From e3c9257c6f9c07484ef268c82354deb0baf1a3a0 Mon Sep 17 00:00:00 2001
From: Adrian Serrano
Date: Mon, 30 Aug 2021 19:07:25 +0200
Subject: [PATCH] Filebeat auditd: Fix Top Exec Commands dashboard visualization (#27638) (#27646)

This visualization was expecting an uppercase EXECVE value in event.action while the ingest pipeline was lowercasing this value.

(cherry picked from commit 9b574ef776ee40f421d8792b132774bf381db96c)
---
 CHANGELOG.next.asciidoc | 1 +
 .../module/auditd/_meta/kibana/7/dashboard/Filebeat-auditd.json | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 806b7d8505ca..6df90531c0c0 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -174,6 +174,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix s3 input when there is a blank line in the log file. {pull}25357[25357]
 - Fixes the Snyk module to work with the new API changes. {pull}27358[27358]
 - Fixes a bug in `http_endpoint` that caused numbers encoded as strings. {issue}27382[27382] {pull}27480[27480]
+- Auditd: Fix Top Exec Commands dashboard visualization. {pull}27638[27638]
 
 *Heartbeat*
 
diff --git a/filebeat/module/auditd/_meta/kibana/7/dashboard/Filebeat-auditd.json b/filebeat/module/auditd/_meta/kibana/7/dashboard/Filebeat-auditd.json
index e45db5bb3341..03f5824a50c0 100644
--- a/filebeat/module/auditd/_meta/kibana/7/dashboard/Filebeat-auditd.json
+++ b/filebeat/module/auditd/_meta/kibana/7/dashboard/Filebeat-auditd.json
@@ -62,7 +62,7 @@
 "index": "filebeat-*",
 "query": {
 "language": "kuery",
-"query": "event.action:EXECVE"
+"query": "event.action:execve"
 }
 }
 },
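Review bot: The new KQL `event.action:execve` in the Filebeat-auditd.json hunk will silently drop any documents that were indexed before the pipeline started lowercasing this value, since event.action is presumably a keyword field and KQL term matches on keywords are case-sensitive. For deployments whose indices span both pipeline versions, the Top Exec Commands panel would then under-report execve activity, which is the kind of gap an analyst relying on the dashboard would not notice. A transitional query such as `"query": "event.action:(execve or EXECVE)"` keeps the older data visible until it ages out or is reindexed, and a short line in the changelog entry telling users about the case change of stored values would make the behaviour explicit. The same case convention should be checked against any other panel in this dashboard that filters on event.action, which is outside this hunk.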