[SIEM] Overview Page - Expand Winlogbeat Stats #54938

andrewkroh · 2020-01-15T17:36:31Z

The overview page has stats about various data sources. For Winlogbeat I think it would be good to show the number of events Winlogbeat is getting from the Security and Microsoft-Windows-Sysmon/Operational channels.

This query returns those stats:

GET winlogbeat-*/_search
{
  "query": {
    "terms": {
      "winlog.channel": [
        "Microsoft-Windows-Sysmon/Operational",
        "Security"
      ]
    }
  },
  "aggs": {
    "event_count": {
      "terms": {
        "field": "winlog.channel"
      }
    }
  },
  "size": 0
}

The text was updated successfully, but these errors were encountered:

elasticmachine · 2020-01-15T17:36:33Z

Pinging @elastic/siem (Team:SIEM)

andrewkroh added the Team:SIEM label Jan 15, 2020

patrykkopycinski self-assigned this Jan 23, 2020

patrykkopycinski mentioned this issue Jan 23, 2020

[SIEM] Overview Page - Expand Winlogbeat Stats #55696

Merged

7 tasks

MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Oct 27, 2020

buzzdeee mentioned this issue Dec 2, 2020

[Security Solution] Stats for Microsoft-Windows-Sysmon/Operational always 0 in Overview page #84755

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[SIEM] Overview Page - Expand Winlogbeat Stats #54938

[SIEM] Overview Page - Expand Winlogbeat Stats #54938

andrewkroh commented Jan 15, 2020

elasticmachine commented Jan 15, 2020

[SIEM] Overview Page - Expand Winlogbeat Stats #54938

[SIEM] Overview Page - Expand Winlogbeat Stats #54938

Comments

andrewkroh commented Jan 15, 2020

elasticmachine commented Jan 15, 2020