diff --git a/filebeat/docs/images/filebeat-threatintel-abuse-malware.png b/filebeat/docs/images/filebeat-threatintel-abuse-malware.png
new file mode 100644
index 00000000000..85f0a9d1370
Binary files /dev/null and b/filebeat/docs/images/filebeat-threatintel-abuse-malware.png differ
diff --git a/filebeat/docs/images/filebeat-threatintel-abuse-url.png b/filebeat/docs/images/filebeat-threatintel-abuse-url.png
new file mode 100644
index 00000000000..20cf2e6bbd3
Binary files /dev/null and b/filebeat/docs/images/filebeat-threatintel-abuse-url.png differ
diff --git a/filebeat/docs/images/filebeat-threatintel-alienvault-otx.png b/filebeat/docs/images/filebeat-threatintel-alienvault-otx.png
new file mode 100644
index 00000000000..d17d6f24b87
Binary files /dev/null and b/filebeat/docs/images/filebeat-threatintel-alienvault-otx.png differ
diff --git a/filebeat/docs/images/filebeat-threatintel-anomali-limo.png b/filebeat/docs/images/filebeat-threatintel-anomali-limo.png
new file mode 100644
index 00000000000..3653000bc87
Binary files /dev/null and b/filebeat/docs/images/filebeat-threatintel-anomali-limo.png differ
diff --git a/filebeat/docs/images/filebeat-threatintel-misp.png b/filebeat/docs/images/filebeat-threatintel-misp.png
new file mode 100644
index 00000000000..5c456a9f7af
Binary files /dev/null and b/filebeat/docs/images/filebeat-threatintel-misp.png differ
diff --git a/filebeat/docs/images/filebeat-threatintel-overview.png b/filebeat/docs/images/filebeat-threatintel-overview.png
new file mode 100644
index 00000000000..9dae3a3e435
Binary files /dev/null and b/filebeat/docs/images/filebeat-threatintel-overview.png differ
diff --git a/filebeat/docs/modules/threatintel.asciidoc b/filebeat/docs/modules/threatintel.asciidoc
index 3f7c3b0d843..588ff726e02 100644
--- a/filebeat/docs/modules/threatintel.asciidoc
+++ b/filebeat/docs/modules/threatintel.asciidoc
@@ -6,7 +6,7 @@ This file is generated! See scripts/docs_collector.py [role="xpack"] :modulename: threatintel -:has-dashboards: false +:has-dashboards: true == Threat Intel module beta[] @@ -341,6 +341,49 @@ Anomali Threat Intel is mapped to the following ECS fields. `anomali.pattern` is mapped to the appropriate field dependent on attribute type. +:has-dashboards!: + +[float] +=== Dashboards + +This module comes with dashboards for the threat information feeds. + +[role="screenshot"] +image::./images/filebeat-threatintel-overview.png[] + +[float] +Overview of the information provided, and the health of, the Threat Intel module. + +[role="screenshot"] +image::./images/filebeat-threatintel-abuse-malware.png[] + +[float] +Overview of the information provided by the Abuse.ch Malware feed. + +[role="screenshot"] +image::./images/filebeat-threatintel-abuse-url.png[] + +[float] +Overview of the information provided by the Abuse.ch URL feed. + +[role="screenshot"] +image::./images/filebeat-threatintel-alienvault-otx.png[] + +[float] +Overview of the information provided by the AlienVault OTX feed. + +[role="screenshot"] +image::./images/filebeat-threatintel-anomali-limo.png[] + +[float] +Overview of the information provided by the Anomali Limo feed. + +[role="screenshot"] +image::./images/filebeat-threatintel-misp.png[] + +[float] +Overview of the information provided by the MSIP feed. + :modulename!: diff --git a/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc b/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc index 8233811f0ea..bf278ed270f 100644 --- a/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/threatintel/_meta/docs.asciidoc @@ -1,7 +1,7 @@ [role="xpack"] :modulename: threatintel -:has-dashboards: false +:has-dashboards: true == Threat Intel module beta[] 
@@ -336,4 +336,47 @@ Anomali Threat Intel is mapped to the following ECS fields. `anomali.pattern` is mapped to the appropriate field dependent on attribute type. +:has-dashboards!: + +[float] +=== Dashboards + +This module comes with dashboards for the threat information feeds. + +[role="screenshot"] +image::./images/filebeat-threatintel-overview.png[] + +[float] +Overview of the information provided, and the health of, the Threat Intel module. + +[role="screenshot"] +image::./images/filebeat-threatintel-abuse-malware.png[] + +[float] +Overview of the information provided by the Abuse.ch Malware feed. + +[role="screenshot"] +image::./images/filebeat-threatintel-abuse-url.png[] + +[float] +Overview of the information provided by the Abuse.ch URL feed. + +[role="screenshot"] +image::./images/filebeat-threatintel-alienvault-otx.png[] + +[float] +Overview of the information provided by the AlienVault OTX feed. + +[role="screenshot"] +image::./images/filebeat-threatintel-anomali-limo.png[] + +[float] +Overview of the information provided by the Anomali Limo feed. + +[role="screenshot"] +image::./images/filebeat-threatintel-misp.png[] + +[float] +Overview of the information provided by the MSIP feed. + :modulename!: diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/dashboard/Filebeat-threatintel-abuse-url.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/dashboard/Filebeat-threatintel-abuse-url.json new file mode 100644 index 00000000000..2cc53e68cbf --- /dev/null +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/dashboard/Filebeat-threatintel-abuse-url.json 
@@ -0,0 +1,2136 @@ +{ + "objects": [ + { + "attributes": { + "description": "Abuse URL indicators ingested by the threat intel Filebeat module.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "166a6654-675d-4802-b1bf-05a9b95e6547", + "w": 12, + "x": 0, + "y": 0 + }, + "panelIndex": "166a6654-675d-4802-b1bf-05a9b95e6547", + "panelRefName": "panel_0", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "92819fb6-a0a3-4831-881f-de6e9203f3ee", + "w": 14, + "x": 12, + "y": 0 + }, + "panelIndex": "92819fb6-a0a3-4831-881f-de6e9203f3ee", + "panelRefName": "panel_1", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "0d49c092-01ba-4213-b3f4-05f939796184", + "w": 10, + "x": 26, + "y": 0 + }, + "panelIndex": "0d49c092-01ba-4213-b3f4-05f939796184", + "panelRefName": "panel_2", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "ac111656-d2ad-4b02-8c4f-b07ae92cf3f5", + "w": 12, + "x": 36, + "y": 0 + }, + "panelIndex": "ac111656-d2ad-4b02-8c4f-b07ae92cf3f5", + "panelRefName": "panel_3", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 690.5 + } + ] + } + } + }, + "gridData": { + "h": 18, + "i": "0fbd766f-a11e-4287-ab1d-2239068f4aa9", + "w": 16, + "x": 0, + "y": 18 + }, + "panelIndex": "0fbd766f-a11e-4287-ab1d-2239068f4aa9", + "panelRefName": "panel_4", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 494.5 + } + ] + } + 
} + }, + "gridData": { + "h": 18, + "i": "9b7733e0-a86a-4721-a456-2f394577025a", + "w": 12, + "x": 16, + "y": 18 + }, + "panelIndex": "9b7733e0-a86a-4721-a456-2f394577025a", + "panelRefName": "panel_5", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "4bce30b1-9606-4fc7-91af-1890ad0578bd", + "w": 12, + "x": 28, + "y": 18 + }, + "panelIndex": "4bce30b1-9606-4fc7-91af-1890ad0578bd", + "panelRefName": "panel_6", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "2e7f876d-4e18-4dc6-a57f-51c651f90b4c", + "w": 8, + "x": 40, + "y": 18 + }, + "panelIndex": "2e7f876d-4e18-4dc6-a57f-51c651f90b4c", + "panelRefName": "panel_7", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 467.5 + } + ] + } + } + }, + "gridData": { + "h": 18, + "i": "a824f293-41a3-46bf-83c9-1d17fa840fde", + "w": 13, + "x": 0, + "y": 36 + }, + "panelIndex": "a824f293-41a3-46bf-83c9-1d17fa840fde", + "panelRefName": "panel_8", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "91d7b4bf-4a43-4747-91ad-3e2fd201468e", + "w": 11, + "x": 13, + "y": 36 + }, + "panelIndex": "91d7b4bf-4a43-4747-91ad-3e2fd201468e", + "panelRefName": "panel_9", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "f597f182-0cf4-4fab-b0ab-af4e7c74a897", + "w": 24, + "x": 24, + "y": 36 + }, + "panelIndex": "f597f182-0cf4-4fab-b0ab-af4e7c74a897", + "panelRefName": "panel_10", + "version": "7.11.0" + } + ], + "timeRestore": false, + "title": "[Filebeat Threat Intel] Abuse URL", + "version": 1 + }, + "id": "65fa6bc0-72f0-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "dashboard": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": 
"87980f70-72ec-11eb-a3e3-b3cc7c78a70f", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "98d42ee0-76b6-11eb-a3e3-b3cc7c78a70f", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "a7b6e910-72ed-11eb-a3e3-b3cc7c78a70f", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "eba4ec60-72ea-11eb-a3e3-b3cc7c78a70f", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "1adff580-72ee-11eb-a3e3-b3cc7c78a70f", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "62f6daa0-72ee-11eb-a3e3-b3cc7c78a70f", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "ecf74b10-72ec-11eb-a3e3-b3cc7c78a70f", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "44020830-7394-11eb-a3e3-b3cc7c78a70f", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "d5d76c60-72ee-11eb-a3e3-b3cc7c78a70f", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "ea5879c0-72eb-11eb-a3e3-b3cc7c78a70f", + "name": "panel_9", + "type": "visualization" + }, + { + "id": "a1616dd0-72eb-11eb-a3e3-b3cc7c78a70f", + "name": "panel_10", + "type": "visualization" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "dashboard", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNzUsMl0=" + }, + { + "attributes": { + "description": "Abuse URL threat of indicators ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.abuseurl" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.abuseurl" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + 
"field": "threatintel.abuseurl.threat" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.abuseurl.threat", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Abuse URL Threat [Filebeat Threat Intel]", + "uiStateJSON": { + "vis": { + "colors": { + "Count": "#E24D42" + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Abuse URL Threat", + "field": "threatintel.abuseurl.threat", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 200 + }, + "position": "left", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "grid": { + "categoryLines": false + }, + "labels": { + "show": true + }, + "legendPosition": "right", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "lineWidth": 2, + "mode": "normal", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": true, + "rotate": 75, + "show": true, + "truncate": 100 + }, + 
"name": "LeftAxis-1", + "position": "bottom", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "Abuse URL Threat [Filebeat Threat Intel]", + "type": "horizontal_bar" + } + }, + "id": "87980f70-72ec-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNjQsMl0=" + }, + { + "attributes": { + "description": "Tags for Abuse URL indicators ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.abuseurl" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.abuseurl" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.abuseurl.tags" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.abuseurl.tags", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + 
"query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Abuse URL Tags [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Abuse URL Tags", + "field": "threatintel.abuseurl.tags", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Abuse URL Tags [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "98d42ee0-76b6-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNjUsMl0=" + }, + { + "attributes": { + "description": "Abuse URL scheme of indicators ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.abuseurl" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.abuseurl" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.url.scheme" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.url.scheme", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Abuse URL Scheme [Filebeat Threat Intel]", + "uiStateJSON": { + "vis": { + "colors": { + "http": "#65C5DB", + "https": "#F9934E" + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "URL Scheme", + "field": "threatintel.indicator.url.scheme", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "threatintel.indicator.url.scheme", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "group", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + 
"type": "category" + } + ], + "grid": { + "categoryLines": false + }, + "labels": { + "show": false + }, + "legendPosition": "right", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "Abuse URL Scheme [Filebeat Threat Intel]", + "type": "histogram" + } + }, + "id": "a7b6e910-72ed-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNjYsMl0=" + }, + { + "attributes": { + "description": "Hosting provider notified for indicators ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + 
