-82ab-8ad2cc4efb20", "layerType": "data", "legendDisplay": "default", - "metric": "96355e27-9e06-420d-ba3b-5b055b3698bf", + "legendSize": "auto", + "metrics": [ + "96355e27-9e06-420d-ba3b-5b055b3698bf" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "1739a22d-801c-4a23-a306-e5660e495124" + ] } ], "shape": "pie" @@ -632,7 +650,8 @@ "visualizationType": "lnsPie" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, "gridData": { "h": 15, 
@@ -644,7 +663,7 @@ "panelIndex": "089de1f6-3285-40ff-bde9-6e9e97efa3b9", "title": "Distribution of Email Events by Delivery Action [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.0" }, { "embeddableConfig": { @@ -663,7 +682,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "b48c5875-8d80-41ee-986b-171379a92ce9": { "columnOrder": [ @@ -697,7 +716,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -726,6 +745,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "bar_stacked", @@ -744,7 +764,8 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, "gridData": { "h": 15, @@ -756,7 +777,7 @@ "panelIndex": "34103476-8fd1-4170-b643-c0f4234d87bc", "title": "Distribution of Email Events by Email Action [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.0" }, { "embeddableConfig": { @@ -775,7 +796,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "610fcf9a-637e-4ef0-a825-bdc2b3610bd3": { "columnOrder": [ @@ -790,7 +811,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "e320bee1-b830-456a-9f1a-28b386ca575e": { "customLabel": true, @@ -838,6 +859,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "bar_stacked", @@ -856,7 +878,8 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, "gridData": { "h": 15, 
@@ -868,7 +891,7 @@ "panelIndex": "3e82a1c4-532d-46aa-90a1-b4604cc81c54", "title": "Distribution of Email Events by Email Language [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.0" }, { "embeddableConfig": { @@ -887,7 +910,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "939806bc-53d9-4a84-af61-05e5d5bb793b": { "columnOrder": [ @@ -902,7 +925,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "c8fbe70d-cae7-4e74-a460-095660138c61": { "customLabel": true, @@ -950,6 +973,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "bar_stacked", @@ -968,7 +992,8 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, "gridData": { "h": 15, @@ -980,17 +1005,18 @@ "panelIndex": "3befe23e-92aa-4170-9cf9-3811301a65ac", "title": "Distribution of Email Events by Delivery Location [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.0" } ], "timeRestore": false, "title": "[Logs Microsoft 365 Defender] Email Events", "version": 1 }, - "coreMigrationVersion": "7.16.0", + "coreMigrationVersion": "8.7.1", + "created_at": "2023-07-10T15:29:49.843Z", "id": "m365_defender-3caf3c00-7456-11ed-8657-c59f6ece834c", "migrationVersion": { - "dashboard": "7.16.0" + "dashboard": "8.7.0" }, "references": [ { diff --git a/packages/m365_defender/kibana/dashboard/m365_defender-ac54d310-44ab-11ed-8375-0168a9970c06.json b/packages/m365_defender/kibana/dashboard/m365_defender-ac54d310-44ab-11ed-8375-0168a9970c06.json index fce842b767d7..86e77bc3fb32 100644 --- a/packages/m365_defender/kibana/dashboard/m365_defender-ac54d310-44ab-11ed-8375-0168a9970c06.json +++ b/packages/m365_defender/kibana/dashboard/m365_defender-ac54d310-44ab-11ed-8375-0168a9970c06.json 
@@ -1,32 +1,9 @@ { "attributes": { "description": "Overview of Microsoft 365 Defender Incidents", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "m365_defender.incident" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "m365_defender.incident" - } - } - } - ], + "filter": [], "query": { "language": "kuery", "query": "" 
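Review bot: Replacing the dashboard-level `data_stream.dataset: m365_defender.incident` filter with `"filter": []` removes the one scope guard that applied to every panel, so any panel without its own copy now runs against all of `logs-*`. The Lens panels in the later hunks each gain an inline copy of the filter, but the `"type": "search"` panel (hunk `@@ -617,32 +778,28 @@`) carries no filter in this file and depends on the referenced saved search scoping itself — worth confirming before merging. The per-panel copies also have to be kept in sync by hand, where the single dashboard filter could not drift. Consider keeping the dashboard-level filter in addition to the panel filters (together with its `kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index` reference, which the `@@ -617` hunk also drops); the device-events dashboard in this same commit appears to keep its dashboard-level `"filter": [` entries, so the two dashboards now follow different scoping conventions.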
@@ -36,108 +13,183 @@ "optionsJSON": { "hidePanelTitles": false, "syncColors": false, + "syncCursor": true, + "syncTooltips": false, "useMargins": true }, "panelsJSON": [ { "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false, - "savedVis": { - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Count", - "field": "event.id" - }, - "schema": "metric", - "type": "cardinality" - }, - { - "enabled": true, - "id": "2", - "params": { - "filters": [ - { - "input": { - "language": "kuery", - "query": "not (source.user.name : * )" + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-961a470c-6271-4d2f-b553-646b67834136", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "500b87e2-0cac-4347-b383-521421e3b4ad", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "961a470c-6271-4d2f-b553-646b67834136": { + "columnOrder": [ + "6bf7c6d1-08bd-4258-bddc-b6df02a448be", + "fee1e57d-1104-4aed-9686-37ba38f74f2e", + "fee1e57d-1104-4aed-9686-37ba38f74f2eX0", + "fee1e57d-1104-4aed-9686-37ba38f74f2eX1" + ], + "columns": { + "6bf7c6d1-08bd-4258-bddc-b6df02a448be": { + "dataType": "string", + "isBucketed": true, + "label": "Filters", + "operationType": "filters", + "params": { + "filters": [ + { + "input": { + "language": "kuery", + "query": "not (source.user.name : * )" + }, + "label": "Unassigned Incident" + }, + { + "input": { + "language": "kuery", + "query": "m365_defender.incident.status : \"active\"" + }, + "label": "Active Incident" + }, + { + "input": { + "language": "kuery", + "query": "m365_defender.incident.status : \"redirected\" " + }, + "label": "Redirected Incident" + }, + { + "input": { + "language": "kuery", + "query": "m365_defender.incident.status : \"resolved\" " + }, + "label": "Resolved Incident" + } + ] + }, + "scale": "ordinal" }, - "label": "Unassigned Incident" - }, - { - 
"input": { - "language": "kuery", - "query": "m365_defender.incident.status : \"active\"" + "fee1e57d-1104-4aed-9686-37ba38f74f2e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "formula", + "params": { + "formula": "defaults(unique_count(event.id), 0)", + "isFormulaBroken": false + }, + "references": [ + "fee1e57d-1104-4aed-9686-37ba38f74f2eX1" + ], + "scale": "ratio" }, - "label": "Active Incident" - }, - { - "input": { - "language": "kuery", - "query": "m365_defender.incident.status : \"redirected\" " + "fee1e57d-1104-4aed-9686-37ba38f74f2eX0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "event.id" }, - "label": "Redirected Incident" + "fee1e57d-1104-4aed-9686-37ba38f74f2eX1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Count", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + "fee1e57d-1104-4aed-9686-37ba38f74f2eX0", + 0 + ], + "location": { + "max": 35, + "min": 0 + }, + "name": "defaults", + "text": "defaults(unique_count(event.id), 0)", + "type": "function" + } + }, + "references": [ + "fee1e57d-1104-4aed-9686-37ba38f74f2eX0" + ], + "scale": "ratio" + } }, - { - "input": { - "language": "kuery", - "query": "m365_defender.incident.status : \"resolved\" " - }, - "label": "Resolved Incident" - } - ] + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "500b87e2-0cac-4347-b383-521421e3b4ad", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.incident" + }, + "type": "phrase" }, - "schema": "group", - "type": "filters" + "query": { + 
"match_phrase": { + "data_stream.dataset": "m365_defender.incident" + } + } } ], - "searchSource": { - "filter": [], - "index": "logs-*", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "description": "", - "id": "", - "params": { - "addLegend": false, - "addTooltip": true, - "metric": { - "colorSchema": "Green to Red", - "colorsRange": [ - { - "from": 0, - "to": 10000 - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "None", - "percentageMode": false, - "style": { - "bgColor": false, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" }, - "type": "metric" + "visualization": { + "breakdownByAccessor": "6bf7c6d1-08bd-4258-bddc-b6df02a448be", + "color": "#6092C0", + "layerId": "961a470c-6271-4d2f-b553-646b67834136", + "layerType": "data", + "metricAccessor": "fee1e57d-1104-4aed-9686-37ba38f74f2e" + } }, - "title": "", - "type": "metric", - "uiState": {} - } + "title": "Incident Counts [Logs Microsoft 365 Defender] (converted)", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false }, "gridData": { "h": 10, @@ -148,8 +200,8 @@ }, "panelIndex": "0bc0ee87-64be-46bf-89ac-3a3c17f3ab7e", "title": "Incident Counts [Logs Microsoft 365 Defender]", - "type": "visualization", - "version": "7.16.0" + "type": "lens", + "version": "8.7.1" }, { "embeddableConfig": { 
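Review bot: `"title": "Incident Counts [Logs Microsoft 365 Defender] (converted)"` inside the Lens `attributes` is a leftover of the automatic legacy-metric-to-Lens conversion; the panel-level `"title"` hides it on the dashboard, but it is the name shown when the panel is opened in the Lens editor. Suggest `"title": "Incident Counts [Logs Microsoft 365 Defender]",` so the stored object and the panel agree. The `defaults(unique_count(event.id), 0)` formula is a good choice here since it renders 0 rather than an empty metric when no incident matches a filter bucket. Minor, carried over from the old side: the KQL strings `"m365_defender.incident.status : \"redirected\" "` and `... \"resolved\" "` end in a trailing space, which appears harmless but is easy to trim while touching the panel.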
@@ -157,18 +209,19 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", + "name": "indexpattern-datasource-layer-a3705125-6c5c-43a6-a594-6d384c293ec9", "type": "index-pattern" }, { "id": "logs-*", - "name": "indexpattern-datasource-layer-a3705125-6c5c-43a6-a594-6d384c293ec9", + "name": "a77281bd-3237-4d8d-b908-18a4a562b070", "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "a3705125-6c5c-43a6-a594-6d384c293ec9": { "columnOrder": [ @@ -192,6 +245,7 @@ "label": "Timestamp", "operationType": "date_histogram", "params": { + "includeEmptyRows": true, "interval": "auto" }, "scale": "interval", @@ -203,7 +257,31 @@ } } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "a77281bd-3237-4d8d-b908-18a4a562b070", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.incident" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.incident" + } + } + } + ], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -224,6 +302,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "line", @@ -254,7 +333,7 @@ "panelIndex": "e8dcdb05-dc55-4c3d-ba79-d043d3987e53", "title": "Count of Incidents Over Time [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { 
@@ -262,18 +341,19 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", + "name": "indexpattern-datasource-layer-19999c0c-be9d-43ba-994a-72fadb61fabc", "type": "index-pattern" }, { "id": "logs-*", - "name": "indexpattern-datasource-layer-19999c0c-be9d-43ba-994a-72fadb61fabc", + "name": "465f825b-af7a-4311-97e1-be1d9e4928db", "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "19999c0c-be9d-43ba-994a-72fadb61fabc": { "columnOrder": [ @@ -315,7 +395,31 @@ } } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "465f825b-af7a-4311-97e1-be1d9e4928db", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.incident" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.incident" + } + } + } + ], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -324,15 +428,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "330afb86-6197-4204-b9d3-49fb9d878111" - ], "layerId": "19999c0c-be9d-43ba-994a-72fadb61fabc", "layerType": "data", "legendDisplay": "default", - "metric": "8e73def1-b551-4bc3-9676-6bfe825f308f", + "legendSize": "auto", + "metrics": [ + "8e73def1-b551-4bc3-9676-6bfe825f308f" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "330afb86-6197-4204-b9d3-49fb9d878111" + ] } ], "shape": "pie" @@ -355,7 +462,7 @@ "panelIndex": "09a42be0-f530-4662-a284-5ad7d3264935", "title": "Distribution of Incidents by Severity [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { 
@@ -363,18 +470,19 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", + "name": "indexpattern-datasource-layer-7f55a9ab-9515-4d17-844d-c925b2ccdbd1", "type": "index-pattern" }, { "id": "logs-*", - "name": "indexpattern-datasource-layer-7f55a9ab-9515-4d17-844d-c925b2ccdbd1", + "name": "644633f8-cafb-4bfd-8a03-4a1e7c1146e7", "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "7f55a9ab-9515-4d17-844d-c925b2ccdbd1": { "columnOrder": [ @@ -436,7 +544,31 @@ } } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "644633f8-cafb-4bfd-8a03-4a1e7c1146e7", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.incident" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.incident" + } + } + } + ], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -455,7 +587,9 @@ } ], "layerId": "7f55a9ab-9515-4d17-844d-c925b2ccdbd1", - "layerType": "data" + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 } }, "title": "", @@ -475,7 +609,7 @@ "panelIndex": "ae3a1a20-4ff4-4e3d-9bbc-ccb240662789", "title": "Incident with Highest Count of Alerts [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { 
@@ -483,18 +617,19 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", + "name": "indexpattern-datasource-layer-f41e1d1a-0dc1-4416-b48b-a04c4e59d46c", "type": "index-pattern" }, { "id": "logs-*", - "name": "indexpattern-datasource-layer-f41e1d1a-0dc1-4416-b48b-a04c4e59d46c", + "name": "b5cb2c9c-2731-4f8b-8001-4c674d131b67", "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "f41e1d1a-0dc1-4416-b48b-a04c4e59d46c": { "columnOrder": [ @@ -510,6 +645,7 @@ "label": "Timestamp", "operationType": "date_histogram", "params": { + "includeEmptyRows": true, "interval": "auto" }, "scale": "interval", @@ -549,7 +685,31 @@ } } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "b5cb2c9c-2731-4f8b-8001-4c674d131b67", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.incident" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.incident" + } + } + } + ], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -571,6 +731,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "line", @@ -601,7 +762,7 @@ "panelIndex": "b2cc378e-bce4-4769-9778-2f7f4fcb0f9b", "title": "Severity Over Time [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { 
@@ -617,32 +778,28 @@ "panelIndex": "b3cf43f7-84a7-4d89-b9ca-8bbac00f67a0", "panelRefName": "panel_b3cf43f7-84a7-4d89-b9ca-8bbac00f67a0", "type": "search", - "version": "7.16.0" + "version": "8.7.1" } ], "timeRestore": false, "title": "[Logs Microsoft 365 Defender] Incident", "version": 1 }, - "coreMigrationVersion": "7.16.0", + "coreMigrationVersion": "8.7.1", + "created_at": "2023-07-10T15:58:53.650Z", "id": "m365_defender-ac54d310-44ab-11ed-8375-0168a9970c06", "migrationVersion": { - "dashboard": "7.16.0" + "dashboard": "8.7.0" }, "references": [ { "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "name": "0bc0ee87-64be-46bf-89ac-3a3c17f3ab7e:indexpattern-datasource-layer-961a470c-6271-4d2f-b553-646b67834136", "type": "index-pattern" }, { "id": "logs-*", - "name": "0bc0ee87-64be-46bf-89ac-3a3c17f3ab7e:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e8dcdb05-dc55-4c3d-ba79-d043d3987e53:indexpattern-datasource-current-indexpattern", + "name": "0bc0ee87-64be-46bf-89ac-3a3c17f3ab7e:500b87e2-0cac-4347-b383-521421e3b4ad", "type": "index-pattern" }, { @@ -652,7 +809,7 @@ }, { "id": "logs-*", - "name": "09a42be0-f530-4662-a284-5ad7d3264935:indexpattern-datasource-current-indexpattern", + "name": "e8dcdb05-dc55-4c3d-ba79-d043d3987e53:a77281bd-3237-4d8d-b908-18a4a562b070", "type": "index-pattern" }, { @@ -662,7 +819,7 @@ }, { "id": "logs-*", - "name": "ae3a1a20-4ff4-4e3d-9bbc-ccb240662789:indexpattern-datasource-current-indexpattern", + "name": "09a42be0-f530-4662-a284-5ad7d3264935:465f825b-af7a-4311-97e1-be1d9e4928db", "type": "index-pattern" }, { @@ -672,7 +829,7 @@ }, { "id": "logs-*", - "name": "b2cc378e-bce4-4769-9778-2f7f4fcb0f9b:indexpattern-datasource-current-indexpattern", + "name": "ae3a1a20-4ff4-4e3d-9bbc-ccb240662789:644633f8-cafb-4bfd-8a03-4a1e7c1146e7", "type": "index-pattern" }, { 
@@ -680,6 +837,11 @@ "name": "b2cc378e-bce4-4769-9778-2f7f4fcb0f9b:indexpattern-datasource-layer-f41e1d1a-0dc1-4416-b48b-a04c4e59d46c", "type": "index-pattern" }, + { + "id": "logs-*", + "name": "b2cc378e-bce4-4769-9778-2f7f4fcb0f9b:b5cb2c9c-2731-4f8b-8001-4c674d131b67", + "type": "index-pattern" + }, { "id": "m365_defender-fcf25960-44af-11ed-8375-0168a9970c06", "name": "b3cf43f7-84a7-4d89-b9ca-8bbac00f67a0:panel_b3cf43f7-84a7-4d89-b9ca-8bbac00f67a0", diff --git a/packages/m365_defender/kibana/dashboard/m365_defender-c0b796d0-720a-11ed-8657-c59f6ece834c.json b/packages/m365_defender/kibana/dashboard/m365_defender-c0b796d0-720a-11ed-8657-c59f6ece834c.json index 996fd69795a7..b5ad561fc4de 100644 --- a/packages/m365_defender/kibana/dashboard/m365_defender-c0b796d0-720a-11ed-8657-c59f6ece834c.json +++ b/packages/m365_defender/kibana/dashboard/m365_defender-c0b796d0-720a-11ed-8657-c59f6ece834c.json @@ -1,7 +1,6 @@ { "attributes": { "description": "Overview of Microsoft 365 Defender Device Events.", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [ @@ -118,6 +117,8 @@ "optionsJSON": { "hidePanelTitles": false, "syncColors": true, + "syncCursor": true, + "syncTooltips": false, "useMargins": true }, "panelsJSON": [ @@ -158,7 +159,7 @@ "panelIndex": "362bfb2d-9787-42ec-bc32-5c7c72d43e4f", "title": "Dashboards [Logs Microsoft 365 Defender]", "type": "visualization", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -177,7 +178,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "06ee28b9-429b-42e8-a83b-3a3f4eb16745": { "columnOrder": [ 
@@ -207,12 +208,15 @@ "visualization": { "accessor": "c26f4a59-33a0-48c9-8a07-9031a1053d36", "layerId": "06ee28b9-429b-42e8-a83b-3a3f4eb16745", - "layerType": "data" + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" } }, "title": "", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, "hidePanelTitles": true @@ -227,7 +231,7 @@ "panelIndex": "eef7f556-05f9-4b08-bc1a-f87957c5919d", "title": "Count of Devices [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -246,7 +250,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "57bf0095-31d3-4abc-8a39-37efbc0a3efd": { "columnOrder": [ @@ -276,12 +280,15 @@ "visualization": { "accessor": "ac137775-8aaa-4467-ae67-7c47df5651f6", "layerId": "57bf0095-31d3-4abc-8a39-37efbc0a3efd", - "layerType": "data" + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" } }, "title": "", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, "hidePanelTitles": true @@ -296,7 +303,7 @@ "panelIndex": "6896510c-66c5-47b7-ae3f-d0521dd24ea3", "title": "Count of Account Domain [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -315,7 +322,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "dca2664e-3694-4056-8386-1b651bbb7e3b": { "columnOrder": [ @@ -333,7 +340,7 @@ "label": "Devices with Signed and Trusted Certificates", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} 
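Review bot: `"visualizationType": "lnsLegacyMetric"` is used for the three count panels of this dashboard (also in hunks `@@ -276,12 +280,15 @@` and `@@ -349,12 +356,15 @@`), while the "Incident Counts" panel of the incident dashboard in the same commit is converted to the new `"lnsMetric"` renderer. The package therefore ships two different metric visualisations with different sizing and title placement, which shows as an inconsistent look across its dashboards. If the legacy rendering is deliberate that is fine, but otherwise migrating these panels to `lnsMetric` as well would keep the package on the current renderer rather than the compatibility one the `Legacy` name suggests. A one-line changelog entry stating which renderer the package standardises on would help future reviewers.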
@@ -349,12 +356,15 @@ "visualization": { "accessor": "5c35b47f-ce23-4f14-aa83-3925d5a38bf1", "layerId": "dca2664e-3694-4056-8386-1b651bbb7e3b", - "layerType": "data" + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" } }, "title": "", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, "hidePanelTitles": true @@ -369,17 +379,12 @@ "panelIndex": "1797b9be-a8f4-4857-9660-be64394b90b3", "title": "Count of Device having Signed and Trusted Certificate [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { "attributes": { "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "indexpattern-datasource-layer-0efca441-e712-4d30-a594-d35d6d172c88", @@ -387,8 +392,9 @@ } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "0efca441-e712-4d30-a594-d35d6d172c88": { "columnOrder": [ @@ -422,7 +428,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -431,6 +437,7 @@ } }, "filters": [], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -467,6 +474,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "bar_stacked", 
@@ -501,106 +509,152 @@ "panelIndex": "0364cf09-1da8-459d-9267-db9ccab7b6b4", "title": "Distribution of Device Events by Category [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": true, - "savedVis": { - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Certificates" - }, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "filters": [ - { - "input": { - "language": "kuery", - "query": "m365_defender.event.is_signed : true" + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-01f3b09f-11e5-449f-806d-ecad785b372c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "01f3b09f-11e5-449f-806d-ecad785b372c": { + "columnOrder": [ + "9db63172-577f-4f0a-96c9-988784409afc", + "464d6c87-402c-49f2-bb00-201fc8ab9abe", + "464d6c87-402c-49f2-bb00-201fc8ab9abeX0", + "464d6c87-402c-49f2-bb00-201fc8ab9abeX1" + ], + "columns": { + "464d6c87-402c-49f2-bb00-201fc8ab9abe": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Certificates", + "operationType": "formula", + "params": { + "formula": "defaults(count(), 0)", + "isFormulaBroken": false + }, + "references": [ + "464d6c87-402c-49f2-bb00-201fc8ab9abeX1" + ], + "scale": "ratio" }, - "label": "Signed" - }, - { - "input": { - "language": "kuery", - "query": "m365_defender.event.is_signed: false" + "464d6c87-402c-49f2-bb00-201fc8ab9abeX0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Certificates", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" }, - "label": "Unsigned" - }, - { - "input": { - "language": "kuery", - "query": "m365_defender.event.is_trusted : true" + 
"464d6c87-402c-49f2-bb00-201fc8ab9abeX1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Certificates", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + "464d6c87-402c-49f2-bb00-201fc8ab9abeX0", + 0 + ], + "location": { + "max": 20, + "min": 0 + }, + "name": "defaults", + "text": "defaults(count(), 0)", + "type": "function" + } + }, + "references": [ + "464d6c87-402c-49f2-bb00-201fc8ab9abeX0" + ], + "scale": "ratio" }, - "label": "Trusted" + "9db63172-577f-4f0a-96c9-988784409afc": { + "dataType": "string", + "isBucketed": true, + "label": "Filters", + "operationType": "filters", + "params": { + "filters": [ + { + "input": { + "language": "kuery", + "query": "m365_defender.event.is_signed : true" + }, + "label": "Signed" + }, + { + "input": { + "language": "kuery", + "query": "m365_defender.event.is_signed: false" + }, + "label": "Unsigned" + }, + { + "input": { + "language": "kuery", + "query": "m365_defender.event.is_trusted : true" + }, + "label": "Trusted" + }, + { + "input": { + "language": "kuery", + "query": "m365_defender.event.is_trusted : false" + }, + "label": "Untrusted" + } + ] + }, + "scale": "ordinal" + } }, - { - "input": { - "language": "kuery", - "query": "m365_defender.event.is_trusted : false" - }, - "label": "Untrusted" - } - ] - }, - "schema": "group", - "type": "filters" - } - ], - "searchSource": { - "filter": [], - "index": "logs-*", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "description": "", - "id": "", - "params": { - "addLegend": false, - "addTooltip": true, - "metric": { - "colorSchema": "Green to Red", - "colorsRange": [ - { - "from": 0, - "to": 10000 + "incompleteColumns": {} + } } - ], - "invertColors": false, - "labels": { - "show": true }, - "metricColorMode": "None", - "percentageMode": false, - "style": { - "bgColor": false, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false + 
"textBased": { + "layers": {} + } }, - "type": "metric" + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "breakdownByAccessor": "9db63172-577f-4f0a-96c9-988784409afc", + "color": "#6092C0", + "layerId": "01f3b09f-11e5-449f-806d-ecad785b372c", + "layerType": "data", + "metricAccessor": "464d6c87-402c-49f2-bb00-201fc8ab9abe" + } }, - "title": "", - "type": "metric", - "uiState": {} - } + "title": "Metric visualization (converted)", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true }, "gridData": { "h": 9, @@ -610,9 +664,8 @@ "y": 13 }, "panelIndex": "80e0a931-5bd5-47eb-9f59-35020d52d6dd", - "title": "Device Certificate Information [Logs Microsoft 365 Defender]", - "type": "visualization", - "version": "7.16.0" + "type": "lens", + "version": "8.7.1" }, { "embeddableConfig": { @@ -631,7 +684,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "b65faae4-3ea7-44ce-8c73-3400dc2a953d": { "columnOrder": [ @@ -647,7 +700,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "094552d3-7ec0-4d65-ab8b-bd6fe38af648": { "customLabel": true, @@ -731,6 +784,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "bar_stacked", @@ -765,7 +819,7 @@ "panelIndex": "892e0c11-6847-4be0-8c53-9256d5bed8ae", "title": "Distribution of Device Type by Device Category [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -784,7 +838,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "33420593-65e7-42ea-a730-38fd3565b83b": { "columnOrder": [ 
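Review bot: The converted Lens panel keeps the auto-migration placeholder `"title": "Metric visualization (converted)"` in its attributes, while the following hunk drops the panel-level `"title": "Device Certificate Information [Logs Microsoft 365 Defender]"`, so this panel no longer carries the dashboard's naming convention anywhere. `hidePanelTitles` is true so nothing renders differently, but the placeholder is what shows up in the saved-object inspector and in any search for panels by title. I would set the attributes title to the original name, `"title": "Device Certificate Information [Logs Microsoft 365 Defender]",`, and drop the `(converted)` suffix. The same leftover suffix appears on the Alert Counts panel in the second dashboard file of this diff.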
@@ -798,7 +852,7 @@ "label": "Count of records", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "e27ef4a8-7d46-449c-bd7a-7757d9774251": { "customLabel": true, @@ -834,15 +888,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "e27ef4a8-7d46-449c-bd7a-7757d9774251" - ], "layerId": "33420593-65e7-42ea-a730-38fd3565b83b", "layerType": "data", "legendDisplay": "default", - "metric": "725f0f83-71da-4630-ac05-930b2d558624", + "legendSize": "auto", + "metrics": [ + "725f0f83-71da-4630-ac05-930b2d558624" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "e27ef4a8-7d46-449c-bd7a-7757d9774251" + ] } ], "shape": "pie" @@ -865,7 +922,7 @@ "panelIndex": "a70a967c-289d-4d84-8ac4-1dbb1959bbd8", "title": "Distribution of Device by Device Onboarding Status [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -884,7 +941,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "f76bb73e-d4b6-4fa1-9329-2e9942dd9eb4": { "columnOrder": [ @@ -918,7 +975,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -935,15 +992,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "848b4914-cfa6-41d7-9d50-bef5904481db" - ], "layerId": "f76bb73e-d4b6-4fa1-9329-2e9942dd9eb4", "layerType": "data", "legendDisplay": "default", - "metric": "85e428bc-ca74-4660-87e5-c1d916524038", + "legendSize": "auto", + "metrics": [ + "85e428bc-ca74-4660-87e5-c1d916524038" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "848b4914-cfa6-41d7-9d50-bef5904481db" + ] } ], "shape": "pie" 
@@ -966,7 +1026,7 @@ "panelIndex": "3a2f0c3d-bd6d-44e4-b6c3-25d7f55dd608", "title": "Distribution of Device by Device Logon Type [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -985,7 +1045,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "d355aad4-5b79-4044-bbec-66923b1a8c84": { "columnOrder": [ @@ -1000,7 +1060,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "9f35467e-45dc-4aba-a6e1-99f1f88a02c9": { "customLabel": true, @@ -1062,6 +1122,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "bar", @@ -1096,7 +1157,7 @@ "panelIndex": "f048ae61-3e8e-41e4-b15d-c6fa3c261b54", "title": "Distribution of Device Events by Protocol [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -1115,7 +1176,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "8a8196f6-a696-4337-9a13-bbf9f8c796d5": { "columnOrder": [ @@ -1130,7 +1191,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "0cbc25e1-515c-4691-bca0-2fcf599c4744": { "customLabel": true, @@ -1166,15 +1227,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "0cbc25e1-515c-4691-bca0-2fcf599c4744" - ], "layerId": "8a8196f6-a696-4337-9a13-bbf9f8c796d5", "layerType": "data", "legendDisplay": "default", - "metric": "04877ea1-36c6-49ea-8150-dc864c4f1041", + "legendSize": "auto", + "metrics": [ + "04877ea1-36c6-49ea-8150-dc864c4f1041" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "0cbc25e1-515c-4691-bca0-2fcf599c4744" + ] } ], "shape": "pie" 
@@ -1197,7 +1261,7 @@ "panelIndex": "a9117849-31e0-4fb5-8750-3545eb3cb61c", "title": "Distribution of Device Events by OS Platform [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -1216,7 +1280,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "75887628-a5d8-46fc-83f2-7f2341d66647": { "columnOrder": [ @@ -1231,7 +1295,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "7c9827d1-c527-4553-a520-eeda632e2ebb": { "customLabel": true, @@ -1275,7 +1339,9 @@ } ], "layerId": "75887628-a5d8-46fc-83f2-7f2341d66647", - "layerType": "data" + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 } }, "title": "", @@ -1295,7 +1361,7 @@ "panelIndex": "8dead8f3-eb81-4f31-80f3-6f839fd1e949", "title": "Top 10 Failure Reason for Action Failed [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -1314,7 +1380,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "673b5af9-08a7-4b42-83e5-627b2f1bfa6e": { "columnOrder": [ @@ -1329,7 +1395,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "72c3d801-754e-4172-9bc6-10f51ab34110": { "customLabel": true, @@ -1373,7 +1439,9 @@ } ], "layerId": "673b5af9-08a7-4b42-83e5-627b2f1bfa6e", - "layerType": "data" + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 } }, "title": "", @@ -1393,7 +1461,7 @@ "panelIndex": "9c2c457e-9421-42e0-a162-011ea5beea7e", "title": "Top 10 Certificate Issuer [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { 
@@ -1412,7 +1480,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "f856b131-6bff-4ade-a5da-89160a4205df": { "columnOrder": [ @@ -1446,7 +1514,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -1470,7 +1538,9 @@ } ], "layerId": "f856b131-6bff-4ade-a5da-89160a4205df", - "layerType": "data" + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 } }, "title": "", @@ -1490,7 +1560,7 @@ "panelIndex": "76577de8-c97b-440e-85d8-8958a6cf032c", "title": "Top 10 Action Type that Triggered the Device Events [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -1506,17 +1576,18 @@ "panelIndex": "74765bd4-91fc-4fc6-940b-86d66ba812ef", "panelRefName": "panel_74765bd4-91fc-4fc6-940b-86d66ba812ef", "type": "search", - "version": "7.16.0" + "version": "8.7.1" } ], "timeRestore": false, "title": "[Logs Microsoft 365 Defender] Device Events", "version": 1 }, - "coreMigrationVersion": "7.16.0", + "coreMigrationVersion": "8.7.1", + "created_at": "2023-07-10T15:52:44.695Z", "id": "m365_defender-c0b796d0-720a-11ed-8657-c59f6ece834c", "migrationVersion": { - "dashboard": "7.16.0" + "dashboard": "8.7.0" }, "references": [ { @@ -1559,11 +1630,6 @@ "name": "1797b9be-a8f4-4857-9660-be64394b90b3:indexpattern-datasource-layer-dca2664e-3694-4056-8386-1b651bbb7e3b", "type": "index-pattern" }, - { - "id": "logs-*", - "name": "0364cf09-1da8-459d-9267-db9ccab7b6b4:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, { "id": "logs-*", "name": "0364cf09-1da8-459d-9267-db9ccab7b6b4:indexpattern-datasource-layer-0efca441-e712-4d30-a594-d35d6d172c88", 
@@ -1571,7 +1637,7 @@ }, { "id": "logs-*", - "name": "80e0a931-5bd5-47eb-9f59-35020d52d6dd:kibanaSavedObjectMeta.searchSourceJSON.index", + "name": "80e0a931-5bd5-47eb-9f59-35020d52d6dd:indexpattern-datasource-layer-01f3b09f-11e5-449f-806d-ecad785b372c", "type": "index-pattern" }, { diff --git a/packages/m365_defender/kibana/dashboard/m365_defender-d587df00-745f-11ed-8657-c59f6ece834c.json b/packages/m365_defender/kibana/dashboard/m365_defender-d587df00-745f-11ed-8657-c59f6ece834c.json index 944436442212..b120991a8df7 100644 --- a/packages/m365_defender/kibana/dashboard/m365_defender-d587df00-745f-11ed-8657-c59f6ece834c.json +++ b/packages/m365_defender/kibana/dashboard/m365_defender-d587df00-745f-11ed-8657-c59f6ece834c.json @@ -110,7 +110,8 @@ "title": "", "type": "markdown", "uiState": {} - } + }, + "type": "visualization" }, "gridData": { "h": 2, @@ -122,7 +123,7 @@ "panelIndex": "72ad93b2-bd38-4e32-86a5-fe3f7db541d4", "title": "Dashboards [Logs Microsoft 365 Defender]", "type": "visualization", - "version": "7.16.0" + "version": "8.7.0" }, { "embeddableConfig": { @@ -141,7 +142,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "e1d8f890-72ee-4e71-9f40-cafe67580296": { "columnOrder": [ @@ -175,7 +176,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -192,15 +193,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "5c2d3a33-e5cc-49f1-a4dc-6e651dcacc25" - ], "layerId": "e1d8f890-72ee-4e71-9f40-cafe67580296", "layerType": "data", "legendDisplay": "default", - "metric": "d7e0e9f5-9595-4dcd-b522-70d2fdd3a784", + "legendSize": "auto", + "metrics": [ + "d7e0e9f5-9595-4dcd-b522-70d2fdd3a784" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "5c2d3a33-e5cc-49f1-a4dc-6e651dcacc25" + ] } ], "shape": "pie" 
@@ -211,7 +215,8 @@ "visualizationType": "lnsPie" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, "gridData": { "h": 15, @@ -223,7 +228,7 @@ "panelIndex": "883f9d41-b2dc-43f5-a880-55af54651f72", "title": "Distribution of App and Identity Events by Category [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.0" }, { "embeddableConfig": { @@ -242,7 +247,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "8bb7301a-d5ca-4fff-9c62-1ac0b991077a": { "columnOrder": [ @@ -272,15 +277,19 @@ "visualization": { "accessor": "5c22db1a-d4a0-47b3-a33a-56a0f8b16b62", "layerId": "8bb7301a-d5ca-4fff-9c62-1ac0b991077a", - "layerType": "data" + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" } }, "title": "", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, - "hidePanelTitles": true + "hidePanelTitles": true, + "type": "lens" }, "gridData": { "h": 15, @@ -292,7 +301,7 @@ "panelIndex": "b2f500b5-ac94-44b7-94e4-7321d9219bde", "title": "Count of Devices [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.0" }, { "embeddableConfig": { @@ -311,7 +320,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "099c9a83-029a-4f52-ab14-9ecf0aed4302": { "columnOrder": [ @@ -345,7 +354,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -374,6 +383,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "bar_stacked", @@ -392,7 +402,8 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, "gridData": { "h": 15, 
@@ -404,7 +415,7 @@ "panelIndex": "9026565f-e4e4-4648-88a0-b69e8fa1f190", "title": "Distribution of App and Identity Events by OS Platform [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.0" }, { "embeddableConfig": { @@ -423,7 +434,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "344214e3-0de7-420e-ad4b-79e3fd4a1cca": { "columnOrder": [ @@ -438,7 +449,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "c8580074-e80b-47b3-b225-a4abdcf8d19d": { "customLabel": true, @@ -474,15 +485,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "c8580074-e80b-47b3-b225-a4abdcf8d19d" - ], "layerId": "344214e3-0de7-420e-ad4b-79e3fd4a1cca", "layerType": "data", "legendDisplay": "default", - "metric": "57d0feb5-b53e-4f1e-9377-68f44665e71d", + "legendSize": "auto", + "metrics": [ + "57d0feb5-b53e-4f1e-9377-68f44665e71d" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "c8580074-e80b-47b3-b225-a4abdcf8d19d" + ] } ], "shape": "pie" @@ -493,7 +507,8 @@ "visualizationType": "lnsPie" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, "gridData": { "h": 15, @@ -505,7 +520,7 @@ "panelIndex": "af17ce71-1d52-4e54-bbd8-17fba8f77f41", "title": "Distribution of App and Identity Events by Device Type [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.0" }, { "embeddableConfig": { @@ -524,7 +539,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "295c44b3-b261-4ddf-ac06-517e9516b678": { "columnOrder": [ @@ -558,7 +573,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} 
@@ -582,7 +597,9 @@ } ], "layerId": "295c44b3-b261-4ddf-ac06-517e9516b678", - "layerType": "data" + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 } }, "title": "", @@ -590,7 +607,8 @@ "visualizationType": "lnsDatatable" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, "gridData": { "h": 15, @@ -602,7 +620,7 @@ "panelIndex": "4e8ac33a-12e8-4f6f-8d7d-1fc25589bc99", "title": "Top 10 Failure Reason for Action Failed [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.0" }, { "embeddableConfig": { @@ -621,7 +639,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "255c9986-ae8d-47fa-835b-8d1b02821f3e": { "columnOrder": [ @@ -655,7 +673,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -672,15 +690,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "18a3b590-64d4-4aca-b00c-5968dcb84d6f" - ], "layerId": "255c9986-ae8d-47fa-835b-8d1b02821f3e", "layerType": "data", "legendDisplay": "default", - "metric": "c89ecd4a-324c-4887-b24c-0ec762958d41", + "legendSize": "auto", + "metrics": [ + "c89ecd4a-324c-4887-b24c-0ec762958d41" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "18a3b590-64d4-4aca-b00c-5968dcb84d6f" + ] } ], "shape": "pie" @@ -691,7 +712,8 @@ "visualizationType": "lnsPie" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, "gridData": { "h": 15, @@ -703,7 +725,7 @@ "panelIndex": "9a94aefa-34e6-47ea-baea-c73de0c92d1d", "title": "Distribution of App and Identity Events by Application [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.0" }, { "embeddableConfig": { 
@@ -722,7 +744,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "b711b414-d1c9-4400-bf28-a3b4a5f317f4": { "columnOrder": [ @@ -737,7 +759,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "778b4031-c79b-430a-9cae-928e2328bcce": { "customLabel": true, @@ -773,15 +795,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "778b4031-c79b-430a-9cae-928e2328bcce" - ], "layerId": "b711b414-d1c9-4400-bf28-a3b4a5f317f4", "layerType": "data", "legendDisplay": "default", - "metric": "4089693d-f337-4d10-9f77-acf0c4460024", + "legendSize": "auto", + "metrics": [ + "4089693d-f337-4d10-9f77-acf0c4460024" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "778b4031-c79b-430a-9cae-928e2328bcce" + ] } ], "shape": "pie" @@ -792,7 +817,8 @@ "visualizationType": "lnsPie" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, "gridData": { "h": 15, @@ -804,7 +830,7 @@ "panelIndex": "0a57d124-a25c-4e66-9cf3-c29f6e7734b5", "title": "Distribution of Identity Events by Logon Type [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.0" }, { "embeddableConfig": { @@ -823,7 +849,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "8d6ae427-4608-445d-945a-fff8b3957c40": { "columnOrder": [ @@ -857,7 +883,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -881,7 +907,9 @@ } ], "layerId": "8d6ae427-4608-445d-945a-fff8b3957c40", - "layerType": "data" + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 } }, "title": "", 
@@ -889,7 +917,8 @@ "visualizationType": "lnsDatatable" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, "gridData": { "h": 15, @@ -901,17 +930,18 @@ "panelIndex": "2d53c4f6-39e7-456a-ad38-c0a28349854a", "title": "Top 10 Action Type that Triggered the Identity Events [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.0" } ], "timeRestore": false, "title": "[Logs Microsoft 365 Defender] App \u0026 Identity Events", "version": 1 }, - "coreMigrationVersion": "7.16.0", + "coreMigrationVersion": "8.7.1", + "created_at": "2023-07-10T15:29:49.843Z", "id": "m365_defender-d587df00-745f-11ed-8657-c59f6ece834c", "migrationVersion": { - "dashboard": "7.16.0" + "dashboard": "8.7.0" }, "references": [ { diff --git a/packages/m365_defender/kibana/dashboard/m365_defender-d80d7840-4366-11ed-b1f2-e917f608bd03.json b/packages/m365_defender/kibana/dashboard/m365_defender-d80d7840-4366-11ed-b1f2-e917f608bd03.json index 06e970e5f86d..643756754e8b 100644 --- a/packages/m365_defender/kibana/dashboard/m365_defender-d80d7840-4366-11ed-b1f2-e917f608bd03.json +++ b/packages/m365_defender/kibana/dashboard/m365_defender-d80d7840-4366-11ed-b1f2-e917f608bd03.json 
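Review bot: The panel entries in this dashboard are stamped `"version": "8.7.0"` (here and in this file's preceding hunks) while the first dashboard's panels use `"version": "8.7.1"`, although both files now declare `"coreMigrationVersion": "8.7.1"`. This looks like the two files were exported from different Kibana builds; re-exporting both from the same instance would keep the package's saved objects consistent and may avoid a needless migration step when they are loaded.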
@@ -1,32 +1,15 @@ { "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"5779a7c6-acf5-4f7d-ac4c-caae9517d95e\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"5779a7c6-acf5-4f7d-ac4c-caae9517d95e\",\"fieldName\":\"event.provider\",\"title\":\"Service Source\",\"enhancements\":{}}}}" + }, "description": "Overview of Microsoft 365 Defender Alerts", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "m365_defender.incident" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "m365_defender.incident" - } - } - } - ], + "filter": [], "query": { "language": "kuery", "query": "" 
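Review bot: The dashboard-level `data_stream.dataset: m365_defender.incident` filter is removed here and, in the following hunks, restated only inside individual Lens panels, so any panel or control that does not carry its own copy now queries every dataset matched by `logs-*`. The new `optionsListControl` on `event.provider` in `controlGroupInput` has no such filter in its `explicitInput`, so its value suggestions would presumably be drawn from all data streams on `logs-*` rather than incidents only — worth confirming on a test deployment. If dashboard-wide scoping is intended, keeping the dataset filter in `kibanaSavedObjectMeta.searchSourceJSON.filter` avoids maintaining one copy per panel and prevents a newly added panel from silently widening its scope.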
@@ -36,190 +19,208 @@ "optionsJSON": { "hidePanelTitles": false, "syncColors": false, + "syncCursor": true, + "syncTooltips": false, "useMargins": true }, "panelsJSON": [ { "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-6ddc53cd-2bbd-4616-837b-3fbe0712ca7e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7a32ab10-8307-4b8c-bc58-a497f1e460dd", + "type": "index-pattern" } - }, - "description": "", - "id": "", - "params": { - "controls": [ - { - "fieldName": "event.provider", - "id": "1664862844575", - "indexPatternRefName": "control_9aa74a70-d9fb-4b5b-ba40-e5105e344dee_0_index_pattern", - "label": "Service Source", - "options": { - "dynamicOptions": true, - "multiselect": true, - "order": "desc", - "size": 5, - "type": "terms" - }, - "parent": "", - "type": "list" - } - ], - "pinFilters": false, - "updateFiltersOnChange": false, - "useTimeFilter": false - }, - "title": "", - "type": "input_control_vis", - "uiState": {} - } - }, - "gridData": { - "h": 10, - "i": "9aa74a70-d9fb-4b5b-ba40-e5105e344dee", - "w": 14, - "x": 0, - "y": 0 - }, - "panelIndex": "9aa74a70-d9fb-4b5b-ba40-e5105e344dee", - "title": "Service Source Filter [Logs Microsoft 365 Defender]", - "type": "visualization", - "version": "7.16.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false, - "savedVis": { - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Count", - "field": "m365_defender.incident.alert.id" - }, - "schema": "metric", - "type": "cardinality" - }, - { - "enabled": true, - "id": "2", - "params": { - "filters": [ - { - "input": { - "language": "kuery", - "query": "" - }, - "label": "Total Alerts" - }, - { - "input": { - "language": "kuery", - "query": 
"m365_defender.incident.alert.status : \"new\" " - }, - "label": "New Alerts" - }, - { - "input": { - "language": "kuery", - "query": "m365_defender.incident.alert.status : \"inProgress\" " + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "6ddc53cd-2bbd-4616-837b-3fbe0712ca7e": { + "columnOrder": [ + "330da6b3-a0e3-41b9-8103-69b3381f1788", + "6400adfe-4702-4f13-923f-f94d87aa0ced", + "6400adfe-4702-4f13-923f-f94d87aa0cedX0", + "6400adfe-4702-4f13-923f-f94d87aa0cedX1" + ], + "columns": { + "330da6b3-a0e3-41b9-8103-69b3381f1788": { + "dataType": "string", + "isBucketed": true, + "label": "Filters", + "operationType": "filters", + "params": { + "filters": [ + { + "input": { + "language": "kuery", + "query": "" + }, + "label": "Total Alerts" + }, + { + "input": { + "language": "kuery", + "query": "m365_defender.incident.alert.status : \"new\" " + }, + "label": "New Alerts" + }, + { + "input": { + "language": "kuery", + "query": "m365_defender.incident.alert.status : \"inProgress\" " + }, + "label": "InProgress Alerts" + }, + { + "input": { + "language": "kuery", + "query": "m365_defender.incident.alert.status : \"resolved\" " + }, + "label": "Resolved Alerts" + }, + { + "input": { + "language": "kuery", + "query": "m365_defender.incident.alert.severity : \"high\"" + }, + "label": "High Severity Alerts" + }, + { + "input": { + "language": "kuery", + "query": "not (m365_defender.incident.alert.assigned_to : * )" + }, + "label": "Unassigned Alerts" + } + ] + }, + "scale": "ordinal" }, - "label": "InProgress Alerts" - }, - { - "input": { - "language": "kuery", - "query": "m365_defender.incident.alert.status : \"resolved\" " + "6400adfe-4702-4f13-923f-f94d87aa0ced": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "formula", + "params": { + "formula": "defaults(unique_count(m365_defender.incident.alert.id), 0)", + "isFormulaBroken": false + }, + "references": [ + 
"6400adfe-4702-4f13-923f-f94d87aa0cedX1" + ], + "scale": "ratio" }, - "label": "Resolved Alerts" - }, - { - "input": { - "language": "kuery", - "query": "m365_defender.incident.alert.severity : \"high\"" + "6400adfe-4702-4f13-923f-f94d87aa0cedX0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "m365_defender.incident.alert.id" }, - "label": "High Severity Alerts" + "6400adfe-4702-4f13-923f-f94d87aa0cedX1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Count", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + "6400adfe-4702-4f13-923f-f94d87aa0cedX0", + 0 + ], + "location": { + "max": 58, + "min": 0 + }, + "name": "defaults", + "text": "defaults(unique_count(m365_defender.incident.alert.id), 0)", + "type": "function" + } + }, + "references": [ + "6400adfe-4702-4f13-923f-f94d87aa0cedX0" + ], + "scale": "ratio" + } }, - { - "input": { - "language": "kuery", - "query": "not (m365_defender.incident.alert.assigned_to : * )" - }, - "label": "Unassigned Alerts" - } - ] + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" }, - "schema": "group", - "type": "filters" + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "7a32ab10-8307-4b8c-bc58-a497f1e460dd", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.incident" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.incident" + } + } } ], - "searchSource": { - "filter": [], - "index": "logs-*", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "description": "", - "id": "", - "params": { - "addLegend": false, - "addTooltip": true, - "metric": { - "colorSchema": 
"Green to Red", - "colorsRange": [ - { - "from": 0, - "to": 10000 - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "None", - "percentageMode": false, - "style": { - "bgColor": false, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" }, - "type": "metric" + "visualization": { + "breakdownByAccessor": "330da6b3-a0e3-41b9-8103-69b3381f1788", + "layerId": "6ddc53cd-2bbd-4616-837b-3fbe0712ca7e", + "layerType": "data", + "metricAccessor": "6400adfe-4702-4f13-923f-f94d87aa0ced" + } }, - "title": "", - "type": "metric", - "uiState": {} - } + "title": "Alert Counts [Logs Microsoft 365 Defender] (converted)", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false }, "gridData": { "h": 10, "i": "8ed4553a-d396-4ad7-b247-10e005d65086", - "w": 34, - "x": 14, + "w": 48, + "x": 0, "y": 0 }, "panelIndex": "8ed4553a-d396-4ad7-b247-10e005d65086", "title": "Alert Counts [Logs Microsoft 365 Defender]", - "type": "visualization", - "version": "7.16.0" + "type": "lens", + "version": "8.7.1" }, { "embeddableConfig": { @@ -227,18 +228,19 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", + "name": "indexpattern-datasource-layer-874da7c4-ebe5-4c5c-a302-094d287b81bb", "type": "index-pattern" }, { "id": "logs-*", - "name": "indexpattern-datasource-layer-874da7c4-ebe5-4c5c-a302-094d287b81bb", + "name": "ae7d8340-da3d-4c18-8cfb-07c6e50d1f50", "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "874da7c4-ebe5-4c5c-a302-094d287b81bb": { "columnOrder": [ 
@@ -280,7 +282,31 @@ } } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "ae7d8340-da3d-4c18-8cfb-07c6e50d1f50", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.incident" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.incident" + } + } + } + ], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -289,15 +315,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "91075489-5815-4881-af42-d6e31205b1c5" - ], "layerId": "874da7c4-ebe5-4c5c-a302-094d287b81bb", "layerType": "data", "legendDisplay": "default", - "metric": "2d7b439a-58f9-400c-b89a-c5ef01f6d82b", + "legendSize": "auto", + "metrics": [ + "2d7b439a-58f9-400c-b89a-c5ef01f6d82b" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "91075489-5815-4881-af42-d6e31205b1c5" + ] } ], "shape": "pie" @@ -320,7 +349,7 @@ "panelIndex": "00c0b388-64b8-49c8-9ccb-de8e58030b4d", "title": "Distribution of Alerts by Severity [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -328,18 +357,19 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", + "name": "indexpattern-datasource-layer-d2d7332c-5fbd-4acc-bef9-a1f2a2a6a25d", "type": "index-pattern" }, { "id": "logs-*", - "name": "indexpattern-datasource-layer-d2d7332c-5fbd-4acc-bef9-a1f2a2a6a25d", + "name": "be5d6d70-2d76-4b3c-bc34-c27a83b81991", "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "d2d7332c-5fbd-4acc-bef9-a1f2a2a6a25d": { "columnOrder": [ 
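Review bot: The `data_stream.dataset` / `m365_defender.incident` filter added to `state.filters` in this hunk is repeated verbatim, each bound to its own UUID index reference, in the matching hunks at `@@ -374`, `@@ -486`, `@@ -598`, `@@ -696`, `@@ -839`, `@@ -1046`, `@@ -1197`, `@@ -1243`, `@@ -1335`, `@@ -1460` and `@@ -1585`. The removal of the `kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index` reference in the final dashboard hunk suggests this scoping previously lived in one dashboard-level filter; spreading it over a dozen panels means a future dataset rename is a dozen-site edit and a single missed panel silently widens that panel's scope to every `logs-*` dataset. The copies visible here are consistent with each other, so this is a maintainability point rather than a defect, but it is worth recording in the PR why the per-panel form was chosen.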
@@ -363,6 +393,7 @@ "label": "Timestamp", "operationType": "date_histogram", "params": { + "includeEmptyRows": true, "interval": "auto" }, "scale": "interval", @@ -374,7 +405,31 @@ } } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "be5d6d70-2d76-4b3c-bc34-c27a83b81991", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.incident" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.incident" + } + } + } + ], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -395,6 +450,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "line", @@ -425,7 +481,7 @@ "panelIndex": "62846e2a-f412-4cf9-b8ea-b08bc7fbd613", "title": "Count of Alerts Over Time [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -433,18 +489,19 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", + "name": "indexpattern-datasource-layer-2fa8c035-1708-4d32-88fc-b59af7751db4", "type": "index-pattern" }, { "id": "logs-*", - "name": "indexpattern-datasource-layer-2fa8c035-1708-4d32-88fc-b59af7751db4", + "name": "d7bb4468-3be1-458a-b9e0-bd84db7e308a", "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "2fa8c035-1708-4d32-88fc-b59af7751db4": { "columnOrder": [ 
@@ -486,7 +543,31 @@ } } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "d7bb4468-3be1-458a-b9e0-bd84db7e308a", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.incident" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.incident" + } + } + } + ], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -507,6 +588,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "bar_stacked", @@ -537,7 +619,7 @@ "panelIndex": "8e4019a0-6594-4eaf-9358-c343b72aba84", "title": "Distribution of Alerts by Category [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -545,18 +627,19 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", + "name": "indexpattern-datasource-layer-24cc5824-23e2-462f-b38f-4769ea95322a", "type": "index-pattern" }, { "id": "logs-*", - "name": "indexpattern-datasource-layer-24cc5824-23e2-462f-b38f-4769ea95322a", + "name": "7a5d204e-cb61-4c0d-8923-28afeb2927a2", "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "24cc5824-23e2-462f-b38f-4769ea95322a": { "columnOrder": [ 
@@ -598,7 +681,31 @@ } } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "7a5d204e-cb61-4c0d-8923-28afeb2927a2", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.incident" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.incident" + } + } + } + ], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -615,7 +722,9 @@ } ], "layerId": "24cc5824-23e2-462f-b38f-4769ea95322a", - "layerType": "data" + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 } }, "title": "", @@ -635,7 +744,7 @@ "panelIndex": "51f47e38-eed6-42b3-8096-a39b914909da", "title": "Top 10 Detection Source that identified most of the Alerts [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -643,18 +752,19 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", + "name": "indexpattern-datasource-layer-45d80486-c9c8-4d28-bbcd-5d29072c9cb9", "type": "index-pattern" }, { "id": "logs-*", - "name": "indexpattern-datasource-layer-45d80486-c9c8-4d28-bbcd-5d29072c9cb9", + "name": "57b64179-81e7-4d61-b50b-23d21323b9da", "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "45d80486-c9c8-4d28-bbcd-5d29072c9cb9": { "columnOrder": [ 
@@ -696,7 +806,31 @@ } } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "57b64179-81e7-4d61-b50b-23d21323b9da", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.incident" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.incident" + } + } + } + ], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -731,6 +865,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "bar_stacked", @@ -765,7 +900,7 @@ "panelIndex": "1f836fdc-61f4-4cf4-a392-50276a2b77f1", "title": "Distribution of Alerts by Determination [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -773,18 +908,19 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", + "name": "indexpattern-datasource-layer-32a410b6-1ed8-4397-ab2e-151edec25e80", "type": "index-pattern" }, { "id": "logs-*", - "name": "indexpattern-datasource-layer-32a410b6-1ed8-4397-ab2e-151edec25e80", + "name": "dbc8860d-394c-46cb-a626-67a20c1862c8", "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "32a410b6-1ed8-4397-ab2e-151edec25e80": { "columnOrder": [ @@ -828,6 +964,7 @@ "label": "Timestamp", "operationType": "date_histogram", "params": { + "includeEmptyRows": true, "interval": "auto" }, "scale": "interval", 
@@ -839,7 +976,31 @@ } } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "dbc8860d-394c-46cb-a626-67a20c1862c8", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.incident" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.incident" + } + } + } + ], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -877,6 +1038,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "line", 
@@ -911,81 +1073,7 @@ "panelIndex": "efd3aa63-5879-4383-87e4-6276e38b3c01", "title": "Severity Over Time [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false, - "savedVis": { - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Count", - "field": "m365_defender.incident.alert.id" - }, - "schema": "metric", - "type": "cardinality" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Mitre Techniques", - "field": "threat.technique.subtechnique.id", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "asc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 10 - }, - "schema": "segment", - "type": "terms" - } - ], - "searchSource": { - "filter": [], - "index": "logs-*", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "description": "", - "id": "", - "params": { - "maxFontSize": 72, - "minFontSize": 18, - "orientation": "single", - "palette": { - "name": "default", - "type": "palette" - }, - "scale": "linear", - "showLabel": true - }, - "title": "", - "type": "tagcloud", - "uiState": {} - } - }, - "gridData": { - "h": 25, - "i": "01078074-2eca-4980-b815-9db6afd521a8", - "w": 48, - "x": 0, - "y": 55 - }, - "panelIndex": "01078074-2eca-4980-b815-9db6afd521a8", - "title": "Top Mitre Techniques [Logs Microsoft 365 Defender]", - "type": "visualization", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { 
@@ -993,18 +1081,19 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", + "name": "indexpattern-datasource-layer-bdba4af5-1396-46ec-ad04-59157e7697f9", "type": "index-pattern" }, { "id": "logs-*", - "name": "indexpattern-datasource-layer-bdba4af5-1396-46ec-ad04-59157e7697f9", + "name": "a06ad11b-3d3e-48e1-bb6c-08f62f8b0b58", "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "bdba4af5-1396-46ec-ad04-59157e7697f9": { "columnOrder": [ @@ -1046,7 +1135,31 @@ } } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "a06ad11b-3d3e-48e1-bb6c-08f62f8b0b58", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.incident" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.incident" + } + } + } + ], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -1067,6 +1180,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "bar_stacked", @@ -1092,12 +1206,12 @@ "i": "b5b7f2a4-1d6e-4812-8724-5a771014c3ae", "w": 24, "x": 0, - "y": 80 + "y": 55 }, "panelIndex": "b5b7f2a4-1d6e-4812-8724-5a771014c3ae", "title": "Distribution of Alerts by Service Source [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { 
@@ -1105,23 +1219,24 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", + "name": "indexpattern-datasource-layer-a0e68595-3ccc-4ff9-90fb-8087bc439020", "type": "index-pattern" }, { "id": "logs-*", - "name": "indexpattern-datasource-layer-a0e68595-3ccc-4ff9-90fb-8087bc439020", + "name": "742836c8-3532-4e18-b067-26e3af1b0e3b", "type": "index-pattern" }, { "id": "logs-*", - "name": "filter-index-pattern-0", + "name": "438f3787-c321-45a5-9cca-89571591b016", "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "a0e68595-3ccc-4ff9-90fb-8087bc439020": { "columnOrder": [ @@ -1171,14 +1286,18 @@ "meta": { "alias": null, "disabled": false, - "indexRefName": "filter-index-pattern-0", + "index": "742836c8-3532-4e18-b067-26e3af1b0e3b", "key": "m365_defender.incident.alert.evidence.verdict", "negate": false, "params": [ "malicious", "suspicious" ], - "type": "phrases" + "type": "phrases", + "value": [ + "malicious", + "suspicious" + ] }, "query": { "bool": { @@ -1197,8 +1316,31 @@ ] } } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "438f3787-c321-45a5-9cca-89571591b016", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.incident" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.incident" + } + } } ], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -1215,7 +1357,9 @@ } ], "layerId": "a0e68595-3ccc-4ff9-90fb-8087bc439020", - "layerType": "data" + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 } }, "title": "", 
@@ -1230,12 +1374,12 @@ "i": "6847c21e-2ec0-4af4-aa67-ec52b181b05e", "w": 24, "x": 24, - "y": 80 + "y": 55 }, "panelIndex": "6847c21e-2ec0-4af4-aa67-ec52b181b05e", "title": "Top 10 Email Sender IP with Suspicious or Malicious Verdict [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { 
@@ -1243,9 +1387,146 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", + "name": "indexpattern-datasource-layer-5b675bca-2096-430a-ac1e-6a435a5c3e34", "type": "index-pattern" }, + { + "id": "logs-*", + "name": "75891f9a-3458-40d6-8d3c-63de61fb3f7d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "5b675bca-2096-430a-ac1e-6a435a5c3e34": { + "columnOrder": [ + "d04bf6a5-66f9-4899-a4d1-e2c4ec7d4b74", + "f37bb823-c831-497e-8d7e-8c00acbc11ff" + ], + "columns": { + "d04bf6a5-66f9-4899-a4d1-e2c4ec7d4b74": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Mitre Technique", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "f37bb823-c831-497e-8d7e-8c00acbc11ff", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat.technique.subtechnique.id" + }, + "f37bb823-c831-497e-8d7e-8c00acbc11ff": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "75891f9a-3458-40d6-8d3c-63de61fb3f7d", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.incident" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.incident" + } + } + } + ], + 
"internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "f37bb823-c831-497e-8d7e-8c00acbc11ff", + "isTransposed": false + }, + { + "columnId": "d04bf6a5-66f9-4899-a4d1-e2c4ec7d4b74", + "isTransposed": false + } + ], + "layerId": "5b675bca-2096-430a-ac1e-6a435a5c3e34", + "layerType": "data", + "paging": { + "enabled": true, + "size": 10 + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 14, + "i": "7317b469-4895-497a-a263-14b58eaec52f", + "w": 48, + "x": 0, + "y": 70 + }, + "panelIndex": "7317b469-4895-497a-a263-14b58eaec52f", + "title": "Top Mitre Techniques [Logs Microsoft 365 Defender]", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ { "id": "logs-*", "name": "indexpattern-datasource-layer-3f509783-a68e-46a5-a9ea-6c51a0bcf036", @@ -1253,13 +1534,19 @@ }, { "id": "logs-*", - "name": "filter-index-pattern-0", + "name": "eaea7ed4-6b0d-4522-8e92-34b831024614", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8d4d1674-3434-45ae-b1f9-83b5c02ea1b3", "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "3f509783-a68e-46a5-a9ea-6c51a0bcf036": { "columnOrder": [ @@ -1309,14 +1596,18 @@ "meta": { "alias": null, "disabled": false, - "indexRefName": "filter-index-pattern-0", + "index": "eaea7ed4-6b0d-4522-8e92-34b831024614", "key": "m365_defender.incident.alert.evidence.verdict", "negate": false, "params": [ "malicious", "suspicious" ], - "type": "phrases" + "type": "phrases", + "value": [ + "malicious", + "suspicious" + ] }, "query": { "bool": { 
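Review bot: The new "Top Mitre Techniques" datatable's metric column counts documents (`"operationType": "count"`, `"sourceField": "___records___"`) whereas the tagcloud it replaces, removed in the `@@ -911,81 +1073,7` hunk, used `"type": "cardinality"` on `m365_defender.incident.alert.id` under the same "Count" label; if an incident document can carry several alerts, the displayed number changes meaning without the label saying so. If the per-alert count is intended, change the column to `"operationType": "unique_count"` and `"sourceField": "m365_defender.incident.alert.id"`. The `visualization.columns` list also puts the Count column (`f37bb823-…`) before the Mitre Technique column, the opposite of `columnOrder` and of the other tables in this dashboard, so swapping the two entries keeps the grouping column leftmost. The terms ordering does move from `asc` to `desc`, which looks like an intended fix for a "Top" panel.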
@@ -1335,8 +1626,31 @@ ] } } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "8d4d1674-3434-45ae-b1f9-83b5c02ea1b3", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.incident" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.incident" + } + } } ], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -1353,7 +1667,9 @@ } ], "layerId": "3f509783-a68e-46a5-a9ea-6c51a0bcf036", - "layerType": "data" + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 } }, "title": "", @@ -1368,12 +1684,12 @@ "i": "34673480-15c2-4f75-ae86-637bc6875e78", "w": 24, "x": 0, - "y": 95 + "y": 84 }, "panelIndex": "34673480-15c2-4f75-ae86-637bc6875e78", "title": "Top 10 Process Commands with Suspicious or Malicious Verdict [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -1381,23 +1697,24 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", + "name": "indexpattern-datasource-layer-bf6ca0e6-4c26-4cff-b35c-a1a578a38d20", "type": "index-pattern" }, { "id": "logs-*", - "name": "indexpattern-datasource-layer-bf6ca0e6-4c26-4cff-b35c-a1a578a38d20", + "name": "bfd73a62-e6c5-4126-9065-f4b17a1e4680", "type": "index-pattern" }, { "id": "logs-*", - "name": "filter-index-pattern-0", + "name": "108199c0-a675-4fe1-87a9-4599aa85db91", "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "bf6ca0e6-4c26-4cff-b35c-a1a578a38d20": { "columnOrder": [ @@ -1447,7 +1764,7 @@ "meta": { "alias": null, "disabled": false, - "indexRefName": "filter-index-pattern-0", + "index": "bfd73a62-e6c5-4126-9065-f4b17a1e4680", "key": "m365_defender.incident.alert.evidence.roles", "negate": false, "params": { 
@@ -1460,8 +1777,31 @@ "m365_defender.incident.alert.evidence.roles": "compromised" } } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "108199c0-a675-4fe1-87a9-4599aa85db91", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.incident" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.incident" + } + } } ], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -1478,7 +1818,9 @@ } ], "layerId": "bf6ca0e6-4c26-4cff-b35c-a1a578a38d20", - "layerType": "data" + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 } }, "title": "", @@ -1493,12 +1835,12 @@ "i": "d8b78c44-5d93-4a70-9d3d-0386581082d1", "w": 24, "x": 24, - "y": 95 + "y": 84 }, "panelIndex": "d8b78c44-5d93-4a70-9d3d-0386581082d1", "title": "Top 10 User Account with Compromised Role [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -1506,23 +1848,24 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", + "name": "indexpattern-datasource-layer-6e6323ee-5d54-4720-85b5-f567b8ef9d21", "type": "index-pattern" }, { "id": "logs-*", - "name": "indexpattern-datasource-layer-6e6323ee-5d54-4720-85b5-f567b8ef9d21", + "name": "dd37b426-93bd-4376-8f4d-831cfa0673d8", "type": "index-pattern" }, { "id": "logs-*", - "name": "filter-index-pattern-0", + "name": "5bd954c2-632c-40c9-a72f-47d8ed59a63b", "type": "index-pattern" } ], "state": { + "adHocDataViews": {}, "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "6e6323ee-5d54-4720-85b5-f567b8ef9d21": { "columnOrder": [ 
@@ -1572,7 +1915,7 @@ "meta": { "alias": null, "disabled": false, - "indexRefName": "filter-index-pattern-0", + "index": "dd37b426-93bd-4376-8f4d-831cfa0673d8", "key": "m365_defender.incident.alert.evidence.roles", "negate": false, "params": { @@ -1585,8 +1928,31 @@ "m365_defender.incident.alert.evidence.roles": "attacked" } } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "5bd954c2-632c-40c9-a72f-47d8ed59a63b", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.incident" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.incident" + } + } } ], + "internalReferences": [], "query": { "language": "kuery", "query": "" @@ -1603,7 +1969,9 @@ } ], "layerId": "6e6323ee-5d54-4720-85b5-f567b8ef9d21", - "layerType": "data" + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 } }, "title": "", @@ -1618,12 +1986,12 @@ "i": "664a1613-6c7e-40cd-91b2-43ce6c451ddb", "w": 48, "x": 0, - "y": 110 + "y": 99 }, "panelIndex": "664a1613-6c7e-40cd-91b2-43ce6c451ddb", "title": "Top 10 Most Attacked Device [Logs Microsoft 365 Defender]", "type": "lens", - "version": "7.16.0" + "version": "8.7.1" }, { "embeddableConfig": { 
@@ -1634,42 +2002,33 @@ "i": "b83be89c-7f77-406b-9028-1cfb0eb67e8d", "w": 48, "x": 0, - "y": 128 + "y": 117 }, "panelIndex": "b83be89c-7f77-406b-9028-1cfb0eb67e8d", "panelRefName": "panel_b83be89c-7f77-406b-9028-1cfb0eb67e8d", "type": "search", - "version": "7.16.0" + "version": "8.7.1" } ], "timeRestore": false, "title": "[Logs Microsoft 365 Defender] Alert", "version": 1 }, - "coreMigrationVersion": "7.16.0", + "coreMigrationVersion": "8.7.1", + "created_at": "2023-07-10T15:43:04.722Z", "id": "m365_defender-d80d7840-4366-11ed-b1f2-e917f608bd03", "migrationVersion": { - "dashboard": "7.16.0" + "dashboard": "8.7.0" }, "references": [ { "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9aa74a70-d9fb-4b5b-ba40-e5105e344dee:control_9aa74a70-d9fb-4b5b-ba40-e5105e344dee_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8ed4553a-d396-4ad7-b247-10e005d65086:kibanaSavedObjectMeta.searchSourceJSON.index", + "name": "8ed4553a-d396-4ad7-b247-10e005d65086:indexpattern-datasource-layer-6ddc53cd-2bbd-4616-837b-3fbe0712ca7e", "type": "index-pattern" }, { "id": "logs-*", - "name": "00c0b388-64b8-49c8-9ccb-de8e58030b4d:indexpattern-datasource-current-indexpattern", + "name": "8ed4553a-d396-4ad7-b247-10e005d65086:7a32ab10-8307-4b8c-bc58-a497f1e460dd", "type": "index-pattern" }, { @@ -1679,7 +2038,7 @@ }, { "id": "logs-*", - "name": "62846e2a-f412-4cf9-b8ea-b08bc7fbd613:indexpattern-datasource-current-indexpattern", + "name": "00c0b388-64b8-49c8-9ccb-de8e58030b4d:ae7d8340-da3d-4c18-8cfb-07c6e50d1f50", "type": "index-pattern" }, { @@ -1689,7 +2048,7 @@ }, { "id": "logs-*", - "name": "8e4019a0-6594-4eaf-9358-c343b72aba84:indexpattern-datasource-current-indexpattern", + "name": "62846e2a-f412-4cf9-b8ea-b08bc7fbd613:be5d6d70-2d76-4b3c-bc34-c27a83b81991", "type": "index-pattern" }, { 
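Review bot: The dashboard-level reference `kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index` is dropped here, but the `searchSourceJSON.filter` entry it served is outside this chunk; if that filter still exists with an `indexRefName` pointing at this name, Kibana cannot resolve its data view on import, so confirm the dashboard-level filter was removed in favour of the per-panel `data_stream.dataset` filters added in the earlier hunks. The control-group reference changes from `9aa74a70-…:control_…_0_index_pattern` to `controlGroup_5779a7c6-…:optionsListDataView`, which presumably matches a new `controlGroupInput` earlier in the file — worth a check that the old `9aa74a70-…` control is gone and nothing still names it. The added `created_at` is exporter metadata that will change on every re-export and show up as diff noise; if the package tooling does not require it, strip it.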
@@ -1699,7 +2058,7 @@ }, { "id": "logs-*", - "name": "51f47e38-eed6-42b3-8096-a39b914909da:indexpattern-datasource-current-indexpattern", + "name": "8e4019a0-6594-4eaf-9358-c343b72aba84:d7bb4468-3be1-458a-b9e0-bd84db7e308a", "type": "index-pattern" }, { @@ -1709,7 +2068,7 @@ }, { "id": "logs-*", - "name": "1f836fdc-61f4-4cf4-a392-50276a2b77f1:indexpattern-datasource-current-indexpattern", + "name": "51f47e38-eed6-42b3-8096-a39b914909da:7a5d204e-cb61-4c0d-8923-28afeb2927a2", "type": "index-pattern" }, { @@ -1719,7 +2078,7 @@ }, { "id": "logs-*", - "name": "efd3aa63-5879-4383-87e4-6276e38b3c01:indexpattern-datasource-current-indexpattern", + "name": "1f836fdc-61f4-4cf4-a392-50276a2b77f1:57b64179-81e7-4d61-b50b-23d21323b9da", "type": "index-pattern" }, { 
@@ -1729,37 +2088,42 @@ }, { "id": "logs-*", - "name": "01078074-2eca-4980-b815-9db6afd521a8:kibanaSavedObjectMeta.searchSourceJSON.index", + "name": "efd3aa63-5879-4383-87e4-6276e38b3c01:dbc8860d-394c-46cb-a626-67a20c1862c8", "type": "index-pattern" }, { "id": "logs-*", - "name": "b5b7f2a4-1d6e-4812-8724-5a771014c3ae:indexpattern-datasource-current-indexpattern", + "name": "b5b7f2a4-1d6e-4812-8724-5a771014c3ae:indexpattern-datasource-layer-bdba4af5-1396-46ec-ad04-59157e7697f9", "type": "index-pattern" }, { "id": "logs-*", - "name": "b5b7f2a4-1d6e-4812-8724-5a771014c3ae:indexpattern-datasource-layer-bdba4af5-1396-46ec-ad04-59157e7697f9", + "name": "b5b7f2a4-1d6e-4812-8724-5a771014c3ae:a06ad11b-3d3e-48e1-bb6c-08f62f8b0b58", "type": "index-pattern" }, { "id": "logs-*", - "name": "6847c21e-2ec0-4af4-aa67-ec52b181b05e:indexpattern-datasource-current-indexpattern", + "name": "6847c21e-2ec0-4af4-aa67-ec52b181b05e:indexpattern-datasource-layer-a0e68595-3ccc-4ff9-90fb-8087bc439020", "type": "index-pattern" }, { "id": "logs-*", - "name": "6847c21e-2ec0-4af4-aa67-ec52b181b05e:indexpattern-datasource-layer-a0e68595-3ccc-4ff9-90fb-8087bc439020", + "name": "6847c21e-2ec0-4af4-aa67-ec52b181b05e:742836c8-3532-4e18-b067-26e3af1b0e3b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6847c21e-2ec0-4af4-aa67-ec52b181b05e:438f3787-c321-45a5-9cca-89571591b016", "type": "index-pattern" }, { "id": "logs-*", - "name": "6847c21e-2ec0-4af4-aa67-ec52b181b05e:filter-index-pattern-0", + "name": "7317b469-4895-497a-a263-14b58eaec52f:indexpattern-datasource-layer-5b675bca-2096-430a-ac1e-6a435a5c3e34", "type": "index-pattern" }, { "id": "logs-*", - "name": "34673480-15c2-4f75-ae86-637bc6875e78:indexpattern-datasource-current-indexpattern", + "name": "7317b469-4895-497a-a263-14b58eaec52f:75891f9a-3458-40d6-8d3c-63de61fb3f7d", "type": "index-pattern" }, { 
@@ -1769,12 +2133,12 @@ }, { "id": "logs-*", - "name": "34673480-15c2-4f75-ae86-637bc6875e78:filter-index-pattern-0", + "name": "34673480-15c2-4f75-ae86-637bc6875e78:eaea7ed4-6b0d-4522-8e92-34b831024614", "type": "index-pattern" }, { "id": "logs-*", - "name": "d8b78c44-5d93-4a70-9d3d-0386581082d1:indexpattern-datasource-current-indexpattern", + "name": "34673480-15c2-4f75-ae86-637bc6875e78:8d4d1674-3434-45ae-b1f9-83b5c02ea1b3", "type": "index-pattern" }, { @@ -1784,12 +2148,12 @@ }, { "id": "logs-*", - "name": "d8b78c44-5d93-4a70-9d3d-0386581082d1:filter-index-pattern-0", + "name": "d8b78c44-5d93-4a70-9d3d-0386581082d1:bfd73a62-e6c5-4126-9065-f4b17a1e4680", "type": "index-pattern" }, { "id": "logs-*", - "name": "664a1613-6c7e-40cd-91b2-43ce6c451ddb:indexpattern-datasource-current-indexpattern", + "name": "d8b78c44-5d93-4a70-9d3d-0386581082d1:108199c0-a675-4fe1-87a9-4599aa85db91", "type": "index-pattern" }, { @@ -1799,13 +2163,23 @@ }, { "id": "logs-*", - "name": "664a1613-6c7e-40cd-91b2-43ce6c451ddb:filter-index-pattern-0", + "name": "664a1613-6c7e-40cd-91b2-43ce6c451ddb:dd37b426-93bd-4376-8f4d-831cfa0673d8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "664a1613-6c7e-40cd-91b2-43ce6c451ddb:5bd954c2-632c-40c9-a72f-47d8ed59a63b", "type": "index-pattern" }, { "id": "m365_defender-989afc60-44a5-11ed-8375-0168a9970c06", "name": "b83be89c-7f77-406b-9028-1cfb0eb67e8d:panel_b83be89c-7f77-406b-9028-1cfb0eb67e8d", "type": "search" + }, + { + "id": "logs-*", + "name": "controlGroup_5779a7c6-acf5-4f7d-ac4c-caae9517d95e:optionsListDataView", + "type": "index-pattern" } ], "type": "dashboard" diff --git a/packages/m365_defender/kibana/search/m365_defender-64a31410-722c-11ed-8657-c59f6ece834c.json b/packages/m365_defender/kibana/search/m365_defender-64a31410-722c-11ed-8657-c59f6ece834c.json index 7f034a5eeaf8..3eb104a8cf06 100644 --- a/packages/m365_defender/kibana/search/m365_defender-64a31410-722c-11ed-8657-c59f6ece834c.json 
+++ b/packages/m365_defender/kibana/search/m365_defender-64a31410-722c-11ed-8657-c59f6ece834c.json
@@ -52,10 +52,11 @@
],
"title": "DeviceInfo Events Essential Details [Logs Microsoft 365 Defender]"
},
- "coreMigrationVersion": "7.16.0",
+ "coreMigrationVersion": "8.7.1",
+ "created_at": "2023-07-10T15:29:49.843Z",
"id": "m365_defender-64a31410-722c-11ed-8657-c59f6ece834c",
"migrationVersion": {
- "search": "7.9.3"
+ "search": "8.0.0"
},
"references": [
{
diff --git a/packages/m365_defender/kibana/search/m365_defender-989afc60-44a5-11ed-8375-0168a9970c06.json b/packages/m365_defender/kibana/search/m365_defender-989afc60-44a5-11ed-8375-0168a9970c06.json
index 4dd53c5d1082..29f6172b48b2 100644
--- a/packages/m365_defender/kibana/search/m365_defender-989afc60-44a5-11ed-8375-0168a9970c06.json
+++ b/packages/m365_defender/kibana/search/m365_defender-989afc60-44a5-11ed-8375-0168a9970c06.json
@@ -51,10 +51,11 @@
],
"title": "Alerts Essential Details [Logs Microsoft 365 Defender]"
},
- "coreMigrationVersion": "7.16.0",
+ "coreMigrationVersion": "8.7.1",
+ "created_at": "2023-07-10T15:29:49.843Z",
"id": "m365_defender-989afc60-44a5-11ed-8375-0168a9970c06",
"migrationVersion": {
- "search": "7.9.3"
+ "search": "8.0.0"
},
"references": [
{
diff --git a/packages/m365_defender/kibana/search/m365_defender-fcf25960-44af-11ed-8375-0168a9970c06.json b/packages/m365_defender/kibana/search/m365_defender-fcf25960-44af-11ed-8375-0168a9970c06.json
index e0663bcc9c5e..62daf464fb0e 100644
--- a/packages/m365_defender/kibana/search/m365_defender-fcf25960-44af-11ed-8375-0168a9970c06.json
+++ b/packages/m365_defender/kibana/search/m365_defender-fcf25960-44af-11ed-8375-0168a9970c06.json
@@ -51,10 +51,11 @@
 ],
 "title": "Incidents Essential Details [Logs Microsoft 365 Defender]"
 },
- "coreMigrationVersion": "7.16.0",
+ "coreMigrationVersion": "8.7.1",
+ "created_at": "2023-07-10T15:29:49.843Z",
 "id": "m365_defender-fcf25960-44af-11ed-8375-0168a9970c06",
 "migrationVersion": {
- "search": "7.9.3"
+ "search": "8.0.0"
 },
 "references": [
 {
diff --git a/packages/m365_defender/manifest.yml b/packages/m365_defender/manifest.yml
index 25340c5f59e8..cc565d71846b 100644
--- a/packages/m365_defender/manifest.yml
+++ b/packages/m365_defender/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: m365_defender
 title: Microsoft M365 Defender
-version: "1.12.0"
+version: "1.13.0"
 description: Collect logs from Microsoft M365 Defender with Elastic Agent.
 categories:
 - "security"
@@ -120,5 +120,9 @@ screenshots:
 title: Microsoft 365 Defender Email Events Dashboard Screenshot
 size: 600x600
 type: image/png
+ - src: /img/m365-defender-dashboard-incident.png
+ title: Microsoft 365 Defender Incident Dashboard Screenshot
+ size: 600x600
+ type: image/png
 owner:
 github: elastic/security-external-integrations
diff --git a/packages/sentinel_one/changelog.yml b/packages/sentinel_one/changelog.yml
index 4aa1446b35dc..65a90bd6087f 100644
--- a/packages/sentinel_one/changelog.yml
+++ b/packages/sentinel_one/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.11.0"
+ changes:
+ - description: Convert dashboards to Lens.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6932
 - version: "1.10.0"
 changes:
 - description: Ensure event.kind is correctly set for pipeline errors.
diff --git a/packages/sentinel_one/kibana/dashboard/sentinel_one-0dd17490-bbb8-11ec-82b7-8fcb232e9538.json b/packages/sentinel_one/kibana/dashboard/sentinel_one-0dd17490-bbb8-11ec-82b7-8fcb232e9538.json
index f08c3cea9fe4..99e8ccffd8aa 100644
--- a/packages/sentinel_one/kibana/dashboard/sentinel_one-0dd17490-bbb8-11ec-82b7-8fcb232e9538.json
+++ b/packages/sentinel_one/kibana/dashboard/sentinel_one-0dd17490-bbb8-11ec-82b7-8fcb232e9538.json @@ -1,7 +1,6 @@ { "attributes": { "description": "", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [ @@ -36,6 +35,8 @@ "optionsJSON": { "hidePanelTitles": false, "syncColors": false, + "syncCursor": true, + "syncTooltips": false, "useMargins": true }, "panelsJSON": [ @@ -57,7 +58,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "58329672-9ca4-4454-9d78-c619ef956a6a": { "columnOrder": [ @@ -87,12 +88,15 @@ "visualization": { "accessor": "d8990d07-439a-4335-9646-8fbcab6e268d", "layerId": "58329672-9ca4-4454-9d78-c619ef956a6a", - "layerType": "data" + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" } }, "title": "Total Number of Threats [Logs SentinelOne]", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {} }, @@ -105,7 +109,7 @@ }, "panelIndex": "ac59079e-c791-449b-aeeb-d47504921dff", "type": "lens", - "version": "7.17.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -130,7 +134,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "01d7bdc3-638b-4d23-9ae6-d24678743470": { "columnOrder": [ @@ -160,7 +164,7 @@ "meta": { "alias": null, "disabled": false, - "indexRefName": "filter-index-pattern-0", + "index": "filter-index-pattern-0", "key": "sentinel_one.threat.incident.status", "negate": false, "params": { @@ -182,12 +186,15 @@ "visualization": { "accessor": "831e34ee-b0d6-44b1-81b7-2bfee2a628ab", "layerId": "01d7bdc3-638b-4d23-9ae6-d24678743470", - "layerType": "data" + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" } }, "title": "Total Resolved Threats [Logs SentinelOne]", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {} }, 
@@ -200,7 +207,7 @@ }, "panelIndex": "1684da14-7484-42a6-91d6-b9659883e20d", "type": "lens", - "version": "7.17.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -225,7 +232,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "8a4ab761-ffa9-4e3d-bd66-9cf0b7ee9849": { "columnOrder": [ @@ -255,7 +262,7 @@ "meta": { "alias": null, "disabled": false, - "indexRefName": "filter-index-pattern-0", + "index": "filter-index-pattern-0", "key": "sentinel_one.threat.incident.status", "negate": false, "params": { @@ -277,12 +284,15 @@ "visualization": { "accessor": "f3d83b7a-fc35-4c85-83f8-b41e12baddf6", "layerId": "8a4ab761-ffa9-4e3d-bd66-9cf0b7ee9849", - "layerType": "data" + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" } }, "title": "Unresolved Threats [Logs SentinelOne]", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, "hidePanelTitles": false @@ -297,7 +307,7 @@ "panelIndex": "030f8164-5e7d-4fb6-a779-d0537748a819", "title": "Total Unresolved Threats [Logs SentinelOne]", "type": "lens", - "version": "7.17.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -327,7 +337,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "6f8f021f-aef7-458f-a0bb-445bd78741db": { "columnOrder": [ @@ -357,7 +367,7 @@ "meta": { "alias": null, "disabled": false, - "indexRefName": "filter-index-pattern-0", + "index": "filter-index-pattern-0", "key": "sentinel_one.threat.incident.status", "negate": false, "params": { @@ -378,7 +388,7 @@ "meta": { "alias": null, "disabled": false, - "indexRefName": "filter-index-pattern-1", + "index": "filter-index-pattern-1", "key": "sentinel_one.threat.mitigation.status", "negate": false, "params": { 
@@ -400,12 +410,15 @@ "visualization": { "accessor": "1ede434b-a316-4e79-85b6-ffbfc41f379a", "layerId": "6f8f021f-aef7-458f-a0bb-445bd78741db", - "layerType": "data" + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" } }, "title": "Active Threats [Logs SentinelOne]", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, "hidePanelTitles": false @@ -420,7 +433,7 @@ "panelIndex": "075409b1-9d74-4399-8348-3101a2d22392", "title": "Active Threats [Logs SentinelOne]", "type": "lens", - "version": "7.17.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -450,7 +463,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "31be526e-c389-4f6d-93e8-27f1b7dcd0d0": { "columnOrder": [ @@ -480,7 +493,7 @@ "meta": { "alias": null, "disabled": false, - "indexRefName": "filter-index-pattern-0", + "index": "filter-index-pattern-0", "key": "sentinel_one.threat.incident.status", "negate": true, "params": { @@ -501,7 +514,7 @@ "meta": { "alias": null, "disabled": false, - "indexRefName": "filter-index-pattern-1", + "index": "filter-index-pattern-1", "key": "sentinel_one.threat.mitigation.status", "negate": false, "params": { @@ -523,12 +536,15 @@ "visualization": { "accessor": "8ae53844-358d-4472-9d64-d7c2708fc29c", "layerId": "31be526e-c389-4f6d-93e8-27f1b7dcd0d0", - "layerType": "data" + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" } }, "title": "Blocked Threats [Logs SentinelOne]", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, "hidePanelTitles": false @@ -543,7 +559,7 @@ "panelIndex": "3ff8c08e-3a29-488c-b481-9b51accaae95", "title": "Total Blocked Threats [Logs SentinelOne]", "type": "lens", - "version": "7.17.0" + "version": "8.7.1" }, { "embeddableConfig": { 
@@ -573,7 +589,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "1c27890e-f153-4984-8c2f-6004a3779f71": { "columnOrder": [ @@ -603,7 +619,7 @@ "meta": { "alias": null, "disabled": false, - "indexRefName": "filter-index-pattern-0", + "index": "filter-index-pattern-0", "key": "sentinel_one.threat.mitigation.status", "negate": false, "params": { @@ -624,7 +640,7 @@ "meta": { "alias": null, "disabled": false, - "indexRefName": "filter-index-pattern-1", + "index": "filter-index-pattern-1", "key": "sentinel_one.threat.incident.status", "negate": true, "params": { @@ -646,12 +662,15 @@ "visualization": { "accessor": "eb8375d7-8836-43bb-840a-88c8c2f11b43", "layerId": "1c27890e-f153-4984-8c2f-6004a3779f71", - "layerType": "data" + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" } }, "title": "Mitigated Threats [Logs SentinelOne]", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, "hidePanelTitles": false @@ -666,7 +685,7 @@ "panelIndex": "d2411b38-52ad-47c2-b364-f1f42b7cd26a", "title": "Total Mitigated Threats [Logs SentinelOne]", "type": "lens", - "version": "7.17.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -696,7 +715,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "98a05273-ef46-4b59-8caa-86b7de9c9724": { "columnOrder": [ @@ -726,7 +745,7 @@ "meta": { "alias": null, "disabled": false, - "indexRefName": "filter-index-pattern-0", + "index": "filter-index-pattern-0", "key": "sentinel_one.threat.incident.status", "negate": true, "params": { @@ -747,7 +766,7 @@ "meta": { "alias": null, "disabled": false, - "indexRefName": "filter-index-pattern-1", + "index": "filter-index-pattern-1", "key": "sentinel_one.agent.console_migration_status", "negate": false, "params": { 
@@ -769,12 +788,15 @@ "visualization": { "accessor": "9295a43b-ccd0-4d23-abf8-73586af8dac7", "layerId": "98a05273-ef46-4b59-8caa-86b7de9c9724", - "layerType": "data" + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" } }, "title": "Detected - Suspicious Threats [Logs SentinelOne]", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, "hidePanelTitles": false 
@@ -789,7 +811,110 @@ "panelIndex": "14069c35-b940-4540-82f8-1ef2bb73dfe1", "title": "Total Detected - Suspicious Threats [Logs SentinelOne]", "type": "lens", - "version": "7.17.0" + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ec6bf891-aedf-4b92-af42-54c04e749174", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "ec6bf891-aedf-4b92-af42-54c04e749174": { + "columnOrder": [ + "7dc311c6-df3f-40ca-88e5-3925010191be", + "9934d429-8319-435c-8c72-57a56541dfcb" + ], + "columns": { + "7dc311c6-df3f-40ca-88e5-3925010191be": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Engine Detections", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "9934d429-8319-435c-8c72-57a56541dfcb", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "sentinel_one.threat.detection.engines.title" + }, + "9934d429-8319-435c-8c72-57a56541dfcb": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "sentinel_one.threat.id" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "ec6bf891-aedf-4b92-af42-54c04e749174", + "layerType": "data", + "legendDisplay": "default", + "legendSize": "auto", + "metrics": [ + "9934d429-8319-435c-8c72-57a56541dfcb" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "7dc311c6-df3f-40ca-88e5-3925010191be" + ] + } + ], + "shape": 
"pie" + } + }, + "title": "Distribution of Detections by Engine [Logs SentinelOne]", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "14523f88-ccbb-45bc-9758-7263315630cb", + "w": 24, + "x": 0, + "y": 14 + }, + "panelIndex": "14523f88-ccbb-45bc-9758-7263315630cb", + "type": "lens", + "version": "8.7.1" }, { "embeddableConfig": { @@ -814,7 +939,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "9d8d04b8-42e9-488a-9c18-39f38153e46a": { "columnOrder": [ @@ -864,7 +989,7 @@ "meta": { "alias": null, "disabled": false, - "indexRefName": "filter-index-pattern-0", + "index": "filter-index-pattern-0", "key": "sentinel_one.threat.incident.status", "negate": true, "params": { @@ -899,6 +1024,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "bar_stacked", 
@@ -927,107 +1053,7 @@ }, "panelIndex": "213a2279-8bb5-491b-b0f0-d5a7a2473670", "type": "lens", - "version": "7.17.0" - }, - { - "embeddableConfig": { - "attributes": { - "description": "", - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-ec6bf891-aedf-4b92-af42-54c04e749174", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "ec6bf891-aedf-4b92-af42-54c04e749174": { - "columnOrder": [ - "7dc311c6-df3f-40ca-88e5-3925010191be", - "9934d429-8319-435c-8c72-57a56541dfcb" - ], - "columns": { - "7dc311c6-df3f-40ca-88e5-3925010191be": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Engine Detections", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "9934d429-8319-435c-8c72-57a56541dfcb", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "sentinel_one.threat.detection.engines.title" - }, - "9934d429-8319-435c-8c72-57a56541dfcb": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "unique_count", - "scale": "ratio", - "sourceField": "sentinel_one.threat.id" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "7dc311c6-df3f-40ca-88e5-3925010191be" - ], - "layerId": "ec6bf891-aedf-4b92-af42-54c04e749174", - "layerType": "data", - "legendDisplay": "default", - "metric": "9934d429-8319-435c-8c72-57a56541dfcb", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "shape": "pie" - } - }, - "title": "Distribution of Detections by Engine [Logs SentinelOne]", - "type": "lens", - 
"visualizationType": "lnsPie" - }, - "enhancements": {} - }, - "gridData": { - "h": 15, - "i": "14523f88-ccbb-45bc-9758-7263315630cb", - "w": 24, - "x": 0, - "y": 14 - }, - "panelIndex": "14523f88-ccbb-45bc-9758-7263315630cb", - "type": "lens", - "version": "7.17.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -1052,7 +1078,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "f83c655e-003c-4cc5-a2e3-789acb23b691": { "columnOrder": [ @@ -1108,7 +1134,7 @@ "meta": { "alias": null, "disabled": false, - "indexRefName": "filter-index-pattern-0", + "index": "filter-index-pattern-0", "key": "sentinel_one.threat.agent.is_active", "negate": false, "type": "exists" @@ -1128,15 +1154,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "d427f2bd-912c-476e-85a7-3110216b3b8d" - ], "layerId": "f83c655e-003c-4cc5-a2e3-789acb23b691", "layerType": "data", "legendDisplay": "default", - "metric": "7fead18f-d40b-4539-ace7-5328e84140d2", + "legendSize": "auto", + "metrics": [ + "7fead18f-d40b-4539-ace7-5328e84140d2" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "d427f2bd-912c-476e-85a7-3110216b3b8d" + ] } ], "shape": "pie" @@ -1158,7 +1187,7 @@ }, "panelIndex": "dc9ba6b7-0c35-4333-99ad-653d57c20fd7", "type": "lens", - "version": "7.17.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -1178,7 +1207,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "6f4336e8-7451-476e-89a5-fe65d93be571": { "columnOrder": [ 
@@ -1229,15 +1258,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "59424e47-b686-440e-b754-51a079ad1417" - ], "layerId": "6f4336e8-7451-476e-89a5-fe65d93be571", "layerType": "data", "legendDisplay": "default", - "metric": "7c71fee2-7e8b-48d2-8344-767b3e76f207", + "legendSize": "auto", + "metrics": [ + "7c71fee2-7e8b-48d2-8344-767b3e76f207" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "59424e47-b686-440e-b754-51a079ad1417" + ] } ], "shape": "pie" @@ -1258,7 +1290,7 @@ }, "panelIndex": "0ae44b6f-3e90-4fce-96a0-a0bdf069ab0e", "type": "lens", - "version": "7.17.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -1278,7 +1310,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "c5e5c6f0-5d4d-48f4-9ad4-727d5f1c0ebd": { "columnOrder": [ @@ -1329,15 +1361,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "039a2941-5111-4bf1-a02a-af4a8fe09609" - ], "layerId": "c5e5c6f0-5d4d-48f4-9ad4-727d5f1c0ebd", "layerType": "data", "legendDisplay": "default", - "metric": "86f6d3c9-4b8b-4d98-afae-df8ba9fd0e43", + "legendSize": "auto", + "metrics": [ + "86f6d3c9-4b8b-4d98-afae-df8ba9fd0e43" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "039a2941-5111-4bf1-a02a-af4a8fe09609" + ] } ], "shape": "pie" @@ -1358,7 +1393,7 @@ }, "panelIndex": "accf3797-c215-44a4-829d-c9ff30758f7b", "type": "lens", - "version": "7.17.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -1378,7 +1413,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "a64559b1-90c9-4859-9d5f-2585172bcda4": { "columnOrder": [ @@ -1441,6 +1476,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "bar_stacked", 
@@ -1469,7 +1505,7 @@ }, "panelIndex": "301b13f1-59c8-40e0-80f8-ecc1892b938d", "type": "lens", - "version": "7.17.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -1489,7 +1525,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "da28cab9-5d08-4b0b-bbd6-2cf9952051b2": { "columnOrder": [ @@ -1552,6 +1588,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "bar_stacked", @@ -1580,7 +1617,7 @@ }, "panelIndex": "b8f90700-ca73-40c7-9257-8612aa86cc9f", "type": "lens", - "version": "7.17.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -1600,7 +1637,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "87c51fc8-6c57-4d1c-a3f5-8b420f1d392c": { "columnOrder": [ @@ -1663,6 +1700,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "bar_stacked", @@ -1691,7 +1729,7 @@ }, "panelIndex": "9bdf752f-f767-44a4-bf05-51e0a27b7bbf", "type": "lens", - "version": "7.17.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -1711,7 +1749,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "3f121a5b-0179-4329-a945-a3d23d83172f": { "columnOrder": [ @@ -1770,7 +1808,9 @@ } ], "layerId": "3f121a5b-0179-4329-a945-a3d23d83172f", - "layerType": "data" + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 } }, "title": "Top 10 File Extension [Logs SentinelOne]", @@ -1788,7 +1828,7 @@ }, "panelIndex": "ed9a7061-e640-41f3-a838-3772f86e4be4", "type": "lens", - "version": "7.17.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -1808,7 +1848,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "8662c82e-ca55-4ddc-81b6-2c4f9a3afbf8": { "columnOrder": [ @@ -1871,6 +1911,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "bar_stacked", 
@@ -1901,78 +1942,120 @@ "panelIndex": "e17f8b5f-d5de-4921-bb3a-9d3e7ef58ae4", "title": "Distribution of Threats by Incident Status [Logs SentinelOne]", "type": "lens", - "version": "7.17.0" + "version": "8.7.1" }, { "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Count", - "field": "sentinel_one.threat.id" - }, - "schema": "metric", - "type": "cardinality" + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-72498694-dd0d-4f76-9d38-d0e7a211b6a9", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "72498694-dd0d-4f76-9d38-d0e7a211b6a9": { + "columnOrder": [ + "872c0c1b-aedd-4cf0-a98a-60443e689fc5", + "7d83b2e8-f6df-4b3e-868c-9452cf579fb0" + ], + "columns": { + "7d83b2e8-f6df-4b3e-868c-9452cf579fb0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "872c0c1b-aedd-4cf0-a98a-60443e689fc5": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Technique ID", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "7d83b2e8-f6df-4b3e-868c-9452cf579fb0", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat.technique.id" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Technique Name", - "field": "threat.technique.id", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - 
"otherBucket": false, - "otherBucketLabel": "Other", - "size": 10 - }, - "schema": "segment", - "type": "terms" + "textBased": { + "layers": {} } - ], - "searchSource": { - "filter": [], - "index": "logs-*", - "query": { - "language": "kuery", - "query": "" + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "7d83b2e8-f6df-4b3e-868c-9452cf579fb0", + "isTransposed": false + }, + { + "columnId": "872c0c1b-aedd-4cf0-a98a-60443e689fc5", + "isTransposed": false + } + ], + "layerId": "72498694-dd0d-4f76-9d38-d0e7a211b6a9", + "layerType": "data", + "paging": { + "enabled": true, + "size": 10 } } }, - "description": "", - "params": { - "maxFontSize": 72, - "minFontSize": 18, - "orientation": "single", - "palette": { - "name": "default", - "type": "palette" - }, - "scale": "linear", - "showLabel": true - }, - "title": "Top 10 Threat Techniques [Logs SentinelOne]", - "type": "tagcloud", - "uiState": {} - } + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false }, "gridData": { "h": 15, - "i": "6d788430-6b2b-4e7c-9468-36b0aebf8468", + "i": "3e6f6367-85e2-45ee-a9c2-a14d5739f952", "w": 24, "x": 0, "y": 89 }, - "panelIndex": "6d788430-6b2b-4e7c-9468-36b0aebf8468", - "type": "visualization", - "version": "7.17.0" + "panelIndex": "3e6f6367-85e2-45ee-a9c2-a14d5739f952", + "title": "Top 10 Threat Techniques [Logs SentinelOne]", + "type": "lens", + "version": "8.7.1" }, { "embeddableConfig": { @@ -1997,7 +2080,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "71ff1569-960a-408c-8e00-df6b68186912": { "columnOrder": [ @@ -2053,7 +2136,7 @@ "meta": { "alias": null, "disabled": false, - "indexRefName": "filter-index-pattern-0", + "index": "filter-index-pattern-0", "key": "sentinel_one.threat.agent.infected", "negate": false, "type": "exists" 
@@ -2073,15 +2156,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "9a221d90-b37c-4947-899a-a8806d7d25f1" - ], "layerId": "71ff1569-960a-408c-8e00-df6b68186912", "layerType": "data", "legendDisplay": "default", - "metric": "d24c6b72-358d-4f01-ade3-cf9c228946e0", + "legendSize": "auto", + "metrics": [ + "d24c6b72-358d-4f01-ade3-cf9c228946e0" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "9a221d90-b37c-4947-899a-a8806d7d25f1" + ] } ], "shape": "pie" @@ -2104,7 +2190,7 @@ "panelIndex": "1888de07-0e2f-4fc4-80e9-f3102e8b97b3", "title": "Distribution of Threats by Infected Agents [Logs SentinelOne]", "type": "lens", - "version": "7.17.0" + "version": "8.7.1" }, { "embeddableConfig": { @@ -2124,7 +2210,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "9fe7a9cc-3417-4166-bdfc-5cdb85599981": { "columnOrder": [ @@ -2183,7 +2269,9 @@ } ], "layerId": "9fe7a9cc-3417-4166-bdfc-5cdb85599981", - "layerType": "data" + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 } }, "title": "Distribution of Threats by Detection Engine [Logs SentinelOne] ", 
@@ -2201,88 +2289,130 @@ }, "panelIndex": "6080a8f0-54d7-4fae-884f-f34dbed69ea8", "type": "lens", - "version": "7.17.0" + "version": "8.7.1" }, { "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Count", - "field": "sentinel_one.threat.id" - }, - "schema": "metric", - "type": "cardinality" + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-7cff55a3-869c-4529-a8bf-39b8d5ad3fa1", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "7cff55a3-869c-4529-a8bf-39b8d5ad3fa1": { + "columnOrder": [ + "32957c07-beb9-4cc6-99a8-f6e1c686c105", + "92c9fb3d-991c-4c5e-b5e4-f73d60aed93f" + ], + "columns": { + "32957c07-beb9-4cc6-99a8-f6e1c686c105": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Threat Classification", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "92c9fb3d-991c-4c5e-b5e4-f73d60aed93f", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "sentinel_one.threat.classification" + }, + "92c9fb3d-991c-4c5e-b5e4-f73d60aed93f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Threat Classification", - "field": "sentinel_one.threat.classification", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - 
"otherBucket": false, - "otherBucketLabel": "Other", - "size": 10 - }, - "schema": "segment", - "type": "terms" + "textBased": { + "layers": {} } - ], - "searchSource": { - "filter": [], - "index": "logs-*", - "query": { - "language": "kuery", - "query": "" + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "32957c07-beb9-4cc6-99a8-f6e1c686c105" + }, + { + "columnId": "92c9fb3d-991c-4c5e-b5e4-f73d60aed93f" + } + ], + "layerId": "7cff55a3-869c-4529-a8bf-39b8d5ad3fa1", + "layerType": "data", + "paging": { + "enabled": true, + "size": 10 } } }, - "description": "", - "params": { - "maxFontSize": 72, - "minFontSize": 18, - "orientation": "single", - "palette": { - "name": "default", - "type": "palette" - }, - "scale": "linear", - "showLabel": true - }, - "title": "Top Threats by Classification [Logs SentinelOne]", - "type": "tagcloud", - "uiState": {} - } + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false }, "gridData": { "h": 15, - "i": "55d0b7da-986b-4e98-b476-f3768233dc8f", + "i": "f7c0e875-f75f-4d06-b4dd-a8e50965eabe", "w": 24, "x": 24, "y": 104 }, - "panelIndex": "55d0b7da-986b-4e98-b476-f3768233dc8f", - "type": "visualization", - "version": "7.17.0" + "panelIndex": "f7c0e875-f75f-4d06-b4dd-a8e50965eabe", + "title": "Top 10 Threats by Classification [Logs SentinelOne]", + "type": "lens", + "version": "8.7.1" } ], "timeRestore": false, "title": "[Logs SentinelOne] Threats", "version": 1 }, - "coreMigrationVersion": "7.17.0", + "coreMigrationVersion": "8.7.1", + "created_at": "2023-07-12T11:18:11.726Z", "id": "sentinel_one-0dd17490-bbb8-11ec-82b7-8fcb232e9538", "migrationVersion": { - "dashboard": "7.17.0" + "dashboard": "8.7.0" }, "references": [ { 
@@ -2412,27 +2542,27 @@ }, { "id": "logs-*", - "name": "213a2279-8bb5-491b-b0f0-d5a7a2473670:indexpattern-datasource-current-indexpattern", + "name": "14523f88-ccbb-45bc-9758-7263315630cb:indexpattern-datasource-current-indexpattern", "type": "index-pattern" }, { "id": "logs-*", - "name": "213a2279-8bb5-491b-b0f0-d5a7a2473670:indexpattern-datasource-layer-9d8d04b8-42e9-488a-9c18-39f38153e46a", + "name": "14523f88-ccbb-45bc-9758-7263315630cb:indexpattern-datasource-layer-ec6bf891-aedf-4b92-af42-54c04e749174", "type": "index-pattern" }, { "id": "logs-*", - "name": "213a2279-8bb5-491b-b0f0-d5a7a2473670:filter-index-pattern-0", + "name": "213a2279-8bb5-491b-b0f0-d5a7a2473670:indexpattern-datasource-current-indexpattern", "type": "index-pattern" }, { "id": "logs-*", - "name": "14523f88-ccbb-45bc-9758-7263315630cb:indexpattern-datasource-current-indexpattern", + "name": "213a2279-8bb5-491b-b0f0-d5a7a2473670:indexpattern-datasource-layer-9d8d04b8-42e9-488a-9c18-39f38153e46a", "type": "index-pattern" }, { "id": "logs-*", - "name": "14523f88-ccbb-45bc-9758-7263315630cb:indexpattern-datasource-layer-ec6bf891-aedf-4b92-af42-54c04e749174", + "name": "213a2279-8bb5-491b-b0f0-d5a7a2473670:filter-index-pattern-0", "type": "index-pattern" }, { @@ -2522,7 +2652,7 @@ }, { "id": "logs-*", - "name": "6d788430-6b2b-4e7c-9468-36b0aebf8468:kibanaSavedObjectMeta.searchSourceJSON.index", + "name": "3e6f6367-85e2-45ee-a9c2-a14d5739f952:indexpattern-datasource-layer-72498694-dd0d-4f76-9d38-d0e7a211b6a9", "type": "index-pattern" }, { @@ -2552,7 +2682,7 @@ }, { "id": "logs-*", - "name": "55d0b7da-986b-4e98-b476-f3768233dc8f:kibanaSavedObjectMeta.searchSourceJSON.index", + "name": "f7c0e875-f75f-4d06-b4dd-a8e50965eabe:indexpattern-datasource-layer-7cff55a3-869c-4529-a8bf-39b8d5ad3fa1", "type": "index-pattern" } ], diff --git a/packages/sentinel_one/manifest.yml b/packages/sentinel_one/manifest.yml index 1c545eb742d6..c74015a8f2dc 100644 --- a/packages/sentinel_one/manifest.yml 
+++ b/packages/sentinel_one/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 2.7.0
 name: sentinel_one
 title: SentinelOne
-version: "1.10.0"
+version: "1.11.0"
 description: Collect logs from SentinelOne with Elastic Agent.
 type: integration
 categories:
diff --git a/packages/slack/changelog.yml b/packages/slack/changelog.yml
index 7be4afaf12a0..985597b46f77 100644
--- a/packages/slack/changelog.yml
+++ b/packages/slack/changelog.yml
@@ -1,9 +1,14 @@
 # newer versions go on top
-- version: "1.7.1"
+- version: "1.7.2"
 changes:
 - description: Fix handling of API query param 'oldest'
 type: bugfix
 link: https://github.com/elastic/integrations/pull/6958
+- version: "1.7.1"
+ changes:
+ - description: Parse action_timestamp values as microseconds since unix epoch.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/6965
 - version: "1.7.0"
 changes:
 - description: Document valid duration units.
diff --git a/packages/slack/data_stream/audit/_dev/test/pipeline/test-audit.log b/packages/slack/data_stream/audit/_dev/test/pipeline/test-audit.log
index 7316bf4113ac..194b56eda8f3 100644
--- a/packages/slack/data_stream/audit/_dev/test/pipeline/test-audit.log
+++ b/packages/slack/data_stream/audit/_dev/test/pipeline/test-audit.log
@@ -2,3 +2,4 @@ {"id":"bdcb13e3-28a3-41f0-9ace-a20952def3a0","date_create":1566215192,"action":"user_created","actor":{"type":"user","user":{"id":"e65b0f5c","name":"roy","email":"aaron@demo.com"}},"entity":{"type":"user","user":{"id":"asdfasdf","name":"Joe Bob","email":"jbob@example.com","team":"T234SAH2"}},"context":{"location":{"type":"workspace","id":"e65b11aa","name":"Docker","domain":"Docker"},"ua":"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0","ip_address":"81.2.69.143"}} {"action":"file_downloaded","actor":{"type":"user","user":{"email":"user.mcuser@abcd.co","id":"2f52269c-4f38-4f08-b56d-c2b968681dbd","name":"User McUser","team":"user-team"}},"context":{"ip_address":"81.2.69.144","location":{"domain":"domain.tld","id":"eedd1a7d-1a92-418d-8b01-51a4c809d0fb","name":"The Place","type":"workspace"},"session_id":913888259765,"ua":"com.tinyspeck.chatlyio/23.04.40 (iPhone; iOS 1.4.1; Scale/3.00)"},"date_create":1683836275,"details":{"url_private":"https://example.com/"},"entity":{"file":{"filetype":"image/png","id":"7edc4c42-f925-47af-979a-22c10e1fefed","name":"image.png","title":"image.png"},"type":"file"},"id":"2db28060-1659-4b27-ad55-fdba12e3a7b1"} {"id":"16f5fb41-c67c-4cf5-a5c4-d90cb58dd5f9","date_create":1673631531,"action":"anomaly","actor":{"type":"user","user":{"id":"e65b0f5c","name":"roy","email":"aaron@demo.com"}},"entity":{"type":"user","user":{"id":"asdfasdf","name":"Joe Bob","email":"jbob@example.com","team":"T234SAH2"}},"context":{"location":{"type":"workspace","id":"e65b11aa","name":"Docker","domain":"Docker"},"ua":"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0","ip_address":"81.2.69.143"},"details":{"action_timestamp":1673631621862,"location":"England, GB","previous_ip_address":"175.16.199.64","previous_ua":"","reason":["asn","ip_address"]}} +{"action":"anomaly","actor":{"type":"user","user":{"email":"john@example.com","id":"U04V6RBUPAK","name":"John 
Doe","team":"Z0937DXQX"}},"context":{"ip_address":"192.168.220.224","location":{"domain":"example","id":"Z0937DXQX","name":"Acme","type":"workspace"},"session_id":9982493323637,"ua":"com.tinyspeck.chatlyio/23.07.10 (iPhone; iOS 16.5.1; Scale/3.00)"},"date_create":1689249764,"details":{"action_timestamp":1689249716345113,"location":"Tokyo, JP","previous_ip_address":"192.168.79.87","previous_ua":"com.tinyspeck.chatlyio.NotificationService/23.07.10 (iPhone; iOS 16.5.1; Scale/3.00)","reason":["asn","ip_address"]},"entity":{"type":"user","user":{"email":"john@example.com","id":"U04V6RBUPAK","name":"John Doe","team":"Z0937DXQX"}},"id":"abc8e17e-c081-4b82-a515-4c54674e3de4"} \ No newline at end of file diff --git a/packages/slack/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json b/packages/slack/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json index 9902f0b65ad7..6f6adff8a2ad 100644 --- a/packages/slack/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json +++ b/packages/slack/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json 
@@ -329,6 +329,79 @@ }, "version": "23.0." } + }, + { + "@timestamp": "2023-07-13T12:01:56.345113Z", + "ecs": { + "version": "8.8.0" + }, + "event": { + "action": "anomaly", + "id": "abc8e17e-c081-4b82-a515-4c54674e3de4", + "kind": "event", + "original": "{\"action\":\"anomaly\",\"actor\":{\"type\":\"user\",\"user\":{\"email\":\"john@example.com\",\"id\":\"U04V6RBUPAK\",\"name\":\"John Doe\",\"team\":\"Z0937DXQX\"}},\"context\":{\"ip_address\":\"192.168.220.224\",\"location\":{\"domain\":\"example\",\"id\":\"Z0937DXQX\",\"name\":\"Acme\",\"type\":\"workspace\"},\"session_id\":9982493323637,\"ua\":\"com.tinyspeck.chatlyio/23.07.10 (iPhone; iOS 16.5.1; Scale/3.00)\"},\"date_create\":1689249764,\"details\":{\"action_timestamp\":1689249716345113,\"location\":\"Tokyo, JP\",\"previous_ip_address\":\"192.168.79.87\",\"previous_ua\":\"com.tinyspeck.chatlyio.NotificationService/23.07.10 (iPhone; iOS 16.5.1; Scale/3.00)\",\"reason\":[\"asn\",\"ip_address\"]},\"entity\":{\"type\":\"user\",\"user\":{\"email\":\"john@example.com\",\"id\":\"U04V6RBUPAK\",\"name\":\"John Doe\",\"team\":\"Z0937DXQX\"}},\"id\":\"abc8e17e-c081-4b82-a515-4c54674e3de4\"}", + "type": "info" + }, + "related": { + "ip": [ + "192.168.220.224" + ], + "user": [ + "U04V6RBUPAK", + "john@example.com" + ] + }, + "slack": { + "audit": { + "context": { + "domain": "example", + "id": "Z0937DXQX", + "name": "Acme", + "session_id": "9982493323637", + "type": "workspace" + }, + "details": { + "location": "Tokyo, JP", + "previous_ip_address": "192.168.79.87", + "previous_user_agent": "com.tinyspeck.chatlyio.NotificationService/23.07.10 (iPhone; iOS 16.5.1; Scale/3.00)", + "reason": [ + "asn", + "ip_address" + ] + }, + "entity": { + "email": "john@example.com", + "entity_type": "user", + "id": "U04V6RBUPAK", + "name": "John Doe", + "team": "Z0937DXQX" + } + } + }, + "source": { + "address": "192.168.220.224", + "ip": "192.168.220.224" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "email": 
"john@example.com", + "full_name": "John Doe", + "id": "U04V6RBUPAK" + }, + "user_agent": { + "device": { + "name": "iPhone" + }, + "name": "Mobile Safari UI/WKWebView", + "original": "com.tinyspeck.chatlyio/23.07.10 (iPhone; iOS 16.5.1; Scale/3.00)", + "os": { + "full": "iOS 16.5.1", + "name": "iOS", + "version": "16.5.1" + } + } } ] } \ No newline at end of file diff --git a/packages/slack/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/slack/data_stream/audit/elasticsearch/ingest_pipeline/default.yml index 34d9aa3edda2..800b9346c8ea 100644 --- a/packages/slack/data_stream/audit/elasticsearch/ingest_pipeline/default.yml +++ b/packages/slack/data_stream/audit/elasticsearch/ingest_pipeline/default.yml @@ -138,6 +138,15 @@ processors: field: json.details.reason target_field: slack.audit.details.reason ignore_missing: true +- script: + if: ctx.json?.details?.action_timestamp != null && ctx.json.details.action_timestamp > 1e13 + description: Parse action_timestamp as microseconds since unix epoch. + tag: action-timestamp-microseconds + source: | + def secs = (long)(ctx.json.details.action_timestamp/1e6); + def nanos = (long)(ctx.json.details.action_timestamp % 1e6) * 1000; + ctx["@timestamp"] = Instant.ofEpochSecond(secs, nanos).atZone(ZoneId.of("UTC")); + ctx.json.details.remove("action_timestamp"); - date: if: ctx.json?.details?.action_timestamp != null field: json.details.action_timestamp diff --git a/packages/slack/manifest.yml b/packages/slack/manifest.yml index 8a4179da7256..d574224d94e5 100644 --- a/packages/slack/manifest.yml +++ b/packages/slack/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: slack title: "Slack Logs" -version: "1.7.1" +version: "1.7.2" license: basic release: ga description: "Slack Logs Integration" diff --git a/packages/sql_input/agent/input/input.yml.hbs b/packages/sql_input/agent/input/input.yml.hbs index 85ac2a9e4003..2f2e91d95699 100644 --- a/packages/sql_input/agent/input/input.yml.hbs 
+++ b/packages/sql_input/agent/input/input.yml.hbs
@@ -7,5 +7,6 @@ driver: {{driver}}
 sql_queries: {{sql_queries}}
 raw_data.enabled: true
 period: {{period}}
+merge_results: {{merge_results}}
 data_stream:
 dataset: {{data_stream.dataset}}
diff --git a/packages/sql_input/changelog.yml b/packages/sql_input/changelog.yml
index e43ababf552e..b85424690193 100644
--- a/packages/sql_input/changelog.yml
+++ b/packages/sql_input/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.3.0"
+ changes:
+ - description: Add merge_results feature
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6922
 - version: "0.2.1"
 changes:
 - description: Add system test cases.
diff --git a/packages/sql_input/docs/README.md b/packages/sql_input/docs/README.md
index 7982387d196a..07be686c844f 100644
--- a/packages/sql_input/docs/README.md
+++ b/packages/sql_input/docs/README.md
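Review bot: `merge_results: {{merge_results}}` is rendered unconditionally, so a policy in which the variable is unset — one created before the option existed, if Fleet does not back-fill the manifest default on upgrade — renders `merge_results: ` with an empty value instead of the boolean the input expects; wrapping it as `{{#if merge_results}}merge_results: {{merge_results}}{{/if}}` keeps the key out of the rendered config in that case and leaves the input's own default in force, while still emitting `true` when the option is enabled. The manifest hunk that declares the variable with `default: false` and `show_user: false` is on the following line of this diff; the template has no other guarded keys in view, so the unguarded form may be deliberate and this is a question rather than a blocker.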
@@ -81,3 +81,25 @@ Expects any number of columns. This mode generates a single event for each row. For more examples of response format pelase refer [here](https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-sql.html) + +### Merge Results +Merge multiple queries into a single event. + +Multiple queries will create multiple events, one for each query. It may be preferable to create a single event by combining the metrics together in a single event. + +This feature can be enabled using the `merge_results` config. + +`merge_results` can merge queries having response format as "variable". +However, for queries with a response format as "table", a merge is possible only if each table query produces a single row. + +For example, if we have 2 queries as below for PostgreSQL: + +sql_queries: + - query: "SELECT blks_hit,blks_read FROM pg_stat_database LIMIT 1;" + response_format: table + + - query: "SELECT checkpoints_timed,checkpoints_req FROM pg_stat_bgwriter;" + response_format: table + +The `merge_results` feature will create a combined event, where `blks_hit`, `blks_read`, `checkpoints_timed` and `checkpoints_req` are part of the same event. + diff --git a/packages/sql_input/manifest.yml b/packages/sql_input/manifest.yml index ab3fbc743a5c..2e6021fa6e6d 100644 --- a/packages/sql_input/manifest.yml +++ b/packages/sql_input/manifest.yml @@ -1,7 +1,7 @@ format_version: 2.0.0 name: sql title: "SQL Input" -version: "0.2.1" +version: "0.3.0" description: "Collects Metrics by Quering on SQL Databases" type: input categories: @@ -48,5 +48,13 @@ policy_templates: required: true show_user: true default: "- query: SHOW GLOBAL STATUS LIKE 'Innodb_system%'\n response_format: variables\n \n" + - name: merge_results + type: bool + title: Merge Results + multi: false + required: false + show_user: false + default: false + description: Merge results from multiple queries to a single event (restrictions apply) owner: github: elastic/obs-infraobs-integrations 
diff --git a/packages/system/changelog.yml b/packages/system/changelog.yml
index 4cfa8ad09b11..440a8523e9da 100644
--- a/packages/system/changelog.yml
+++ b/packages/system/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.36.1"
+ changes:
+ - description: Fix EventIDs for Users Added to Group panel
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/6280
 - version: "1.36.0"
 changes:
 - description: Revert changes to permissions to reroute events to logs-*-* for syslog datastream
diff --git a/packages/system/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json b/packages/system/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json
index 9146a205bc83..656c57612a93 100644
--- a/packages/system/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json
+++ b/packages/system/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json
@@ -3948,7 +3948,7 @@
 "dataType": "number",
 "filter": {
 "language": "kuery",
- "query": "event.code:4731 OR event.code:4727 OR event.code:\"4754\" OR event.code:\"4749\" OR event.code:\"4759\" OR event.code:\"4744\" OR event.code:\"4783\" OR event.code:\"4790\""
+ "query": "event.code:4732 OR event.code:4728 OR event.code:\"4756\" OR event.code:\"4751\" OR event.code:\"4761\" OR event.code:\"4746\" OR event.code:\"4785\" OR event.code:\"4787\""
 },
 "isBucketed": false,
 "label": "Users Added to Group",
diff --git a/packages/system/manifest.yml b/packages/system/manifest.yml
index 31033ab33858..953c7985f486 100644
--- a/packages/system/manifest.yml
+++ b/packages/system/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: system
 title: System
-version: 1.36.0
+version: 1.36.1
 license: basic
 description: Collect system logs and metrics from your servers with Elastic Agent.
 type: integration
diff --git a/packages/ti_util/changelog.yml b/packages/ti_util/changelog.yml
index 38a4d9094a68..994349ef9261 100644
--- a/packages/ti_util/changelog.yml
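Review bot: The corrected `query` string keeps the old line's mixed quoting (`event.code:4732 OR event.code:4728 OR event.code:\"4756\" …`) even though all eight codes are matched the same way; a uniform grouped form such as `event.code:(4732 OR 4728 OR 4756 OR 4751 OR 4761 OR 4746 OR 4785 OR 4787)` is shorter and easier to audit against the Windows security event catalogue when the panel is next reviewed. As far as I can tell the new set is the right one for the panel label: each code is a member-added event (security-enabled and security-disabled local, global and universal groups, plus the two basic application group variants), whereas the replaced codes described group creation, so the panel previously under-counted membership changes rather than over-counting them. The dashboard is exported saved-object JSON, so the edit should be made in Kibana and re-exported rather than by hand if the package tooling checks the export format.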
+++ b/packages/ti_util/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.2.2"
+ changes:
+ - description: Update to use new Threat Indicator Match rule names.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/6942
 - version: "1.2.1"
 changes:
 - description: Update to use security-solution-default.
diff --git a/packages/ti_util/kibana/dashboard/ti_util-9eff2529-fff5-4064-b825-fa089f260bfa.json b/packages/ti_util/kibana/dashboard/ti_util-9eff2529-fff5-4064-b825-fa089f260bfa.json
index 5ea9cf3704fa..5bcb71a4c9cf 100644
--- a/packages/ti_util/kibana/dashboard/ti_util-9eff2529-fff5-4064-b825-fa089f260bfa.json
+++ b/packages/ti_util/kibana/dashboard/ti_util-9eff2529-fff5-4064-b825-fa089f260bfa.json
@@ -216,14 +216,39 @@
 "index": "c4f72a3f-d887-4210-8a8c-a7580687c5d3",
 "key": "kibana.alert.rule.name",
 "negate": false,
- "params": {
- "query": "Threat Intel Indicator Match"
- },
- "type": "phrase"
+ "params": [
+ "Threat Intel IP Address Indicator Match",
+ "Threat Intel Hash Indicator Match",
+ "Threat Intel Windows Registry Indicator Match",
+ "Threat Intel URL Indicator Match"
+ ],
+ "type": "phrases"
 },
 "query": {
- "match_phrase": {
- "kibana.alert.rule.name": "Threat Intel Indicator Match"
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "kibana.alert.rule.name": "Threat Intel IP Address Indicator Match"
+ }
+ },
+ {
+ "match_phrase": {
+ "kibana.alert.rule.name": "Threat Intel Hash Indicator Match"
+ }
+ },
+ {
+ "match_phrase": {
+ "kibana.alert.rule.name": "Threat Intel Windows Registry Indicator Match"
+ }
+ },
+ {
+ "match_phrase": {
+ "kibana.alert.rule.name": "Threat Intel URL Indicator Match"
+ }
+ }
+ ]
 }
 }
 }
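Review bot: The rebuilt filter enumerates four rule names and drops the single `Threat Intel Indicator Match` phrase, so on a deployment that still retains alerts raised by the previous rule the panel silently loses that history after the package upgrade; if continuity matters, keeping the legacy name as a fifth entry in `params` and a fifth `match_phrase` clause under `should` covers both generations of alerts. The four names are also duplicated between `params` and the `bool.should` clauses — the Kibana filter format requires it, but it means both copies must be edited together the next time a rule is renamed, which a short comment in the package changelog or README would help the next maintainer remember. The second hunk of this file (`@@ -797,14 +822,39 @@`, next line) repeats the same change and the same remarks apply; the `kibana.version: ^8.5.0` bump in the manifest hunk that follows it presumably pins the stack release that introduced these rule names, which is worth confirming.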
@@ -797,14 +822,39 @@
 "index": "69de1ad2-e63e-4d3f-bd3a-0531efbf7b2f",
 "key": "kibana.alert.rule.name",
 "negate": false,
- "params": {
- "query": "Threat Intel Indicator Match"
- },
- "type": "phrase"
+ "params": [
+ "Threat Intel IP Address Indicator Match",
+ "Threat Intel Hash Indicator Match",
+ "Threat Intel Windows Registry Indicator Match",
+ "Threat Intel URL Indicator Match"
+ ],
+ "type": "phrases"
 },
 "query": {
- "match_phrase": {
- "kibana.alert.rule.name": "Threat Intel Indicator Match"
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "kibana.alert.rule.name": "Threat Intel IP Address Indicator Match"
+ }
+ },
+ {
+ "match_phrase": {
+ "kibana.alert.rule.name": "Threat Intel Hash Indicator Match"
+ }
+ },
+ {
+ "match_phrase": {
+ "kibana.alert.rule.name": "Threat Intel Windows Registry Indicator Match"
+ }
+ },
+ {
+ "match_phrase": {
+ "kibana.alert.rule.name": "Threat Intel URL Indicator Match"
+ }
+ }
+ ]
 }
 }
 }
diff --git a/packages/ti_util/manifest.yml b/packages/ti_util/manifest.yml
index 4ffec79664b3..5d29c2bf5088 100644
--- a/packages/ti_util/manifest.yml
+++ b/packages/ti_util/manifest.yml
@@ -1,12 +1,12 @@
 name: ti_util
 title: "Threat Intelligence Utilities"
-version: 1.2.1
+version: 1.2.2
 description: Prebuilt Threat Intelligence dashboard for Elastic Security
 categories:
 - security
 - threat_intel
 conditions:
- kibana.version: ^8.4.0
+ kibana.version: ^8.5.0
 format_version: 2.7.0
 type: integration
 screenshots: