43 commits
7c853a9
Add EUIDs
jmcarlock Mar 2, 2026
a05dfa5
fix indentation
jmcarlock Mar 3, 2026
48c3abe
fix indentation
jmcarlock Mar 3, 2026
d3ddf59
update dashboards
jmcarlock Mar 3, 2026
ebdf1e8
add dashboard changes for host traffic anomalies package
jmcarlock Mar 3, 2026
6b14d8f
restore host.name/user.name in influencers
jmcarlock Mar 4, 2026
4688350
update ML anomalies datastream index pattern
jmcarlock Mar 9, 2026
8447f3e
rename files for EA changes
jmcarlock Mar 9, 2026
f26acb5
rollback EUID changes, add required fields for entity resolution, cha…
jmcarlock Mar 9, 2026
b1d11be
roll back minimum stack version changes
jmcarlock Mar 9, 2026
a7b851a
Merge branch 'main' into ueba-9.4-euid-update
jmcarlock Mar 9, 2026
c1a9f4f
update hta
jmcarlock Mar 10, 2026
fd49b30
remove `agent.name` from PAD windows transform
jmcarlock Mar 10, 2026
c44062e
fix formatting
jmcarlock Mar 10, 2026
40ffa64
Merge branch 'main' into ueba-9.4-euid-update
jmcarlock Mar 10, 2026
5adcdef
update documentation to match kibana PR
jmcarlock Mar 10, 2026
217f67b
fix ml job/transform fields
jmcarlock Mar 12, 2026
6544e7a
fix PAD ML job formatting
jmcarlock Mar 12, 2026
e3b1834
Update changelog links, fix HTA version
jmcarlock Mar 12, 2026
05d7410
fix version in readme
jmcarlock Mar 12, 2026
e606be9
fix version in readme
jmcarlock Mar 12, 2026
ca76ede
Update packages/lmd/docs/README.md
jmcarlock Mar 12, 2026
6967f08
add `host.name` for Okta ML transforms/influencers. fix datafeed for …
jmcarlock Mar 12, 2026
34d07b0
documentation consistency fix
jmcarlock Mar 12, 2026
87b8007
add more verbose descriptions to changelog
jmcarlock Mar 12, 2026
8804e56
fix index pattern in dashboard docs
jmcarlock Mar 12, 2026
c669892
change Okta ML job partition fields to `user.name`, add `user.name` as…
jmcarlock Mar 16, 2026
fbe77bd
add `user.name` to okta pivot transform mappings
jmcarlock Mar 18, 2026
871b1cf
change `on_failure` processor to set as `event.kind` is not an array
jmcarlock Mar 19, 2026
c196362
Fix broken anchor links in detection docs
theletterf Mar 25, 2026
10757b9
Merge main into ueba-9.4-euid-update to resolve conflicts
jmcarlock Mar 25, 2026
6c8c1d7
PAD readme fixes
jmcarlock Mar 25, 2026
9432801
PAD Windows dashboard/rare region job fixes
jmcarlock Mar 26, 2026
1fb8987
add missing by/over/partition field names to influencers
jmcarlock Mar 26, 2026
6bc505c
add additional influencers fields from `field_name`
jmcarlock Mar 26, 2026
883a6a2
Update packages/ded/docs/README.md
jmcarlock Mar 31, 2026
16f3ea6
update readmes for concurrent rule release
jmcarlock Apr 1, 2026
1e9b260
Add filter field data for transforms and jobs to readmes, improve doc…
jmcarlock Apr 6, 2026
559e4bb
bump manifest version/add to changelog for Beaconing
jmcarlock Apr 7, 2026
3ccc6eb
Merge branch 'main' into ueba-9.4-euid-update
jmcarlock Apr 9, 2026
c17b803
bump beaconing transform version to 1.5.4 to match manifest
jmcarlock Apr 10, 2026
a811a31
pin minimum Kibana version to 9.4.0, update documentation
jmcarlock Apr 10, 2026
955169b
Merge branch 'main' into ueba-9.4-euid-update
jmcarlock Apr 10, 2026
5 changes: 5 additions & 0 deletions packages/beaconing/changelog.yml
@@ -1,3 +1,8 @@
- version: "1.5.4"
changes:
- description: Readme improvement
type: enhancement
link: https://github.com/elastic/integrations/pull/17626
- version: "1.5.3"
changes:
- description: Update documentation for blogs
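Review bot: the 1.5.4 entry's `- description: Readme improvement` does not say what changed; the README hunk in this PR adds an "Event Category" column to the transform table and the transform assets move to the 1.5.4 index and pipeline names. A description such as `Add Event Category column to the transform table in the README` keeps the changelog searchable for anyone later wondering why ml_beaconing-1.5.4 appeared.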
6 changes: 3 additions & 3 deletions packages/beaconing/docs/README.md
Expand Up @@ -32,11 +32,11 @@

To inspect the installed assets, you can navigate to **Stack Management > Data > Transforms**.

| Transform name | Purpose | Source index | Destination index | Alias | Supported Platforms |
|---------------------------|----------------------------------------------|--------------|-------------------------|------------------|-----------------------|
| beaconing.pivot_transform | Flags beaconing activity in your environment | logs-* | ml_beaconing-[version] | ml_beaconing.all | Linux, macOS, Windows |
| Transform name | Purpose | Source index | Destination index | Alias | Supported Platform | Event Category |
|---------------------------|----------------------------------------------|--------------|------------------------|------------------|-----------------------|----------------|
| beaconing.pivot_transform | Flags beaconing activity in your environment | logs-* | ml_beaconing-[version] | ml_beaconing.all | Linux, macOS, Windows | network |

When querying the destination index to enquire about beaconing activities, we advise using the alias for the destination index (`ml_beaconing.all`). In the event that the underlying package is upgraded, the alias will aid in maintaining the previous findings.

GitHub Actions / Lint Documentation notice on line 39 of packages/beaconing/docs/README.md: Elastic.Wordiness: Consider using 'if' instead of 'In the event that'.

**Note**: If you want to modify any of the package components, you can install the package manually by following [these steps](https://github.com/elastic/detection-rules/blob/main/docs/experimental-machine-learning/beaconing.md).
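Review bot: the new table header reads "Supported Platform" (singular) while the cell still lists "Linux, macOS, Windows"; keep the original "Supported Platforms". The lint notice on line 39 is easy to clear in the same hunk: "If the package is upgraded, the alias keeps the previous findings reachable" says the same thing as the current sentence. The README also only mentions `ml_beaconing.all`, whereas the transform in this PR maintains `ml_beaconing.latest` with `move_on_creation: true`; one sentence on when to query `.all` versus `.latest` would save readers a trip to the transform YAML.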

@@ -1,6 +1,6 @@
dest:
index: ml_beaconing-1.5.3
pipeline: 1.5.3-ml_beaconing_ingest_pipeline
index: ml_beaconing-1.5.4
pipeline: 1.5.4-ml_beaconing_ingest_pipeline
aliases:
- alias: ml_beaconing.latest
move_on_creation: true
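Review bot: `pipeline: 1.5.4-ml_beaconing_ingest_pipeline` is renamed here, but no ingest pipeline asset is part of this diff; confirm the package's pipeline definition carries the same 1.5.4 prefix, because a transform whose `dest.pipeline` does not exist fails to start or to index into the new `ml_beaconing-1.5.4` index, and the `ml_beaconing.latest` alias is then moved onto an empty index.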
Expand Down Expand Up @@ -394,5 +394,5 @@ sync:
delay: 120s
field: "@timestamp"
_meta:
fleet_transform_version: 1.5.3
fleet_transform_version: 1.5.4
run_as_kibana_system: false
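Review bot: `fleet_transform_version: 1.5.4` is the third place in this file that must agree with the manifest version (together with `dest.index` and `dest.pipeline`), and commit c17b803 ("bump beaconing transform version to 1.5.4 to match manifest") shows the values already drifted once during this PR. A package test that asserts all three equal the manifest `version` would stop that recurring.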
2 changes: 1 addition & 1 deletion packages/beaconing/manifest.yml
@@ -1,7 +1,7 @@
format_version: 3.0.0
name: beaconing
title: "Network Beaconing Identification"
version: 1.5.3
version: 1.5.4
source:
license: "Elastic-2.0"
description: "Package to identify beaconing activity in your network events."
5 changes: 5 additions & 0 deletions packages/ded/changelog.yml
@@ -1,3 +1,8 @@
- version: "3.0.0"
changes:
- description: Adds new fields for entity resolution with Entity Analytics in Elastic Stack 9.4. Includes new ML jobs, transforms, and dashboards.
type: enhancement
link: https://github.com/elastic/integrations/pull/17626
- version: "2.4.2"
changes:
- description: Update documentation for blogs/data views
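Review bot: `type: enhancement` undersells a 3.0.0 bump that renames the destination index to `ml_network_ded_ea-3.0.0` and its aliases to `ml_network_ded_ea.latest` and `ml_network_ded_ea.all`; anything still reading `ml_network_ded.all` stops receiving new results. Mark the entry as a breaking change and state the new alias names and the Kibana 9.4.0 minimum introduced in commit a811a31 in the description, since that is where upgrade notes get read.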
78 changes: 58 additions & 20 deletions packages/ded/docs/README.md

Large diffs are not rendered by default.

@@ -1,7 +1,13 @@
- external: ecs
name: host.name
- external: ecs
name: host.id
- external: ecs
name: user.name
- external: ecs
name: user.id
- external: ecs
name: event.module
- external: ecs
name: event.category
- external: ecs
Expand All @@ -27,4 +33,4 @@
- external: ecs
name: destination.geo.region_name
- external: ecs
name: destination.geo.city_name
name: destination.geo.city_name
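Review bot: `host.id` and `user.id` are declared here and match the new pivot `group_by` keys in the transform, so the mapping side is consistent; the repeated final `name: destination.geo.city_name` line is just the missing trailing newline being added. What is not consistent is the consumer side: the new dashboard JSON in this PR still buckets on `host.name` and `user.name` only, so the id fields are indexed but never surfaced; decide whether the dashboard tables and the ML job influencers should carry them too.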
@@ -1,12 +1,12 @@

dest:
index: ml_network_ded-2.4.2
index: ml_network_ded_ea-3.0.0
aliases:
- alias: ml_network_ded.latest
- alias: ml_network_ded_ea.latest
move_on_creation: true
- alias: ml_network_ded.all
- alias: ml_network_ded_ea.all
move_on_creation: false
pipeline: 2.4.2-ml_ded_ingest_pipeline
pipeline: 3.0.0-ml_ded_ingest_pipeline
description: This transform runs every 30 minutes and collects network logs to detect data exfiltration in your environment for the past month up to the runtime.
frequency: 30m
pivot:
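Review bot: naming inside this hunk is inconsistent: the index and both aliases gain an `_ea` suffix (`ml_network_ded_ea-3.0.0`, `ml_network_ded_ea.latest`, `ml_network_ded_ea.all`) while the pipeline stays `3.0.0-ml_ded_ingest_pipeline`; pick one convention so the assets are greppable. The bigger issue is that renaming the aliases abandons `ml_network_ded.latest` and `ml_network_ded.all`, which the previous README and any user-built dashboards or rules reference; either document the rename prominently or keep the old aliases alongside the new ones for a transition release.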
Expand All @@ -21,9 +21,18 @@ pivot:
'host.name':
terms:
field: host.name
host.id:
terms:
field: host.id
'user.name':
terms:
field: user.name
user.id:
terms:
field: user.id
event.module:
terms:
field: event.module
'network.direction':
terms:
field: network.direction
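Review bot: adding `host.id`, `user.name` and `user.id` as `terms` group_by keys changes which documents the pivot emits: a pivot drops any document that has no value for one of its group_by fields unless that group sets `missing_bucket: true`, so every network event that is not attributed to a user disappears from `ml_network_ded_ea` as soon as this transform runs. If that is not intended, add the flag to the new groups, e.g. `user.id:` / `terms:` / `field: user.id` followed by `missing_bucket: true`. Nit: keys are quoted inconsistently (`'host.name'`, `'user.name'` versus `host.id`, `user.id`, `event.module`).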
Expand Down Expand Up @@ -94,5 +103,5 @@ sync:
delay: 120s
field: "@timestamp"
_meta:
fleet_transform_version: 2.4.2
fleet_transform_version: 3.0.0
run_as_kibana_system: false
@@ -0,0 +1,57 @@
{
"attributes": {
"description": "This dashboard provides an overview of anomalies found for Data Exfiltration Detection package.",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"(job_id: \\\"ded_high_sent_bytes_destination_geo_country_iso_code_ea\\\" or job_id: \\\"ded_high_bytes_written_to_external_device_airdrop_ea\\\" or job_id: \\\"ded_high_bytes_written_to_external_device_ea\\\" or job_id: \\\"ded_rare_process_writing_to_external_device_ea\\\" or job_id: \\\"ded_high_sent_bytes_destination_ip_ea\\\" or job_id : \\\"ded_high_sent_bytes_destination_port_ea\\\" or job_id: \\\"ded_high_sent_bytes_destination_region_name_ea\\\") \",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"result_type\",\"field\":\"result_type\",\"type\":\"phrase\",\"params\":{\"query\":\"record\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"result_type\":\"record\"}},\"$state\":{\"store\":\"appState\"}}]}"
},
"optionsJSON": {
"hidePanelTitles": false,
"syncColors": false,
"syncTooltips": false,
"useMargins": true
},
"panelsJSON": "[{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":15,\"y\":0,\"w\":16,\"h\":8,\"i\":\"109fb1af-bae3-45a3-8284-8206b08ca0ca\"},\"panelIndex\":\"109fb1af-bae3-45a3-8284-8206b08ca0ca\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"name\":\"indexpattern-datasource-layer-7236397d-5baf-4a72-b0ca-eb888f30103b\",\"id\":\".ml-anomalies-shared\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"7236397d-5baf-4a72-b0ca-eb888f30103b\",\"accessor\":\"6c8e42f3-f21c-4c6b-b9a1-2d855f08ee8f\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"7236397d-5baf-4a72-b0ca-eb888f30103b\":{\"columns\":{\"6c8e42f3-f21c-4c6b-b9a1-2d855f08ee8f\":{\"label\":\"Total affected hosts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"6c8e42f3-f21c-4c6b-b9a1-2d855f08ee8f\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":8,\"w\":23,\"h\":15,\"i\":\"218d787c-8b8a-4c8d-9597-89fde21e354e\"},\"panelIndex\":\"218d787c-8b8a-4c8d-9597-89fde21e354e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"name\":\"indexpattern-datasource-layer-4abb92df-6c5d-4ff8-a859-fc293ce60e70\",\"id\":\".ml-anomalies-shared\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"b04943cf-244d-4202-a241-5016f157fcf3\",\"isTransposed\":false},{\"columnId\":\"632aca7c-068e-42ca-ad9b-0533ab38d466\",\"isTransposed\":false}],\"layerId\":\"4abb92df-6c5d-4ff8-a859-fc293ce60e70\",\"layerType\":\"data\"
},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4abb92df-6c5d-4ff8-a859-fc293ce60e70\":{\"columns\":{\"b04943cf-244d-4202-a241-5016f157fcf3\":{\"label\":\"host.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"632aca7c-068e-42ca-ad9b-0533ab38d466\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"}},\"customLabel\":true},\"632aca7c-068e-42ca-ad9b-0533ab38d466\":{\"label\":\"Number of anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"b04943cf-244d-4202-a241-5016f157fcf3\",\"632aca7c-068e-42ca-ad9b-0533ab38d466\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 20 Hosts Associated with Data Exfiltration 
Activity\"},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":23,\"y\":8,\"w\":25,\"h\":15,\"i\":\"b7d80672-3c60-441e-9edb-b05fa96e88d1\"},\"panelIndex\":\"b7d80672-3c60-441e-9edb-b05fa96e88d1\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"name\":\"indexpattern-datasource-layer-daaccc7d-bf90-4a63-848e-6181389ee601\",\"id\":\".ml-anomalies-shared\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"daaccc7d-bf90-4a63-848e-6181389ee601\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"baa67605-1ebc-418d-bd21-8254b22c0faf\"},{\"columnId\":\"acf8d722-a0dd-4eb9-9fac-1d784fc668fa\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"daaccc7d-bf90-4a63-848e-6181389ee601\":{\"columns\":{\"baa67605-1ebc-418d-bd21-8254b22c0faf\":{\"label\":\"process.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.name\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"acf8d722-a0dd-4eb9-9fac-1d784fc668fa\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"}},\"customLabel\":true},\"acf8d722-a0dd-4eb9-9fac-1d784fc668fa\":{\"label\":\"Number of anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"baa67605-1ebc-418d-bd21-8254b22c0faf\",\"acf8d722-a0dd-4eb9-9fac-1d784fc668fa\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 20 Processes Associated with Data Exfiltration 
Activity\"},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":23,\"w\":23,\"h\":15,\"i\":\"ff5d0e30-1f8f-4577-bd30-8458a3d3f93c\"},\"panelIndex\":\"ff5d0e30-1f8f-4577-bd30-8458a3d3f93c\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"name\":\"indexpattern-datasource-layer-d052422b-7069-4cc7-938c-a7802f3eb8cb\",\"id\":\".ml-anomalies-shared\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"d052422b-7069-4cc7-938c-a7802f3eb8cb\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"f3be7369-746c-4e7e-b75d-c431d55783ec\"},{\"columnId\":\"524a43f5-836a-4bca-9631-de7fa1e4335d\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"d052422b-7069-4cc7-938c-a7802f3eb8cb\":{\"columns\":{\"f3be7369-746c-4e7e-b75d-c431d55783ec\":{\"label\":\"host.name > user.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"524a43f5-836a-4bca-9631-de7fa1e4335d\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"multi_terms\"},\"secondaryFields\":[\"user.name\"]},\"customLabel\":true},\"524a43f5-836a-4bca-9631-de7fa1e4335d\":{\"label\":\"Number of anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"f3be7369-746c-4e7e-b75d-c431d55783ec\",\"524a43f5-836a-4bca-9631-de7fa1e4335d\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 20 User-Host Combinations Associated with Data Exfiltration 
Activity\"},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":23,\"y\":23,\"w\":25,\"h\":15,\"i\":\"cb0d405a-f0d2-4328-a3bc-d50e842749f3\"},\"panelIndex\":\"cb0d405a-f0d2-4328-a3bc-d50e842749f3\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsChoropleth\",\"type\":\"lens\",\"references\":[{\"name\":\"indexpattern-datasource-layer-f97661af-4480-48ea-85a1-33c65e062d97\",\"id\":\".ml-anomalies-shared\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"f97661af-4480-48ea-85a1-33c65e062d97\",\"layerType\":\"data\",\"regionAccessor\":\"6fac8510-1db9-4b36-bb2a-737f6782ef33\",\"valueAccessor\":\"178e2b00-2c49-4971-bd7b-f6acc6d00cf6\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"f97661af-4480-48ea-85a1-33c65e062d97\":{\"columns\":{\"6fac8510-1db9-4b36-bb2a-737f6782ef33\":{\"label\":\" destination.geo.country_iso_code\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"destination.geo.country_iso_code\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"178e2b00-2c49-4971-bd7b-f6acc6d00cf6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"}},\"customLabel\":true},\"178e2b00-2c49-4971-bd7b-f6acc6d00cf6\":{\"label\":\"Number of anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"6fac8510-1db9-4b36-bb2a-737f6782ef33\",\"178e2b00-2c49-4971-bd7b-f6acc6d00cf6\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 20 Geo Locations Associated with Data Exfiltration Activity by ISO 
Code\"},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":38,\"w\":48,\"h\":13,\"i\":\"c2a276c9-b22f-4791-afd6-e0eee9b6cc05\"},\"panelIndex\":\"c2a276c9-b22f-4791-afd6-e0eee9b6cc05\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-11e91ade-6c94-46e8-96e7-592f5e522898\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"fa763272-957c-4ed5-a494-8ee580023bcc\",\"isTransposed\":false},{\"columnId\":\"429585bf-154f-49ec-97cd-009752a01a59\",\"isTransposed\":false}],\"layerId\":\"11e91ade-6c94-46e8-96e7-592f5e522898\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"11e91ade-6c94-46e8-96e7-592f5e522898\":{\"columns\":{\"fa763272-957c-4ed5-a494-8ee580023bcc\":{\"label\":\"File name > File path > External device type\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"file.name\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"429585bf-154f-49ec-97cd-009752a01a59\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"multi_terms\"},\"secondaryFields\":[\"file.path\",\"file.Ext.device.bus_type\"]},\"customLabel\":true},\"429585bf-154f-49ec-97cd-009752a01a59\":{\"label\":\"Number of anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"fa763272-957c-4ed5-a494-8ee580023bcc\",\"429585bf-154f-49ec-97cd-009752a01a59\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 20 File names, File paths and 
External device type Combinations Associated with Data Exfiltration Activity\"}]",
"timeRestore": false,
"title": "Data Exfiltration Detection Dashboard (Entity Analytics)",
"version": 2
},
"coreMigrationVersion": "8.5.1",
"id": "ded-ea-c0d7f060-7a6b-11ed-9b26-4bb95b2c57a6",
"migrationVersion": {
"dashboard": "8.5.0"
},
"references": [
{
"id": ".ml-anomalies-shared",
"name": "109fb1af-bae3-45a3-8284-8206b08ca0ca:indexpattern-datasource-layer-7236397d-5baf-4a72-b0ca-eb888f30103b",
"type": "index-pattern"
},
{
"id": ".ml-anomalies-shared",
"name": "218d787c-8b8a-4c8d-9597-89fde21e354e:indexpattern-datasource-layer-4abb92df-6c5d-4ff8-a859-fc293ce60e70",
"type": "index-pattern"
},
{
"id": ".ml-anomalies-shared",
"name": "b7d80672-3c60-441e-9edb-b05fa96e88d1:indexpattern-datasource-layer-daaccc7d-bf90-4a63-848e-6181389ee601",
"type": "index-pattern"
},
{
"id": ".ml-anomalies-shared",
"name": "ff5d0e30-1f8f-4577-bd30-8458a3d3f93c:indexpattern-datasource-layer-d052422b-7069-4cc7-938c-a7802f3eb8cb",
"type": "index-pattern"
},
{
"id": ".ml-anomalies-shared",
"name": "cb0d405a-f0d2-4328-a3bc-d50e842749f3:indexpattern-datasource-layer-f97661af-4480-48ea-85a1-33c65e062d97",
"type": "index-pattern"
},
{
"id": ".ml-anomalies-shared",
"name": "c2a276c9-b22f-4791-afd6-e0eee9b6cc05:indexpattern-datasource-layer-11e91ade-6c94-46e8-96e7-592f5e522898",
"type": "index-pattern"
}
],
"type": "dashboard"
}
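Review bot: all six panel references point at an index-pattern saved object with id `.ml-anomalies-shared`, but no data view is part of this PR; confirm the package ships it or that Kibana ML creates it on install, otherwise every panel renders a missing-data-view error. The "Top 20 User-Host Combinations" panel buckets on `host.name` with `user.name` as the secondary field, which is the pre-entity-resolution key; given this PR adds `host.id` and `user.id` specifically for entity resolution, consider showing the id fields alongside the names. Nit: the KQL in `searchSourceJSON` mixes `job_id:` and `job_id :` (the `ded_high_sent_bytes_destination_port_ea` clause) and ends with a stray space before the closing quote.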