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.abuseurl" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.abuseurl" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.abuseurl.larted" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.abuseurl.larted", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Abuse URL Hosting Provider Notified [Filebeat Threat Intel]", + "uiStateJSON": { + "vis": { + "colors": { + "false": "#E24D42" + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Hosting Provider Notified", + "field": "threatintel.abuseurl.larted", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 2 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": true, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Abuse URL Hosting Provider Notified [Filebeat Threat Intel]", + "type": "pie" + } + }, + "id": "eba4ec60-72ea-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + 
"id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNjcsMl0=" + }, + { + "attributes": { + "description": "Abuse URL domain indicators ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.abuseurl" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.abuseurl" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.domain" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.domain", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Abuse URL Indicator Domain [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Threat Indicator Domain", + "field": "threatintel.indicator.domain", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + 
"size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Abuse URL Indicator Domain [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "1adff580-72ee-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNjgsMl0=" + }, + { + "attributes": { + "description": "Abuse URL full URL indicators ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.abuseurl" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.abuseurl" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.url.full" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.url.full", + "negate": false, + "type": "exists", + "value": 
"exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Abuse URL Indicator URLs [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Threat Indicator URL", + "field": "threatintel.indicator.url.full", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Abuse URL Indicator URLs [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "62f6daa0-72ee-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNjksMl0=" + }, + { + "attributes": { + "description": "Abuse URL provider of indicators ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + 
"disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.abuseurl" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.abuseurl" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.abuseurl.threat" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.abuseurl.threat", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Abuse URL Indicator Provider [Filebeat Threat Intel]", + "uiStateJSON": { + "vis": { + "colors": { + "Count": "#705DA0" + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "threatintel.indicator.provider", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "group", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 200 + }, + "position": "left", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "grid": { + "categoryLines": false + }, + "labels": { + "show": true + }, + "legendPosition": "right", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "lineWidth": 2, + "mode": "normal", + "show": true, + "showCircles": 
true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": true, + "rotate": 75, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "bottom", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "Abuse URL Indicator Provider [Filebeat Threat Intel]", + "type": "horizontal_bar" + } + }, + "id": "ecf74b10-72ec-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNzAsMl0=" + }, + { + "attributes": { + "description": "Total number of Abuse URL indicators ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.abuseurl" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.abuseurl" + } + } + } + ], + "query": { 
+ "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Abuse URL Indicators [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Abuse URL Indicators" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Abuse URL Indicators [Filebeat Threat Intel]", + "type": "metric" + } + }, + "id": "44020830-7394-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNzEsMl0=" + }, + { + "attributes": { + "description": "Abuse URL event references ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.abuseurl" + }, + "type": "phrase" + }, + "query": { 
+ "match_phrase": { + "event.dataset": "threatintel.abuseurl" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.url.full" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.url.full", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Abuse URL Event Reference [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Abuse URL Reference URL", + "field": "event.reference", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Abuse URL Event Reference [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "d5d76c60-72ee-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", 
+ "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNzIsMl0=" + }, + { + "attributes": { + "description": "Status of URLs ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.abuseurl" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.abuseurl" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.abuseurl.url_status" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.abuseurl.url_status", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Abuse URL URL Status [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "URL Status", + "field": "threatintel.abuseurl.url_status", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Abuse URL URL Status [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": 
"ea5879c0-72eb-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNzMsMl0=" + }, + { + "attributes": { + "description": "Blacklist status of URLs ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.abuseurl" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.abuseurl" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.abuseurl.blacklists.spamhaus_dbl" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.abuseurl.blacklists.spamhaus_dbl", + "negate": false, + "type": "exists", + "value": "exists" + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.abuseurl.blacklists.surbl" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "key": "threatintel.abuseurl.blacklists.surbl", + "negate": 
false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Abuse URL Blacklist Status [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Spamhaus DBL Blacklist Status", + "field": "threatintel.abuseurl.blacklists.spamhaus_dbl", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "SURBL Blacklist Status", + "field": "threatintel.abuseurl.blacklists.surbl", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Abuse URL Blacklist Status [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "a1616dd0-72eb-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": 
"6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNzQsMl0=" + }, + { + "attributes": { + "color": "#a548ae", + "description": "Tag for indicators ingested by the Threat Intel Filebeat module.", + "name": "threat intel" + }, + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "namespaces": [ + "default" + ], + "references": [], + "type": "tag", + "updated_at": "2021-03-10T19:01:18.125Z", + "version": "WzIyMTcsMl0=" + }, + { + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.module", + "negate": false, + "params": { + "query": "threatintel" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.module": "threatintel" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.category", + "negate": false, + "params": { + "query": "threat" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.category": "threat" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "key": "event.kind", + "negate": false, + "params": { + "query": "enrichment" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "enrichment" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + 
"disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", + "key": "event.type", + "negate": false, + "params": { + "query": "indicator" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.type": "indicator" + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [], + "title": "All Logs [Filebeat Threat Intel] ECS", + "version": 1 + }, + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "search": "7.9.3" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyMTksMl0=" + } + ], + "version": "7.11.1" +}
\ No newline at end of file
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/dashboard/Filebeat-threatintel-alienvault-otx.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/dashboard/Filebeat-threatintel-alienvault-otx.json
new file mode 100644
index 00000000000..5156709b9d4
--- /dev/null
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/dashboard/Filebeat-threatintel-alienvault-otx.json
@@ -0,0 +1,1877 @@ +{ + "objects": [ + { + "attributes": { + "description": "AlienVault OTX indicators ingested by the threat intel Filebeat module.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "7847e7a5-06a5-43e7-bd6b-ccae637739e5", + "w": 17, + "x": 0, + "y": 0 + }, + "panelIndex": "7847e7a5-06a5-43e7-bd6b-ccae637739e5", + "panelRefName": "panel_0", + "version": "7.11.1" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "dc17e932-e983-4deb-95dc-07d571bf9e28", + "w": 7, + "x": 17, + "y": 0 + }, + "panelIndex": "dc17e932-e983-4deb-95dc-07d571bf9e28", + "panelRefName": "panel_1", + "version": "7.11.1" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "6d448f2b-f2b7-4e18-a9ef-77c06ab755ac", + "w": 15, + "x": 24, + "y": 0 + }, + "panelIndex": "6d448f2b-f2b7-4e18-a9ef-77c06ab755ac", + "panelRefName": "panel_2", + "version": "7.11.1" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "a946ed22-37d4-4c8d-8250-fc00f2ad646b", + "w": 9, + "x": 39, + "y": 0 + }, + "panelIndex": "a946ed22-37d4-4c8d-8250-fc00f2ad646b", + "panelRefName": "panel_3", + "version": "7.11.1" + }, + { + "embeddableConfig": { + "enhancements": {}, + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 286 + } + ] + } + } + }, + "gridData": { + "h": 18, + "i": "e4c2fa0c-b238-4502-82b8-b61847d19b18", + "w": 9, + "x": 0, + "y": 18 + }, + "panelIndex": "e4c2fa0c-b238-4502-82b8-b61847d19b18", + "panelRefName": "panel_4", + "version": "7.11.1" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "ed1ab436-d7cc-4545-bbc6-a3aa4d45108b", + "w": 17, + 
"x": 9, + "y": 18 + }, + "panelIndex": "ed1ab436-d7cc-4545-bbc6-a3aa4d45108b", + "panelRefName": "panel_5", + "version": "7.11.1" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "ac6508e3-214a-4af9-8621-f9bd9cd9fe36", + "w": 10, + "x": 26, + "y": 18 + }, + "panelIndex": "ac6508e3-214a-4af9-8621-f9bd9cd9fe36", + "panelRefName": "panel_6", + "version": "7.11.1" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "d5dbe626-716b-4dc2-9018-21050ee860ad", + "w": 12, + "x": 36, + "y": 18 + }, + "panelIndex": "d5dbe626-716b-4dc2-9018-21050ee860ad", + "panelRefName": "panel_7", + "version": "7.11.1" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "fb89a073-18ce-41a0-87ec-a66bb35216e5", + "w": 24, + "x": 0, + "y": 36 + }, + "panelIndex": "fb89a073-18ce-41a0-87ec-a66bb35216e5", + "panelRefName": "panel_8", + "version": "7.11.1" + }, + { + "embeddableConfig": { + "enhancements": {}, + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 303 + } + ] + } + } + }, + "gridData": { + "h": 18, + "i": "a2a17e0d-2de0-45cc-8440-d00a7044aaab", + "w": 9, + "x": 24, + "y": 36 + }, + "panelIndex": "a2a17e0d-2de0-45cc-8440-d00a7044aaab", + "panelRefName": "panel_9", + "version": "7.11.1" + }, + { + "embeddableConfig": { + "enhancements": {}, + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 598 + } + ] + } + } + }, + "gridData": { + "h": 18, + "i": "291a8404-8e31-45f4-9117-4ea5bf996e78", + "w": 15, + "x": 33, + "y": 36 + }, + "panelIndex": "291a8404-8e31-45f4-9117-4ea5bf996e78", + "panelRefName": "panel_10", + "version": "7.11.1" + } + ], + "timeRestore": false, + "title": "[Filebeat Threat Intel] AlienVault OTX", + "version": 1 + }, + "id": "53e4e630-76cf-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "dashboard": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": 
