
[Network Packet Capture] Convert Dashboards to lens, add pipeline errors and format_versions #6117

Merged
merged 28 commits into from
May 15, 2023

Conversation

P1llus
Member

@P1llus P1llus commented May 8, 2023

What does this PR do?

This is part of a bigger cleanup that relates to https://github.com/elastic/security-team/issues/5910.

The tasks, when applicable, were:

  • Update format_version to 2.6.0+
  • Update on_failure to include proper event.kind.
  • Update on_failure error message to be more descriptive
  • Add processor tags for on_failure message
  • If system/pipeline tests are missing, add them when possible. (Removed one broken)
  • If dashboards exist, replace with lens when needed, update dashboards if applicable.

Dashboard changes:

  1. All table of contents.
  2. Convert all to lens.
  3. Add/remove/rename certain visualizations to fit the layout and usefulness better
  4. Changed layout a bit.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Testing

Use commit 70d11d1 for testing
I have temporarily added interface options to each datastream to help with testing; it will be removed before merging. The steps to test this are:

  1. Copy the PCAP files not including the folder, from the _dev/deploy/docker/pcaps/* folder to ~/.elastic-package/tmp/service_logs/*
  2. Bring up the stack (version 8.6.2).
  3. Once everything is up and healthy, you can run the below snippet in Kibana Dev tools. It will update the agent policy to enable all protocols, and point them to their respective pcap files.
    One note, is that since we have to use a direct reference to the pcap files, if you want to ingest more test-data, you would have to manually update the agent policy, and change the path to another pcap, save, wait for the ingest to finish, then change it again etc.

EDIT: Updated step 1, to make it more specific.

Test policy:

POST kbn:/api/fleet/package_policies
{
  "policy_id": "elastic-agent-managed-ep",
  "package": {
    "name": "network_traffic",
    "version": "1.16.0"
  },
  "name": "network_traffic-1",
  "description": "",
  "namespace": "default",
  "inputs": {
    "network-packet": {
      "enabled": true,
      "vars": {
        "never_install": false
      },
      "streams": {
        "network_traffic.amqp": {
          "enabled": true,
          "vars": {
            "interface": "/tmp/service_logs/amqp_channel_error.pcap",
            "port": [
              5672
            ],
            "geoip_enrich": true,
            "tags": []
          }
        },
        "network_traffic.cassandra": {
          "enabled": true,
          "vars": {
            "interface": "/tmp/service_logs/cassandra_mixed_frame.pcap",
            "port": [
              9042
            ],
            "geoip_enrich": true,
            "ignored_ops": [],
            "tags": []
          }
        },
        "network_traffic.dhcpv4": {
          "enabled": true,
          "vars": {
            "interface": "/tmp/service_logs/dhcp.pcap",
            "port": [
              67,
              68
            ],
            "geoip_enrich": true,
            "tags": []
          }
        },
        "network_traffic.dns": {
          "enabled": true,
          "vars": {
            "interface": "/tmp/service_logs/dns_ns.pcap",
            "port": [
              53
            ],
            "geoip_enrich": true,
            "tags": []
          }
        },
        "network_traffic.flow": {
          "enabled": true,
          "vars": {
            "interface": "/tmp/service_logs/http_10_connection_close.pcap",
            "geoip_enrich": true,
            "period": "10s",
            "timeout": "30s",
            "tags": []
          }
        },
        "network_traffic.http": {
          "enabled": true,
          "vars": {
            "interface": "/tmp/service_logs/http_10_connection_close.pcap",
            "port": [
              80,
              8080,
              8000,
              5000,
              8002
            ],
            "hide_keywords": [],
            "send_headers": [],
            "redact_headers": [],
            "include_body_for": [],
            "include_request_body_for": [],
            "include_response_body_for": [],
            "tags": []
          }
        },
        "network_traffic.icmp": {
          "enabled": true,
          "vars": {
            "interface": "/tmp/service_logs/icmp4_ping_over_vlan.pcap",
            "geoip_enrich": true,
            "tags": []
          }
        },
        "network_traffic.memcached": {
          "enabled": true,
          "vars": {
            "interface": "/tmp/service_logs/memcache_bin_tcp_stats.pcap",
            "port": [
              11211
            ],
            "geoip_enrich": true,
            "tags": []
          }
        },
        "network_traffic.mongodb": {
          "enabled": true,
          "vars": {
            "interface": "/tmp/service_logs/mongo_3.0_session.pcap",
            "port": [
              27017
            ],
            "geoip_enrich": true,
            "tags": []
          }
        },
        "network_traffic.mysql": {
          "enabled": true,
          "vars": {
            "interface": "/tmp/service_logs/mysql_long.pcap",
            "port": [
              3306,
              3307
            ],
            "geoip_enrich": true,
            "tags": []
          }
        },
        "network_traffic.nfs": {
          "enabled": true,
          "vars": {
            "interface": "/tmp/service_logs/nfs_v4.pcap",
            "port": [
              2049
            ],
            "geoip_enrich": true,
            "tags": []
          }
        },
        "network_traffic.pgsql": {
          "enabled": true,
          "vars": {
            "interface": "/tmp/service_logs/pgsql_long_result.pcap",
            "port": [
              5432
            ],
            "geoip_enrich": true,
            "tags": []
          }
        },
        "network_traffic.redis": {
          "enabled": true,
          "vars": {
            "interface": "/tmp/service_logs/redis_session.pcap",
            "port": [
              "6380"
            ],
            "geoip_enrich": true,
            "tags": []
          }
        },
        "network_traffic.sip": {
          "enabled": true,
          "vars": {
            "interface": "/tmp/service_logs/sip.pcap",
            "port": [
              5060
            ],
            "geoip_enrich": true,
            "use_tcp": false,
            "tags": []
          }
        },
        "network_traffic.thrift": {
          "enabled": true,
          "vars": {
            "interface": "/tmp/service_logs/thrift_integration.pcap",
            "port": [
              9090
            ],
            "geoip_enrich": true,
            "idl_files": [],
            "tags": []
          }
        },
        "network_traffic.tls": {
          "enabled": true,
          "vars": {
            "interface": "/tmp/service_logs/tls-version-13.pcap",
            "port": [
              443,
              993,
              995,
              5223,
              8443,
              8883,
              9243
            ],
            "geoip_enrich": true,
            "fingerprints": [],
            "tags": []
          }
        }
      }
    }
  }
}

Related issues

Screenshots (Somewhat limited due to test data available, but working fine).

Overview
newOverview1
newOverview2

Mysql:
newMYSQL1
newMYSQL2

NFS:
newNFS1
newNFS2

PGSQL:
newpg1
newpg2

Thrift:
newThrift1
newThrift2

Cassandra:
newCassandra1

DHCP:
newDHCP1

DNS:
newDNS1
newDNS2

HTTP:
newHTTP1
newHTTP2

MongoDB:
newMongo1
newMongo2
newMongo3
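A sanity check for the test policy above, added here as an example and not part of the PR or the network_traffic package: each stream's `interface` must name a pcap that really exists in elastic-package's service_logs directory (the host side of the `/tmp/service_logs` path the agent sees, by default `~/.elastic-package/tmp/service_logs`), and `port` entries must be integers. The stream subset and the temp directory are constructed; the host directory mapping is assumed from the testing steps.

```python
"""Check a network_traffic test package policy before POSTing it to Fleet.

Constructed example, not part of the PR: a stream whose pcap is missing or
whose port list holds a string captures nothing and fails silently, so it is
cheaper to catch that before the agent policy is updated.
"""
import os
import tempfile

CONTAINER_PREFIX = "/tmp/service_logs/"  # path as seen by the agent container

# Constructed subset of the PR's test policy; redis carries a string port.
POLICY_STREAMS = {
    "network_traffic.dns": {"interface": "/tmp/service_logs/dns_ns.pcap", "port": [53]},
    "network_traffic.redis": {"interface": "/tmp/service_logs/redis_session.pcap", "port": ["6380"]},
    "network_traffic.tls": {"interface": "/tmp/service_logs/tls-version-13.pcap", "port": [443, 8443]},
}


def check_streams(streams, service_logs_dir):
    """Return a list of problems; an empty list means the policy is consistent."""
    problems = []
    for name, vars_ in streams.items():
        iface = vars_.get("interface", "")
        if not iface.startswith(CONTAINER_PREFIX):
            problems.append(f"{name}: interface {iface!r} is not under {CONTAINER_PREFIX}")
        else:
            # Translate the container path back to the host directory the pcaps were copied to.
            host_path = os.path.join(service_logs_dir, iface[len(CONTAINER_PREFIX):])
            if not os.path.isfile(host_path):
                problems.append(f"{name}: pcap missing on host: {host_path}")
        for p in vars_.get("port", []):
            # JSON "6380" is a str, which the integer port var will not accept.
            if not isinstance(p, int) or not 0 < p < 65536:
                problems.append(f"{name}: port {p!r} must be an integer in 1-65535")
    return problems


def demo():
    """Run the check against a temp dir holding two of the three pcaps (tls is absent)."""
    with tempfile.TemporaryDirectory() as d:
        for fname in ("dns_ns.pcap", "redis_session.pcap"):
            open(os.path.join(d, fname), "wb").close()
        return check_streams(POLICY_STREAMS, d)


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

Run it against the real directory with `check_streams(streams, os.path.expanduser("~/.elastic-package/tmp/service_logs"))` after loading the policy JSON and taking `inputs["network-packet"]["streams"][name]["vars"]` for each stream.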

@P1llus
Member Author

P1llus commented May 8, 2023

Initial draft added everything except dashboards; the next commits will add them in. Will keep it in draft for now.

@P1llus P1llus changed the title Package network capture dashboardupdate2 [Network Packet Capture] Convert Dashboards to lens, add pipeline errors and format_versions May 8, 2023
@elasticmachine

elasticmachine commented May 8, 2023

💚 Build Succeeded


Build stats

  • Start Time: 2023-05-15T10:51:28.889+0000

  • Duration: 58 min 54 sec

Test stats 🧪

Test Results
Failed 0
Passed 153
Skipped 0
Total 153


To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@elasticmachine

elasticmachine commented May 8, 2023

🌐 Coverage report

Name Metrics % (covered/total) Diff
Packages 100.0% (0/0) 💚
Files 100.0% (0/0) 💚
Classes 100.0% (0/0) 💚
Methods 75.0% (48/64) 👎 -21.154
Lines 100.0% (0/0) 💚
Conditionals 100.0% (0/0) 💚

@P1llus P1llus marked this pull request as ready for review May 10, 2023 12:03
@P1llus P1llus requested a review from a team as a code owner May 10, 2023 12:03
@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@P1llus
Member Author

P1llus commented May 10, 2023

This does not include data views yet, to fix field collisions with Cloud Security Posture, will look into that before merging.

@@ -3,6 +3,11 @@ type: logs
streams:
- input: packet
vars:
- name: interface
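Review bot: the `- name: interface` var added under `vars:` here is, per the author's own comment, temporary scaffolding for testers that must not ship; only the var's `name` is visible out of the 5 lines this hunk adds, so before merge please confirm the whole block (and the matching one in every other datastream manifest) is reverted, otherwise a per-protocol interface option that packetbeat does not honour would be exposed to users as if it worked.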
Member Author

This will be removed before merge; it's to help with people testing, see PR description.
While we would have wanted this to be included, apparently packetbeat does not support different interfaces for different protocols, but it does work with pcaps.

@@ -6,6 +6,11 @@ streams:
description: Track Network Flows
template_path: flow.yml.hbs
vars:
- name: interface
Member Author

This will be removed before merge; it's to help with people testing, see PR description.
While we would have wanted this to be included, apparently packetbeat does not support different interfaces for different protocols, but it does work with pcaps.

@P1llus
Member Author

P1llus commented May 11, 2023

Added new and better screenshots. Tests are most likely failing due to the test-specific commit I added in; it will go back to green once it's removed (once people have had the opportunity to test).

@P1llus
Member Author

P1llus commented May 11, 2023

Seems like some of the filters even reference data views; will have to re-add all filters to remove any reference to logs-*

@P1llus P1llus merged commit c9d9afc into elastic:main May 15, 2023
@elasticmachine

Package network_traffic - 1.16.0 containing this change is available at https://epr.elastic.co/search?package=network_traffic

Labels
enhancement New feature or request Integration:network_traffic Network Packet Capture