diff --git a/auditbeat/Makefile b/auditbeat/Makefile
index d3e3e95c63a1..14c1b774f7b1 100644
--- a/auditbeat/Makefile
+++ b/auditbeat/Makefile
@@ -82,4 +82,5 @@ kibana:
 @-rm -rf _meta/kibana
 @mkdir -p _meta/kibana
 @-cp -pr module/*/_meta/kibana _meta/
-
+@# Convert all dashboards to string
+@python ${ES_BEATS}/libbeat/scripts/unpack_dashboards.py --glob="./_meta/kibana/6/dashboard/*.json"
diff --git a/auditbeat/module/auditd/_meta/kibana/6/dashboard/auditbeat-kernel-executions.json b/auditbeat/module/auditd/_meta/kibana/6/dashboard/auditbeat-kernel-executions.json
index 1b0f82ea59b4..9cb989fb0cea 100644
--- a/auditbeat/module/auditd/_meta/kibana/6/dashboard/auditbeat-kernel-executions.json
+++ b/auditbeat/module/auditd/_meta/kibana/6/dashboard/auditbeat-kernel-executions.json
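Review bot: The new comment `@# Convert all dashboards to string` states the opposite direction from what the script name `unpack_dashboards.py` implies, and the dashboard hunks in this same commit show the string-encoded `searchSourceJSON`/`visState`/`panelsJSON` values being expanded into nested objects, so one of the two is misleading to the next maintainer. If the script does re-serialize those nested objects back into the string form that Kibana's saved-object import expects, say so explicitly, e.g. `@# Re-pack nested searchSourceJSON/visState/panelsJSON back into the string form Kibana imports`; if it does not, the `kibana` target would now ship dashboards in a shape the 6.x import API may reject, which is worth verifying before merge. The glob is also pinned to `_meta/kibana/6/dashboard/*.json`, so anything the preceding `cp -pr module/*/_meta/kibana _meta/` line copies under a different Kibana version directory would be left untouched; if only the 6.x layout exists that is fine, but a short comment saying so would prevent a silent gap later. Leaving the recipe line without a leading `-` is the right call, since a failure of the conversion step then fails the target instead of producing half-converted files.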
@@ -1,99 +1,336 @@ { - "objects": [ - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"filter\": [],\n \"query\": {\n \"query\": \"\",\n \"language\": \"lucene\"\n }\n}" - }, - "savedSearchId": "d382f5b0-c1c6-11e7-8995-936807a28b16", - "title": "Error Codes [Auditbeat Auditd Executions]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\n \"title\": \"Error Codes [Auditbeat Auditd Executions]\",\n \"type\": \"pie\",\n \"params\": {\n \"type\": \"pie\",\n \"addTooltip\": true,\n \"addLegend\": true,\n \"legendPosition\": \"right\",\n \"isDonut\": true\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"auditd.data.exit\",\n \"exclude\": \"0\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"1\"\n }\n }\n ]\n}" - }, - "id": "20a8e8d0-c1c8-11e7-8995-936807a28b16", - "type": "visualization", - "updated_at": "2018-01-16T22:10:23.921Z", - "version": 4 - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"index\": \"auditbeat-*\",\n \"filter\": [],\n \"query\": {\n \"query\": \"\",\n \"language\": \"lucene\"\n }\n}" - }, - "title": "Primary Username Tag Cloud [Auditbeat Auditd]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\n \"title\": \"Primary Username Tag Cloud [Auditbeat Auditd]\",\n \"type\": \"tagcloud\",\n \"params\": {\n \"scale\": \"linear\",\n \"orientation\": \"single\",\n \"minFontSize\": 18,\n \"maxFontSize\": 45\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"auditd.summary.actor.primary\",\n \"size\": 10,\n \"order\": 
\"desc\",\n \"orderBy\": \"1\"\n }\n }\n ]\n}" - }, - "id": "f81a6de0-c1c1-11e7-8995-936807a28b16", - "type": "visualization", - "updated_at": "2018-01-16T22:12:18.730Z", - "version": 3 - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" - }, - "savedSearchId": "d382f5b0-c1c6-11e7-8995-936807a28b16", - "title": "Exe Name Tag Cloud [Auditbeat Auditd Executions]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"title\":\"Exe Name Tag Cloud [Auditbeat Auditd Executions]\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":14,\"maxFontSize\":45},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"process.exe\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}]}" - }, - "id": "2efac370-c1ca-11e7-8995-936807a28b16", - "type": "visualization", - "updated_at": "2018-01-16T22:57:41.411Z", - "version": 4 - }, - { - "attributes": { - "columns": [ - "beat.hostname", - "process.args", - "auditd.summary.actor.primary", - "auditd.summary.actor.secondary", - "process.exe" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": 
"{\"index\":\"auditbeat-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"auditbeat-*\",\"key\":\"event.module\",\"negate\":false,\"params\":{\"query\":\"auditd\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"auditd\"},\"query\":{\"match\":{\"event.module\":{\"query\":\"auditd\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"auditbeat-*\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"executed\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"executed\"},\"query\":{\"match\":{\"event.action\":{\"query\":\"executed\",\"type\":\"phrase\"}}}}]}" - }, - "sort": [ - "@timestamp", - "desc" - ], - "title": "Process Executions [Auditbeat Auditd]", - "version": 1 - }, - "id": "d382f5b0-c1c6-11e7-8995-936807a28b16", - "type": "search", - "updated_at": "2018-01-16T22:26:35.050Z", - "version": 5 - }, - { - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"highlightAll\":true,\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false,\"useMargins\":false}", - "panelsJSON": 
"[{\"gridData\":{\"h\":3,\"i\":\"1\",\"w\":4,\"x\":4,\"y\":0},\"id\":\"20a8e8d0-c1c8-11e7-8995-936807a28b16\",\"panelIndex\":\"1\",\"type\":\"visualization\",\"version\":\"6.2.4\"},{\"gridData\":{\"h\":3,\"i\":\"3\",\"w\":4,\"x\":8,\"y\":0},\"id\":\"f81a6de0-c1c1-11e7-8995-936807a28b16\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"version\":\"6.2.4\"},{\"gridData\":{\"h\":3,\"i\":\"5\",\"w\":4,\"x\":0,\"y\":0},\"id\":\"2efac370-c1ca-11e7-8995-936807a28b16\",\"panelIndex\":\"5\",\"type\":\"visualization\",\"version\":\"6.2.4\"},{\"gridData\":{\"h\":5,\"i\":\"6\",\"w\":12,\"x\":0,\"y\":3},\"id\":\"d382f5b0-c1c6-11e7-8995-936807a28b16\",\"panelIndex\":\"6\",\"type\":\"search\",\"version\":\"6.2.4\"}]", - "timeRestore": false, - "title": "[Auditbeat Auditd] Executions", - "version": 1 - }, - "id": "7de391b0-c1ca-11e7-8995-936807a28b16", - "type": "dashboard", - "updated_at": "2018-01-16T22:58:11.243Z", - "version": 5 - } - ], - "version": "6.2.4" -} + "objects": [ + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "lucene", + "query": "" + } + } + }, + "savedSearchId": "d382f5b0-c1c6-11e7-8995-936807a28b16", + "title": "Error Codes [Auditbeat Auditd Executions]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "exclude": "0", + "field": "auditd.data.exit", + "order": "desc", + "orderBy": "1", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "legendPosition": "right", + "type": "pie" + }, + "title": "Error Codes [Auditbeat Auditd Executions]", + "type": "pie" + } + }, + "id": "20a8e8d0-c1c8-11e7-8995-936807a28b16", + "type": "visualization", + "updated_at": "2018-01-16T22:10:23.921Z", + "version": 4 + }, + { + 
"attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Primary Username Tag Cloud [Auditbeat Auditd]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "auditd.summary.actor.primary", + "order": "desc", + "orderBy": "1", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "maxFontSize": 45, + "minFontSize": 18, + "orientation": "single", + "scale": "linear" + }, + "title": "Primary Username Tag Cloud [Auditbeat Auditd]", + "type": "tagcloud" + } + }, + "id": "f81a6de0-c1c1-11e7-8995-936807a28b16", + "type": "visualization", + "updated_at": "2018-01-16T22:12:18.730Z", + "version": 3 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "lucene", + "query": "" + } + } + }, + "savedSearchId": "d382f5b0-c1c6-11e7-8995-936807a28b16", + "title": "Exe Name Tag Cloud [Auditbeat Auditd Executions]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "process.exe", + "order": "desc", + "orderBy": "1", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "maxFontSize": 45, + "minFontSize": 14, + "orientation": "single", + "scale": "linear" + }, + "title": "Exe Name Tag Cloud [Auditbeat Auditd Executions]", + "type": "tagcloud" + } + }, + "id": "2efac370-c1ca-11e7-8995-936807a28b16", + "type": "visualization", + "updated_at": "2018-01-16T22:57:41.411Z", + "version": 4 + }, + { + "attributes": { + "columns": [ + "beat.hostname", + 
"process.args", + "auditd.summary.actor.primary", + "auditd.summary.actor.secondary", + "process.exe" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.module", + "negate": false, + "params": { + "query": "auditd", + "type": "phrase" + }, + "type": "phrase", + "value": "auditd" + }, + "query": { + "match": { + "event.module": { + "query": "auditd", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.action", + "negate": false, + "params": { + "query": "executed", + "type": "phrase" + }, + "type": "phrase", + "value": "executed" + }, + "query": { + "match": { + "event.action": { + "query": "executed", + "type": "phrase" + } + } + } + } + ], + "highlightAll": true, + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "*" + }, + "version": true + } + }, + "sort": [ + "@timestamp", + "desc" + ], + "title": "Process Executions [Auditbeat Auditd]", + "version": 1 + }, + "id": "d382f5b0-c1c6-11e7-8995-936807a28b16", + "type": "search", + "updated_at": "2018-01-16T22:26:35.050Z", + "version": 5 + }, + { + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "query": { + "language": "lucene", + "query": "" + }, + "version": true + } + }, + "optionsJSON": { + "darkTheme": false, + "useMargins": false + }, + "panelsJSON": [ + { + "gridData": { + "h": 3, + "i": "1", + "w": 4, + "x": 4, + "y": 0 + }, + "id": "20a8e8d0-c1c8-11e7-8995-936807a28b16", + "panelIndex": "1", + "type": "visualization", + "version": "6.2.4" + }, + { + "gridData": { + "h": 3, + "i": "3", + "w": 4, + "x": 8, + "y": 0 + }, + "id": "f81a6de0-c1c1-11e7-8995-936807a28b16", + "panelIndex": 
"3", + "type": "visualization", + "version": "6.2.4" + }, + { + "gridData": { + "h": 3, + "i": "5", + "w": 4, + "x": 0, + "y": 0 + }, + "id": "2efac370-c1ca-11e7-8995-936807a28b16", + "panelIndex": "5", + "type": "visualization", + "version": "6.2.4" + }, + { + "gridData": { + "h": 5, + "i": "6", + "w": 12, + "x": 0, + "y": 3 + }, + "id": "d382f5b0-c1c6-11e7-8995-936807a28b16", + "panelIndex": "6", + "type": "search", + "version": "6.2.4" + } + ], + "timeRestore": false, + "title": "[Auditbeat Auditd] Executions", + "version": 1 + }, + "id": "7de391b0-c1ca-11e7-8995-936807a28b16", + "type": "dashboard", + "updated_at": "2018-01-16T22:58:11.243Z", + "version": 5 + } + ], + "version": "6.2.4" +} \ No newline at end of file diff --git a/auditbeat/module/auditd/_meta/kibana/6/dashboard/auditbeat-kernel-overview.json b/auditbeat/module/auditd/_meta/kibana/6/dashboard/auditbeat-kernel-overview.json index 99e1a24ccae8..d487e8b8f9ab 100644 --- a/auditbeat/module/auditd/_meta/kibana/6/dashboard/auditbeat-kernel-overview.json +++ b/auditbeat/module/auditd/_meta/kibana/6/dashboard/auditbeat-kernel-overview.json 
@@ -1,86 +1,283 @@ { - "objects": [ - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Event Actions [Auditbeat Auditd Overview]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\n \"title\": \"Event Actions [Auditbeat Auditd Overview]\",\n \"type\": \"metrics\",\n \"params\": {\n \"id\": \"61ca57f0-469d-11e7-af02-69e470af7417\",\n \"type\": \"timeseries\",\n \"series\": [\n {\n \"id\": \"61ca57f1-469d-11e7-af02-69e470af7417\",\n \"color\": \"#68BC00\",\n \"split_mode\": \"terms\",\n \"metrics\": [\n {\n \"id\": \"6b9fb2d0-c1bc-11e7-938f-ab0645b6c431\",\n \"type\": \"count\"\n }\n ],\n \"seperate_axis\": 0,\n \"axis_position\": \"right\",\n \"formatter\": \"number\",\n \"chart_type\": \"line\",\n \"line_width\": 1,\n \"point_size\": 1,\n \"fill\": 0.5,\n \"stacked\": \"none\",\n \"terms_field\": \"event.action\",\n \"label\": \"Actions\"\n }\n ],\n \"time_field\": \"@timestamp\",\n \"index_pattern\": \"auditbeat-*\",\n \"interval\": \"auto\",\n \"axis_position\": \"left\",\n \"axis_formatter\": \"number\",\n \"show_legend\": 1,\n \"show_grid\": 1,\n \"filter\": \"event.module:auditd\",\n \"background_color_rules\": [\n {\n \"id\": \"58c95a20-c1bd-11e7-938f-ab0645b6c431\"\n }\n ],\n \"bar_color_rules\": [\n {\n \"id\": \"5bfc71a0-c1bd-11e7-938f-ab0645b6c431\"\n }\n ],\n \"gauge_color_rules\": [\n {\n \"id\": \"5d20a650-c1bd-11e7-938f-ab0645b6c431\"\n }\n ],\n \"gauge_width\": 10,\n \"gauge_inner_width\": 10,\n \"gauge_style\": \"half\",\n \"legend_position\": \"left\"\n },\n \"aggs\": []\n}" - }, - "id": "97680df0-c1c0-11e7-8995-936807a28b16", - "type": "visualization", - "updated_at": "2018-01-16T22:11:01.438Z", - "version": 3 - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"index\": \"auditbeat-*\",\n \"filter\": [],\n \"query\": {\n \"query\": \"\",\n \"language\": \"lucene\"\n }\n}" - }, - "savedSearchId": 
"0f10c430-c1c3-11e7-8995-936807a28b16", - "title": "Event Categories [Auditbeat Auditd]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\n \"title\": \"Event Categories [Auditbeat Auditd]\",\n \"type\": \"pie\",\n \"params\": {\n \"type\": \"pie\",\n \"addTooltip\": true,\n \"addLegend\": true,\n \"legendPosition\": \"right\",\n \"isDonut\": true\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"event.category\",\n \"size\": 5,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Category\"\n }\n },\n {\n \"id\": \"3\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"event.action\",\n \"size\": 20,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Action\"\n }\n }\n ]\n}" - }, - "id": "08679220-c25a-11e7-8692-232bd1143e8a", - "type": "visualization", - "updated_at": "2018-01-16T22:54:10.330Z", - "version": 4 - }, - { - "attributes": { - "columns": [ - "beat.hostname", - "auditd.summary.actor.primary", - "auditd.summary.actor.secondary", - "event.action", - "auditd.summary.object.type", - "auditd.summary.object.primary", - "auditd.summary.object.secondary", - "auditd.summary.how", - "auditd.result" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"auditbeat-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"negate\":false,\"index\":\"auditbeat-*\",\"type\":\"phrase\",\"key\":\"event.module\",\"value\":\"auditd\",\"params\":{\"query\":\"auditd\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"event.module\":{\"query\":\"auditd\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}" - }, - "sort": [ - "@timestamp", - 
"desc" - ], - "title": "Audit Event Table [Auditbeat Auditd]", - "version": 1 - }, - "id": "0f10c430-c1c3-11e7-8995-936807a28b16", - "type": "search", - "updated_at": "2018-01-16T22:51:24.572Z", - "version": 4 - }, - { - "attributes": { - "description": "Summary of Linux kernel audit events.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"highlightAll\":true,\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false,\"useMargins\":false}", - "panelsJSON": "[{\"gridData\":{\"h\":3,\"i\":\"1\",\"w\":7,\"x\":0,\"y\":0},\"id\":\"97680df0-c1c0-11e7-8995-936807a28b16\",\"panelIndex\":\"1\",\"type\":\"visualization\",\"version\":\"6.2.4\"},{\"gridData\":{\"h\":3,\"i\":\"4\",\"w\":5,\"x\":7,\"y\":0},\"id\":\"08679220-c25a-11e7-8692-232bd1143e8a\",\"panelIndex\":\"4\",\"type\":\"visualization\",\"version\":\"6.2.4\"},{\"gridData\":{\"h\":5,\"i\":\"5\",\"w\":12,\"x\":0,\"y\":3},\"id\":\"0f10c430-c1c3-11e7-8995-936807a28b16\",\"panelIndex\":\"5\",\"type\":\"search\",\"version\":\"6.2.4\"}]", - "timeRestore": false, - "title": "[Auditbeat Auditd] Overview", - "version": 1 - }, - "id": "c0ac2c00-c1c0-11e7-8995-936807a28b16", - "type": "dashboard", - "updated_at": "2018-01-16T22:55:17.775Z", - "version": 5 - } - ], - "version": "6.2.4" -} + "objects": [ + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": {} + }, + "title": "Event Actions [Auditbeat Auditd Overview]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "background_color_rules": [ + { + "id": "58c95a20-c1bd-11e7-938f-ab0645b6c431" + } + ], + "bar_color_rules": [ + { + "id": "5bfc71a0-c1bd-11e7-938f-ab0645b6c431" + } + ], + "filter": "event.module:auditd", + "gauge_color_rules": [ + { + "id": "5d20a650-c1bd-11e7-938f-ab0645b6c431" + } + ], + "gauge_inner_width": 10, + "gauge_style": "half", + 
"gauge_width": 10, + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "auditbeat-*", + "interval": "auto", + "legend_position": "left", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "Actions", + "line_width": 1, + "metrics": [ + { + "id": "6b9fb2d0-c1bc-11e7-938f-ab0645b6c431", + "type": "count" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_mode": "terms", + "stacked": "none", + "terms_field": "event.action" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "Event Actions [Auditbeat Auditd Overview]", + "type": "metrics" + } + }, + "id": "97680df0-c1c0-11e7-8995-936807a28b16", + "type": "visualization", + "updated_at": "2018-01-16T22:11:01.438Z", + "version": 3 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "savedSearchId": "0f10c430-c1c3-11e7-8995-936807a28b16", + "title": "Event Categories [Auditbeat Auditd]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Category", + "field": "event.category", + "order": "desc", + "orderBy": "1", + "size": 5 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Action", + "field": "event.action", + "order": "desc", + "orderBy": "1", + "size": 20 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "legendPosition": "right", + "type": "pie" + }, + "title": "Event Categories [Auditbeat Auditd]", + "type": "pie" + 
} + }, + "id": "08679220-c25a-11e7-8692-232bd1143e8a", + "type": "visualization", + "updated_at": "2018-01-16T22:54:10.330Z", + "version": 4 + }, + { + "attributes": { + "columns": [ + "beat.hostname", + "auditd.summary.actor.primary", + "auditd.summary.actor.secondary", + "event.action", + "auditd.summary.object.type", + "auditd.summary.object.primary", + "auditd.summary.object.secondary", + "auditd.summary.how", + "auditd.result" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.module", + "negate": false, + "params": { + "query": "auditd", + "type": "phrase" + }, + "type": "phrase", + "value": "auditd" + }, + "query": { + "match": { + "event.module": { + "query": "auditd", + "type": "phrase" + } + } + } + } + ], + "highlightAll": true, + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + }, + "version": true + } + }, + "sort": [ + "@timestamp", + "desc" + ], + "title": "Audit Event Table [Auditbeat Auditd]", + "version": 1 + }, + "id": "0f10c430-c1c3-11e7-8995-936807a28b16", + "type": "search", + "updated_at": "2018-01-16T22:51:24.572Z", + "version": 4 + }, + { + "attributes": { + "description": "Summary of Linux kernel audit events.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "query": { + "language": "lucene", + "query": "" + }, + "version": true + } + }, + "optionsJSON": { + "darkTheme": false, + "useMargins": false + }, + "panelsJSON": [ + { + "gridData": { + "h": 3, + "i": "1", + "w": 7, + "x": 0, + "y": 0 + }, + "id": "97680df0-c1c0-11e7-8995-936807a28b16", + "panelIndex": "1", + "type": "visualization", + "version": "6.2.4" + }, + { + "gridData": { + "h": 3, + "i": "4", + "w": 5, + "x": 7, + "y": 0 + }, + "id": "08679220-c25a-11e7-8692-232bd1143e8a", + "panelIndex": "4", + 
"type": "visualization", + "version": "6.2.4" + }, + { + "gridData": { + "h": 5, + "i": "5", + "w": 12, + "x": 0, + "y": 3 + }, + "id": "0f10c430-c1c3-11e7-8995-936807a28b16", + "panelIndex": "5", + "type": "search", + "version": "6.2.4" + } + ], + "timeRestore": false, + "title": "[Auditbeat Auditd] Overview", + "version": 1 + }, + "id": "c0ac2c00-c1c0-11e7-8995-936807a28b16", + "type": "dashboard", + "updated_at": "2018-01-16T22:55:17.775Z", + "version": 5 + } + ], + "version": "6.2.4" +} \ No newline at end of file diff --git a/auditbeat/module/auditd/_meta/kibana/6/dashboard/auditbeat-kernel-sockets.json b/auditbeat/module/auditd/_meta/kibana/6/dashboard/auditbeat-kernel-sockets.json index f78214b286dc..7ef3d93453b3 100644 --- a/auditbeat/module/auditd/_meta/kibana/6/dashboard/auditbeat-kernel-sockets.json +++ b/auditbeat/module/auditd/_meta/kibana/6/dashboard/auditbeat-kernel-sockets.json 
@@ -1,188 +1,930 @@ { - "objects": [ - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"filter\": [\n {\n \"meta\": {\n \"index\": \"auditbeat-*\",\n \"negate\": true,\n \"type\": \"phrase\",\n \"key\": \"auditd.summary.object.secondary\",\n \"value\": \"0\",\n \"params\": {\n \"query\": \"0\",\n \"type\": \"phrase\"\n },\n \"disabled\": false,\n \"alias\": null,\n \"apply\": true\n },\n \"query\": {\n \"match\": {\n \"auditd.summary.object.secondary\": {\n \"query\": \"0\",\n \"type\": \"phrase\"\n }\n }\n },\n \"$state\": {\n \"store\": \"appState\"\n }\n }\n ],\n \"query\": {\n \"query\": \"\",\n \"language\": \"lucene\"\n }\n}" - }, - "savedSearchId": "b4c93470-c240-11e7-8692-232bd1143e8a", - "title": "Bind (non-ephemeral) [Auditbeat Auditd]", - "uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}", - "version": 1, - "visState": "{\n \"title\": \"Bind (non-ephemeral) [Auditbeat Auditd]\",\n \"type\": \"table\",\n \"params\": {\n \"perPage\": 10,\n \"showPartialRows\": false,\n \"showMeticsAtAllLevels\": false,\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n },\n \"showTotal\": false,\n \"totalFunc\": \"sum\"\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"auditd.summary.how\",\n \"size\": 50,\n \"order\": \"desc\",\n \"orderBy\": \"_term\",\n \"customLabel\": \"Exe\"\n }\n },\n {\n \"id\": \"3\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"auditd.summary.object.primary\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"_term\",\n \"customLabel\": \"Address\"\n }\n },\n {\n \"id\": \"4\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n 
\"params\": {\n \"field\": \"auditd.summary.object.secondary\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"_term\",\n \"customLabel\": \"Port\"\n }\n }\n ]\n}" - }, - "id": "faf882f0-c242-11e7-8692-232bd1143e8a", - "type": "visualization", - "updated_at": "2018-01-16T22:08:02.522Z", - "version": 3 - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"filter\": [],\n \"query\": {\n \"query\": \"\",\n \"language\": \"lucene\"\n }\n}" - }, - "savedSearchId": "5438b030-c246-11e7-8692-232bd1143e8a", - "title": "Connect [Auditbeat Auditd]", - "uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}", - "version": 1, - "visState": "{\n \"title\": \"Connect [Auditbeat Auditd]\",\n \"type\": \"table\",\n \"params\": {\n \"perPage\": 10,\n \"showPartialRows\": false,\n \"showMeticsAtAllLevels\": false,\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n },\n \"showTotal\": false,\n \"totalFunc\": \"sum\"\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"process.exe\",\n \"size\": 50,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Exe\"\n }\n },\n {\n \"id\": \"3\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"auditd.summary.object.primary\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Address\"\n }\n },\n {\n \"id\": \"4\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"auditd.summary.object.secondary\",\n \"size\": 5,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Port\"\n }\n }\n ]\n}" - }, - "id": "ea483730-c246-11e7-8692-232bd1143e8a", - "type": 
"visualization", - "updated_at": "2018-01-16T23:24:16.851Z", - "version": 4 - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"filter\": [],\n \"query\": {\n \"query\": \"\",\n \"language\": \"lucene\"\n }\n}" - }, - "savedSearchId": "e8734160-c24c-11e7-8692-232bd1143e8a", - "title": "Accept / Recvfrom Unique Address Table [Auditbeat Auditd]", - "uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n },\n \"spy\": {\n \"mode\": {\n \"name\": null,\n \"fill\": false\n }\n }\n}", - "version": 1, - "visState": "{\n \"title\": \"Accept / Recvfrom Unique Address Table [Auditbeat Auditd]\",\n \"type\": \"table\",\n \"params\": {\n \"perPage\": 10,\n \"showPartialRows\": false,\n \"showMeticsAtAllLevels\": false,\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n },\n \"showTotal\": false,\n \"totalFunc\": \"sum\"\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"cardinality\",\n \"schema\": \"metric\",\n \"params\": {\n \"field\": \"auditd.summary.object.primary\",\n \"customLabel\": \"Unique Addresses\"\n }\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"process.exe\",\n \"size\": 50,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Exe\"\n }\n },\n {\n \"id\": \"3\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"auditd.data.syscall\",\n \"size\": 5,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Syscall\"\n }\n }\n ]\n}" - }, - "id": "ceb91de0-c250-11e7-8692-232bd1143e8a", - "type": "visualization", - "updated_at": "2018-01-16T22:16:51.535Z", - "version": 5 - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Socket Syscalls Time Series [Auditbeat Auditd]", - "uiStateJSON": "{}", - 
"version": 1, - "visState": "{\n \"title\": \"Socket Syscalls Time Series [Auditbeat Auditd]\",\n \"type\": \"metrics\",\n \"params\": {\n \"id\": \"61ca57f0-469d-11e7-af02-69e470af7417\",\n \"type\": \"timeseries\",\n \"series\": [\n {\n \"id\": \"61ca57f1-469d-11e7-af02-69e470af7417\",\n \"color\": \"#68BC00\",\n \"split_mode\": \"terms\",\n \"metrics\": [\n {\n \"id\": \"61ca57f2-469d-11e7-af02-69e470af7417\",\n \"type\": \"count\"\n }\n ],\n \"seperate_axis\": 0,\n \"axis_position\": \"right\",\n \"formatter\": \"number\",\n \"chart_type\": \"line\",\n \"line_width\": 1,\n \"point_size\": 1,\n \"fill\": 0.5,\n \"stacked\": \"none\",\n \"terms_field\": \"auditd.data.syscall\",\n \"label\": \"syscall\"\n }\n ],\n \"time_field\": \"@timestamp\",\n \"index_pattern\": \"auditbeat-*\",\n \"interval\": \"auto\",\n \"axis_position\": \"left\",\n \"axis_formatter\": \"number\",\n \"show_legend\": 1,\n \"show_grid\": 1,\n \"filter\": \"auditd.summary.object.type:socket\",\n \"legend_position\": \"left\",\n \"bar_color_rules\": [\n {\n \"id\": \"2cebb0c0-c252-11e7-8a68-93ffe9ec5950\"\n }\n ],\n \"gauge_color_rules\": [\n {\n \"id\": \"6c891740-c252-11e7-8a68-93ffe9ec5950\"\n }\n ],\n \"gauge_width\": 10,\n \"gauge_inner_width\": 10,\n \"gauge_style\": \"half\",\n \"background_color_rules\": [\n {\n \"id\": \"95b603d0-c252-11e7-8a68-93ffe9ec5950\"\n }\n ]\n },\n \"aggs\": []\n}" - }, - "id": "b21e0c70-c252-11e7-8692-232bd1143e8a", - "type": "visualization", - "updated_at": "2018-01-16T22:13:38.857Z", - "version": 3 - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"index\": \"auditbeat-*\",\n \"filter\": [],\n \"query\": {\n \"query\": \"\",\n \"language\": \"lucene\"\n }\n}" - }, - "title": "Socket Families [Auditbeat Auditd]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\n \"title\": \"Socket Families [Auditbeat Auditd]\",\n \"type\": \"pie\",\n \"params\": {\n \"type\": \"pie\",\n \"addTooltip\": true,\n 
\"addLegend\": true,\n \"legendPosition\": \"left\",\n \"isDonut\": true\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"auditd.data.socket.family\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Socket Family\"\n }\n },\n {\n \"id\": \"3\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"auditd.data.syscall\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Syscall\"\n }\n }\n ]\n}" - }, - "id": "a8e20450-c256-11e7-8692-232bd1143e8a", - "type": "visualization", - "updated_at": "2018-01-16T22:12:51.655Z", - "version": 3 - }, - { - "attributes": { - "columns": [ - "beat.hostname", - "auditd.summary.how", - "auditd.summary.object.primary", - "auditd.summary.object.secondary", - "auditd.data.socket.family", - "auditd.result" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": 
"{\"index\":\"auditbeat-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"auditbeat-*\",\"key\":\"event.module\",\"negate\":false,\"params\":{\"query\":\"auditd\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"auditd\"},\"query\":{\"match\":{\"event.module\":{\"query\":\"auditd\",\"type\":\"phrase\"}}}},{\"meta\":{\"index\":\"auditbeat-*\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"auditd.data.syscall\",\"value\":\"bind\",\"params\":{\"query\":\"bind\",\"type\":\"phrase\"}},\"query\":{\"match\":{\"auditd.data.syscall\":{\"query\":\"bind\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"negate\":true,\"index\":\"auditbeat-*\",\"type\":\"phrase\",\"key\":\"auditd.data.socket.family\",\"value\":\"netlink\",\"params\":{\"query\":\"netlink\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"auditd.data.socket.family\":{\"query\":\"netlink\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}" - }, - "sort": [ - "@timestamp", - "desc" - ], - "title": "Socket Binds [Auditbeat Auditd]", - "version": 1 - }, - "id": "b4c93470-c240-11e7-8692-232bd1143e8a", - "type": "search", - "updated_at": "2018-01-16T23:05:58.935Z", - "version": 5 - }, - { - "attributes": { - "columns": [ - "beat.hostname", - "auditd.summary.how", - "auditd.summary.object.primary", - "auditd.summary.object.secondary", - "auditd.data.socket.family", - "auditd.result", - "auditd.data.exit" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": 
"{\"index\":\"auditbeat-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"auditbeat-*\",\"key\":\"event.module\",\"negate\":false,\"params\":{\"query\":\"auditd\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"auditd\"},\"query\":{\"match\":{\"event.module\":{\"query\":\"auditd\",\"type\":\"phrase\"}}}},{\"meta\":{\"negate\":false,\"index\":\"auditbeat-*\",\"type\":\"phrase\",\"key\":\"event.action\",\"value\":\"connected-to\",\"params\":{\"query\":\"connected-to\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"event.action\":{\"query\":\"connected-to\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"index\":\"auditbeat-*\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"exists\",\"key\":\"auditd.summary.object.primary\",\"value\":\"exists\"},\"exists\":{\"field\":\"auditd.summary.object.primary\"},\"$state\":{\"store\":\"appState\"}}]}" - }, - "sort": [ - "@timestamp", - "desc" - ], - "title": "Socket Connects [Auditbeat Auditd]", - "version": 1 - }, - "id": "5438b030-c246-11e7-8692-232bd1143e8a", - "type": "search", - "updated_at": "2018-01-16T23:09:43.937Z", - "version": 5 - }, - { - "attributes": { - "columns": [ - "beat.hostname", - "auditd.summary.how", - "auditd.summary.object.primary", - "auditd.summary.object.secondary", - "auditd.data.socket.family", - "event.action" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": 
"{\"index\":\"auditbeat-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"auditbeat-*\",\"key\":\"event.module\",\"negate\":false,\"params\":{\"query\":\"auditd\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"auditd\"},\"query\":{\"match\":{\"event.module\":{\"query\":\"auditd\",\"type\":\"phrase\"}}}},{\"meta\":{\"negate\":false,\"index\":\"auditbeat-*\",\"type\":\"phrase\",\"key\":\"auditd.summary.object.type\",\"value\":\"socket\",\"params\":{\"query\":\"socket\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"auditd.summary.object.type\":{\"query\":\"socket\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"index\":\"auditbeat-*\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"exists\",\"key\":\"auditd.summary.object.primary\",\"value\":\"exists\"},\"exists\":{\"field\":\"auditd.summary.object.primary\"},\"$state\":{\"store\":\"appState\"}},{\"query\":{\"terms\":{\"auditd.data.syscall\":[\"accept\",\"accept4\",\"recvfrom\",\"recvmsg\"]}},\"meta\":{\"negate\":false,\"index\":\"auditbeat-*\",\"disabled\":false,\"alias\":null,\"type\":\"custom\",\"key\":\"query\",\"value\":\"{\\\"terms\\\":{\\\"auditd.data.syscall\\\":[\\\"accept\\\",\\\"accept4\\\",\\\"recvfrom\\\",\\\"recvmsg\\\"]}}\"},\"$state\":{\"store\":\"appState\"}}]}" - }, - "sort": [ - "@timestamp", - "desc" - ], - "title": "Socket Accept / Recvfrom [Auditbeat Auditd]", - "version": 1 - }, - "id": "e8734160-c24c-11e7-8692-232bd1143e8a", - "type": "search", - "updated_at": "2018-01-16T23:20:51.403Z", - "version": 4 - }, - { - "attributes": { - "description": "Summary of socket related syscall events.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[],\"highlightAll\":true,\"version\":true}" - }, - 
"optionsJSON": "{\"darkTheme\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":4,\"i\":\"1\",\"w\":6,\"x\":6,\"y\":3},\"id\":\"faf882f0-c242-11e7-8692-232bd1143e8a\",\"panelIndex\":\"1\",\"type\":\"visualization\",\"version\":\"6.2.4\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":5,\"i\":\"2\",\"w\":6,\"x\":0,\"y\":7},\"id\":\"ea483730-c246-11e7-8692-232bd1143e8a\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.2.4\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":5,\"i\":\"3\",\"w\":6,\"x\":6,\"y\":7},\"id\":\"ceb91de0-c250-11e7-8692-232bd1143e8a\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"version\":\"6.2.4\"},{\"gridData\":{\"h\":3,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"id\":\"b21e0c70-c252-11e7-8692-232bd1143e8a\",\"panelIndex\":\"4\",\"type\":\"visualization\",\"version\":\"6.2.4\"},{\"gridData\":{\"h\":4,\"i\":\"5\",\"w\":6,\"x\":0,\"y\":3},\"id\":\"a8e20450-c256-11e7-8692-232bd1143e8a\",\"panelIndex\":\"5\",\"type\":\"visualization\",\"version\":\"6.2.4\"}]", - "timeRestore": false, - "title": "[Auditbeat Auditd] Sockets", - "version": 1 - }, - "id": "693a5f40-c243-11e7-8692-232bd1143e8a", - "type": "dashboard", - "updated_at": "2018-01-16T23:24:37.521Z", - "version": 4 - } - ], - "version": "6.2.4" -} + "objects": [ + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "apply": true, + "disabled": false, + "index": "auditbeat-*", + "key": "auditd.summary.object.secondary", + "negate": true, + "params": { + "query": "0", + "type": "phrase" + }, + "type": "phrase", + "value": "0" + }, + "query": { + "match": { + "auditd.summary.object.secondary": 
{ + "query": "0", + "type": "phrase" + } + } + } + } + ], + "query": { + "language": "lucene", + "query": "" + } + } + }, + "savedSearchId": "b4c93470-c240-11e7-8692-232bd1143e8a", + "title": "Bind (non-ephemeral) [Auditbeat Auditd]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Exe", + "field": "auditd.summary.how", + "order": "desc", + "orderBy": "_term", + "size": 50 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Address", + "field": "auditd.summary.object.primary", + "order": "desc", + "orderBy": "_term", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "Port", + "field": "auditd.summary.object.secondary", + "order": "desc", + "orderBy": "_term", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "showMeticsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Bind (non-ephemeral) [Auditbeat Auditd]", + "type": "table" + } + }, + "id": "faf882f0-c242-11e7-8692-232bd1143e8a", + "type": "visualization", + "updated_at": "2018-01-16T22:08:02.522Z", + "version": 3 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "lucene", + "query": "" + } + } + }, + "savedSearchId": "5438b030-c246-11e7-8692-232bd1143e8a", + "title": "Connect [Auditbeat Auditd]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + 
"visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Exe", + "field": "process.exe", + "order": "desc", + "orderBy": "1", + "size": 50 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Address", + "field": "auditd.summary.object.primary", + "order": "desc", + "orderBy": "1", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "Port", + "field": "auditd.summary.object.secondary", + "order": "desc", + "orderBy": "1", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "showMeticsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Connect [Auditbeat Auditd]", + "type": "table" + } + }, + "id": "ea483730-c246-11e7-8692-232bd1143e8a", + "type": "visualization", + "updated_at": "2018-01-16T23:24:16.851Z", + "version": 4 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "lucene", + "query": "" + } + } + }, + "savedSearchId": "e8734160-c24c-11e7-8692-232bd1143e8a", + "title": "Accept / Recvfrom Unique Address Table [Auditbeat Auditd]", + "uiStateJSON": { + "spy": { + "mode": { + "fill": false, + "name": null + } + }, + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Unique Addresses", + "field": "auditd.summary.object.primary" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Exe", + "field": "process.exe", + 
"order": "desc", + "orderBy": "1", + "size": 50 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Syscall", + "field": "auditd.data.syscall", + "order": "desc", + "orderBy": "1", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "showMeticsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Accept / Recvfrom Unique Address Table [Auditbeat Auditd]", + "type": "table" + } + }, + "id": "ceb91de0-c250-11e7-8692-232bd1143e8a", + "type": "visualization", + "updated_at": "2018-01-16T22:16:51.535Z", + "version": 5 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": {} + }, + "title": "Socket Syscalls Time Series [Auditbeat Auditd]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "background_color_rules": [ + { + "id": "95b603d0-c252-11e7-8a68-93ffe9ec5950" + } + ], + "bar_color_rules": [ + { + "id": "2cebb0c0-c252-11e7-8a68-93ffe9ec5950" + } + ], + "filter": "auditd.summary.object.type:socket", + "gauge_color_rules": [ + { + "id": "6c891740-c252-11e7-8a68-93ffe9ec5950" + } + ], + "gauge_inner_width": 10, + "gauge_style": "half", + "gauge_width": 10, + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "auditbeat-*", + "interval": "auto", + "legend_position": "left", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "syscall", + "line_width": 1, + "metrics": [ + { + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "count" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_mode": "terms", + "stacked": "none", + "terms_field": 
"auditd.data.syscall" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "Socket Syscalls Time Series [Auditbeat Auditd]", + "type": "metrics" + } + }, + "id": "b21e0c70-c252-11e7-8692-232bd1143e8a", + "type": "visualization", + "updated_at": "2018-01-16T22:13:38.857Z", + "version": 3 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "Socket Families [Auditbeat Auditd]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Socket Family", + "field": "auditd.data.socket.family", + "order": "desc", + "orderBy": "1", + "size": 10 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Syscall", + "field": "auditd.data.syscall", + "order": "desc", + "orderBy": "1", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "legendPosition": "left", + "type": "pie" + }, + "title": "Socket Families [Auditbeat Auditd]", + "type": "pie" + } + }, + "id": "a8e20450-c256-11e7-8692-232bd1143e8a", + "type": "visualization", + "updated_at": "2018-01-16T22:12:51.655Z", + "version": 3 + }, + { + "attributes": { + "columns": [ + "beat.hostname", + "auditd.summary.how", + "auditd.summary.object.primary", + "auditd.summary.object.secondary", + "auditd.data.socket.family", + "auditd.result" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": 
"event.module", + "negate": false, + "params": { + "query": "auditd", + "type": "phrase" + }, + "type": "phrase", + "value": "auditd" + }, + "query": { + "match": { + "event.module": { + "query": "auditd", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "auditd.data.syscall", + "negate": false, + "params": { + "query": "bind", + "type": "phrase" + }, + "type": "phrase", + "value": "bind" + }, + "query": { + "match": { + "auditd.data.syscall": { + "query": "bind", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "auditd.data.socket.family", + "negate": true, + "params": { + "query": "netlink", + "type": "phrase" + }, + "type": "phrase", + "value": "netlink" + }, + "query": { + "match": { + "auditd.data.socket.family": { + "query": "netlink", + "type": "phrase" + } + } + } + } + ], + "highlightAll": true, + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + }, + "version": true + } + }, + "sort": [ + "@timestamp", + "desc" + ], + "title": "Socket Binds [Auditbeat Auditd]", + "version": 1 + }, + "id": "b4c93470-c240-11e7-8692-232bd1143e8a", + "type": "search", + "updated_at": "2018-01-16T23:05:58.935Z", + "version": 5 + }, + { + "attributes": { + "columns": [ + "beat.hostname", + "auditd.summary.how", + "auditd.summary.object.primary", + "auditd.summary.object.secondary", + "auditd.data.socket.family", + "auditd.result", + "auditd.data.exit" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.module", + "negate": false, + "params": { + "query": "auditd", + "type": "phrase" + }, + "type": "phrase", + "value": "auditd" + }, + 
"query": { + "match": { + "event.module": { + "query": "auditd", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.action", + "negate": false, + "params": { + "query": "connected-to", + "type": "phrase" + }, + "type": "phrase", + "value": "connected-to" + }, + "query": { + "match": { + "event.action": { + "query": "connected-to", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "auditd.summary.object.primary" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "auditd.summary.object.primary", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "highlightAll": true, + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + }, + "version": true + } + }, + "sort": [ + "@timestamp", + "desc" + ], + "title": "Socket Connects [Auditbeat Auditd]", + "version": 1 + }, + "id": "5438b030-c246-11e7-8692-232bd1143e8a", + "type": "search", + "updated_at": "2018-01-16T23:09:43.937Z", + "version": 5 + }, + { + "attributes": { + "columns": [ + "beat.hostname", + "auditd.summary.how", + "auditd.summary.object.primary", + "auditd.summary.object.secondary", + "auditd.data.socket.family", + "event.action" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.module", + "negate": false, + "params": { + "query": "auditd", + "type": "phrase" + }, + "type": "phrase", + "value": "auditd" + }, + "query": { + "match": { + "event.module": { + "query": "auditd", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": 
"auditd.summary.object.type", + "negate": false, + "params": { + "query": "socket", + "type": "phrase" + }, + "type": "phrase", + "value": "socket" + }, + "query": { + "match": { + "auditd.summary.object.type": { + "query": "socket", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "auditd.summary.object.primary" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "auditd.summary.object.primary", + "negate": false, + "type": "exists", + "value": "exists" + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "query", + "negate": false, + "type": "custom", + "value": "{\"terms\":{\"auditd.data.syscall\":[\"accept\",\"accept4\",\"recvfrom\",\"recvmsg\"]}}" + }, + "query": { + "terms": { + "auditd.data.syscall": [ + "accept", + "accept4", + "recvfrom", + "recvmsg" + ] + } + } + } + ], + "highlightAll": true, + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + }, + "version": true + } + }, + "sort": [ + "@timestamp", + "desc" + ], + "title": "Socket Accept / Recvfrom [Auditbeat Auditd]", + "version": 1 + }, + "id": "e8734160-c24c-11e7-8692-232bd1143e8a", + "type": "search", + "updated_at": "2018-01-16T23:20:51.403Z", + "version": 4 + }, + { + "attributes": { + "description": "Summary of socket related syscall events.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "query": { + "language": "lucene", + "query": "*" + }, + "version": true + } + }, + "optionsJSON": { + "darkTheme": false, + "useMargins": false + }, + "panelsJSON": [ + { + "embeddableConfig": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "gridData": { + "h": 4, + "i": "1", + "w": 6, + "x": 6, + "y": 3 + }, + "id": "faf882f0-c242-11e7-8692-232bd1143e8a", + "panelIndex": "1", + "type": 
"visualization", + "version": "6.2.4" + }, + { + "embeddableConfig": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "gridData": { + "h": 5, + "i": "2", + "w": 6, + "x": 0, + "y": 7 + }, + "id": "ea483730-c246-11e7-8692-232bd1143e8a", + "panelIndex": "2", + "type": "visualization", + "version": "6.2.4" + }, + { + "embeddableConfig": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "gridData": { + "h": 5, + "i": "3", + "w": 6, + "x": 6, + "y": 7 + }, + "id": "ceb91de0-c250-11e7-8692-232bd1143e8a", + "panelIndex": "3", + "type": "visualization", + "version": "6.2.4" + }, + { + "gridData": { + "h": 3, + "i": "4", + "w": 12, + "x": 0, + "y": 0 + }, + "id": "b21e0c70-c252-11e7-8692-232bd1143e8a", + "panelIndex": "4", + "type": "visualization", + "version": "6.2.4" + }, + { + "gridData": { + "h": 4, + "i": "5", + "w": 6, + "x": 0, + "y": 3 + }, + "id": "a8e20450-c256-11e7-8692-232bd1143e8a", + "panelIndex": "5", + "type": "visualization", + "version": "6.2.4" + } + ], + "timeRestore": false, + "title": "[Auditbeat Auditd] Sockets", + "version": 1 + }, + "id": "693a5f40-c243-11e7-8692-232bd1143e8a", + "type": "dashboard", + "updated_at": "2018-01-16T23:24:37.521Z", + "version": 4 + } + ], + "version": "6.2.4" +} \ No newline at end of file diff --git a/auditbeat/module/file_integrity/_meta/kibana/6/dashboard/auditbeat-file-integrity.json b/auditbeat/module/file_integrity/_meta/kibana/6/dashboard/auditbeat-file-integrity.json index 94dd3a5ce7f0..3b98803d0573 100644 --- a/auditbeat/module/file_integrity/_meta/kibana/6/dashboard/auditbeat-file-integrity.json +++ b/auditbeat/module/file_integrity/_meta/kibana/6/dashboard/auditbeat-file-integrity.json 
@@ -1,233 +1,1214 @@ { - "objects": [ - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"index\": \"auditbeat-*\",\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"query\": \"*\",\n \"analyze_wildcard\": true,\n \"default_field\": \"*\"\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" - }, - "savedSearchId": "a380a060-cb44-11e7-9835-2f31fe08873b", - "title": "Actions [Auditbeat File Integrity]", - "uiStateJSON": "{\n \"vis\": {\n \"defaultColors\": {\n \"0 - 100\": \"rgb(0,104,55)\"\n }\n }\n}", - "version": 1, - "visState": "{\n \"title\": \"Actions [Auditbeat File Integrity]\",\n \"type\": \"metric\",\n \"params\": {\n \"addLegend\": false,\n \"addTooltip\": true,\n \"gauge\": {\n \"autoExtend\": false,\n \"backStyle\": \"Full\",\n \"colorSchema\": \"Green to Red\",\n \"colorsRange\": [\n {\n \"from\": 0,\n \"to\": 100\n }\n ],\n \"gaugeColorMode\": \"None\",\n \"gaugeStyle\": \"Full\",\n \"gaugeType\": \"Metric\",\n \"invertColors\": false,\n \"labels\": {\n \"color\": \"black\",\n \"show\": true\n },\n \"orientation\": \"vertical\",\n \"percentageMode\": false,\n \"scale\": {\n \"color\": \"#333\",\n \"labels\": false,\n \"show\": true,\n \"width\": 2\n },\n \"style\": {\n \"bgColor\": false,\n \"bgFill\": \"#000\",\n \"fontSize\": \"24\",\n \"labelColor\": false,\n \"subText\": \"\"\n },\n \"type\": \"simple\",\n \"useRange\": false,\n \"verticalSplit\": true,\n \"extendRange\": false\n },\n \"type\": \"gauge\"\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {\n \"customLabel\": \"\"\n }\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"group\",\n \"params\": {\n \"field\": \"event.action\",\n \"size\": 5,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Action\"\n }\n }\n ]\n}" - }, - "id": "AV0tVcg6g1PYniApZa-v", - "type": "visualization", - "updated_at": 
"2018-01-22T15:54:25.278Z", - "version": 6 - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"index\": \"auditbeat-*\",\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"query\": \"*\",\n \"analyze_wildcard\": true,\n \"default_field\": \"*\"\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" - }, - "savedSearchId": "a380a060-cb44-11e7-9835-2f31fe08873b", - "title": "Events Over Time [Auditbeat File Integrity]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\n \"title\": \"Events Over Time [Auditbeat File Integrity]\",\n \"type\": \"histogram\",\n \"params\": {\n \"grid\": {\n \"categoryLines\": false,\n \"style\": {\n \"color\": \"#eee\"\n }\n },\n \"categoryAxes\": [\n {\n \"id\": \"CategoryAxis-1\",\n \"type\": \"category\",\n \"position\": \"bottom\",\n \"show\": true,\n \"style\": {},\n \"scale\": {\n \"type\": \"linear\"\n },\n \"labels\": {\n \"show\": true,\n \"truncate\": 100\n },\n \"title\": {\n \"text\": \"@timestamp per 5 minutes\"\n }\n }\n ],\n \"valueAxes\": [\n {\n \"id\": \"ValueAxis-1\",\n \"name\": \"LeftAxis-1\",\n \"type\": \"value\",\n \"position\": \"left\",\n \"show\": true,\n \"style\": {},\n \"scale\": {\n \"type\": \"linear\",\n \"mode\": \"normal\",\n \"defaultYExtents\": true\n },\n \"labels\": {\n \"show\": true,\n \"rotate\": 0,\n \"filter\": false,\n \"truncate\": 100\n },\n \"title\": {\n \"text\": \"Count\"\n }\n }\n ],\n \"seriesParams\": [\n {\n \"show\": \"true\",\n \"type\": \"histogram\",\n \"mode\": \"stacked\",\n \"data\": {\n \"label\": \"Count\",\n \"id\": \"1\"\n },\n \"valueAxis\": \"ValueAxis-1\",\n \"drawLinesBetweenPoints\": true,\n \"showCircles\": true\n }\n ],\n \"addTooltip\": true,\n \"addLegend\": true,\n \"legendPosition\": \"left\",\n \"times\": [],\n \"addTimeMarker\": false,\n \"type\": \"histogram\"\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n 
},\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"date_histogram\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"@timestamp\",\n \"interval\": \"auto\",\n \"customInterval\": \"2h\",\n \"min_doc_count\": 1,\n \"extended_bounds\": {}\n }\n },\n {\n \"id\": \"3\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"group\",\n \"params\": {\n \"field\": \"event.action\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Action\"\n }\n }\n ]\n}" - }, - "id": "AV0tV05vg1PYniApZbA2", - "type": "visualization", - "updated_at": "2018-01-22T15:54:25.278Z", - "version": 6 - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"index\": \"auditbeat-*\",\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"query\": \"*\",\n \"analyze_wildcard\": true,\n \"default_field\": \"*\"\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" - }, - "savedSearchId": "a380a060-cb44-11e7-9835-2f31fe08873b", - "title": "Top owners [Auditbeat File Integrity]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\n \"title\": \"Top owners [Auditbeat File Integrity]\",\n \"type\": \"pie\",\n \"params\": {\n \"addTooltip\": true,\n \"addLegend\": true,\n \"legendPosition\": \"right\",\n \"isDonut\": true,\n \"type\": \"pie\"\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"file.owner\",\n \"size\": 5,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Owner\"\n }\n }\n ]\n}" - }, - "id": "AV0tWL-Yg1PYniApZbCs", - "type": "visualization", - "updated_at": "2018-01-22T15:54:25.278Z", - "version": 6 - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"index\": \"auditbeat-*\",\n \"query\": {\n \"query\": 
{\n \"query_string\": {\n \"query\": \"*\",\n \"analyze_wildcard\": true,\n \"default_field\": \"*\"\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" - }, - "savedSearchId": "a380a060-cb44-11e7-9835-2f31fe08873b", - "title": "Top groups [Auditbeat File Integrity]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\n \"title\": \"Top groups [Auditbeat File Integrity]\",\n \"type\": \"pie\",\n \"params\": {\n \"addTooltip\": true,\n \"addLegend\": true,\n \"legendPosition\": \"right\",\n \"isDonut\": true,\n \"type\": \"pie\"\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"file.group\",\n \"size\": 5,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Group\"\n }\n }\n ]\n}" - }, - "id": "AV0tWSdXg1PYniApZbDU", - "type": "visualization", - "updated_at": "2018-01-22T15:54:25.278Z", - "version": 6 - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"index\": \"auditbeat-*\",\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"query\": \"event.action:updated OR event.action:attributes_modified\",\n \"analyze_wildcard\": true,\n \"default_field\": \"*\"\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" - }, - "savedSearchId": "a380a060-cb44-11e7-9835-2f31fe08873b", - "title": "Top updated [Auditbeat File Integrity]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\n \"title\": \"Top updated [Auditbeat File Integrity]\",\n \"type\": \"pie\",\n \"params\": {\n \"addTooltip\": true,\n \"addLegend\": true,\n \"legendPosition\": \"right\",\n \"isDonut\": false,\n \"type\": \"pie\"\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"3\",\n \"enabled\": true,\n \"type\": 
\"terms\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"file.path.raw\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Path\"\n }\n }\n ]\n}" - }, - "id": "AV0tW0djg1PYniApZbGL", - "type": "visualization", - "updated_at": "2018-01-22T15:54:25.278Z", - "version": 6 - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"auditbeat-*\",\"query\":{\"query\":\"file.mode:/0..[2367]/ NOT file.type:symlink\",\"language\":\"lucene\"},\"filter\":[]}" - }, - "savedSearchId": "a380a060-cb44-11e7-9835-2f31fe08873b", - "title": "World Writable File Count [Auditbeat File Integrity]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"title\":\"World Writable File Count [Auditbeat File Integrity]\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"colorSchema\":\"Green to Red\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"style\":{\"fontSize\":\"23\",\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\"},\"metricColorMode\":\"None\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"file.inode\",\"customLabel\":\"World Writable Files\"}}]}" - }, - "id": "AV0tY6jwg1PYniApZbRY", - "type": "visualization", - "updated_at": "2018-01-22T17:48:29.232Z", - "version": 7 - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"index\": \"auditbeat-*\",\n \"query\": {\n \"query\": \"*\",\n \"language\": \"lucene\"\n },\n \"filter\": [\n {\n \"meta\": {\n \"index\": \"auditbeat-*\",\n \"negate\": false,\n \"disabled\": false,\n \"alias\": null,\n \"type\": \"phrase\",\n \"key\": \"file.type\",\n \"value\": \"file\",\n 
\"params\": {\n \"query\": \"file\",\n \"type\": \"phrase\"\n }\n },\n \"query\": {\n \"match\": {\n \"file.type\": {\n \"query\": \"file\",\n \"type\": \"phrase\"\n }\n }\n },\n \"$state\": {\n \"store\": \"appState\"\n }\n }\n ]\n}" - }, - "savedSearchId": "a380a060-cb44-11e7-9835-2f31fe08873b", - "title": "Most changed file by count [Auditbeat File Integrity]", - "uiStateJSON": "{\n \"vis\": {\n \"defaultColors\": {\n \"0 - 100\": \"rgb(0,104,55)\"\n }\n }\n}", - "version": 1, - "visState": "{\n \"title\": \"Most changed file by count [Auditbeat File Integrity]\",\n \"type\": \"metric\",\n \"params\": {\n \"addTooltip\": true,\n \"addLegend\": false,\n \"type\": \"gauge\",\n \"gauge\": {\n \"verticalSplit\": false,\n \"autoExtend\": false,\n \"percentageMode\": false,\n \"gaugeType\": \"Metric\",\n \"gaugeStyle\": \"Full\",\n \"backStyle\": \"Full\",\n \"orientation\": \"vertical\",\n \"colorSchema\": \"Green to Red\",\n \"gaugeColorMode\": \"None\",\n \"useRange\": false,\n \"colorsRange\": [\n {\n \"from\": 0,\n \"to\": 100\n }\n ],\n \"invertColors\": false,\n \"labels\": {\n \"show\": true,\n \"color\": \"black\"\n },\n \"scale\": {\n \"show\": false,\n \"labels\": false,\n \"color\": \"#333\",\n \"width\": 2\n },\n \"type\": \"simple\",\n \"style\": {\n \"fontSize\": \"20\",\n \"bgFill\": \"#000\",\n \"bgColor\": false,\n \"labelColor\": false,\n \"subText\": \"\"\n }\n }\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {\n \"customLabel\": \"Most changed file by count\"\n }\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"group\",\n \"params\": {\n \"field\": \"file.path.raw\",\n \"size\": 1,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"File\"\n }\n }\n ]\n}" - }, - "id": "AV0tav8Ag1PYniApZbbK", - "type": "visualization", - "updated_at": "2018-01-22T15:54:25.278Z", - "version": 6 - }, - { - "attributes": { - "description": 
"", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"index\": \"auditbeat-*\",\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"query\": \"*\",\n \"analyze_wildcard\": true,\n \"default_field\": \"*\"\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" - }, - "savedSearchId": "a380a060-cb44-11e7-9835-2f31fe08873b", - "title": "Most common mode by count [Auditbeat File Integrity]", - "uiStateJSON": "{\n \"vis\": {\n \"defaultColors\": {\n \"0 - 100\": \"rgb(0,104,55)\"\n }\n }\n}", - "version": 1, - "visState": "{\n \"title\": \"Most common mode by count [Auditbeat File Integrity]\",\n \"type\": \"metric\",\n \"params\": {\n \"addTooltip\": true,\n \"addLegend\": false,\n \"type\": \"gauge\",\n \"gauge\": {\n \"verticalSplit\": false,\n \"autoExtend\": false,\n \"percentageMode\": false,\n \"gaugeType\": \"Metric\",\n \"gaugeStyle\": \"Full\",\n \"backStyle\": \"Full\",\n \"orientation\": \"vertical\",\n \"colorSchema\": \"Green to Red\",\n \"gaugeColorMode\": \"None\",\n \"useRange\": false,\n \"colorsRange\": [\n {\n \"from\": 0,\n \"to\": 100\n }\n ],\n \"invertColors\": false,\n \"labels\": {\n \"show\": true,\n \"color\": \"black\"\n },\n \"scale\": {\n \"show\": false,\n \"labels\": false,\n \"color\": \"#333\",\n \"width\": 2\n },\n \"type\": \"simple\",\n \"style\": {\n \"fontSize\": \"20\",\n \"bgFill\": \"#000\",\n \"bgColor\": false,\n \"labelColor\": false,\n \"subText\": \"\"\n }\n }\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {\n \"customLabel\": \"Most common mode by count\"\n }\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"group\",\n \"params\": {\n \"field\": \"file.mode\",\n \"size\": 1,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Mode\"\n }\n }\n ]\n}" - }, - "id": "AV0tbcUdg1PYniApZbe1", - "type": "visualization", - "updated_at": "2018-01-22T15:54:25.278Z", - "version": 6 - }, - { 
- "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"index\": \"auditbeat-*\",\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"query\": \"*\",\n \"analyze_wildcard\": true,\n \"default_field\": \"*\"\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" - }, - "savedSearchId": "a380a060-cb44-11e7-9835-2f31fe08873b", - "title": "File Event Summary By Host [Auditbeat File Integrity]", - "uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}", - "version": 1, - "visState": "{\n \"title\": \"File Event Summary By Host [Auditbeat File Integrity]\",\n \"type\": \"table\",\n \"params\": {\n \"perPage\": 10,\n \"showPartialRows\": false,\n \"showMeticsAtAllLevels\": false,\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n },\n \"showTotal\": true,\n \"totalFunc\": \"sum\"\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {\n \"customLabel\": \"Total Events\"\n }\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"bucket\",\n \"params\": {\n \"field\": \"beat.name\",\n \"size\": 50,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Host\"\n }\n },\n {\n \"id\": \"5\",\n \"enabled\": true,\n \"type\": \"top_hits\",\n \"schema\": \"metric\",\n \"params\": {\n \"field\": \"@timestamp\",\n \"aggregate\": \"concat\",\n \"size\": 1,\n \"sortField\": \"@timestamp\",\n \"sortOrder\": \"desc\",\n \"customLabel\": \"Last Report\"\n }\n }\n ]\n}" - }, - "id": "AV0tc_xZg1PYniApZbnL", - "type": "visualization", - "updated_at": "2018-01-22T15:54:25.278Z", - "version": 6 - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"index\": \"auditbeat-*\",\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"analyze_wildcard\": true,\n \"query\": \"event.action:deleted\",\n 
\"default_field\": \"*\"\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" - }, - "savedSearchId": "a380a060-cb44-11e7-9835-2f31fe08873b", - "title": "Top deleted [Auditbeat File Integrity]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\n \"title\": \"Top deleted [Auditbeat File Integrity]\",\n \"type\": \"pie\",\n \"params\": {\n \"addLegend\": true,\n \"addTooltip\": true,\n \"isDonut\": false,\n \"legendPosition\": \"right\",\n \"type\": \"pie\"\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"file.path.raw\",\n \"size\": 10,\n \"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Path\"\n }\n }\n ]\n}" - }, - "id": "AV0tes4Eg1PYniApZbwV", - "type": "visualization", - "updated_at": "2018-01-22T15:54:25.278Z", - "version": 6 - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\n \"index\": \"auditbeat-*\",\n \"query\": {\n \"query\": {\n \"query_string\": {\n \"query\": \"event.action:created\",\n \"analyze_wildcard\": true,\n \"default_field\": \"*\"\n }\n },\n \"language\": \"lucene\"\n },\n \"filter\": []\n}" - }, - "savedSearchId": "a380a060-cb44-11e7-9835-2f31fe08873b", - "title": "Top created [Auditbeat File Integrity]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\n \"title\": \"Top created [Auditbeat File Integrity]\",\n \"type\": \"pie\",\n \"params\": {\n \"addLegend\": true,\n \"addTooltip\": true,\n \"isDonut\": false,\n \"legendPosition\": \"right\",\n \"type\": \"pie\"\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"enabled\": true,\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"enabled\": true,\n \"type\": \"terms\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"file.path.raw\",\n \"size\": 10,\n 
\"order\": \"desc\",\n \"orderBy\": \"1\",\n \"customLabel\": \"Path\"\n }\n }\n ]\n}" - }, - "id": "AV0te0TCg1PYniApZbw9", - "type": "visualization", - "updated_at": "2018-01-22T15:54:25.278Z", - "version": 6 - }, - { - "attributes": { - "columns": [ - "file.path", - "event.action" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"index\":\"auditbeat-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[{\"meta\":{\"index\":\"auditbeat-*\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"event.module\",\"value\":\"file_integrity\",\"params\":{\"query\":\"file_integrity\",\"type\":\"phrase\"}},\"query\":{\"match\":{\"event.module\":{\"query\":\"file_integrity\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}" - }, - "sort": [ - "@timestamp", - "desc" - ], - "title": "File Integrity Events [Auditbeat File Integrity]", - "version": 1 - }, - "id": "a380a060-cb44-11e7-9835-2f31fe08873b", - "type": "search", - "updated_at": "2018-01-22T15:54:25.278Z", - "version": 6 - }, - { - "attributes": { - "description": "Monitor file integrity events.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}}" - }, - "optionsJSON": "{\"darkTheme\":false,\"useMargins\":false}", - "panelsJSON": 
"[{\"gridData\":{\"h\":6,\"i\":\"1\",\"w\":2,\"x\":0,\"y\":0},\"id\":\"AV0tVcg6g1PYniApZa-v\",\"panelIndex\":\"1\",\"type\":\"visualization\",\"version\":\"6.2.4\"},{\"gridData\":{\"h\":6,\"i\":\"2\",\"w\":7,\"x\":2,\"y\":0},\"id\":\"AV0tV05vg1PYniApZbA2\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.2.4\"},{\"gridData\":{\"h\":3,\"i\":\"3\",\"w\":3,\"x\":9,\"y\":0},\"id\":\"AV0tWL-Yg1PYniApZbCs\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"version\":\"6.2.4\"},{\"gridData\":{\"h\":3,\"i\":\"4\",\"w\":3,\"x\":9,\"y\":3},\"id\":\"AV0tWSdXg1PYniApZbDU\",\"panelIndex\":\"4\",\"type\":\"visualization\",\"version\":\"6.2.4\"},{\"gridData\":{\"h\":3,\"i\":\"5\",\"w\":4,\"x\":4,\"y\":8},\"id\":\"AV0tW0djg1PYniApZbGL\",\"panelIndex\":\"5\",\"type\":\"visualization\",\"version\":\"6.2.4\"},{\"gridData\":{\"h\":2,\"i\":\"6\",\"w\":4,\"x\":0,\"y\":6},\"id\":\"AV0tY6jwg1PYniApZbRY\",\"panelIndex\":\"6\",\"type\":\"visualization\",\"version\":\"6.2.4\"},{\"gridData\":{\"h\":2,\"i\":\"7\",\"w\":4,\"x\":4,\"y\":6},\"id\":\"AV0tav8Ag1PYniApZbbK\",\"panelIndex\":\"7\",\"type\":\"visualization\",\"version\":\"6.2.4\"},{\"gridData\":{\"h\":2,\"i\":\"8\",\"w\":4,\"x\":8,\"y\":6},\"id\":\"AV0tbcUdg1PYniApZbe1\",\"panelIndex\":\"8\",\"type\":\"visualization\",\"version\":\"6.2.4\"},{\"gridData\":{\"h\":5,\"i\":\"9\",\"w\":6,\"x\":0,\"y\":11},\"id\":\"AV0tc_xZg1PYniApZbnL\",\"panelIndex\":\"9\",\"type\":\"visualization\",\"version\":\"6.2.4\"},{\"gridData\":{\"h\":3,\"i\":\"10\",\"w\":4,\"x\":8,\"y\":8},\"id\":\"AV0tes4Eg1PYniApZbwV\",\"panelIndex\":\"10\",\"type\":\"visualization\",\"version\":\"6.2.4\"},{\"gridData\":{\"h\":3,\"i\":\"11\",\"w\":4,\"x\":0,\"y\":8},\"id\":\"AV0te0TCg1PYniApZbw9\",\"panelIndex\":\"11\",\"type\":\"visualization\",\"version\":\"6.2.4\"},{\"columns\":[\"file.path\",\"event.action\"],\"gridData\":{\"h\":5,\"i\":\"12\",\"w\":6,\"x\":6,\"y\":11},\"id\":\"a380a060-cb44-11e7-9835-2f31fe08873b\",\"panelIndex\":\"12\",\"sort\":[\"@timestamp\
",\"desc\"],\"type\":\"search\",\"version\":\"6.2.4\"}]", - "timeRestore": false, - "title": "[Auditbeat File Integrity] Overview", - "version": 1 - }, - "id": "AV0tXkjYg1PYniApZbKP", - "type": "dashboard", - "updated_at": "2018-01-22T15:54:25.278Z", - "version": 6 - } - ], - "version": "6.1.2" -} + "objects": [ + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": { + "query_string": { + "analyze_wildcard": true, + "default_field": "*", + "query": "*" + } + } + } + } + }, + "savedSearchId": "a380a060-cb44-11e7-9835-2f31fe08873b", + "title": "Actions [Auditbeat File Integrity]", + "uiStateJSON": { + "vis": { + "defaultColors": { + "0 - 100": "rgb(0,104,55)" + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Action", + "field": "event.action", + "order": "desc", + "orderBy": "1", + "size": 5 + }, + "schema": "group", + "type": "terms" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "gauge": { + "autoExtend": false, + "backStyle": "Full", + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 100 + } + ], + "extendRange": false, + "gaugeColorMode": "None", + "gaugeStyle": "Full", + "gaugeType": "Metric", + "invertColors": false, + "labels": { + "color": "black", + "show": true + }, + "orientation": "vertical", + "percentageMode": false, + "scale": { + "color": "#333", + "labels": false, + "show": true, + "width": 2 + }, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": "24", + "labelColor": false, + "subText": "" + }, + "type": "simple", + "useRange": false, + "verticalSplit": true + }, + "type": "gauge" + }, + "title": "Actions [Auditbeat File Integrity]", + "type": "metric" + } + }, + 
"id": "AV0tVcg6g1PYniApZa-v", + "type": "visualization", + "updated_at": "2018-01-22T15:54:25.278Z", + "version": 6 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": { + "query_string": { + "analyze_wildcard": true, + "default_field": "*", + "query": "*" + } + } + } + } + }, + "savedSearchId": "a380a060-cb44-11e7-9835-2f31fe08873b", + "title": "Events Over Time [Auditbeat File Integrity]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customInterval": "2h", + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1 + }, + "schema": "segment", + "type": "date_histogram" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Action", + "field": "event.action", + "order": "desc", + "orderBy": "1", + "size": 10 + }, + "schema": "group", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "@timestamp per 5 minutes" + }, + "type": "category" + } + ], + "grid": { + "categoryLines": false, + "style": { + "color": "#eee" + } + }, + "legendPosition": "left", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "mode": "stacked", + "show": "true", + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "times": [], + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, 
+ "name": "LeftAxis-1", + "position": "left", + "scale": { + "defaultYExtents": true, + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "Events Over Time [Auditbeat File Integrity]", + "type": "histogram" + } + }, + "id": "AV0tV05vg1PYniApZbA2", + "type": "visualization", + "updated_at": "2018-01-22T15:54:25.278Z", + "version": 6 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": { + "query_string": { + "analyze_wildcard": true, + "default_field": "*", + "query": "*" + } + } + } + } + }, + "savedSearchId": "a380a060-cb44-11e7-9835-2f31fe08873b", + "title": "Top owners [Auditbeat File Integrity]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Owner", + "field": "file.owner", + "order": "desc", + "orderBy": "1", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "legendPosition": "right", + "type": "pie" + }, + "title": "Top owners [Auditbeat File Integrity]", + "type": "pie" + } + }, + "id": "AV0tWL-Yg1PYniApZbCs", + "type": "visualization", + "updated_at": "2018-01-22T15:54:25.278Z", + "version": 6 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": { + "query_string": { + "analyze_wildcard": true, + "default_field": "*", + "query": "*" + } + } + } + } + }, + "savedSearchId": "a380a060-cb44-11e7-9835-2f31fe08873b", + "title": "Top groups [Auditbeat File Integrity]", + "uiStateJSON": {}, + "version": 1, + "visState": { 
+ "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Group", + "field": "file.group", + "order": "desc", + "orderBy": "1", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "legendPosition": "right", + "type": "pie" + }, + "title": "Top groups [Auditbeat File Integrity]", + "type": "pie" + } + }, + "id": "AV0tWSdXg1PYniApZbDU", + "type": "visualization", + "updated_at": "2018-01-22T15:54:25.278Z", + "version": 6 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": { + "query_string": { + "analyze_wildcard": true, + "default_field": "*", + "query": "event.action:updated OR event.action:attributes_modified" + } + } + } + } + }, + "savedSearchId": "a380a060-cb44-11e7-9835-2f31fe08873b", + "title": "Top updated [Auditbeat File Integrity]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Path", + "field": "file.path.raw", + "order": "desc", + "orderBy": "1", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": false, + "legendPosition": "right", + "type": "pie" + }, + "title": "Top updated [Auditbeat File Integrity]", + "type": "pie" + } + }, + "id": "AV0tW0djg1PYniApZbGL", + "type": "visualization", + "updated_at": "2018-01-22T15:54:25.278Z", + "version": 6 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": 
"file.mode:/0..[2367]/ NOT file.type:symlink" + } + } + }, + "savedSearchId": "a380a060-cb44-11e7-9835-2f31fe08873b", + "title": "World Writable File Count [Auditbeat File Integrity]", + "uiStateJSON": { + "vis": { + "defaultColors": { + "0 - 100": "rgb(0,104,55)" + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "World Writable Files", + "field": "file.inode" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 100 + } + ], + "invertColors": false, + "labels": { + "color": "black", + "show": false + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": "23", + "labelColor": false, + "subText": "" + }, + "useRange": false + }, + "type": "metric" + }, + "title": "World Writable File Count [Auditbeat File Integrity]", + "type": "metric" + } + }, + "id": "AV0tY6jwg1PYniApZbRY", + "type": "visualization", + "updated_at": "2018-01-22T17:48:29.232Z", + "version": 7 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "file.type", + "negate": false, + "params": { + "query": "file", + "type": "phrase" + }, + "type": "phrase", + "value": "file" + }, + "query": { + "match": { + "file.type": { + "query": "file", + "type": "phrase" + } + } + } + } + ], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "*" + } + } + }, + "savedSearchId": "a380a060-cb44-11e7-9835-2f31fe08873b", + "title": "Most changed file by count [Auditbeat File Integrity]", + "uiStateJSON": { + "vis": { + "defaultColors": { + "0 - 100": "rgb(0,104,55)" + } + } + }, + "version": 1, + "visState": { + 
"aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Most changed file by count" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "File", + "field": "file.path.raw", + "order": "desc", + "orderBy": "1", + "size": 1 + }, + "schema": "group", + "type": "terms" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "gauge": { + "autoExtend": false, + "backStyle": "Full", + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 100 + } + ], + "gaugeColorMode": "None", + "gaugeStyle": "Full", + "gaugeType": "Metric", + "invertColors": false, + "labels": { + "color": "black", + "show": true + }, + "orientation": "vertical", + "percentageMode": false, + "scale": { + "color": "#333", + "labels": false, + "show": false, + "width": 2 + }, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": "20", + "labelColor": false, + "subText": "" + }, + "type": "simple", + "useRange": false, + "verticalSplit": false + }, + "type": "gauge" + }, + "title": "Most changed file by count [Auditbeat File Integrity]", + "type": "metric" + } + }, + "id": "AV0tav8Ag1PYniApZbbK", + "type": "visualization", + "updated_at": "2018-01-22T15:54:25.278Z", + "version": 6 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": { + "query_string": { + "analyze_wildcard": true, + "default_field": "*", + "query": "*" + } + } + } + } + }, + "savedSearchId": "a380a060-cb44-11e7-9835-2f31fe08873b", + "title": "Most common mode by count [Auditbeat File Integrity]", + "uiStateJSON": { + "vis": { + "defaultColors": { + "0 - 100": "rgb(0,104,55)" + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Most common mode by count" + }, + "schema": "metric", + "type": "count" + }, 
+ { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Mode", + "field": "file.mode", + "order": "desc", + "orderBy": "1", + "size": 1 + }, + "schema": "group", + "type": "terms" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "gauge": { + "autoExtend": false, + "backStyle": "Full", + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 100 + } + ], + "gaugeColorMode": "None", + "gaugeStyle": "Full", + "gaugeType": "Metric", + "invertColors": false, + "labels": { + "color": "black", + "show": true + }, + "orientation": "vertical", + "percentageMode": false, + "scale": { + "color": "#333", + "labels": false, + "show": false, + "width": 2 + }, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": "20", + "labelColor": false, + "subText": "" + }, + "type": "simple", + "useRange": false, + "verticalSplit": false + }, + "type": "gauge" + }, + "title": "Most common mode by count [Auditbeat File Integrity]", + "type": "metric" + } + }, + "id": "AV0tbcUdg1PYniApZbe1", + "type": "visualization", + "updated_at": "2018-01-22T15:54:25.278Z", + "version": 6 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": { + "query_string": { + "analyze_wildcard": true, + "default_field": "*", + "query": "*" + } + } + } + } + }, + "savedSearchId": "a380a060-cb44-11e7-9835-2f31fe08873b", + "title": "File Event Summary By Host [Auditbeat File Integrity]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Total Events" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Host", + "field": "beat.name", + "order": "desc", + "orderBy": "1", + "size": 50 
+ }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "5", + "params": { + "aggregate": "concat", + "customLabel": "Last Report", + "field": "@timestamp", + "size": 1, + "sortField": "@timestamp", + "sortOrder": "desc" + }, + "schema": "metric", + "type": "top_hits" + } + ], + "params": { + "perPage": 10, + "showMeticsAtAllLevels": false, + "showPartialRows": false, + "showTotal": true, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "File Event Summary By Host [Auditbeat File Integrity]", + "type": "table" + } + }, + "id": "AV0tc_xZg1PYniApZbnL", + "type": "visualization", + "updated_at": "2018-01-22T15:54:25.278Z", + "version": 6 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": { + "query_string": { + "analyze_wildcard": true, + "default_field": "*", + "query": "event.action:deleted" + } + } + } + } + }, + "savedSearchId": "a380a060-cb44-11e7-9835-2f31fe08873b", + "title": "Top deleted [Auditbeat File Integrity]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Path", + "field": "file.path.raw", + "order": "desc", + "orderBy": "1", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": false, + "legendPosition": "right", + "type": "pie" + }, + "title": "Top deleted [Auditbeat File Integrity]", + "type": "pie" + } + }, + "id": "AV0tes4Eg1PYniApZbwV", + "type": "visualization", + "updated_at": "2018-01-22T15:54:25.278Z", + "version": 6 + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "index": "auditbeat-*", + "query": { + 
"language": "lucene", + "query": { + "query_string": { + "analyze_wildcard": true, + "default_field": "*", + "query": "event.action:created" + } + } + } + } + }, + "savedSearchId": "a380a060-cb44-11e7-9835-2f31fe08873b", + "title": "Top created [Auditbeat File Integrity]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Path", + "field": "file.path.raw", + "order": "desc", + "orderBy": "1", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": false, + "legendPosition": "right", + "type": "pie" + }, + "title": "Top created [Auditbeat File Integrity]", + "type": "pie" + } + }, + "id": "AV0te0TCg1PYniApZbw9", + "type": "visualization", + "updated_at": "2018-01-22T15:54:25.278Z", + "version": 6 + }, + { + "attributes": { + "columns": [ + "file.path", + "event.action" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "auditbeat-*", + "key": "event.module", + "negate": false, + "params": { + "query": "file_integrity", + "type": "phrase" + }, + "type": "phrase", + "value": "file_integrity" + }, + "query": { + "match": { + "event.module": { + "query": "file_integrity", + "type": "phrase" + } + } + } + } + ], + "highlightAll": true, + "index": "auditbeat-*", + "query": { + "language": "lucene", + "query": "" + }, + "version": true + } + }, + "sort": [ + "@timestamp", + "desc" + ], + "title": "File Integrity Events [Auditbeat File Integrity]", + "version": 1 + }, + "id": "a380a060-cb44-11e7-9835-2f31fe08873b", + "type": "search", + "updated_at": "2018-01-22T15:54:25.278Z", + "version": 6 + }, + { + "attributes": { + "description": "Monitor file integrity 
events.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "query": { + "language": "lucene", + "query": { + "query_string": { + "analyze_wildcard": true, + "query": "*" + } + } + }, + "version": true + } + }, + "optionsJSON": { + "darkTheme": false, + "useMargins": false + }, + "panelsJSON": [ + { + "gridData": { + "h": 6, + "i": "1", + "w": 2, + "x": 0, + "y": 0 + }, + "id": "AV0tVcg6g1PYniApZa-v", + "panelIndex": "1", + "type": "visualization", + "version": "6.2.4" + }, + { + "gridData": { + "h": 6, + "i": "2", + "w": 7, + "x": 2, + "y": 0 + }, + "id": "AV0tV05vg1PYniApZbA2", + "panelIndex": "2", + "type": "visualization", + "version": "6.2.4" + }, + { + "gridData": { + "h": 3, + "i": "3", + "w": 3, + "x": 9, + "y": 0 + }, + "id": "AV0tWL-Yg1PYniApZbCs", + "panelIndex": "3", + "type": "visualization", + "version": "6.2.4" + }, + { + "gridData": { + "h": 3, + "i": "4", + "w": 3, + "x": 9, + "y": 3 + }, + "id": "AV0tWSdXg1PYniApZbDU", + "panelIndex": "4", + "type": "visualization", + "version": "6.2.4" + }, + { + "gridData": { + "h": 3, + "i": "5", + "w": 4, + "x": 4, + "y": 8 + }, + "id": "AV0tW0djg1PYniApZbGL", + "panelIndex": "5", + "type": "visualization", + "version": "6.2.4" + }, + { + "gridData": { + "h": 2, + "i": "6", + "w": 4, + "x": 0, + "y": 6 + }, + "id": "AV0tY6jwg1PYniApZbRY", + "panelIndex": "6", + "type": "visualization", + "version": "6.2.4" + }, + { + "gridData": { + "h": 2, + "i": "7", + "w": 4, + "x": 4, + "y": 6 + }, + "id": "AV0tav8Ag1PYniApZbbK", + "panelIndex": "7", + "type": "visualization", + "version": "6.2.4" + }, + { + "gridData": { + "h": 2, + "i": "8", + "w": 4, + "x": 8, + "y": 6 + }, + "id": "AV0tbcUdg1PYniApZbe1", + "panelIndex": "8", + "type": "visualization", + "version": "6.2.4" + }, + { + "gridData": { + "h": 5, + "i": "9", + "w": 6, + "x": 0, + "y": 11 + }, + "id": "AV0tc_xZg1PYniApZbnL", + "panelIndex": "9", + "type": "visualization", + "version": "6.2.4" + }, + { + 
"gridData": { + "h": 3, + "i": "10", + "w": 4, + "x": 8, + "y": 8 + }, + "id": "AV0tes4Eg1PYniApZbwV", + "panelIndex": "10", + "type": "visualization", + "version": "6.2.4" + }, + { + "gridData": { + "h": 3, + "i": "11", + "w": 4, + "x": 0, + "y": 8 + }, + "id": "AV0te0TCg1PYniApZbw9", + "panelIndex": "11", + "type": "visualization", + "version": "6.2.4" + }, + { + "columns": [ + "file.path", + "event.action" + ], + "gridData": { + "h": 5, + "i": "12", + "w": 6, + "x": 6, + "y": 11 + }, + "id": "a380a060-cb44-11e7-9835-2f31fe08873b", + "panelIndex": "12", + "sort": [ + "@timestamp", + "desc" + ], + "type": "search", + "version": "6.2.4" + } + ], + "timeRestore": false, + "title": "[Auditbeat File Integrity] Overview", + "version": 1 + }, + "id": "AV0tXkjYg1PYniApZbKP", + "type": "dashboard", + "updated_at": "2018-01-22T15:54:25.278Z", + "version": 6 + } + ], + "version": "6.1.2" +} \ No newline at end of file