"95f384b0-76d8-11eb-a3e3-b3cc7c78a70f", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "b5bd3a70-76ce-11eb-a3e3-b3cc7c78a70f", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "f33125b0-76d8-11eb-a3e3-b3cc7c78a70f", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "302cd5b0-76cd-11eb-a3e3-b3cc7c78a70f", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "49f0c060-76cd-11eb-a3e3-b3cc7c78a70f", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "346136f0-76d5-11eb-a3e3-b3cc7c78a70f", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "9109e490-76cd-11eb-a3e3-b3cc7c78a70f", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "6077fd00-76d5-11eb-a3e3-b3cc7c78a70f", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "4e5d25c0-76ce-11eb-a3e3-b3cc7c78a70f", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "0ccdda50-76ce-11eb-a3e3-b3cc7c78a70f", + "name": "panel_9", + "type": "visualization" + }, + { + "id": "01c261b0-7aa9-11eb-ac13-d5ca87cb8fa2", + "name": "panel_10", + "type": "visualization" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "dashboard", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyODcsMl0=" + }, + { + "attributes": { + "description": "AlienVault OTX URL scheme ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "AlientVault OTX URL Scheme [Filebeat Threat Intel]", + "uiStateJSON": { + "vis": { + "colors": { + "http": "#65C5DB", + "https": "#F9934E" + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": 
{ + "customLabel": "", + "field": "threatintel.indicator.url.scheme", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "group", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 200 + }, + "position": "left", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "grid": { + "categoryLines": true + }, + "labels": { + "show": true + }, + "legendPosition": "right", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "lineWidth": 2, + "mode": "normal", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": true, + "rotate": 75, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "bottom", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "AlientVault OTX URL Scheme [Filebeat Threat Intel]", + "type": "horizontal_bar" + } + }, + "id": "95f384b0-76d8-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + 
"updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNzYsMl0=" + }, + { + "attributes": { + "description": "Total number of AlienVault OTX indicators ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.otx" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.otx" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "AlienVault OTX Indicators [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "AlienVault OTX Indicators" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "AlienVault OTX Indicators [Filebeat Threat Intel]", + "type": "metric" + } + }, + "id": "b5bd3a70-76ce-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": 
"d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNzcsMl0=" + }, + { + "attributes": { + "description": "AlienVault OTX indicator types ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.otx" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.otx" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.type" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.type", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "AlientVault OTX Indicator Types [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "threatintel.indicator.type", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": true, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + 
"title": "AlientVault OTX Indicator Types [Filebeat Threat Intel]", + "type": "pie" + } + }, + "id": "f33125b0-76d8-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNzgsMl0=" + }, + { + "attributes": { + "description": "AlienVault OTX IP indicators ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.otx" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.otx" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.ip" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.ip", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "AlientVault OTX IP Indicators [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": 
true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "AlienVault OTX IP Indicator", + "field": "threatintel.indicator.ip", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "AlientVault OTX IP Indicators [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "302cd5b0-76cd-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNzksMl0=" + }, + { + "attributes": { + "description": "AlienVault OTX domain indicators ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.otx" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + 
"event.dataset": "threatintel.otx" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.domain" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.domain", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "AlientVault OTX Domain Indicators [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "AlienVault OTX IP Indicator", + "field": "threatintel.indicator.domain", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "AlientVault OTX Domain Indicators [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "49f0c060-76cd-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": 
"tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyODAsMl0=" + }, + { + "attributes": { + "description": "AlienVault OTX URL indicators ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.otx" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.otx" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.url.original" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.url.original", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "AlienVault OTX URL Indicators [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "AlienVault OTX URL Indicator", + "field": "threatintel.indicator.url.original", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": 
"AlienVault OTX URL Indicators [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "346136f0-76d5-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyODEsMl0=" + }, + { + "attributes": { + "description": "AlienVault OTX URL domain indicators ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.otx" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.otx" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.url.domain" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.url.domain", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "AlienVault OTX URL Domain Indicators [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ 
+ { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "AlienVault OTX URL Domain Indicator", + "field": "threatintel.indicator.url.domain", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "AlienVault OTX URL Domain Indicators [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "9109e490-76cd-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyODIsMl0=" + }, + { + "attributes": { + "description": "AlienVault OTX URI indicators ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.otx" + }, + "type": "phrase" + }, + 
"query": { + "match_phrase": { + "event.dataset": "threatintel.otx" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.url.path" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.url.path", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "AlienVault OTX URI Indicators [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "AlienVault OTX URI Indicator", + "field": "threatintel.indicator.url.path", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "AlienVault OTX URI Indicators [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "6077fd00-76d5-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": 
"tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyODMsMl0=" + }, + { + "attributes": { + "description": "AlienVault OTX SHA256 hash indicators ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.otx" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.otx" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.file.hash.sha256" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.file.hash.sha256", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "AlientVault OTX SHA256 Hash Indicators [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "AlienVault OTX SHA256 Hash Indicator", + "field": "threatintel.indicator.file.hash.sha256", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + 
"totalFunc": "sum" + }, + "title": "AlientVault OTX SHA256 Hash Indicators [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "4e5d25c0-76ce-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyODQsMl0=" + }, + { + "attributes": { + "description": "AlienVault OTX MD5 hash indicators ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.otx" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.otx" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.file.hash.md5" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.file.hash.md5", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "AlientVault OTX MD5 Hash Indicators [Filebeat Threat Intel]", + "uiStateJSON": 
{}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "AlienVault OTX MD5 Hash Indicator", + "field": "threatintel.indicator.file.hash.md5", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "AlientVault OTX MD5 Hash Indicators [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "0ccdda50-76ce-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyODUsMl0=" + }, + { + "attributes": { + "description": "AlienVault OTX indicator title ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": 
"threatintel.otx" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.otx" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.otx.title" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.otx.title", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "AlienVault OTX Indicator Title [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "AlienVault OTX Indicator Title", + "field": "threatintel.otx.title", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "AlienVault OTX Indicator Title [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "01c261b0-7aa9-11eb-ac13-d5ca87cb8fa2", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": 
"d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyODYsMl0=" + }, + { + "attributes": { + "color": "#a548ae", + "description": "Tag for indicators ingested by the Threat Intel Filebeat module.", + "name": "threat intel" + }, + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "namespaces": [ + "default" + ], + "references": [], + "type": "tag", + "updated_at": "2021-03-10T19:01:18.125Z", + "version": "WzIyMTcsMl0=" + }, + { + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.module", + "negate": false, + "params": { + "query": "threatintel" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.module": "threatintel" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.category", + "negate": false, + "params": { + "query": "threat" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.category": "threat" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "key": "event.kind", + "negate": false, + "params": { + "query": "enrichment" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "enrichment" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", + 
"key": "event.type",
+ "negate": false,
+ "params": {
+ "query": "indicator"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.type": "indicator"
+ }
+ }
+ }
+ ],
+ "highlightAll": true,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "version": true
+ }
+ },
+ "sort": [],
+ "title": "All Logs [Filebeat Threat Intel] ECS",
+ "version": 1
+ },
+ "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f",
+ "migrationVersion": {
+ "search": "7.9.3"
+ },
+ "namespaces": [
+ "default"
+ ],
+ "references": [
+ {
+ "id": "filebeat-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "filebeat-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "filebeat-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "filebeat-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "filebeat-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search",
+ "updated_at": "2021-03-10T19:01:19.048Z",
+ "version": "WzIyMTksMl0="
+ }
+ ],
+ "version": "7.11.1"
+}
\ No newline at end of file
diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/dashboard/Filebeat-threatintel-anomali.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/dashboard/Filebeat-threatintel-anomali.json
new file mode 100644
index 00000000000..bf9a25614dd
--- /dev/null
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/dashboard/Filebeat-threatintel-anomali.json
@@ -0,0 +1,1641 @@ +{ + "objects": [ + { + "attributes": { + "description": "Anomali indicators ingested by the threat intel Filebeat module.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "96feacb2-faa8-4154-ab78-71acfa3a0200", + "w": 18, + "x": 0, + "y": 0 + }, + "panelIndex": "96feacb2-faa8-4154-ab78-71acfa3a0200", + "panelRefName": "panel_0", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "47fb30af-2e3a-4853-923e-401be3bcffd7", + "w": 11, + "x": 18, + "y": 0 + }, + "panelIndex": "47fb30af-2e3a-4853-923e-401be3bcffd7", + "panelRefName": "panel_1", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "bcbc15d0-35c0-461d-b6f1-2a09b2e27e2a", + "w": 19, + "x": 29, + "y": 0 + }, + "panelIndex": "bcbc15d0-35c0-461d-b6f1-2a09b2e27e2a", + "panelRefName": "panel_2", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "b3f8480e-2875-46d4-acd2-b2a910a704af", + "w": 14, + "x": 34, + "y": 18 + }, + "panelIndex": "b3f8480e-2875-46d4-acd2-b2a910a704af", + "panelRefName": "panel_3", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 173.36285400390625 + } + ] + } + } + }, + "gridData": { + "h": 18, + "i": "b334f158-4fc5-4712-a5aa-f172dd743ba7", + "w": 9, + "x": 0, + "y": 18 + }, + "panelIndex": "b334f158-4fc5-4712-a5aa-f172dd743ba7", + "panelRefName": "panel_4", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "table": null, + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + 
"width": 346.36285400390625 + } + ] + } + } + }, + "gridData": { + "h": 18, + "i": "4125f3ee-6b0e-4198-a847-8a1113dfbc4a", + "w": 13, + "x": 9, + "y": 18 + }, + "panelIndex": "4125f3ee-6b0e-4198-a847-8a1113dfbc4a", + "panelRefName": "panel_5", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 296.36285400390625 + } + ] + } + } + }, + "gridData": { + "h": 18, + "i": "8f556ccd-ef24-4bfd-a344-3da3920eda9e", + "w": 12, + "x": 22, + "y": 18 + }, + "panelIndex": "8f556ccd-ef24-4bfd-a344-3da3920eda9e", + "panelRefName": "panel_6", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 390.36285400390625 + } + ] + } + } + }, + "gridData": { + "h": 18, + "i": "514b0734-f5bf-411c-b674-ad4fddfc1f25", + "w": 15, + "x": 0, + "y": 36 + }, + "panelIndex": "514b0734-f5bf-411c-b674-ad4fddfc1f25", + "panelRefName": "panel_7", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 1008.3628540039062 + } + ] + } + } + }, + "gridData": { + "h": 18, + "i": "6f8a890f-3d0f-43c5-a25b-bafc3fe75edd", + "w": 33, + "x": 15, + "y": 36 + }, + "panelIndex": "6f8a890f-3d0f-43c5-a25b-bafc3fe75edd", + "panelRefName": "panel_8", + "version": "7.11.0" + } + ], + "timeRestore": false, + "title": "[Filebeat Threat Intel] Anomali", + "version": 1 + }, + "id": "68c48a30-739e-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "dashboard": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "55b5c280-76b7-11eb-a3e3-b3cc7c78a70f", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "28aca810-7394-11eb-a3e3-b3cc7c78a70f", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "09aaef80-7399-11eb-a3e3-b3cc7c78a70f", + "name": "panel_2", + "type": "visualization" + }, + { + "id": 
"0e4aa470-739b-11eb-a3e3-b3cc7c78a70f", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "1a6a6430-739a-11eb-a3e3-b3cc7c78a70f", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "4360fe80-739a-11eb-a3e3-b3cc7c78a70f", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "5b7f0160-739a-11eb-a3e3-b3cc7c78a70f", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "a14694c0-7399-11eb-a3e3-b3cc7c78a70f", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "6ed5ada0-7399-11eb-a3e3-b3cc7c78a70f", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "dashboard", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNTEsMl0=" + }, + { + "attributes": { + "description": "MISP tags for indicators ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.misp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.misp" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "tags" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "tags", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "MISP Tags [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": 
"count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "MISP Tags", + "field": "tags", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "MISP Tags [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "55b5c280-76b7-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNDIsMl0=" + }, + { + "attributes": { + "description": "Total number of Anomali indicators ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.anomali" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.anomali" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + 
"savedSearchRefName": "search_0", + "title": "Anomali Indicators [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Anomali Indicators" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Anomali Indicators [Filebeat Threat Intel]", + "type": "metric" + } + }, + "id": "28aca810-7394-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNDMsMl0=" + }, + { + "attributes": { + "description": "Types of Anomali indicators ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.anomali" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": 
"threatintel.anomali" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.type" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.type", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Anomali Indicator Type [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "threatintel.indicator.type", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": true, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Anomali Indicator Type [Filebeat Threat Intel]", + "type": "pie" + } + }, + "id": "09aaef80-7399-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + 
"updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNDQsMl0=" + }, + { + "attributes": { + "description": "Anomali email indicator ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.anomali" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.anomali" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.email.address" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.email.address", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Anomali Email Indicator [Filebeat Threat Intel]", + "uiStateJSON": { + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 753.3628540039062 + } + ] + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Anomali Email Indicator", + "field": "threatintel.indicator.email.address", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": 
"Anomali Email Indicator [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "0e4aa470-739b-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNDUsMl0=" + }, + { + "attributes": { + "description": "Anomali IP indicator ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.anomali" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.anomali" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.ip" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.ip", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Anomali IP Indicator [Filebeat Threat Intel]", + "uiStateJSON": { + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 753.3628540039062 
+ } + ] + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Anomali IP Indicator", + "field": "threatintel.indicator.ip", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Anomali IP Indicator [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "1a6a6430-739a-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNDYsMl0=" + }, + { + "attributes": { + "description": "Anomali URL indicators ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.anomali" + }, + "type": 
"phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.anomali" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.url.full" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.url.full", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Anomali URL Indicators [Filebeat Threat Intel]", + "uiStateJSON": { + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 753.3628540039062 + } + ] + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Anomali URL Indicator", + "field": "threatintel.indicator.url.full", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Anomali URL Indicators [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "4360fe80-739a-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + 
"name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNDcsMl0=" + }, + { + "attributes": { + "description": "Anomali domain indicators ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.anomali" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.anomali" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.domain" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.domain", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Anomali Domain Indicators [Filebeat Threat Intel]", + "uiStateJSON": { + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 753.3628540039062 + } + ] + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Anomali Domain Indicator", + "field": "threatintel.indicator.domain", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": 
{ + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Anomali Domain Indicators [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "5b7f0160-739a-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNDgsMl0=" + }, + { + "attributes": { + "description": "Anomali indicator name ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.anomali" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.anomali" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.anomali.name" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.anomali.name", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + 
"savedSearchRefName": "search_0", + "title": "Anomali Indicator Name [Filebeat Threat Intel]", + "uiStateJSON": { + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 753.3628540039062 + } + ] + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Anomali Indicator Name", + "field": "threatintel.anomali.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Anomali Indicator Name [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "a14694c0-7399-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNDksMl0=" + }, + { + "attributes": { + "description": "Anomali indicator descriptions ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + 
"alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.anomali" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.anomali" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.anomali.description" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.anomali.description", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Anomali Indicator Description [Filebeat Threat Intel]", + "uiStateJSON": { + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 753.3628540039062 + } + ] + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Anomali Indicator Description", + "field": "threatintel.anomali.description", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Anomali Indicator Description [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "6ed5ada0-7399-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNTAsMl0=" + }, + { + "attributes": { + "color": "#a548ae", + "description": "Tag for indicators ingested by the Threat Intel Filebeat module.", + "name": "threat intel" + }, + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "namespaces": [ + "default" + ], + "references": [], + "type": "tag", + "updated_at": "2021-03-10T19:01:18.125Z", + "version": "WzIyMTcsMl0=" + }, + { + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.module", + "negate": false, + "params": { + "query": "threatintel" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.module": "threatintel" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.category", + "negate": false, + "params": { + "query": "threat" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.category": "threat" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "key": "event.kind", + 
"negate": false, + "params": { + "query": "enrichment" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "enrichment" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", + "key": "event.type", + "negate": false, + "params": { + "query": "indicator" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.type": "indicator" + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [], + "title": "All Logs [Filebeat Threat Intel] ECS", + "version": 1 + }, + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "search": "7.9.3" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyMTksMl0=" + } + ], + "version": "7.11.1" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/dashboard/Filebeat-threatintel-aubse-malware.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/dashboard/Filebeat-threatintel-aubse-malware.json new file mode 100644 index 00000000000..067828449cb 
--- /dev/null
+++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/dashboard/Filebeat-threatintel-aubse-malware.json
@@ -0,0 +1,1781 @@ +{ + "objects": [ + { + "attributes": { + "description": "Abuse Malware indicators ingested by the threat intel Filebeat module.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 654.3333333333333 + } + ] + } + } + }, + "gridData": { + "h": 18, + "i": "80e2f028-a447-4fa4-9161-052717ca9021", + "w": 17, + "x": 0, + "y": 0 + }, + "panelIndex": "80e2f028-a447-4fa4-9161-052717ca9021", + "panelRefName": "panel_0", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "7483e258-c1e3-4fc8-9e8d-7e2abb400cda", + "w": 10, + "x": 17, + "y": 0 + }, + "panelIndex": "7483e258-c1e3-4fc8-9e8d-7e2abb400cda", + "panelRefName": "panel_1", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "5b627f39-1ddb-499f-b9b6-87297576e3dd", + "w": 8, + "x": 27, + "y": 0 + }, + "panelIndex": "5b627f39-1ddb-499f-b9b6-87297576e3dd", + "panelRefName": "panel_2", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 422.33333333333337 + } + ] + } + } + }, + "gridData": { + "h": 18, + "i": "e7f02b6f-7a4c-417d-904a-582fa4f7f4b0", + "w": 13, + "x": 35, + "y": 0 + }, + "panelIndex": "e7f02b6f-7a4c-417d-904a-582fa4f7f4b0", + "panelRefName": "panel_3", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 584.3333333333333 + } + ] + } + } + }, + "gridData": { + "h": 18, + "i": "8459964a-6437-490f-a8f3-54f68ca4c9ef", + "w": 16, + "x": 0, + "y": 18 + }, + "panelIndex": 
"8459964a-6437-490f-a8f3-54f68ca4c9ef", + "panelRefName": "panel_4", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "705312de-dfcc-4f8f-8371-78c3b0fbb968", + "w": 13, + "x": 16, + "y": 18 + }, + "panelIndex": "705312de-dfcc-4f8f-8371-78c3b0fbb968", + "panelRefName": "panel_5", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "table": null, + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 755.6666666666667 + }, + { + "colIndex": 1, + "width": 96 + } + ] + } + } + }, + "gridData": { + "h": 18, + "i": "d3b6eec0-1b14-43f7-be9b-05314ee54c07", + "w": 19, + "x": 29, + "y": 18 + }, + "panelIndex": "d3b6eec0-1b14-43f7-be9b-05314ee54c07", + "panelRefName": "panel_6", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 896.5 + } + ] + } + } + }, + "gridData": { + "h": 18, + "i": "6d6ea6b0-21a5-4af4-bbea-4f85fc54eaf5", + "w": 23, + "x": 0, + "y": 36 + }, + "panelIndex": "6d6ea6b0-21a5-4af4-bbea-4f85fc54eaf5", + "panelRefName": "panel_7", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "040ae85b-1abc-439e-a1b9-7bc3ddca1059", + "w": 25, + "x": 23, + "y": 36 + }, + "panelIndex": "040ae85b-1abc-439e-a1b9-7bc3ddca1059", + "panelRefName": "panel_8", + "version": "7.11.0" + } + ], + "timeRestore": false, + "title": "[Filebeat Threat Intel] Abuse Malware", + "version": 1 + }, + "id": "5ba16340-72e6-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "dashboard": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "79da77d0-72e5-11eb-a3e3-b3cc7c78a70f", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "0db62ee0-72e6-11eb-a3e3-b3cc7c78a70f", + "name": "panel_1", + "type": "lens" + }, + { + "id": "5f955bb0-7394-11eb-a3e3-b3cc7c78a70f", + "name": "panel_2", + "type": 
"visualization" + }, + { + "id": "b9533f50-72e5-11eb-a3e3-b3cc7c78a70f", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "1a0d5250-72e5-11eb-a3e3-b3cc7c78a70f", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "40d61ab0-72e6-11eb-a3e3-b3cc7c78a70f", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "41100be0-72e5-11eb-a3e3-b3cc7c78a70f", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "c369c190-72e4-11eb-a3e3-b3cc7c78a70f", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "f9c6ba80-72e5-11eb-a3e3-b3cc7c78a70f", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "dashboard", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyMjksMl0=" + }, + { + "attributes": { + "description": "Abuse malware TLSH hashes ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.abusemalware" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.abusemalware" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.file.hash.tlsh" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.file.hash.tlsh", + "negate": false, + "type": "exists", + "value": "exists" + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.type" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "key": "threatintel.indicator.type", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Abuse Malware TLSH Hashes [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "TLSH Hash", + "field": "threatintel.indicator.file.hash.tlsh", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "File Type", + "field": "threatintel.indicator.file.type", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Abuse Malware TLSH Hashes [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "79da77d0-72e5-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": 
"index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyMjAsMl0=" + }, + { + "attributes": { + "description": "Abuse malware signatures ingested by the threat intel Filebeat module.", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "dff48ab9-4cc8-4744-afe5-ee36a0a2065d": { + "columnOrder": [ + "959db113-1ce6-46fc-97c3-dbf5fd5abb9a", + "de396547-655b-4db2-8a21-e9850acff0b0" + ], + "columns": { + "959db113-1ce6-46fc-97c3-dbf5fd5abb9a": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of threatintel.abusemalware.signature", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "de396547-655b-4db2-8a21-e9850acff0b0", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threatintel.abusemalware.signature" + }, + "de396547-655b-4db2-8a21-e9850acff0b0": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-0", + "key": "event.module", + "negate": false, + "params": { + "query": "threatintel" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.module": "threatintel" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-1", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.abusemalware" + 
}, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.abusemalware" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.abusemalware.signature" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-2", + "key": "threatintel.abusemalware.signature", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "959db113-1ce6-46fc-97c3-dbf5fd5abb9a" + ], + "layerId": "dff48ab9-4cc8-4744-afe5-ee36a0a2065d", + "legendDisplay": "default", + "metric": "de396547-655b-4db2-8a21-e9850acff0b0", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "treemap" + } + }, + "title": "Abuse Malware Signature [Filebeat Threat Intel]", + "visualizationType": "lnsPie" + }, + "id": "0db62ee0-72e6-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "lens": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-dff48ab9-4cc8-4744-afe5-ee36a0a2065d", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-1", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-2", + "type": "index-pattern" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-ref-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "lens", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyMjEsMl0=" + }, + { + "attributes": { + "description": "Total number of Abuse Malware indicators ingested by the threat intel Filebeat module.", + 
"kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.abusemalware" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.abusemalware" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Abuse Malware Indicators [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Abuse Malware Indicators" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Abuse Malware Indicators [Filebeat Threat Intel]", + "type": "metric" + } + }, + "id": "5f955bb0-7394-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyMjIsMl0=" + }, + { + 
"attributes": { + "description": "Abuse malware import table hash by file type ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.abusemalware" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.abusemalware" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.file.pe.imphash" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.file.pe.imphash", + "negate": false, + "type": "exists", + "value": "exists" + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.type" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "key": "threatintel.indicator.type", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Abuse Malware Import Table Hash [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Imphash Hash", + "field": "threatintel.indicator.file.pe.imphash", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": 
true, + "id": "3", + "params": { + "customLabel": "File Type", + "field": "threatintel.indicator.file.type", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Abuse Malware Import Table Hash [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "b9533f50-72e5-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyMjMsMl0=" + }, + { + "attributes": { + "description": "Abuse malware SHA256 hashes ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.abusemalware" + }, + "type": "phrase" + }, + "query": { + 
"match_phrase": { + "event.dataset": "threatintel.abusemalware" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.file.hash.sha256" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.file.hash.sha256", + "negate": false, + "type": "exists", + "value": "exists" + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.type" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "key": "threatintel.indicator.type", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Abuse Malware SHA256 Hashes [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "SHA256 Hash", + "field": "threatintel.indicator.file.hash.sha256", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "File Type", + "field": "threatintel.indicator.file.type", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + 
}, + "title": "Abuse Malware SHA256 Hashes [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "1a0d5250-72e5-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyMjQsMl0=" + }, + { + "attributes": { + "description": "Abuse malware file types ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Abuse Malware File Types [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "threatintel.indicator.file.type", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": true, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + 
"type": "pie" + }, + "title": "Abuse Malware File Types [Filebeat Threat Intel]", + "type": "pie" + } + }, + "id": "40d61ab0-72e6-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyMjUsMl0=" + }, + { + "attributes": { + "description": "Abuse malware ssdeep hashes ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.abusemalware" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.abusemalware" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.file.hash.ssdeep" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.file.hash.ssdeep", + "negate": false, + "type": "exists", + "value": "exists" + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.type" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "key": "threatintel.indicator.type", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": 
"Abuse Malware ssdeep Hashes [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "ssdeep Hash", + "field": "threatintel.indicator.file.hash.ssdeep", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "File Type", + "field": "threatintel.indicator.file.type", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Abuse Malware ssdeep Hashes [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "41100be0-72e5-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", 
+ "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyMjYsMl0=" + }, + { + "attributes": { + "description": "Abuse malware event references ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.abusemalware" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.abusemalware" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "event.reference" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.reference", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Abuse Malware Event Reference [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Abuse Malware Reference URL", + "field": "event.reference", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Abuse Malware Event Reference [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "c369c190-72e4-11eb-a3e3-b3cc7c78a70f", + 
"migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyMjcsMl0=" + }, + { + "attributes": { + "description": "Abuse malware VirusTotal references ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.abusemalware" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.abusemalware" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.abusemalware.virustotal.link" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.abusemalware.virustotal.link", + "negate": false, + "type": "exists", + "value": "exists" + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.abusemalware.virustotal.result" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "key": "threatintel.abusemalware.virustotal.result", + "negate": false, + "type": 
"exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Abuse Malware VirusTotal References [Filebeat Threat Intel]", + "uiStateJSON": { + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 937.6666666666665 + } + ] + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "VirusTotal URL", + "field": "threatintel.abusemalware.virustotal.link", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "VirusTotal Result", + "field": "threatintel.abusemalware.virustotal.result", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "Abuse Malware VirusTotal References [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "f9c6ba80-72e5-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyMjgsMl0=" + }, + { + "attributes": { + "color": "#a548ae", + "description": "Tag for indicators ingested by the Threat Intel Filebeat module.", + "name": "threat intel" + }, + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "namespaces": [ + "default" + ], + "references": [], + "type": "tag", + "updated_at": "2021-03-10T19:01:18.125Z", + "version": "WzIyMTcsMl0=" + }, + { + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.module", + "negate": false, + "params": { + "query": "threatintel" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.module": "threatintel" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.category", + "negate": false, + "params": { + "query": "threat" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.category": "threat" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "key": "event.kind", + "negate": false, + "params": { + "query": "enrichment" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": 
"enrichment" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", + "key": "event.type", + "negate": false, + "params": { + "query": "indicator" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.type": "indicator" + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [], + "title": "All Logs [Filebeat Threat Intel] ECS", + "version": 1 + }, + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "search": "7.9.3" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyMTksMl0=" + } + ], + "version": "7.11.1" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/dashboard/Filebeat-threatintel-misp.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/dashboard/Filebeat-threatintel-misp.json new file mode 100644 index 00000000000..8cf715e18e6 --- /dev/null +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/dashboard/Filebeat-threatintel-misp.json 
@@ -0,0 +1,2099 @@ +{ + "objects": [ + { + "attributes": { + "description": "MSIP indicators ingested by the threat intel Filebeat module.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 589 + } + ] + } + } + }, + "gridData": { + "h": 18, + "i": "dddbb2ed-b025-4bc3-b3a1-16f834da532b", + "w": 15, + "x": 0, + "y": 0 + }, + "panelIndex": "dddbb2ed-b025-4bc3-b3a1-16f834da532b", + "panelRefName": "panel_0", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 370 + } + ] + } + } + }, + "gridData": { + "h": 18, + "i": "bb692014-ed24-441d-a717-d40025f46602", + "w": 10, + "x": 15, + "y": 0 + }, + "panelIndex": "bb692014-ed24-441d-a717-d40025f46602", + "panelRefName": "panel_1", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "fcc0d72f-70ee-4fac-b859-77326444f472", + "w": 14, + "x": 25, + "y": 0 + }, + "panelIndex": "fcc0d72f-70ee-4fac-b859-77326444f472", + "panelRefName": "panel_2", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "a3b70237-fbd4-43c6-96b6-ffb3c9266b55", + "w": 9, + "x": 39, + "y": 0 + }, + "panelIndex": "a3b70237-fbd4-43c6-96b6-ffb3c9266b55", + "panelRefName": "panel_3", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "table": null, + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 814 + } + ] + } + } + }, + "gridData": { + "h": 18, + "i": "c34da3b4-e3d8-4ade-85f2-1f2195aa9cdc", + "w": 19, + "x": 0, + "y": 18 + }, + "panelIndex": "c34da3b4-e3d8-4ade-85f2-1f2195aa9cdc", + 
"panelRefName": "panel_4", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 451 + } + ] + } + } + }, + "gridData": { + "h": 18, + "i": "c23a8d34-62e3-42f2-912b-120251392d03", + "w": 12, + "x": 19, + "y": 18 + }, + "panelIndex": "c23a8d34-62e3-42f2-912b-120251392d03", + "panelRefName": "panel_5", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "a9e87eb5-f981-472c-9fb1-00f956c7ca1e", + "w": 9, + "x": 31, + "y": 18 + }, + "panelIndex": "a9e87eb5-f981-472c-9fb1-00f956c7ca1e", + "panelRefName": "panel_6", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "a47d65d3-01ef-4488-9c0d-2fbd23b923ad", + "w": 8, + "x": 40, + "y": 18 + }, + "panelIndex": "a47d65d3-01ef-4488-9c0d-2fbd23b923ad", + "panelRefName": "panel_7", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 324 + } + ] + } + } + }, + "gridData": { + "h": 18, + "i": "c4010d5b-9082-453d-90a1-a4bc629f62a7", + "w": 10, + "x": 0, + "y": 36 + }, + "panelIndex": "c4010d5b-9082-453d-90a1-a4bc629f62a7", + "panelRefName": "panel_8", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 371 + } + ] + } + } + }, + "gridData": { + "h": 18, + "i": "e59a30c1-97bb-4f16-81ba-9a9dc705fed6", + "w": 12, + "x": 10, + "y": 36 + }, + "panelIndex": "e59a30c1-97bb-4f16-81ba-9a9dc705fed6", + "panelRefName": "panel_9", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "vis": { + "params": { + "colWidth": [ + { + "colIndex": 0, + "width": 600.5 + } + ] + } + } + }, + "gridData": { + "h": 18, + "i": "1309e7f5-8554-4265-a8c4-9f8f00db8299", + "w": 14, + "x": 22, + "y": 36 + }, + "panelIndex": 
"1309e7f5-8554-4265-a8c4-9f8f00db8299", + "panelRefName": "panel_10", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "42cec04d-ab8e-4aa2-a78b-7c6a6d8b8798", + "w": 12, + "x": 36, + "y": 36 + }, + "panelIndex": "42cec04d-ab8e-4aa2-a78b-7c6a6d8b8798", + "panelRefName": "panel_11", + "version": "7.11.0" + } + ], + "timeRestore": false, + "title": "[Filebeat Threat Intel] MISP", + "version": 1 + }, + "id": "47e6fdc0-76b9-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "dashboard": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "7582b030-73c6-11eb-a3e3-b3cc7c78a70f", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "a09329d0-73c6-11eb-a3e3-b3cc7c78a70f", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "7c7d3750-73c3-11eb-a3e3-b3cc7c78a70f", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "418e5a30-73c2-11eb-a3e3-b3cc7c78a70f", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "c102b0f0-73c6-11eb-a3e3-b3cc7c78a70f", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "55b5c280-76b7-11eb-a3e3-b3cc7c78a70f", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "ad55b1e0-73c8-11eb-a3e3-b3cc7c78a70f", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "bf3dfde0-73c3-11eb-a3e3-b3cc7c78a70f", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "ec68c4a0-73c6-11eb-a3e3-b3cc7c78a70f", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "02294f80-73c7-11eb-a3e3-b3cc7c78a70f", + "name": "panel_9", + "type": "visualization" + }, + { + "id": "1c969990-73c7-11eb-a3e3-b3cc7c78a70f", + "name": "panel_10", + "type": "visualization" + }, + { + "id": "57faae10-73c5-11eb-a3e3-b3cc7c78a70f", + "name": "panel_11", + "type": "visualization" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + 
], + "type": "dashboard", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNjMsMl0=" + }, + { + "attributes": { + "description": "MISP domain indicators ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.misp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.misp" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.domain" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.domain", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "MISP Domain Indicators [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "MISP Domain Indicator", + "field": "threatintel.indicator.domain", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "MISP Domain Indicators [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": 
"7582b030-73c6-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNTIsMl0=" + }, + { + "attributes": { + "description": "MISP IP indicators ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.misp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.misp" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.ip" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.ip", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "MISP IP Indicators [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + 
"params": { + "customLabel": "MISP IP Indicator", + "field": "threatintel.indicator.ip", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "MISP IP Indicators [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "a09329d0-73c6-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNTMsMl0=" + }, + { + "attributes": { + "description": "Types of MISP indicators ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.misp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.misp" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.type" + }, + 
"meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.type", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "MISP Indicator Type [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "threatintel.indicator.type", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": true, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "MISP Indicator Type [Filebeat Threat Intel]", + "type": "pie" + } + }, + "id": "7c7d3750-73c3-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNTQsMl0=" + }, + { + "attributes": { + "description": "Total number of Abuse URL 
indicators ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.misp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.misp" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "MISP Indicators [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "MISP Indicators" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "MISP Indicators [Filebeat Threat Intel]", + "type": "metric" + } + }, + "id": "418e5a30-73c2-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": 
"WzIyNTUsMl0=" + }, + { + "attributes": { + "description": "MISP URL indicators ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.misp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.misp" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.url.full" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.url.full", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "MISP URL Indicators [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "MISP URL Indicator", + "field": "threatintel.indicator.url.full", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "MISP URL Indicators [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "c102b0f0-73c6-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + 
"default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNTYsMl0=" + }, + { + "attributes": { + "description": "MISP tags for indicators ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.misp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.misp" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "tags" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "tags", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "MISP Tags [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "MISP Tags", + "field": "tags", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + 
"otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "MISP Tags [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "55b5c280-76b7-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNDIsMl0=" + }, + { + "attributes": { + "description": "TLP of MISP indicators ingested by the threat intel Filebeat module. 
Top 10 datasets.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "MISP Indicator TLP [Filebeat Threat Intel]", + "uiStateJSON": { + "vis": { + "colors": { + "green": "#7EB26D", + "white": "#E0F9D7" + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Indicator Marking TLP", + "field": "threatintel.indicator.marking.tlp", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "threatintel.indicator.marking.tlp", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "group", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "grid": { + "categoryLines": false + }, + "labels": { + "show": true + }, + "legendPosition": "right", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "type": 
"histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "MISP Indicator TLP [Filebeat Threat Intel]", + "type": "histogram" + } + }, + "id": "ad55b1e0-73c8-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNTcsMl0=" + }, + { + "attributes": { + "description": "MISP indicator ingested by the threat intel Filebeat module has been published.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.misp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.misp" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.misp.published" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.misp.published", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "MISP Indicator Published [Filebeat Threat Intel]", 
+ "uiStateJSON": { + "vis": { + "colors": { + "true": "#7EB26D" + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "threatintel.misp.published", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 3 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": false, + "labels": { + "last_level": true, + "show": true, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "MISP Indicator Published [Filebeat Threat Intel]", + "type": "pie" + } + }, + "id": "bf3dfde0-73c3-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNTgsMl0=" + }, + { + "attributes": { + "description": "MISP MD5 hash indicators ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + 
"params": { + "query": "threatintel.misp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.misp" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.file.hash.md5" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.file.hash.md5", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "MISP MD5 Hash Indicators [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "MISP MD5 Hash Indicator", + "field": "threatintel.indicator.file.hash.md5", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "MISP MD5 Hash Indicators [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "ec68c4a0-73c6-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + 
}, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNTksMl0=" + }, + { + "attributes": { + "description": "MISP SHA1 hash indicators ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.misp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.misp" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.file.hash.sha1" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.file.hash.sha1", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "MISP SHA1 Hash Indicators [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "MISP SHA1 Hash Indicator", + "field": "threatintel.indicator.file.hash.sha1", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + 
"showTotal": false, + "totalFunc": "sum" + }, + "title": "MISP SHA1 Hash Indicators [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "02294f80-73c7-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNjAsMl0=" + }, + { + "attributes": { + "description": "MISP SHA256 hash indicators ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "threatintel.misp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.misp" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.file.hash.sha256" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.file.hash.sha256", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "MISP SHA256 Hash Indicators [Filebeat Threat Intel]", + 
"uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "MISP SHA256 Hash Indicator", + "field": "threatintel.indicator.file.hash.sha256", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showToolbar": false, + "showTotal": false, + "totalFunc": "sum" + }, + "title": "MISP SHA256 Hash Indicators [Filebeat Threat Intel]", + "type": "table" + } + }, + "id": "1c969990-73c7-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNjEsMl0=" + }, + { + "attributes": { + "description": "MISP provider for indicators ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": 
"threatintel.misp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "threatintel.misp" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.provider" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.provider", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "MISP Indicator Provider [Filebeat Threat Intel]", + "uiStateJSON": { + "vis": { + "colors": { + "misp": "#5195CE" + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "threatintel.indicator.provider", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "MISP Indicator Provider [Filebeat Threat Intel]", + "type": "pie" + } + }, + "id": "57faae10-73c5-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" 
+ }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNjIsMl0=" + }, + { + "attributes": { + "color": "#a548ae", + "description": "Tag for indicators ingested by the Threat Intel Filebeat module.", + "name": "threat intel" + }, + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "namespaces": [ + "default" + ], + "references": [], + "type": "tag", + "updated_at": "2021-03-10T19:01:18.125Z", + "version": "WzIyMTcsMl0=" + }, + { + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.module", + "negate": false, + "params": { + "query": "threatintel" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.module": "threatintel" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.category", + "negate": false, + "params": { + "query": "threat" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.category": "threat" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "key": "event.kind", + "negate": false, + "params": { + "query": "enrichment" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "enrichment" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", + "key": "event.type", + "negate": false, + "params": { + "query": "indicator" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.type": "indicator" + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [], + "title": "All Logs [Filebeat Threat Intel] ECS", + "version": 1 + }, + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "search": "7.9.3" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyMTksMl0=" + } + ], + "version": "7.11.1" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/dashboard/Filebeat-threatintel-overview.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/dashboard/Filebeat-threatintel-overview.json new file mode 100644 index 00000000000..5bd0f1ef5a2 --- /dev/null +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/dashboard/Filebeat-threatintel-overview.json 
@@ -0,0 +1,1953 @@ +{ + "objects": [ + { + "attributes": { + "description": "Top-level metrics of indicators and datasets ingested by the threat intel Filebeat module.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 7, + "i": "0a8c6e54-3d3a-4e88-a230-75d7a3856154", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "0a8c6e54-3d3a-4e88-a230-75d7a3856154", + "panelRefName": "panel_0", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "8c2caa0d-fedc-406b-a4cc-87c09ba9e929", + "w": 8, + "x": 40, + "y": 7 + }, + "panelIndex": "8c2caa0d-fedc-406b-a4cc-87c09ba9e929", + "panelRefName": "panel_1", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "81f493cc-5459-4baf-b57a-295f290debf3", + "w": 8, + "x": 0, + "y": 7 + }, + "panelIndex": "81f493cc-5459-4baf-b57a-295f290debf3", + "panelRefName": "panel_2", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "c5d9284a-f44c-4cee-b9fd-9585dcaadc89", + "w": 15, + "x": 8, + "y": 7 + }, + "panelIndex": "c5d9284a-f44c-4cee-b9fd-9585dcaadc89", + "panelRefName": "panel_3", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "cecb5fce-b1c6-4121-a943-73c163554fff", + "w": 17, + "x": 23, + "y": 7 + }, + "panelIndex": "cecb5fce-b1c6-4121-a943-73c163554fff", + "panelRefName": "panel_4", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "8788d810-774f-4190-bc01-16fb04c0b38c", + "w": 19, + "x": 0, + "y": 22 + }, + "panelIndex": "8788d810-774f-4190-bc01-16fb04c0b38c", 
+ "panelRefName": "panel_5", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "51db6286-e72d-4a6c-99f5-363f17bb333a", + "w": 10, + "x": 19, + "y": 22 + }, + "panelIndex": "51db6286-e72d-4a6c-99f5-363f17bb333a", + "panelRefName": "panel_6", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "4dbff662-ebdd-4b6d-910b-1b80bd4e9045", + "w": 19, + "x": 29, + "y": 22 + }, + "panelIndex": "4dbff662-ebdd-4b6d-910b-1b80bd4e9045", + "panelRefName": "panel_7", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "f7fb86cb-c07f-4489-afaa-942bcacfedda", + "w": 19, + "x": 0, + "y": 37 + }, + "panelIndex": "f7fb86cb-c07f-4489-afaa-942bcacfedda", + "panelRefName": "panel_8", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "e640ab8b-1aa8-4a33-9df9-bbb6cc1fe264", + "w": 10, + "x": 19, + "y": 37 + }, + "panelIndex": "e640ab8b-1aa8-4a33-9df9-bbb6cc1fe264", + "panelRefName": "panel_9", + "version": "7.11.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "ca86a2c7-7b2e-4c16-bbba-02e5a09aa7ce", + "w": 19, + "x": 29, + "y": 37 + }, + "panelIndex": "ca86a2c7-7b2e-4c16-bbba-02e5a09aa7ce", + "panelRefName": "panel_10", + "version": "7.11.0" + } + ], + "timeRestore": false, + "title": "[Filebeat Threat Intel] Overview", + "version": 1 + }, + "id": "ad9c7430-72de-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "dashboard": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "92961600-7621-11eb-a3e3-b3cc7c78a70f", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "c049e1c0-72d5-11eb-a3e3-b3cc7c78a70f", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "6ce04320-72d1-11eb-a3e3-b3cc7c78a70f", + "name": "panel_2", + "type": "visualization" + 
}, + { + "id": "81f16940-72d3-11eb-a3e3-b3cc7c78a70f", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "1a1c60c0-72d5-11eb-a3e3-b3cc7c78a70f", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "9282afc0-72d9-11eb-a3e3-b3cc7c78a70f", + "name": "panel_5", + "type": "lens" + }, + { + "id": "f9f89660-72d9-11eb-a3e3-b3cc7c78a70f", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "9047e8b0-72de-11eb-a3e3-b3cc7c78a70f", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "b9aa1d70-72db-11eb-a3e3-b3cc7c78a70f", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "aebde030-72d2-11eb-a3e3-b3cc7c78a70f", + "name": "panel_9", + "type": "visualization" + }, + { + "id": "c813c5d0-72dd-11eb-a3e3-b3cc7c78a70f", + "name": "panel_10", + "type": "visualization" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "dashboard", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNDEsMl0=" + }, + { + "attributes": { + "description": "Feed and provider selector for indicators ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Feed and Indicator Selector [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "controls": [ + { + "fieldName": "event.dataset", + "id": "1614117070660", + "indexPatternRefName": "control_0_index_pattern", + "label": "Feed Name", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "", + "type": "list" + }, + { + "fieldName": "threatintel.indicator.provider", + "id": "1614117093181", + "indexPatternRefName": "control_1_index_pattern", + "label": "Indicator Provider", + "options": { + "dynamicOptions": true, + "multiselect": 
true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "", + "type": "list" + }, + { + "fieldName": "threatintel.indicator.type", + "id": "1614117117360", + "indexPatternRefName": "control_2_index_pattern", + "label": "Indicator Type", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "", + "type": "list" + } + ], + "pinFilters": false, + "updateFiltersOnChange": false, + "useTimeFilter": false + }, + "title": "Feed and Indicator Selector [Filebeat Threat Intel]", + "type": "input_control_vis" + } + }, + "id": "92961600-7621-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "control_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "control_1_index_pattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "control_2_index_pattern", + "type": "index-pattern" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyMzAsMl0=" + }, + { + "attributes": { + "description": "Total number of datasets reflected by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "event.dataset" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Total Datasets [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ 
+ { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Total Datasets", + "field": "event.dataset" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Total Datasets [Filebeat Threat Intel]", + "type": "metric" + } + }, + "id": "c049e1c0-72d5-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyMzEsMl0=" + }, + { + "attributes": { + "description": "Total number of indicators ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "event.dataset" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Total Indicators [Filebeat Threat Intel]", + "uiStateJSON": {}, + 
"version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Total Indicators" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Total Indicators [Filebeat Threat Intel]", + "type": "metric" + } + }, + "id": "6ce04320-72d1-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyMzIsMl0=" + }, + { + "attributes": { + "description": "Total number of indicators by dataset ingested by the threat intel Filebeat module. 
Top 10 datasets.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "event.dataset" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Total Indicators per Dataset [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "event.dataset", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": true, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Total Indicators per Dataset [Filebeat Threat Intel]", + "type": "pie" + } + }, + "id": "81f16940-72d3-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyMzMsMl0=" + }, + { + "attributes": { + 
"description": "Types of indicators by dataset ingested by the threat intel Filebeat module. Top 10 datasets and top 10 indicator types.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "event.dataset" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "type": "exists", + "value": "exists" + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.type" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threatintel.indicator.type", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Indicator Type per Dataset [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "event.dataset", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "threatintel.indicator.type", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": true, + "truncate": 100, + "values": true + }, + "legendPosition": "right", 
+ "type": "pie" + }, + "title": "Indicator Type per Dataset [Filebeat Threat Intel]", + "type": "pie" + } + }, + "id": "1a1c60c0-72d5-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyMzQsMl0=" + }, + { + "attributes": { + "description": "Total number of indicators by type ingested by the threat intel Filebeat module. Top 10 types.", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "9e3d1f18-6e1e-4e13-8b0b-9b17d12a15f2": { + "columnOrder": [ + "a6319ec8-2ec8-4d3a-bc54-efe0a306786f", + "1e5c28a2-6405-44ee-bdf1-8bdd03bdf919" + ], + "columns": { + "1e5c28a2-6405-44ee-bdf1-8bdd03bdf919": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "a6319ec8-2ec8-4d3a-bc54-efe0a306786f": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of threatintel.indicator.type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "1e5c28a2-6405-44ee-bdf1-8bdd03bdf919", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threatintel.indicator.type" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + 
"meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-0", + "key": "event.module", + "negate": false, + "params": { + "query": "threatintel" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.module": "threatintel" + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.type" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-1", + "key": "threatintel.indicator.type", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "a6319ec8-2ec8-4d3a-bc54-efe0a306786f" + ], + "layerId": "9e3d1f18-6e1e-4e13-8b0b-9b17d12a15f2", + "legendDisplay": "show", + "metric": "1e5c28a2-6405-44ee-bdf1-8bdd03bdf919", + "nestedLegend": false, + "numberDisplay": "value", + "percentDecimals": 2 + } + ], + "palette": { + "name": "default", + "type": "palette" + }, + "shape": "treemap" + } + }, + "title": "Total Indicators per Type [Filebeat Threat Intel]", + "visualizationType": "lnsPie" + }, + "id": "9282afc0-72d9-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "lens": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-9e3d1f18-6e1e-4e13-8b0b-9b17d12a15f2", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-1", + "type": "index-pattern" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-ref-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "lens", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyMzUsMl0=" + 
}, + { + "attributes": { + "description": "Tags for indicators ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Indicator Tag Cloud [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "exclude": "forwarded|threatintel-anomali|threatintel-otx|threatintel-abuseurls|threatintel-abusemalware", + "field": "tags", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 100 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "maxFontSize": 30, + "minFontSize": 5, + "orientation": "single", + "scale": "linear", + "showLabel": false + }, + "title": "Indicator Tag Cloud [Filebeat Threat Intel]", + "type": "tagcloud" + } + }, + "id": "f9f89660-72d9-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyMzYsMl0=" + }, + { + "attributes": { + "description": "Total number of indicators by provider ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Total Indicators per Provider [Filebeat Threat Intel]", + "uiStateJSON": { + "vis": { 
+ "colors": { + "Count": "#806EB7" + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Threat Indicator Provider", + "field": "threatintel.indicator.provider", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "group", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 200 + }, + "position": "left", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "grid": { + "categoryLines": false, + "valueAxis": "ValueAxis-1" + }, + "labels": { + "show": true + }, + "legendPosition": "right", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "lineWidth": 2, + "mode": "normal", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": true, + "rotate": 75, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "bottom", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "Total Indicators per Provider [Filebeat Threat Intel]", + "type": "horizontal_bar" + } + }, + "id": "9047e8b0-72de-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + 
"default" + ], + "references": [ + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyMzcsMl0=" + }, + { + "attributes": { + "description": "Timeline of indicators by dataset ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "event.dataset" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Indicator Ingest Timeline per Dataset [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Indicators per Dataset" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Ingest Timestamp", + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-90d", + "to": "now" + }, + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "event.dataset", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "group", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": 
false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "grid": { + "categoryLines": false + }, + "labels": {}, + "legendPosition": "right", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Indicators per Dataset" + }, + "drawLinesBetweenPoints": true, + "interpolate": "linear", + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "area", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "type": "area", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Indicators per Dataset" + }, + "type": "value" + } + ] + }, + "title": "Indicator Ingest Timeline per Dataset [Filebeat Threat Intel]", + "type": "area" + } + }, + "id": "b9aa1d70-72db-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyMzgsMl0=" + }, + { + "attributes": { + "description": "TLP of indicators ingested by the threat intel Filebeat module. 
Top 10 datasets.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.marking.tlp" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "threatintel.indicator.marking.tlp", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Indicator TLP [Filebeat Threat Intel]", + "uiStateJSON": { + "vis": { + "colors": { + "green": "#7EB26D", + "white": "#E0F9D7" + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Indicator Marking TLP", + "field": "threatintel.indicator.marking.tlp", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "threatintel.indicator.marking.tlp", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "group", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "grid": { + "categoryLines": false + }, + "labels": { + "show": true + }, + "legendPosition": "right", + "seriesParams": 
[ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "Indicator TLP [Filebeat Threat Intel]", + "type": "histogram" + } + }, + "id": "aebde030-72d2-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyMzksMl0=" + }, + { + "attributes": { + "description": "Timeline of indicators by type ingested by the threat intel Filebeat module.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "threatintel.indicator.type" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "threatintel.indicator.type", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "query": { + "language": "kuery", + "query": "" + } 
+ } + }, + "savedSearchRefName": "search_0", + "title": "Indicator Ingest Timeline per Type [Filebeat Threat Intel]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Count of Indicator by Type" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Ingest Timestamp", + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-90d", + "to": "now" + }, + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "threatintel.indicator.type", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "group", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "grid": { + "categoryLines": false + }, + "labels": {}, + "legendPosition": "right", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count of Indicator by Type" + }, + "drawLinesBetweenPoints": true, + "interpolate": "linear", + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "area", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "type": "area", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + 
"truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count of Indicator by Type" + }, + "type": "value" + } + ] + }, + "title": "Indicator Ingest Timeline per Type [Filebeat Threat Intel]", + "type": "area" + } + }, + "id": "c813c5d0-72dd-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "visualization": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "name": "search_0", + "type": "search" + }, + { + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "name": "tag-d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "type": "tag" + } + ], + "type": "visualization", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyNDAsMl0=" + }, + { + "attributes": { + "color": "#a548ae", + "description": "Tag for indicators ingested by the Threat Intel Filebeat module.", + "name": "threat intel" + }, + "id": "d6ef8f20-70a9-11eb-a3e3-b3cc7c78a70f", + "namespaces": [ + "default" + ], + "references": [], + "type": "tag", + "updated_at": "2021-03-10T19:01:18.125Z", + "version": "WzIyMTcsMl0=" + }, + { + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.module", + "negate": false, + "params": { + "query": "threatintel" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.module": "threatintel" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.category", + "negate": false, + "params": { + "query": "threat" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.category": "threat" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "key": "event.kind", + "negate": false, + "params": { + "query": "enrichment" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "enrichment" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", + "key": "event.type", + "negate": false, + "params": { + "query": "indicator" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.type": "indicator" + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [], + "title": "All Logs [Filebeat Threat Intel] ECS", + "version": 1 + }, + "id": "6acbb070-72d0-11eb-a3e3-b3cc7c78a70f", + "migrationVersion": { + "search": "7.9.3" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", + "type": 
"index-pattern" + } + ], + "type": "search", + "updated_at": "2021-03-10T19:01:19.048Z", + "version": "WzIyMTksMl0=" + } + ], + "version": "7.11.1" +} \ No newline at end of file