diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 657381a9536..f49f40f9433 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -447,6 +447,7 @@ /packages/universal_profiling_symbolizer @elastic/obs-ds-intake-services /packages/varonis @elastic/security-service-integrations /packages/vectra_detect @elastic/security-service-integrations +/packages/vectra_rux @elastic/security-service-integrations /packages/vsphere @elastic/obs-infraobs-integrations /packages/websocket @elastic/security-service-integrations /packages/watchguard_firebox @elastic/sec-deployment-and-devices diff --git a/packages/vectra_rux/_dev/build/build.yml b/packages/vectra_rux/_dev/build/build.yml new file mode 100644 index 00000000000..97fc8aa10cd --- /dev/null +++ b/packages/vectra_rux/_dev/build/build.yml @@ -0,0 +1,3 @@ +dependencies: + ecs: + reference: git@v8.17.0 diff --git a/packages/vectra_rux/_dev/build/docs/README.md b/packages/vectra_rux/_dev/build/docs/README.md new file mode 100644 index 00000000000..bc0ba8a9869 --- /dev/null +++ b/packages/vectra_rux/_dev/build/docs/README.md 
@@ -0,0 +1,117 @@ +# Vectra RUX + +## Overview + +[Vectra AI](https://www.vectra.ai/) is a provider of cybersecurity solutions, including threat detection and response solutions. Vectra AI also provides cloud security, detects ransomware, secures remote workplaces, hunts and investigates threats, and offers investigations, risk and compliance services. + +This integration enables to collect, parse Audit, Detection Event, Entity Event, Health and Lockdown data via [Vectra RUX REST API](https://support.vectra.ai/vectra/article/KB-VS-1835), then visualise the data in Kibana. + +## Data streams + +The Vectra RUX integration collects logs for five types of events. + +**Audit:** Audit allows collecting Audit Log Events, which are recorded whenever a user performs an action on the system. These events are sequential and provide a reliable audit trail of user activity. + +**Detection Event:** Detection Event allows collecting Detection Events, which are generated upon the initial detection and each subsequent update. + +**Entity Event:** Entity Event allows collecting Entity scoring events, which are generated whenever an entity's score changes, such as during initial threat detection, the discovery of additional detections, or updates to existing ones. + +**Health:** Health allows collecting system health data, with API responses that may vary based on product subscriptions such as Network, AWS, or M365. + +**Lockdown:** Lockdown allows collecting entities lockdown status for accounts and hosts type, that are currently in lockdown mode. + +## Requirements + +### Agentless enabled integration +Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. 
For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html). + +Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features. + +### Agent based installation +Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). +You can install only one Elastic Agent per host. +Elastic Agent is required to stream data from the GCP Pub/Sub or REST API and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines. + +## Compatibility + +For Rest API, this module has been tested against the **v3.4** version. + +## Setup + +### To collect data from the Vectra RUX API: + +1. Navigate to **Manage > API Clients** in Vectra Console. +2. Click on **Add API Client**. +3. Add **Client Name**, **Description** and select the appropriate **Role** based on the endpoint, as outlined in the below table: + | Endpoint | Role | + | -----------------------| -------------------| + | Audit | Auditor | + | Detection Event | Read-Only | + | Entity Event | Read-Only | + | Health | Auditor | + | Lockdown | Read-Only | +4. Click **Generate Credentials**. +5. Copy **Client ID** and **Secret Key**. + +For more details, see [Documentation](https://support.vectra.ai/vectra/article/KB-VS-1572). + +### Enabling the integration in Elastic: + +1. In Kibana navigate to Management > Integrations. +2. In "Search for integrations" top bar, search for `Vectra RUX`. +3. Select the "Vectra RUX" integration from the search results. +4. Select "Add Vectra RUX" to add the integration. +5. 
Add all the required integration configuration parameters, including the URL, Client ID, Client Secret, Interval, and Initial Interval, to enable data collection for REST API input type. +6. Select "Save and continue" to save the integration. + +## Logs reference + +### Audit + +This is the `Audit` dataset. + +#### Example + +{{event "audit"}} + +{{fields "audit"}} + +### Detection Event + +This is the `Detection Event` dataset. + +#### Example + +{{event "detection_event"}} + +{{fields "detection_event"}} + +### Entity Event + +This is the `Entity Event` dataset. + +#### Example + +{{event "entity_event"}} + +{{fields "entity_event"}} + +### Health + +This is the `Health` dataset. + +#### Example + +{{event "health"}} + +{{fields "health"}} + +### Lockdown + +This is the `Lockdown` dataset. + +#### Example + +{{event "lockdown"}} + +{{fields "lockdown"}} \ No newline at end of file diff --git a/packages/vectra_rux/_dev/deploy/docker/docker-compose.yml b/packages/vectra_rux/_dev/deploy/docker/docker-compose.yml new file mode 100644 index 00000000000..9f134efbb4c --- /dev/null +++ b/packages/vectra_rux/_dev/deploy/docker/docker-compose.yml @@ -0,0 +1,15 @@ +version: '3.0' +services: + vectra_rux: + image: docker.elastic.co/observability/stream:v0.17.1 + hostname: vectra_rux + ports: + - 8090 + volumes: + - ./files:/files:ro + environment: + PORT: '8090' + command: + - http-server + - --addr=:8090 + - --config=/files/config.yml diff --git a/packages/vectra_rux/_dev/deploy/docker/files/config.yml b/packages/vectra_rux/_dev/deploy/docker/files/config.yml new file mode 100644 index 00000000000..e5b7fc866ff --- /dev/null +++ b/packages/vectra_rux/_dev/deploy/docker/files/config.yml 
@@ -0,0 +1,804 @@ +rules: + - path: /oauth2/token + methods: ['POST'] + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: | + {"access_token":"xxxx","expires_in":1799,"token_type":"bearer"} + - path: /api/v3.4/events/audits + methods: ['GET'] + query_params: + limit: 2 + from: 5 + event_timestamp_gte: "{event_timestamp_gte:.*}" + request_headers: + Authorization: + - 'Bearer xxxx' + responses: + - status_code: 200 + body: | + {{ minify_json ` + { + "events": [ + { + "id": 5, + "user_id": 5, + "username": "admin", + "user_type": "API_CLIENT", + "api_client_id": "0cc5c3a9-4b1d-4b3a-9c5c-3a9b1d4b3a9b", + "user_role": "Security Analyst", + "version": "2022.0.0", + "source_ip": "89.160.20.156", + "event_timestamp": "2025-02-12T00:00:00.000Z", + "message": "[table:linked_account][id:1] with tags [] was changed to ['tag1', 'tag2', 'tag3', 'tag4', 'tag5', 'tag6']", + "result_status": "success", + "event_data": {}, + "event_object": "account_tags", + "event_action": "updated" + } + ], + "next_checkpoint": 6, + "remaining_count": 0 + } + `}} + - path: /api/v3.4/events/audits + methods: ['GET'] + query_params: + limit: 2 + from: 3 + event_timestamp_gte: "{event_timestamp_gte:.*}" + request_headers: + Authorization: + - 'Bearer xxxx' + responses: + - status_code: 200 + body: | + {{ minify_json ` + { + "events": [ + { + "id": 3, + "user_id": 3, + "username": "admin", + "user_type": "API_CLIENT", + "api_client_id": "0cc5c3a9-4b1d-4b3a-9c5c-3a9b1d4b3a9b", + "user_role": "Security Analyst", + "version": "2022.0.0", + "source_ip": "89.160.20.156", + "event_timestamp": "2025-02-01T00:00:00.000Z", + "message": "[table:linked_account][id:1] with tags [] was changed to ['tag1', 'tag2', 'tag3', 'tag4', 'tag5', 'tag6']", + "result_status": "success", + "event_data": {}, + "event_object": "account_tags", + "event_action": "updated" + }, + { + "id": 4, + "user_id": 4, + "username": "admin", + "user_type": "API_CLIENT", + "api_client_id": 
"0cc5c3a9-4b1d-4b3a-9c5c-3a9b1d4b3a9b", + "user_role": "Security Analyst", + "version": "2022.0.0", + "source_ip": "89.160.20.156", + "event_timestamp": "2025-02-08T00:00:00.000Z", + "message": "[table:linked_account][id:1] with tags [] was changed to ['tag1', 'tag2', 'tag3', 'tag4', 'tag5', 'tag6']", + "result_status": "success", + "event_data": {}, + "event_object": "account_tags", + "event_action": "updated" + } + ], + "next_checkpoint": 5, + "remaining_count": 1 + } + `}} + - path: /api/v3.4/events/audits + methods: ['GET'] + query_params: + limit: 2 + from: 0 + event_timestamp_gte: "{event_timestamp_gte:.*}" + request_headers: + Authorization: + - 'Bearer xxxx' + responses: + - status_code: 200 + body: | + {{ minify_json ` + { + "events": [ + { + "id": 1, + "user_id": 22284, + "username": "john.doe@net.co", + "user_type": "JWT", + "api_client_id": null, + "user_role": "Security Analyst", + "version": "202502.14.0", + "source_ip": "81.2.69.142", + "event_timestamp": "2025-03-03T06:42:20Z", + "message": "Tag testdev has been added to detections with ids [172]", + "result_status": "success", + "event_data": { + "account_note": { + "note_id": "684", + "account_id": "57" + } + }, + "event_object": "detection_tag", + "event_action": "created" + }, + { + "id": 2, + "user_id": 22285, + "username": "john.doe@net.co", + "user_type": "JWT", + "api_client_id": null, + "user_role": "Security Analyst", + "version": "202502.14.0", + "source_ip": "81.2.69.142", + "event_timestamp": "2025-03-04T06:42:20Z", + "message": "Tag testdev has been added to detections with ids [172]", + "result_status": "success", + "event_data": { + "account_note": { + "note_id": "684", + "account_id": "57" + } + }, + "event_object": "detection_tag", + "event_action": "created" + } + ], + "next_checkpoint": 3, + "remaining_count": 3 + } + `}} + - path: /api/v3.4/events/detections + methods: ['GET'] + query_params: + limit: 2 + from: 5 + event_timestamp_gte: "{event_timestamp_gte:.*}" + 
request_headers: + Authorization: + - 'Bearer xxxx' + responses: + - status_code: 200 + body: | + {{ minify_json ` + { + "events": [ + { + "id": 5, + "category": "command_and_control", + "threat": 50, + "certainty": 50, + "triaged": false, + "detection_type": "Azure AD Redundant Access Creation", + "url": "https://207031206993.uw2.devportal.vectra.ai/detections/959", + "d_type_vname": "Azure AD Redundant Access Creation", + "detection_id": 959, + "detection_href": "https://207031206993.uw2.devportal.vectra.ai/detections/959?detail_id=94341", + "entity_id": 1, + "type": "account", + "entity_href": "https://207031206993.uw2.devportal.vectra.ai/accounts/1", + "entity_uid": "O365:ServicePrincipal_3fb87dda-882a-49e1-88b9-67d2499b2fd4", + "src_entity": "O365:ServicePrincipal_3fb87dda-882a-49e1-88b9-67d2499b2fd4", + "event_timestamp": "2022-09-13T16:31:35Z", + "mitre": [ + "T1526" + ], + "detail": {}, + "severity": 5 + } + ], + "next_checkpoint": 6, + "remaining_count": 0 + } + `}} + - path: /api/v3.4/events/detections + methods: ['GET'] + query_params: + limit: 2 + from: 3 + event_timestamp_gte: "{event_timestamp_gte:.*}" + request_headers: + Authorization: + - 'Bearer xxxx' + responses: + - status_code: 200 + body: | + {{ minify_json ` + { + "events": [ + { + "detection_href": "https://123589577.cc1.portal.vectra.ai/detections/32986?detail_id=99603", + "detection_id": 32986, + "d_type_vname": "Hidden HTTPS Tunnel", + "entity_id": 976, + "severity": 0, + "id": 3, + "certainty": 0, + "detection_type": "Hidden HTTPS Tunnel", + "event_timestamp": "2024-10-25T10:16:42Z", + "category": "command_and_control", + "triaged": false, + "detail": {}, + "entity_uid": "deltics-1", + "url": "https://123589577.cc1.portal.vectra.ai/hosts/976", + "type": "host", + "threat": 0, + "mitre": [ + "T1043", + "T1094", + "T1024", + "T1132", + "T1001", + "T1008", + "T1071", + "T1032", + "T1105", + "T1108" + ] + }, + { + "detection_href": 
"https://123589577.cc1.portal.vectra.ai/detections/32986?detail_id=99603", + "detection_id": 32986, + "d_type_vname": "Hidden HTTPS Tunnel", + "entity_id": 976, + "severity": 0, + "id": 4, + "certainty": 0, + "detection_type": "Hidden HTTPS Tunnel", + "event_timestamp": "2024-10-26T10:16:42Z", + "category": "command_and_control", + "triaged": false, + "detail": {}, + "entity_uid": "deltics-1", + "url": "https://123589577.cc1.portal.vectra.ai/hosts/976", + "type": "host", + "threat": 0, + "mitre": [ + "T1043", + "T1094", + "T1024", + "T1132", + "T1001", + "T1008", + "T1071", + "T1032", + "T1105", + "T1108" + ] + } + ], + "next_checkpoint": 5, + "remaining_count": 1 + } + `}} + - path: /api/v3.4/events/detections + methods: ['GET'] + query_params: + limit: 2 + from: 0 + event_timestamp_gte: "{event_timestamp_gte:.*}" + request_headers: + Authorization: + - 'Bearer xxxx' + responses: + - status_code: 200 + body: | + {{ minify_json ` + { + "events": [ + { + "detection_href": "https://123589577.cc1.portal.vectra.ai/detections/32986?detail_id=99603", + "detection_id": 32986, + "d_type_vname": "Hidden HTTPS Tunnel", + "entity_id": 976, + "severity": 0, + "id": 1, + "certainty": 0, + "detection_type": "Hidden HTTPS Tunnel", + "event_timestamp": "2024-10-23T10:16:42Z", + "category": "command_and_control", + "triaged": false, + "detail": {}, + "entity_uid": "deltics-1", + "url": "https://123589577.cc1.portal.vectra.ai/hosts/976", + "type": "host", + "threat": 0, + "mitre": [ + "T1043", + "T1094", + "T1024", + "T1132", + "T1001", + "T1008", + "T1071", + "T1032", + "T1105", + "T1108" + ] + }, + { + "detection_href": "https://123589577.cc1.portal.vectra.ai/detections/32986?detail_id=99603", + "detection_id": 32986, + "d_type_vname": "Hidden HTTPS Tunnel", + "entity_id": 976, + "severity": 0, + "id": 2, + "certainty": 0, + "detection_type": "Hidden HTTPS Tunnel", + "event_timestamp": "2024-10-24T10:16:42Z", + "category": "command_and_control", + "triaged": false, + "detail": {}, 
+ "entity_uid": "deltics-1", + "url": "https://123589577.cc1.portal.vectra.ai/hosts/976", + "type": "host", + "threat": 0, + "mitre": [ + "T1043", + "T1094", + "T1024", + "T1132", + "T1001", + "T1008", + "T1071", + "T1032", + "T1105", + "T1108" + ] + } + ], + "next_checkpoint": 3, + "remaining_count": 3 + } + `}} + - path: /api/v3.4/events/entity_scoring + methods: ['GET'] + query_params: + limit: 2 + from: 5 + event_timestamp_gte: "{event_timestamp_gte:.*}" + request_headers: + Authorization: + - 'Bearer xxxx' + responses: + - status_code: 200 + body: | + {{ minify_json ` + { + "events": [ + { + "id": 5, + "entity_id": 105, + "breadth_contrib": 0, + "importance": 0, + "type": "host", + "is_prioritized": false, + "severity": "Low", + "urgency_reason": "Ransomware: This entity was prioritized because it was implicated in an active ransomware detection", + "urgency_score": 0, + "velocity_contrib": 0, + "event_timestamp": "2022-08-12T00:14:31Z", + "name": "Windows10_Jump", + "active_detection_types": [ + "hidden_https_tunnel_cnc" + ], + "category": "HOST_SCORING", + "last_detection": { + "id": 103, + "type": "hidden_https_tunnel_cnc", + "url": "https://200888808432.uw2.devportal.vectra.ai/detections/103" + }, + "attack_rating": 0, + "url": "https://200888808432.uw2.devportal.vectra.ai/accounts/8" + } + ], + "next_checkpoint": 6, + "remaining_count": 0 + } + `}} + - path: /api/v3.4/events/entity_scoring + methods: ['GET'] + query_params: + limit: 2 + from: 3 + event_timestamp_gte: "{event_timestamp_gte:.*}" + request_headers: + Authorization: + - 'Bearer xxxx' + responses: + - status_code: 200 + body: | + {{ minify_json ` + { + "events": [ + { + "id": 3, + "entity_id": 103, + "breadth_contrib": 0, + "importance": 0, + "type": "host", + "is_prioritized": false, + "severity": "Low", + "urgency_reason": "Ransomware: This entity was prioritized because it was implicated in an active ransomware detection", + "urgency_score": 0, + "velocity_contrib": 0, + "event_timestamp": 
"2022-07-09T00:14:31Z", + "name": "piper-desktop", + "active_detection_types": [ + "hidden_https_tunnel_cnc" + ], + "category": "HOST_SCORING", + "last_detection": { + "id": 103, + "type": "hidden_https_tunnel_cnc", + "url": "https://200888808432.uw2.devportal.vectra.ai/detections/103" + }, + "attack_rating": 0, + "url": "https://200888808432.uw2.devportal.vectra.ai/accounts/8" + }, + { + "id": 4, + "entity_id": 104, + "breadth_contrib": 0, + "importance": 0, + "type": "host", + "is_prioritized": false, + "severity": "Low", + "urgency_reason": "Ransomware: This entity was prioritized because it was implicated in an active ransomware detection", + "urgency_score": 0, + "velocity_contrib": 0, + "event_timestamp": "2022-07-10T00:14:31Z", + "name": "piper-desktop", + "active_detection_types": [ + "hidden_https_tunnel_cnc" + ], + "category": "HOST_SCORING", + "last_detection": { + "id": 103, + "type": "hidden_https_tunnel_cnc", + "url": "https://200888808432.uw2.devportal.vectra.ai/detections/103" + }, + "attack_rating": 0, + "url": "https://200888808432.uw2.devportal.vectra.ai/accounts/8" + } + ], + "next_checkpoint": 5, + "remaining_count": 1 + } + `}} + - path: /api/v3.4/events/entity_scoring + methods: ['GET'] + query_params: + limit: 2 + from: 0 + event_timestamp_gte: "{event_timestamp_gte:.*}" + request_headers: + Authorization: + - 'Bearer xxxx' + responses: + - status_code: 200 + body: | + {{ minify_json ` + { + "events": [ + { + "id": 1, + "entity_id": 100, + "breadth_contrib": 0, + "importance": 0, + "type": "host", + "is_prioritized": false, + "severity": "Low", + "urgency_reason": "Ransomware: This entity was prioritized because it was implicated in an active ransomware detection", + "urgency_score": 0, + "velocity_contrib": 0, + "event_timestamp": "2022-07-07T00:14:31Z", + "name": "piper-desktop", + "active_detection_types": [ + "hidden_https_tunnel_cnc" + ], + "category": "HOST_SCORING", + "last_detection": { + "id": 103, + "type": 
"hidden_https_tunnel_cnc", + "url": "https://200888808432.uw2.devportal.vectra.ai/detections/103" + }, + "attack_rating": 0, + "url": "https://200888808432.uw2.devportal.vectra.ai/accounts/8" + }, + { + "id": 2, + "entity_id": 101, + "breadth_contrib": 0, + "importance": 0, + "type": "host", + "is_prioritized": false, + "severity": "Low", + "urgency_reason": "Ransomware: This entity was prioritized because it was implicated in an active ransomware detection", + "urgency_score": 0, + "velocity_contrib": 0, + "event_timestamp": "2022-07-08T00:14:31Z", + "name": "piper-desktop", + "active_detection_types": [ + "hidden_https_tunnel_cnc" + ], + "category": "HOST_SCORING", + "last_detection": { + "id": 103, + "type": "hidden_https_tunnel_cnc", + "url": "https://200888808432.uw2.devportal.vectra.ai/detections/103" + }, + "attack_rating": 0, + "url": "https://200888808432.uw2.devportal.vectra.ai/accounts/8" + } + ], + "next_checkpoint": 3, + "remaining_count": 3 + } + `}} + - path: /api/v3.4/health + methods: ['GET'] + request_headers: + Authorization: + - 'Bearer xxxx' + responses: + - status_code: 200 + body: | + {{ minify_json ` + { + "memory": { + "usage_percent": 47, + "free_bytes": 5597118464, + "used_bytes": 33078743040, + "total_bytes": 67444477952, + "updated_at": "2025-04-18 07:17:35+00:00" + }, + "trafficdrop": { + "sensors": [ + { + "name": "EDR Sensor", + "error": "All interfaces have traffic volume within range", + "status": "OK", + "serial_number": "V421353ef386550fb2f9a959fa3f52aee", + "luid": "w4ftj0a8", + "ip_address": "1.128.0.0" + }, + { + "name": "XDR Sensor", + "error": "Interface have traffic volume within range", + "status": "OK", + "serial_number": "1421353ef386550fb2f9a959fa3f52aee", + "luid": "w4ftj0a8", + "ip_address": "1.128.0.11" + } + ], + "updated_at": "2025-04-18 07:17:35+00:00" + }, + "cpu": { + "user_percent": 30, + "nice_percent": 0, + "system_percent": 24.9, + "idle_percent": 43.9, + "updated_at": "2025-04-18 07:17:35+00:00" + }, + 
"hostid": { + "artifact_counts": { + "TestEDR": 0, + "arsenic": 0, + "carbon_black": 0, + "cb_cloud": 0, + "clear_state": 0, + "cookie": 0, + "crowdstrike": 0, + "cybereason": 0, + "dhcp": 6606, + "dns": 27818, + "end_time": 0, + "fireeye": 0, + "generic_edr": 0, + "idle_end": 27818, + "idle_start": 27936, + "invalid": 0, + "kerberos": 209, + "kerberos_user": 0, + "mdns": 18575, + "netbios": 15596, + "proxy_ip": 0, + "rdns": 0, + "sentinelone": 0, + "split": 0, + "src_port": 0, + "static_ip": 0, + "total": 134681, + "uagent": 10122, + "vmachine_info": 0, + "windows_defender": 1, + "zpa_user": 0 + }, + "ip_always_percent": 18.52, + "ip_sometimes_percent": 2.47, + "ip_never_percent": 79.01, + "updated_at": "2025-04-18 07:17:35+00:00" + }, + "network": { + "updated_at": "2025-04-18 07:17:34+00:00", + "vlans": { + "vlan_ids": [ + "7", + "8" + ], + "count": 1 + } + }, + "disk": { + "degraded_raid_volume": { + "error": "error", + "output": "output", + "status": "OK" + }, + "disk_raid": { + "error": "error", + "output": "output", + "status": "OK" + }, + "disk_utilization": { + "free_bytes": 10000109, + "total_bytes": 67444477952, + "usage_percent": 47, + "used_bytes": 33078743040 + }, + "raid_disks_missing": { + "error": "error", + "output": "output", + "status": "OK" + }, + "updated_at": "2025-04-18 07:17:34+00:00" + }, + "power": { + "status": "SKIP", + "error": "Power check for this device is not supported", + "updated_at": "2025-04-18 07:17:35+00:00" + }, + "system": { + "uptime": "261 days, 13 hours, 33 minutes", + "serial_number": "VHE66258a5e8dafe76d9a5dd741abd94ee8", + "version": { + "last_update": "Wed Apr 9 02:03:16 2025", + "last_update_utc": "2025-04-09T02:03:16+00:00", + "model": "VHE", + "mode": "brain", + "cloud_bridge": true, + "gmt": "2025-04-18T07:14:09.593927Z", + "vm_type": "vmware", + "vectra_instance_type": "medium", + "vectra_version": "9.0.3-2-62" + }, + "updated_at": "2025-04-18 07:17:33+00:00" + }, + "sensors": [ + { + "id": 3, + "location": 
"hyp-2-37", + "serial_number": "V421353ef386550fb2f9a959fa3f52aee", + "luid": "w4ftj0a8", + "status": "paired", + "version": "9.0.3-1-62", + "ip_address": "175.16.199.0", + "ssh_tunnel_port": "38113", + "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1y0zv2goBjkol/8TggJJ\nMgP03tIZ6B6w9PVpF/bK8KTT0/hinX8PHP/MdDS58sVE6DuAqAkkELqN55f35AhB\nOqztY9xWDH8bO7Y0P0kbBIQ9+/abyfNpaxbiQe5Yk8oClyEgtXH4GKJCNxkGgbIb\n-----END PUBLIC KEY-----\n", + "product_name": "DCS", + "mode": "sensor", + "headend_uri": "175.16.199.24", + "original_version": "7.9.0-17-38", + "last_seen": "2025-04-18T07:15:37.685Z", + "update_count": 0, + "name": "EDR Sensor" + }, + { + "id": 2, + "location": "hyp-2-35", + "serial_number": "12421353ef386550fb2f9a959fa3f52aee", + "luid": "w4ftj0a8", + "status": "paired", + "version": "9.0.3-1-62", + "ip_address": "175.16.199.0", + "ssh_tunnel_port": "38113", + "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1y0zv2goBjkol/8TggJJ\nMgP03tIZ6B6w9PVpF/bK8KTT0/hinX8PHP/MdDS58sVE6DuAqAkkELqN55f35AhB\nOqztY9xWDH8bO7Y0P0kbBIQ9+/abyfNpaxbiQe5Yk8oClyEgtXH4GKJCNxkGgbIb\n-----END PUBLIC KEY-----\n", + "product_name": "DCS", + "mode": "sensor", + "headend_uri": "175.16.199.24", + "original_version": "7.9.0-17-38", + "last_seen": "2025-04-18T07:15:37.685Z", + "update_count": 0, + "name": "XDR Sensor" + }, + { + "id": 1, + "location": "hyp-2-30", + "serial_number": "V4121353ef386550fb2f9a959fa3f52aee", + "luid": "w4ftj0a8", + "status": "paired", + "version": "9.0.3-1-62", + "ip_address": "175.16.199.0", + "ssh_tunnel_port": "38113", + "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1y0zv2goBjkol/8TggJJ\nMgP03tIZ6B6w9PVpF/bK8KTT0/hinX8PHP/MdDS58sVE6DuAqAkkELqN55f35AhB\nOqztY9xWDH8bO7Y0P0kbBIQ9+/abyfNpaxbiQe5Yk8oClyEgtXH4GKJCNxkGgbIb\n-----END PUBLIC KEY-----\n", + "product_name": "DCS", + "mode": "sensor", + "headend_uri": "http://headend_uri/", + 
"original_version": "7.9.0-17-38", + "last_seen": "2025-04-18T07:15:37.685Z", + "update_count": 0, + "name": "DR Sensor" + } + ], + "detection": { + "updated_at": "2025-04-18 07:17:33+00:00", + "name": "Detection 1", + "detection_type": "AWS", + "message": "This is detection message", + "status": "OK" + }, + "event_timestamp": "2025-04-15T09:39:45.146Z", + "connectivity": { + "sensors": [ + { + "name": "EDR Sensor", + "error": "metadata replication seems fine", + "status": "OK", + "serial_number": "V421353ef386550fb2f9a959fa3f52aee", + "luid": "w4ftj0a8", + "ip_address": "216.160.83.56", + "affected_metadata_hours": [ + "2025-04-18T00:00:00Z", + "2025-04-18T01:00:00Z" + ] + }, + { + "name": "XDR Sensor", + "error": "metadata replication seems fine", + "status": "OK", + "serial_number": "V423ef386550fb2f9a959fa3f52aee", + "luid": "w4ftj0a8", + "ip_address": "81.2.69.142", + "affected_metadata_hours": [ + "2025-04-18T00:00:00Z", + "2025-04-18T01:00:00Z" + ] + } + ], + "updated_at": "2025-04-18 07:17:35+00:00" + } + } + `}} + - path: /api/v3.4/lockdown + methods: ['GET'] + request_headers: + Authorization: + - 'Bearer xxxx' + responses: + - status_code: 200 + body: | + {{ minify_json ` + [ + { + "id": 1, + "type": "host", + "entity_id": 1184, + "entity_name": "Windows10_Jump", + "lock_event_timestamp": "2023-03-06T22:30:06Z", + "locked_by": "vadmin", + "certainty": 0, + "unlock_event_timestamp": "2023-04-07T23:50:00Z" + } + ] + `}} diff --git a/packages/vectra_rux/changelog.yml b/packages/vectra_rux/changelog.yml new file mode 100644 index 00000000000..b0e32490e02 --- /dev/null +++ b/packages/vectra_rux/changelog.yml @@ -0,0 +1,6 @@ +# newer versions go on top +- version: "0.1.0" + changes: + - description: Initial release. + type: enhancement + link: https://github.com/elastic/integrations/pull/13646 
diff --git a/packages/vectra_rux/data_stream/audit/_dev/test/pipeline/test-audit.log b/packages/vectra_rux/data_stream/audit/_dev/test/pipeline/test-audit.log new file mode 100644 index 00000000000..4158816e60c --- /dev/null +++ b/packages/vectra_rux/data_stream/audit/_dev/test/pipeline/test-audit.log @@ -0,0 +1,2 @@ +{"id":212,"user_id":1,"username":"admin","user_type":"API_CLIENT","api_client_id":"0cc5c3a9-4b1d-4b3a-9c5c-3a9b1d4b3a9b","user_role":"Security Analyst","version":"2022.0.0","source_ip":"89.160.20.156","event_timestamp":"2025-01-01T00:00:00.000Z","message":"[table:linked_account][id:1] with tags [] was changed to ['tag1', 'tag2', 'tag3', 'tag4', 'tag5', 'tag6']","result_status":"success","event_data":{},"event_object":"account_tags","event_action":"updated"} +{"id":45854,"user_id":22284,"username":"john.doe@net.co","user_type":"JWT","api_client_id":null,"user_role":"Security Analyst","version":"202502.14.0","source_ip":"81.2.69.142","event_timestamp":"2025-03-03T06:42:20Z","message":"Tag testdev has been added to detections with ids [172]","result_status":"success","event_data":{"account_note":{"note_id":"684","account_id":"57"}},"event_object":"detection_tag","event_action":"created"} diff --git a/packages/vectra_rux/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json b/packages/vectra_rux/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json new file mode 100644 index 00000000000..fb69c10da46 --- /dev/null +++ b/packages/vectra_rux/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json 
@@ -0,0 +1,171 @@ +{ + "expected": [ + { + "@timestamp": "2025-01-01T00:00:00.000Z", + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "updated", + "category": [ + "configuration" + ], + "kind": "event", + "original": "{\"id\":212,\"user_id\":1,\"username\":\"admin\",\"user_type\":\"API_CLIENT\",\"api_client_id\":\"0cc5c3a9-4b1d-4b3a-9c5c-3a9b1d4b3a9b\",\"user_role\":\"Security Analyst\",\"version\":\"2022.0.0\",\"source_ip\":\"89.160.20.156\",\"event_timestamp\":\"2025-01-01T00:00:00.000Z\",\"message\":\"[table:linked_account][id:1] with tags [] was changed to ['tag1', 'tag2', 'tag3', 'tag4', 'tag5', 'tag6']\",\"result_status\":\"success\",\"event_data\":{},\"event_object\":\"account_tags\",\"event_action\":\"updated\"}", + "outcome": "success", + "type": [ + "change" + ] + }, + "message": "[table:linked_account][id:1] with tags [] was changed to ['tag1', 'tag2', 'tag3', 'tag4', 'tag5', 'tag6']", + "observer": { + "product": "Vectra RUX", + "version": "2022.0.0" + }, + "related": { + "ip": [ + "89.160.20.156" + ], + "user": [ + "1", + "admin" + ] + }, + "source": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156" + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "id": "1", + "name": "admin", + "roles": [ + "Security Analyst" + ] + }, + "vectra_rux": { + "audit": { + "api_client_id": "0cc5c3a9-4b1d-4b3a-9c5c-3a9b1d4b3a9b", + "event": { + "action": "updated", + "object": "account_tags", + "timestamp": "2025-01-01T00:00:00.000Z" + }, + "id": "212", + "message": "[table:linked_account][id:1] with tags [] was changed to ['tag1', 'tag2', 'tag3', 'tag4', 'tag5', 'tag6']", + "result_status": "success", + "source_ip": 
"89.160.20.156", + "user": { + "id": "1", + "name": "admin", + "role": "Security Analyst", + "type": "API_CLIENT" + }, + "version": "2022.0.0" + } + } + }, + { + "@timestamp": "2025-03-03T06:42:20.000Z", + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "created", + "category": [ + "configuration" + ], + "kind": "event", + "original": "{\"id\":45854,\"user_id\":22284,\"username\":\"john.doe@net.co\",\"user_type\":\"JWT\",\"api_client_id\":null,\"user_role\":\"Security Analyst\",\"version\":\"202502.14.0\",\"source_ip\":\"81.2.69.142\",\"event_timestamp\":\"2025-03-03T06:42:20Z\",\"message\":\"Tag testdev has been added to detections with ids [172]\",\"result_status\":\"success\",\"event_data\":{\"account_note\":{\"note_id\":\"684\",\"account_id\":\"57\"}},\"event_object\":\"detection_tag\",\"event_action\":\"created\"}", + "outcome": "success", + "type": [ + "creation" + ] + }, + "message": "Tag testdev has been added to detections with ids [172]", + "observer": { + "product": "Vectra RUX", + "version": "202502.14.0" + }, + "related": { + "ip": [ + "81.2.69.142" + ], + "user": [ + "22284", + "john.doe@net.co" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.142" + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "id": "22284", + "name": "john.doe@net.co", + "roles": [ + "Security Analyst" + ] + }, + "vectra_rux": { + "audit": { + "event": { + "action": "created", + "data": { + "account_note": { + "account_id": "57", + "note_id": "684" + } + }, + "object": "detection_tag", + "timestamp": "2025-03-03T06:42:20.000Z" + }, + "id": "45854", + "message": "Tag testdev has been added to detections with ids [172]", + "result_status": "success", + "source_ip": "81.2.69.142", + "user": { + "id": "22284", + 
"name": "john.doe@net.co", + "role": "Security Analyst", + "type": "JWT" + }, + "version": "202502.14.0" + } + } + } + ] +} diff --git a/packages/vectra_rux/data_stream/audit/_dev/test/pipeline/test-common-config.yml b/packages/vectra_rux/data_stream/audit/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..37e8fa225fd --- /dev/null +++ b/packages/vectra_rux/data_stream/audit/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_duplicate_custom_fields diff --git a/packages/vectra_rux/data_stream/audit/_dev/test/system/test-common-config.yml b/packages/vectra_rux/data_stream/audit/_dev/test/system/test-common-config.yml new file mode 100644 index 00000000000..e680d1f658f --- /dev/null +++ b/packages/vectra_rux/data_stream/audit/_dev/test/system/test-common-config.yml @@ -0,0 +1,14 @@ +input: cel +service: vectra_rux +vars: + url: http://{{Hostname}}:{{Port}} + client_id: xxxx + client_secret: xxxx +data_stream: + vars: + interval: 10s + preserve_original_event: true + preserve_duplicate_custom_fields: true + batch_size: 2 +assert: + hit_count: 5 diff --git a/packages/vectra_rux/data_stream/audit/agent/stream/cel.yml.hbs b/packages/vectra_rux/data_stream/audit/agent/stream/cel.yml.hbs new file mode 100644 index 00000000000..80171b34eb8 --- /dev/null +++ b/packages/vectra_rux/data_stream/audit/agent/stream/cel.yml.hbs 
@@ -0,0 +1,89 @@ +config_version: 2 +interval: {{interval}} +resource.tracer: + enabled: {{enable_request_tracer}} + filename: "../../logs/cel/http-request-trace-*.ndjson" + maxbackups: 5 +{{#if proxy_url}} +resource.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +resource.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +resource.timeout: {{http_client_timeout}} +{{/if}} +resource.url: {{url}} +auth.oauth2: + client.id: {{client_id}} + client.secret: {{client_secret}} + token_url: {{url}}/oauth2/token +state: + initial_interval: {{initial_interval}} + batch_size: {{batch_size}} + version: v3.4 +redact: + fields: ~ +program: | + ( + state.?want_more.orValue(false) ? + state.start_time + : + state.?cursor.last_timestamp.orValue((now - duration(state.initial_interval)).format(time_layout.RFC3339)) + ).as(start_time, state.with( + request("GET", state.url.trim_right("/") + "/api/" + string(state.version) + "/events/audits?" + { + "from": [string(state.?from.orValue(0))], + "limit": [string(state.batch_size)], + "event_timestamp_gte": [start_time], + }.format_query()).do_request().as(resp, (resp.StatusCode == 200) ? + resp.Body.decode_json().as(body, { + "events": body.events.map(e, { + "message": e.encode_json(), + }), + "want_more": int(body.remaining_count) > 0, + "from": int(body.next_checkpoint), + "start_time": start_time, + "cursor": { + ?"last_timestamp": (has(body.events) && size(body.events) > 0) ? + optional.of(body.events[size(body.events) - 1].event_timestamp) + : + state.?cursor.last_timestamp + }, + }) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "GET " + state.url.trim_right("/") + "/api/" + string(state.version) + "/events/audits: " + + ( + (size(resp.Body) != 0) ? 
+ string(resp.Body) + : + string(resp.Status) + " (" + string(resp.StatusCode) + ")" + ), + }, + }, + "want_more": false + } + ) + ) + ) +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/vectra_rux/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/vectra_rux/data_stream/audit/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..5611d2975c5 --- /dev/null +++ b/packages/vectra_rux/data_stream/audit/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,380 @@ +--- +description: Pipeline for processing audit logs. +processors: + - set: + field: ecs.version + tag: set_ecs_version + value: 8.17.0 + - rename: + field: message + tag: rename_message_to_event_original + target_field: event.original + ignore_missing: true + description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document. + if: ctx.event?.original == null + - fail: + tag: data_collection_error + if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null + message: error message set and no data to process. + - remove: + field: message + tag: remove_message + ignore_missing: true + description: The `message` field is no longer required if the document has an `event.original` field. + if: ctx.event?.original != null + - json: + field: event.original + tag: json_event_original + target_field: json + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.kind + tag: set_event_kind + value: event + - set: + field: observer.product + tag: set_observer_product + value: Vectra RUX + - append: + field: event.category + tag: append_category_session + value: session + allow_duplicates: false + if: ctx.json?.event_action?.contains('logout') == true + - append: + field: event.category + tag: append_category_authentication + value: authentication + allow_duplicates: false + if: ctx.json?.event_action?.contains('login') == true + - append: + field: event.category + tag: append_category_configuration + value: configuration + allow_duplicates: false + if: >- + ctx.json?.event_action?.contains('created') == true || + 
ctx.json?.event_action?.contains('deleted') == true || + ctx.json?.event_action?.contains('updated') == true || + ctx.json?.event_action?.contains('lock') == true || + ctx.json?.event_action?.contains('unlock') == true || + ctx.json?.event_action?.contains('marked_as_fixed') == true || + ctx.json?.event_action?.contains('unmarked_as_fixed') == true + - append: + field: event.category + tag: append_category_access + value: access + allow_duplicates: false + if: >- + ctx.json?.event_action?.contains('lock') == true || + ctx.json?.event_action?.contains('unlock') == true + - append: + field: event.type + tag: append_type_change + value: change + allow_duplicates: false + if: >- + ctx.json?.event_action?.contains('updated') == true || + ctx.json?.event_action?.contains('marked_as_fixed') == true || + ctx.json?.event_action?.contains('unmarked_as_fixed') == true + - append: + field: event.type + tag: append_type_creation + value: creation + allow_duplicates: false + if: ctx.json?.event_action?.contains('created') == true + - append: + field: event.type + tag: append_type_deletion + value: deletion + allow_duplicates: false + if: ctx.json?.event_action?.contains('deleted') == true + - rename: + field: json.api_client_id + tag: rename_api_client_id + target_field: vectra_rux.audit.api_client_id + ignore_missing: true + - rename: + field: json.event_action + tag: rename_event_action + target_field: vectra_rux.audit.event.action + ignore_missing: true + - set: + field: event.action + tag: set_event_action_from_audit_event_action + copy_from: vectra_rux.audit.event.action + ignore_empty_value: true + - lowercase: + field: event.action + tag: lowercase_event_action + ignore_missing: true + - split: + field: event.action + tag: split_event_action + separator: \s+ + ignore_missing: true + if: ctx.event?.action != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in 
pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - join: + field: event.action + tag: join_event_action + separator: '-' + if: ctx.event?.action != null + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.event_data + tag: rename_event_data + target_field: vectra_rux.audit.event.data + ignore_missing: true + - rename: + field: json.event_object + tag: rename_event_object + target_field: vectra_rux.audit.event.object + ignore_missing: true + - date: + field: json.event_timestamp + tag: date_event_timestamp + target_field: vectra_rux.audit.event.timestamp + formats: + - ISO8601 + if: ctx.json?.event_timestamp != null && ctx.json.event_timestamp != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: '@timestamp' + tag: set_@timestamp_from_audit_event_timestamp + copy_from: vectra_rux.audit.event.timestamp + ignore_empty_value: true + - convert: + field: json.id + tag: convert_id + type: string + target_field: vectra_rux.audit.id + ignore_missing: true + - rename: + field: json.message + tag: rename_message + target_field: vectra_rux.audit.message + ignore_missing: true + - set: + field: message + tag: set_message_from_audit_message + copy_from: vectra_rux.audit.message + ignore_empty_value: true + - rename: + field: json.result_status + tag: rename_result_status + target_field: vectra_rux.audit.result_status + ignore_missing: true + - set: + field: event.outcome + tag: set_event_outcome_from_audit_result_status + copy_from: vectra_rux.audit.result_status + 
ignore_empty_value: true + - convert: + field: json.source_ip + tag: convert_source_ip_to_ip + target_field: vectra_rux.audit.source_ip + type: ip + ignore_missing: true + if: ctx.json?.source_ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: source.ip + tag: set_source_ip_from_audit_source_ip + copy_from: vectra_rux.audit.source_ip + ignore_empty_value: true + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + tag: rename_source_as_asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + tag: rename_source_as_organization_name + target_field: source.as.organization.name + ignore_missing: true + - append: + field: related.ip + tag: append_vectra_rux_audit_source_ip_into_related_ip + value: '{{{vectra_rux.audit.source_ip}}}' + allow_duplicates: false + if: ctx.vectra_rux?.audit?.source_ip != null + - convert: + field: json.user_id + tag: convert_user_id_to_string + type: string + target_field: vectra_rux.audit.user.id + ignore_missing: true + - set: + field: user.id + tag: set_user_id_from_audit_user_id + copy_from: vectra_rux.audit.user.id + ignore_empty_value: true + - append: + field: related.user + tag: append_vectra_rux_audit_user_id_into_related_user + value: '{{{vectra_rux.audit.user.id}}}' + allow_duplicates: false + if: ctx.vectra_rux?.audit?.user?.id != null + - rename: + field: json.username + tag: rename_username + target_field: vectra_rux.audit.user.name + ignore_missing: true + - set: + field: user.name + tag: set_user_name_from_audit_user_name + 
copy_from: vectra_rux.audit.user.name + ignore_empty_value: true + - append: + field: related.user + tag: append_vectra_rux_audit_user_name_into_related_user + value: '{{{vectra_rux.audit.user.name}}}' + allow_duplicates: false + if: ctx.vectra_rux?.audit?.user?.name != null + - rename: + field: json.user_role + tag: rename_user_role + target_field: vectra_rux.audit.user.role + ignore_missing: true + - append: + field: user.roles + tag: append_vectra_rux_audit_user_role_into_user_roles + value: '{{{vectra_rux.audit.user.role}}}' + allow_duplicates: false + if: ctx.vectra_rux?.audit?.user?.role != null + - rename: + field: json.role + tag: rename_role + target_field: vectra_rux.audit.role + ignore_missing: true + - rename: + field: json.user_type + tag: rename_user_type + target_field: vectra_rux.audit.user.type + ignore_missing: true + - rename: + field: json.version + tag: rename_version + target_field: vectra_rux.audit.version + ignore_missing: true + - set: + field: observer.version + tag: set_observer_version_from_audit_version + copy_from: vectra_rux.audit.version + ignore_empty_value: true + - remove: + field: + - vectra_rux.audit.event.timestamp + - vectra_rux.audit.message + - vectra_rux.audit.result_status + - vectra_rux.audit.source_ip + - vectra_rux.audit.user.id + - vectra_rux.audit.user.name + - vectra_rux.audit.user.role + - vectra_rux.audit.version + tag: remove_custom_duplicate_fields + ignore_missing: true + if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields') + - remove: + field: json + tag: remove_json + ignore_missing: true + - script: + tag: script_to_truncate_long_fields + lang: painless + description: Truncate fields that are over length. 
+ source: |- + def filterMassive(def src) { + if (src instanceof Map) { + for (def entry: src.entrySet()) { + entry.setValue(filterMassive(entry.getValue())); + } + return src; + } else if (src instanceof List) { + for (int i = 0; i < src.length; i++) { + src[i] = filterMassive(src[i]); + } + return src; + } else if (src instanceof String && src.length() > 32766) { + return src.substring(0, 32700)+' (truncated)'; + } + return src; + } + filterMassive(ctx); + # Cleanup + - script: + description: This script processor iterates over the whole document to remove fields with null values. + tag: script_to_drop_null_values + lang: painless + source: | + void handleMap(Map map) { + map.values().removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + void handleList(List list) { + list.removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + handleMap(ctx); + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + if: ctx.error?.message != null + - append: + field: tags + value: preserve_original_event + allow_duplicates: false + if: ctx.error?.message != null +on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false 
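Review bot: the `event.category`/`event.type` conditions rely on substring matching, so several clauses are redundant and some are broader than they look: `ctx.json?.event_action?.contains('lock') == true` already matches `unlock`, and `contains('marked_as_fixed')` already matches `unmarked_as_fixed`, which makes the `unlock` and `unmarked_as_fixed` branches in `append_category_configuration`, `append_category_access` and `append_type_change` dead. Since `event.action` is later lowercased and normalised anyway, an exact comparison (e.g. `ctx.json?.event_action == 'lock' || ctx.json?.event_action == 'unlock'`) would state the intent and stop any other action that merely contains `lock` from being tagged as `access`. Two smaller points in the same hunk: the two `geoip` processors are the only ones without a `tag:` (every other processor here carries one, and the `on_failure` message template depends on it), and `rename_role` moves `json.role` to `vectra_rux.audit.role`, a field that none of the sample events carry and that the audit `fields.yml` does not declare; either drop the rename or add the mapping.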
diff --git a/packages/vectra_rux/data_stream/audit/fields/base-fields.yml b/packages/vectra_rux/data_stream/audit/fields/base-fields.yml new file mode 100644 index 00000000000..e78d38a560b --- /dev/null +++ b/packages/vectra_rux/data_stream/audit/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module. + value: vectra_rux +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: vectra_rux.audit +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/vectra_rux/data_stream/audit/fields/beats.yml b/packages/vectra_rux/data_stream/audit/fields/beats.yml new file mode 100644 index 00000000000..d5fd38748ba --- /dev/null +++ b/packages/vectra_rux/data_stream/audit/fields/beats.yml @@ -0,0 +1,6 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. +- name: log.offset + type: long + description: Log offset. diff --git a/packages/vectra_rux/data_stream/audit/fields/ecs.yml b/packages/vectra_rux/data_stream/audit/fields/ecs.yml new file mode 100644 index 00000000000..cba7d8cdb84 --- /dev/null +++ b/packages/vectra_rux/data_stream/audit/fields/ecs.yml @@ -0,0 +1,4 @@ +# Define ECS constant fields as constant_keyword +- name: observer.vendor + type: constant_keyword + value: Vectra diff --git a/packages/vectra_rux/data_stream/audit/fields/fields.yml b/packages/vectra_rux/data_stream/audit/fields/fields.yml new file mode 100644 index 00000000000..9b822c538fe --- /dev/null +++ b/packages/vectra_rux/data_stream/audit/fields/fields.yml 
@@ -0,0 +1,54 @@ +- name: vectra_rux + type: group + fields: + - name: audit + type: group + fields: + - name: api_client_id + type: keyword + description: API client ID, if an event was caused by an API client interaction. + - name: event + type: group + fields: + - name: data + type: flattened + description: JSON data specific to the event type. + - name: action + type: keyword + description: What type of action is being audited. + - name: object + type: keyword + description: The object type the audited action is being performed on. + - name: timestamp + type: date + description: Event timestamp (UTC) in ISO-8601 format. + - name: id + type: keyword + description: Auto incrementing ID. + - name: message + type: keyword + description: Message describing the event. + - name: result_status + type: keyword + description: Result status of the event. "success" or "failure". + - name: source_ip + type: ip + description: IP address of the user/API client. + - name: user + type: group + fields: + - name: id + type: keyword + description: User ID of the user account associated with the event. + - name: role + type: keyword + description: Role the user/API client had at the time of the event. + - name: type + type: keyword + description: User type. + - name: name + type: keyword + description: Username of the account associated with the event, at the time of the event. + - name: version + type: keyword + description: Vectra UI version at the time of the event. diff --git a/packages/vectra_rux/data_stream/audit/manifest.yml b/packages/vectra_rux/data_stream/audit/manifest.yml new file mode 100644 index 00000000000..517eb895291 --- /dev/null +++ b/packages/vectra_rux/data_stream/audit/manifest.yml 
@@ -0,0 +1,82 @@ +title: Collect Audit logs from Vectra RUX +type: logs +streams: + - input: cel + title: Audit logs + description: Collect Audit logs from Vectra RUX. + template_path: cel.yml.hbs + enabled: true + vars: + - name: initial_interval + type: text + title: Initial Interval + description: How far back to pull the Audit logs from Vectra RUX API. Supported units for this parameter are h/m/s. + default: 24h + multi: false + required: true + show_user: true + - name: interval + type: text + title: Interval + description: Duration between requests to the Vectra RUX API. Supported units for this parameter are h/m/s. + default: 5m + multi: false + required: true + show_user: true + - name: batch_size + type: integer + title: Batch Size + description: Batch size for the response of the Vectra RUX API. + default: 500 + multi: false + required: true + show_user: false + - name: http_client_timeout + type: text + title: HTTP Client Timeout + description: Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h. + multi: false + required: true + show_user: false + default: 30s + - name: enable_request_tracer + type: bool + title: Enable request tracing + multi: false + required: false + show_user: false + description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details. + default: false + - name: preserve_original_event + required: false + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. 
+ type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: false + show_user: false + title: Preserve duplicate custom fields + description: Preserve vectra_rux.audit fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + default: false + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - vectra_rux-audit + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. diff --git a/packages/vectra_rux/data_stream/audit/sample_event.json b/packages/vectra_rux/data_stream/audit/sample_event.json new file mode 100644 index 00000000000..4b3e44e4502 --- /dev/null +++ b/packages/vectra_rux/data_stream/audit/sample_event.json 
@@ -0,0 +1,110 @@ +{ + "@timestamp": "2025-02-01T00:00:00.000Z", + "agent": { + "ephemeral_id": "2ad22f71-fc0e-431f-ac9b-5cce9186e1ef", + "id": "22610512-ee45-4ec8-8a19-124542ad0a82", + "name": "elastic-agent-97577", + "type": "filebeat", + "version": "8.18.0" + }, + "data_stream": { + "dataset": "vectra_rux.audit", + "namespace": "34718", + "type": "logs" + }, + "ecs": { + "version": "8.17.0" + }, + "elastic_agent": { + "id": "22610512-ee45-4ec8-8a19-124542ad0a82", + "snapshot": false, + "version": "8.18.0" + }, + "event": { + "action": "updated", + "agent_id_status": "verified", + "category": [ + "configuration" + ], + "dataset": "vectra_rux.audit", + "ingested": "2025-05-08T05:10:37Z", + "kind": "event", + "original": "{\"api_client_id\":\"0cc5c3a9-4b1d-4b3a-9c5c-3a9b1d4b3a9b\",\"event_action\":\"updated\",\"event_data\":{},\"event_object\":\"account_tags\",\"event_timestamp\":\"2025-02-01T00:00:00.000Z\",\"id\":3,\"message\":\"[table:linked_account][id:1] with tags [] was changed to ['tag1', 'tag2', 'tag3', 'tag4', 'tag5', 'tag6']\",\"result_status\":\"success\",\"source_ip\":\"89.160.20.156\",\"user_id\":3,\"user_role\":\"Security Analyst\",\"user_type\":\"API_CLIENT\",\"username\":\"admin\",\"version\":\"2022.0.0\"}", + "outcome": "success", + "type": [ + "change" + ] + }, + "input": { + "type": "cel" + }, + "message": "[table:linked_account][id:1] with tags [] was changed to ['tag1', 'tag2', 'tag3', 'tag4', 'tag5', 'tag6']", + "observer": { + "product": "Vectra RUX", + "version": "2022.0.0" + }, + "related": { + "ip": [ + "89.160.20.156" + ], + "user": [ + "3", + "admin" + ] + }, + "source": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156" + }, + 
"tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "vectra_rux-audit" + ], + "user": { + "id": "3", + "name": "admin", + "roles": [ + "Security Analyst" + ] + }, + "vectra_rux": { + "audit": { + "api_client_id": "0cc5c3a9-4b1d-4b3a-9c5c-3a9b1d4b3a9b", + "event": { + "action": "updated", + "object": "account_tags", + "timestamp": "2025-02-01T00:00:00.000Z" + }, + "id": "3", + "message": "[table:linked_account][id:1] with tags [] was changed to ['tag1', 'tag2', 'tag3', 'tag4', 'tag5', 'tag6']", + "result_status": "success", + "source_ip": "89.160.20.156", + "user": { + "id": "3", + "name": "admin", + "role": "Security Analyst", + "type": "API_CLIENT" + }, + "version": "2022.0.0" + } + } +} diff --git a/packages/vectra_rux/data_stream/detection_event/_dev/test/pipeline/test-common-config.yml b/packages/vectra_rux/data_stream/detection_event/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..37e8fa225fd --- /dev/null +++ b/packages/vectra_rux/data_stream/detection_event/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_duplicate_custom_fields diff --git a/packages/vectra_rux/data_stream/detection_event/_dev/test/pipeline/test-detection-event.log b/packages/vectra_rux/data_stream/detection_event/_dev/test/pipeline/test-detection-event.log new file mode 100644 index 00000000000..e05440d8ff3 --- /dev/null +++ b/packages/vectra_rux/data_stream/detection_event/_dev/test/pipeline/test-detection-event.log 
@@ -0,0 +1,2 @@ +{"id":28538,"category":"command_and_control","threat":50,"certainty":50,"triaged":false,"detection_type":"Azure AD Redundant Access Creation","url":"https://207031206993.uw2.devportal.vectra.ai/detections/959","d_type_vname":"Azure AD Redundant Access Creation","detection_id":959,"detection_href":"https://207031206993.uw2.devportal.vectra.ai/detections/959?detail_id=94341","entity_id":1,"type":"account","entity_href":"https://207031206993.uw2.devportal.vectra.ai/accounts/1","entity_uid":"O365:ServicePrincipal_3fb87dda-882a-49e1-88b9-67d2499b2fd4","src_entity":"O365:ServicePrincipal_3fb87dda-882a-49e1-88b9-67d2499b2fd4","event_timestamp":"2022-09-12T16:31:35Z","mitre":["T1526"],"detail":{},"severity":5} +{"detection_href":"https://123589577.cc1.portal.vectra.ai/detections/32986?detail_id=99603","detection_id":32986,"d_type_vname":"Hidden HTTPS Tunnel","entity_id":976,"severity":0,"id":98064,"certainty":0,"detection_type":"Hidden HTTPS Tunnel","event_timestamp":"2024-10-23T10:16:42Z","category":"command_and_control","triaged":false,"detail":{},"entity_uid":"deltics-1","url":"https://123589577.cc1.portal.vectra.ai/hosts/976","type":"host","threat":0,"mitre":["T1043","T1094","T1024","T1132","T1001","T1008","T1071","T1032","T1105","T1108"]} diff --git a/packages/vectra_rux/data_stream/detection_event/_dev/test/pipeline/test-detection-event.log-expected.json b/packages/vectra_rux/data_stream/detection_event/_dev/test/pipeline/test-detection-event.log-expected.json new file mode 100644 index 00000000000..dd397585b7f --- /dev/null +++ b/packages/vectra_rux/data_stream/detection_event/_dev/test/pipeline/test-detection-event.log-expected.json 
@@ -0,0 +1,201 @@ +{ + "expected": [ + { + "@timestamp": "2022-09-12T16:31:35.000Z", + "ecs": { + "version": "8.17.0" + }, + "event": { + "category": [ + "threat" + ], + "id": "959", + "kind": "alert", + "original": "{\"id\":28538,\"category\":\"command_and_control\",\"threat\":50,\"certainty\":50,\"triaged\":false,\"detection_type\":\"Azure AD Redundant Access Creation\",\"url\":\"https://207031206993.uw2.devportal.vectra.ai/detections/959\",\"d_type_vname\":\"Azure AD Redundant Access Creation\",\"detection_id\":959,\"detection_href\":\"https://207031206993.uw2.devportal.vectra.ai/detections/959?detail_id=94341\",\"entity_id\":1,\"type\":\"account\",\"entity_href\":\"https://207031206993.uw2.devportal.vectra.ai/accounts/1\",\"entity_uid\":\"O365:ServicePrincipal_3fb87dda-882a-49e1-88b9-67d2499b2fd4\",\"src_entity\":\"O365:ServicePrincipal_3fb87dda-882a-49e1-88b9-67d2499b2fd4\",\"event_timestamp\":\"2022-09-12T16:31:35Z\",\"mitre\":[\"T1526\"],\"detail\":{},\"severity\":5}", + "reference": "https://207031206993.uw2.devportal.vectra.ai/detections/959?detail_id=94341", + "severity": 5, + "type": [ + "indicator" + ], + "url": "https://207031206993.uw2.devportal.vectra.ai/detections/959" + }, + "observer": { + "product": "Vectra RUX" + }, + "related": { + "user": [ + "1" + ] + }, + "rule": { + "name": "Azure AD Redundant Access Creation" + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "reference": "https://207031206993.uw2.devportal.vectra.ai/detections/959?detail_id=94341" + }, + "tactic": { + "name": [ + "command_and_control" + ] + }, + "technique": { + "id": [ + "T1526" + ] + } + }, + "url": { + "domain": "207031206993.uw2.devportal.vectra.ai", + "original": "https://207031206993.uw2.devportal.vectra.ai/detections/959?detail_id=94341", + "path": "/detections/959", + "query": "detail_id=94341", + "scheme": "https" + }, + "user": { + "id": "1", + "risk": { + "calculated_score": 50 + } + }, + "vectra_rux": { + 
"detection_event": { + "category": "command_and_control", + "certainty": 50, + "d_type_vname": "Azure AD Redundant Access Creation", + "detection": { + "href": "https://207031206993.uw2.devportal.vectra.ai/detections/959?detail_id=94341", + "id": "959", + "type": "Azure AD Redundant Access Creation" + }, + "entity": { + "id": "1", + "uid": "O365:ServicePrincipal_3fb87dda-882a-49e1-88b9-67d2499b2fd4" + }, + "event_timestamp": "2022-09-12T16:31:35.000Z", + "id": "28538", + "mitre": [ + "T1526" + ], + "severity": 5, + "src_entity": "O365:ServicePrincipal_3fb87dda-882a-49e1-88b9-67d2499b2fd4", + "threat": 50, + "triaged": false, + "type": "account", + "url": "https://207031206993.uw2.devportal.vectra.ai/detections/959" + } + } + }, + { + "@timestamp": "2024-10-23T10:16:42.000Z", + "ecs": { + "version": "8.17.0" + }, + "event": { + "category": [ + "host", + "threat" + ], + "id": "32986", + "kind": "alert", + "original": "{\"detection_href\":\"https://123589577.cc1.portal.vectra.ai/detections/32986?detail_id=99603\",\"detection_id\":32986,\"d_type_vname\":\"Hidden HTTPS Tunnel\",\"entity_id\":976,\"severity\":0,\"id\":98064,\"certainty\":0,\"detection_type\":\"Hidden HTTPS Tunnel\",\"event_timestamp\":\"2024-10-23T10:16:42Z\",\"category\":\"command_and_control\",\"triaged\":false,\"detail\":{},\"entity_uid\":\"deltics-1\",\"url\":\"https://123589577.cc1.portal.vectra.ai/hosts/976\",\"type\":\"host\",\"threat\":0,\"mitre\":[\"T1043\",\"T1094\",\"T1024\",\"T1132\",\"T1001\",\"T1008\",\"T1071\",\"T1032\",\"T1105\",\"T1108\"]}", + "reference": "https://123589577.cc1.portal.vectra.ai/detections/32986?detail_id=99603", + "severity": 0, + "type": [ + "info", + "indicator" + ], + "url": "https://123589577.cc1.portal.vectra.ai/hosts/976" + }, + "host": { + "id": "976", + "risk": { + "calculated_score": 0 + } + }, + "observer": { + "product": "Vectra RUX" + }, + "related": { + "hosts": [ + "976" + ] + }, + "rule": { + "name": "Hidden HTTPS Tunnel" + }, + "tags": [ + 
"preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "reference": "https://123589577.cc1.portal.vectra.ai/detections/32986?detail_id=99603" + }, + "tactic": { + "name": [ + "command_and_control" + ] + }, + "technique": { + "id": [ + "T1043", + "T1094", + "T1024", + "T1132", + "T1001", + "T1008", + "T1071", + "T1032", + "T1105", + "T1108" + ] + } + }, + "url": { + "domain": "123589577.cc1.portal.vectra.ai", + "original": "https://123589577.cc1.portal.vectra.ai/detections/32986?detail_id=99603", + "path": "/detections/32986", + "query": "detail_id=99603", + "scheme": "https" + }, + "vectra_rux": { + "detection_event": { + "category": "command_and_control", + "certainty": 0, + "d_type_vname": "Hidden HTTPS Tunnel", + "detection": { + "href": "https://123589577.cc1.portal.vectra.ai/detections/32986?detail_id=99603", + "id": "32986", + "type": "Hidden HTTPS Tunnel" + }, + "entity": { + "id": "976", + "uid": "deltics-1" + }, + "event_timestamp": "2024-10-23T10:16:42.000Z", + "id": "98064", + "mitre": [ + "T1043", + "T1094", + "T1024", + "T1132", + "T1001", + "T1008", + "T1071", + "T1032", + "T1105", + "T1108" + ], + "severity": 0, + "threat": 0, + "triaged": false, + "type": "host", + "url": "https://123589577.cc1.portal.vectra.ai/hosts/976" + } + } + } + ] +} diff --git a/packages/vectra_rux/data_stream/detection_event/_dev/test/system/test-common-config.yml b/packages/vectra_rux/data_stream/detection_event/_dev/test/system/test-common-config.yml new file mode 100644 index 00000000000..e680d1f658f --- /dev/null +++ b/packages/vectra_rux/data_stream/detection_event/_dev/test/system/test-common-config.yml @@ -0,0 +1,14 @@ +input: cel +service: vectra_rux +vars: + url: http://{{Hostname}}:{{Port}} + client_id: xxxx + client_secret: xxxx +data_stream: + vars: + interval: 10s + preserve_original_event: true + preserve_duplicate_custom_fields: true + batch_size: 2 +assert: + hit_count: 5 
diff --git a/packages/vectra_rux/data_stream/detection_event/agent/stream/cel.yml.hbs b/packages/vectra_rux/data_stream/detection_event/agent/stream/cel.yml.hbs new file mode 100644 index 00000000000..13a9abf733a --- /dev/null +++ b/packages/vectra_rux/data_stream/detection_event/agent/stream/cel.yml.hbs 
@@ -0,0 +1,89 @@ +config_version: 2 +interval: {{interval}} +resource.tracer: + enabled: {{enable_request_tracer}} + filename: "../../logs/cel/http-request-trace-*.ndjson" + maxbackups: 5 +{{#if proxy_url}} +resource.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +resource.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +resource.timeout: {{http_client_timeout}} +{{/if}} +resource.url: {{url}} +auth.oauth2: + client.id: {{client_id}} + client.secret: {{client_secret}} + token_url: {{url}}/oauth2/token +state: + initial_interval: {{initial_interval}} + batch_size: {{batch_size}} + version: v3.4 +redact: + fields: ~ +program: | + ( + state.?want_more.orValue(false) ? + state.start_time + : + state.?cursor.last_timestamp.orValue((now - duration(state.initial_interval)).format(time_layout.RFC3339)) + ).as(start_time, state.with( + request("GET", state.url.trim_right("/") + "/api/" + string(state.version) + "/events/detections?" + { + "from": [string(state.?from.orValue(0))], + "limit": [string(state.batch_size)], + "event_timestamp_gte": [start_time], + }.format_query()).do_request().as(resp, (resp.StatusCode == 200) ? + resp.Body.decode_json().as(body, { + "events": body.events.map(e, { + "message": e.encode_json(), + }), + "want_more": int(body.remaining_count) > 0, + "start_time": start_time, + "from": int(body.next_checkpoint), + "cursor": { + ?"last_timestamp": (has(body.events) && size(body.events) > 0) ? + optional.of(body.events[size(body.events) - 1].event_timestamp) + : + state.?cursor.last_timestamp + }, + }) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "GET " + state.url.trim_right("/") + "/api/" + string(state.version) + "/events/detections: " + + ( + (size(resp.Body) != 0) ? 
+ string(resp.Body) + : + string(resp.Status) + " (" + string(resp.StatusCode) + ")" + ), + }, + }, + "want_more": false + } + ) + ) + ) +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/vectra_rux/data_stream/detection_event/elasticsearch/ingest_pipeline/default.yml b/packages/vectra_rux/data_stream/detection_event/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..dc039aceb88 --- /dev/null +++ b/packages/vectra_rux/data_stream/detection_event/elasticsearch/ingest_pipeline/default.yml 
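Review bot: The cursor update in the 200 branch stores the last event's `event_timestamp`, and the next run queries with `event_timestamp_gte` set to that same value, so the final event of each run is returned again unless the persisted `from` checkpoint excludes it; please confirm the API's `next_checkpoint` semantics or note that duplicates are expected, since the ingest pipeline has no fingerprint step. Related: `from` is written to state on every successful response but never reset, so a stale checkpoint is sent together with the timestamp window on the first request of each interval. If `next_checkpoint` is only meaningful within one paginated run, reset it when the run ends, e.g. `"from": int(body.remaining_count) > 0 ? int(body.next_checkpoint) : 0`.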
@@ -0,0 +1,335 @@ +--- +description: Pipeline for processing detection event logs. +processors: + - set: + field: ecs.version + tag: set_ecs_version + value: 8.17.0 + - rename: + field: message + tag: rename_message_to_event_original + target_field: event.original + ignore_missing: true + description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document. + if: ctx.event?.original == null + - remove: + field: message + tag: remove_message + ignore_missing: true + description: The `message` field is no longer required if the document has an `event.original` field. + if: ctx.event?.original != null + - json: + field: event.original + tag: json_event_original + target_field: json + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.kind + tag: set_event_kind + value: alert + - set: + field: observer.product + tag: set_observer_product + value: Vectra RUX + - append: + field: event.category + tag: set_event_category_host + value: host + if: ctx.json?.type == 'host' + - append: + field: event.type + tag: set_event_type_info + value: info + if: ctx.json?.type == 'host' + - append: + field: event.category + tag: set_event_category_threat + value: threat + - append: + field: event.type + tag: set_event_type_indicator + value: indicator + - rename: + field: json.category + tag: rename_category + target_field: vectra_rux.detection_event.category + ignore_missing: true + - append: + field: threat.tactic.name + tag: append_detection_event_category_into_threat_tactic_name + value: '{{{vectra_rux.detection_event.category}}}' + allow_duplicates: false + if: 
ctx.vectra_rux?.detection_event?.category != null + - convert: + field: json.certainty + tag: convert_certainty_to_long + target_field: vectra_rux.detection_event.certainty + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.d_type_vname + tag: rename_d_type_vname + target_field: vectra_rux.detection_event.d_type_vname + ignore_missing: true + - set: + field: rule.name + tag: set_rule_name_from_detection_event_d_type_vname + copy_from: vectra_rux.detection_event.d_type_vname + ignore_empty_value: true + - rename: + field: json.detail + tag: rename_detail + target_field: vectra_rux.detection_event.detail + ignore_missing: true + - rename: + field: json.detection_href + tag: rename_detection_href + target_field: vectra_rux.detection_event.detection.href + ignore_missing: true + - set: + field: event.reference + tag: set_event_reference_from_detection_event_detection_href + copy_from: vectra_rux.detection_event.detection.href + ignore_empty_value: true + - set: + field: threat.indicator.reference + tag: set_threat_indicator_reference_from_detection_event_detection_href + copy_from: vectra_rux.detection_event.detection.href + ignore_empty_value: true + - uri_parts: + field: event.reference + tag: uri_parts_event_reference + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.detection_id + tag: convert_detection_id_to_string + target_field: vectra_rux.detection_event.detection.id + type: string + ignore_missing: true + - set: + field: event.id + tag: 
set_event_id_from_detection_event_detection_id + copy_from: vectra_rux.detection_event.detection.id + ignore_empty_value: true + - rename: + field: json.detection_type + tag: rename_detection_type + target_field: vectra_rux.detection_event.detection.type + ignore_missing: true + - convert: + field: json.entity_id + tag: convert_entity_id_to_string + target_field: vectra_rux.detection_event.entity.id + type: string + ignore_missing: true + - set: + field: user.id + tag: set_user_id_from_detection_event_entity_id + copy_from: vectra_rux.detection_event.entity.id + ignore_empty_value: true + if: ctx.json?.type == 'account' + - append: + field: related.user + tag: append_user_id_into_related_user + value: '{{{user.id}}}' + allow_duplicates: false + if: ctx.user?.id != null + - set: + field: host.id + tag: set_host_id_from_detection_event_entity_id + copy_from: vectra_rux.detection_event.entity.id + ignore_empty_value: true + if: ctx.json?.type == 'host' + - append: + field: related.hosts + tag: append_host_id_into_related_hosts + value: '{{{host.id}}}' + allow_duplicates: false + if: ctx.host?.id != null + - rename: + field: json.entity_uid + tag: rename_entity_uid + target_field: vectra_rux.detection_event.entity.uid + ignore_missing: true + - date: + field: json.event_timestamp + tag: date_event_timestamp + target_field: vectra_rux.detection_event.event_timestamp + formats: + - ISO8601 + if: ctx.json?.event_timestamp != null && ctx.json.event_timestamp != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: '@timestamp' + tag: set_@timestamp_from_detection_event_event_timestamp + copy_from: vectra_rux.detection_event.event_timestamp + ignore_empty_value: true + - convert: + field: json.id + tag: convert_id_to_string + target_field: 
vectra_rux.detection_event.id + type: string + ignore_missing: true + - rename: + field: json.mitre + tag: rename_mitre + target_field: vectra_rux.detection_event.mitre + ignore_missing: true + - foreach: + field: vectra_rux.detection_event.mitre + if: ctx.vectra_rux?.detection_event?.mitre instanceof List + ignore_failure: true + processor: + append: + field: threat.technique.id + value: '{{{_ingest._value}}}' + tag: append_vectra_rux_detection_event_mitre_into_threat_technique_id + allow_duplicates: false + - convert: + field: json.severity + tag: convert_severity_to_long + target_field: vectra_rux.detection_event.severity + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.severity + tag: set_event_severity_from_detection_event_severity + copy_from: vectra_rux.detection_event.severity + ignore_empty_value: true + - rename: + field: json.src_entity + tag: rename_src_entity + target_field: vectra_rux.detection_event.src_entity + ignore_missing: true + - convert: + field: json.threat + tag: convert_threat_to_long + target_field: vectra_rux.detection_event.threat + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: user.risk.calculated_score + tag: set_user_risk_calculated_score_from_detection_event_threat + copy_from: vectra_rux.detection_event.threat + ignore_empty_value: true + if: ctx.json?.type == 'account' + - set: + field: host.risk.calculated_score + tag: set_host_risk_calculated_score_from_detection_event_threat + copy_from: 
vectra_rux.detection_event.threat + ignore_empty_value: true + if: ctx.json?.type == 'host' + - convert: + field: json.triaged + tag: convert_triaged_to_boolean + target_field: vectra_rux.detection_event.triaged + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.type + tag: rename_type + target_field: vectra_rux.detection_event.type + ignore_missing: true + - rename: + field: json.url + tag: rename_url + target_field: vectra_rux.detection_event.url + ignore_missing: true + - set: + field: event.url + tag: set_event_url_from_detection_event_url + copy_from: vectra_rux.detection_event.url + ignore_empty_value: true + - remove: + field: + - vectra_rux.detection_event.detection.href + - vectra_rux.detection_event.detection.id + - vectra_rux.detection_event.event_timestamp + - vectra_rux.detection_event.mitre + - vectra_rux.detection_event.severity + - vectra_rux.detection_event.url + - vectra_rux.detection_event.category + - vectra_rux.detection_event.d_type_vname + - vectra_rux.detection_event.entity.id + tag: remove_custom_duplicate_fields + ignore_missing: true + if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields') + - remove: + field: json + tag: remove_json + ignore_missing: true + # Cleanup + - script: + description: This script processor iterates over the whole document to remove fields with null values. 
+ tag: script_to_drop_null_values + lang: painless + source: | + void handleMap(Map map) { + map.values().removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + void handleList(List list) { + list.removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + handleMap(ctx); + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + if: ctx.error?.message != null + - append: + field: tags + value: preserve_original_event + allow_duplicates: false + if: ctx.error?.message != null +on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/packages/vectra_rux/data_stream/detection_event/fields/base-fields.yml b/packages/vectra_rux/data_stream/detection_event/fields/base-fields.yml new file mode 100644 index 00000000000..3c144cecdf9 --- /dev/null +++ b/packages/vectra_rux/data_stream/detection_event/fields/base-fields.yml 
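Review bot: `append_detection_event_category_into_threat_tactic_name` copies the raw Vectra category (`command_and_control` in the test data) into `threat.tactic.name`, whereas ECS documents that field with the MITRE display name (`Command and Control`); consider mapping the category to the ECS form so tactic-based dashboards and rules match across integrations, keeping the raw value only in `vectra_rux.detection_event.category`. A smaller point in the same hunk: `uri_parts` runs on `event.reference` (the `detection_href`, which includes `detail_id`), while `event.url` is set from `json.url`, so `url.original` and `event.url` hold different URLs for the same document; either pick one source or add a description explaining the split.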
@@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module. + value: vectra_rux +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: vectra_rux.detection_event +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/vectra_rux/data_stream/detection_event/fields/beats.yml b/packages/vectra_rux/data_stream/detection_event/fields/beats.yml new file mode 100644 index 00000000000..d5fd38748ba --- /dev/null +++ b/packages/vectra_rux/data_stream/detection_event/fields/beats.yml @@ -0,0 +1,6 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. +- name: log.offset + type: long + description: Log offset. diff --git a/packages/vectra_rux/data_stream/detection_event/fields/ecs.yml b/packages/vectra_rux/data_stream/detection_event/fields/ecs.yml new file mode 100644 index 00000000000..cba7d8cdb84 --- /dev/null +++ b/packages/vectra_rux/data_stream/detection_event/fields/ecs.yml @@ -0,0 +1,4 @@ +# Define ECS constant fields as constant_keyword +- name: observer.vendor + type: constant_keyword + value: Vectra diff --git a/packages/vectra_rux/data_stream/detection_event/fields/fields.yml b/packages/vectra_rux/data_stream/detection_event/fields/fields.yml new file mode 100644 index 00000000000..f246266cd4f --- /dev/null +++ b/packages/vectra_rux/data_stream/detection_event/fields/fields.yml 
@@ -0,0 +1,65 @@ +- name: vectra_rux + type: group + fields: + - name: detection_event + type: group + fields: + - name: category + type: keyword + description: The detection category. + - name: certainty + type: long + description: The certainty score attributed to the detection. + - name: d_type_vname + type: keyword + description: The detection name. + - name: detail + type: flattened + description: The detection detail. + - name: detection + type: group + fields: + - name: href + type: keyword + description: Link to the detection. + - name: id + type: keyword + description: The ID of the detection. + - name: type + type: keyword + description: Type of detection. + - name: entity + type: group + fields: + - name: id + type: keyword + description: Id of the related entity. + - name: uid + type: keyword + description: UID of the related entity. + - name: event_timestamp + type: date + description: Timestamp when the Account Detection Event occurred. + - name: id + type: keyword + description: The ID of the Account Detection Event. + - name: mitre + type: keyword + description: Type of Mitre Technique. + - name: severity + type: long + description: The severity of the detection. + - name: src_entity + type: keyword + - name: threat + type: long + description: The threat score attributed to the detection. + - name: triaged + type: boolean + description: Indicates whether the detection has been triaged. + - name: type + type: keyword + description: Type of the related entity. + - name: url + type: keyword + description: Corresponding URL of the detection event. diff --git a/packages/vectra_rux/data_stream/detection_event/manifest.yml b/packages/vectra_rux/data_stream/detection_event/manifest.yml new file mode 100644 index 00000000000..628128920b0 --- /dev/null +++ b/packages/vectra_rux/data_stream/detection_event/manifest.yml 
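Review bot: `src_entity` is the only field in fields.yml without a `description`; please add one. The descriptions for `event_timestamp` and `id` say "Account Detection Event" although this stream also carries host detections (`type: host` in the pipeline tests), and `mitre` is described as "Type of Mitre Technique" while it holds a list of technique IDs (`T1043`, `T1094`, ...); suggest "Timestamp when the detection event occurred.", "The ID of the detection event." and "MITRE ATT&CK technique IDs associated with the detection.".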
@@ -0,0 +1,82 @@ +title: Collect Detection Event logs from Vectra RUX +type: logs +streams: + - input: cel + title: Detection Event logs + description: Collect Detection Event logs from Vectra RUX. + template_path: cel.yml.hbs + enabled: true + vars: + - name: initial_interval + type: text + title: Initial Interval + description: How far back to pull the Detection Event logs from Vectra RUX API. Supported units for this parameter are h/m/s. + default: 24h + multi: false + required: true + show_user: true + - name: interval + type: text + title: Interval + description: Duration between requests to the Vectra RUX API. Supported units for this parameter are h/m/s. + default: 5m + multi: false + required: true + show_user: true + - name: batch_size + type: integer + title: Batch Size + description: Batch size for the response of the Vectra RUX API. + default: 500 + multi: false + required: true + show_user: false + - name: http_client_timeout + type: text + title: HTTP Client Timeout + description: Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h. + multi: false + required: true + show_user: false + default: 30s + - name: enable_request_tracer + type: bool + title: Enable request tracing + multi: false + required: false + show_user: false + description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details. + default: false + - name: preserve_original_event + required: false + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. 
+ type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: false + show_user: false + title: Preserve duplicate custom fields + description: Preserve vectra_rux.detection_event fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + default: false + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - vectra_rux-detection_event + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. diff --git a/packages/vectra_rux/data_stream/detection_event/sample_event.json b/packages/vectra_rux/data_stream/detection_event/sample_event.json new file mode 100644 index 00000000000..4760a96dd95 --- /dev/null +++ b/packages/vectra_rux/data_stream/detection_event/sample_event.json 
@@ -0,0 +1,115 @@ +{ + "@timestamp": "2022-09-13T16:31:35.000Z", + "agent": { + "ephemeral_id": "f902a8e6-4c67-4620-9db4-c0a260f8c994", + "id": "e1f117dc-bfd4-4ff6-9b98-2e4040a1b329", + "name": "elastic-agent-18657", + "type": "filebeat", + "version": "8.18.0" + }, + "data_stream": { + "dataset": "vectra_rux.detection_event", + "namespace": "24621", + "type": "logs" + }, + "ecs": { + "version": "8.17.0" + }, + "elastic_agent": { + "id": "e1f117dc-bfd4-4ff6-9b98-2e4040a1b329", + "snapshot": false, + "version": "8.18.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "threat" + ], + "dataset": "vectra_rux.detection_event", + "id": "959", + "ingested": "2025-05-08T05:11:36Z", + "kind": "alert", + "original": "{\"category\":\"command_and_control\",\"certainty\":50,\"d_type_vname\":\"Azure AD Redundant Access Creation\",\"detail\":{},\"detection_href\":\"https://207031206993.uw2.devportal.vectra.ai/detections/959?detail_id=94341\",\"detection_id\":959,\"detection_type\":\"Azure AD Redundant Access Creation\",\"entity_href\":\"https://207031206993.uw2.devportal.vectra.ai/accounts/1\",\"entity_id\":1,\"entity_uid\":\"O365:ServicePrincipal_3fb87dda-882a-49e1-88b9-67d2499b2fd4\",\"event_timestamp\":\"2022-09-13T16:31:35Z\",\"id\":5,\"mitre\":[\"T1526\"],\"severity\":5,\"src_entity\":\"O365:ServicePrincipal_3fb87dda-882a-49e1-88b9-67d2499b2fd4\",\"threat\":50,\"triaged\":false,\"type\":\"account\",\"url\":\"https://207031206993.uw2.devportal.vectra.ai/detections/959\"}", + "reference": "https://207031206993.uw2.devportal.vectra.ai/detections/959?detail_id=94341", + "severity": 5, + "type": [ + "indicator" + ], + "url": "https://207031206993.uw2.devportal.vectra.ai/detections/959" + }, + "input": { + "type": "cel" + }, + "observer": { + "product": "Vectra RUX" + }, + "related": { + "user": [ + "1" + ] + }, + "rule": { + "name": "Azure AD Redundant Access Creation" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + 
"forwarded", + "vectra_rux-detection_event" + ], + "threat": { + "indicator": { + "reference": "https://207031206993.uw2.devportal.vectra.ai/detections/959?detail_id=94341" + }, + "tactic": { + "name": [ + "command_and_control" + ] + }, + "technique": { + "id": [ + "T1526" + ] + } + }, + "url": { + "domain": "207031206993.uw2.devportal.vectra.ai", + "original": "https://207031206993.uw2.devportal.vectra.ai/detections/959?detail_id=94341", + "path": "/detections/959", + "query": "detail_id=94341", + "scheme": "https" + }, + "user": { + "id": "1", + "risk": { + "calculated_score": 50 + } + }, + "vectra_rux": { + "detection_event": { + "category": "command_and_control", + "certainty": 50, + "d_type_vname": "Azure AD Redundant Access Creation", + "detection": { + "href": "https://207031206993.uw2.devportal.vectra.ai/detections/959?detail_id=94341", + "id": "959", + "type": "Azure AD Redundant Access Creation" + }, + "entity": { + "id": "1", + "uid": "O365:ServicePrincipal_3fb87dda-882a-49e1-88b9-67d2499b2fd4" + }, + "event_timestamp": "2022-09-13T16:31:35.000Z", + "id": "5", + "mitre": [ + "T1526" + ], + "severity": 5, + "src_entity": "O365:ServicePrincipal_3fb87dda-882a-49e1-88b9-67d2499b2fd4", + "threat": 50, + "triaged": false, + "type": "account", + "url": "https://207031206993.uw2.devportal.vectra.ai/detections/959" + } + } +} diff --git a/packages/vectra_rux/data_stream/entity_event/_dev/test/pipeline/test-common-config.yml b/packages/vectra_rux/data_stream/entity_event/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..37e8fa225fd --- /dev/null +++ b/packages/vectra_rux/data_stream/entity_event/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_duplicate_custom_fields 
diff --git a/packages/vectra_rux/data_stream/entity_event/_dev/test/pipeline/test-entity-event.log b/packages/vectra_rux/data_stream/entity_event/_dev/test/pipeline/test-entity-event.log new file mode 100644 index 00000000000..11fc0c1217d --- /dev/null +++ b/packages/vectra_rux/data_stream/entity_event/_dev/test/pipeline/test-entity-event.log @@ -0,0 +1,2 @@ +{"id":24,"entity_id":100,"breadth_contrib":0,"importance":0,"type":"host","is_prioritized":false,"severity":"Low","urgency_reason":"Ransomware: This entity was prioritized because it was implicated in an active ransomware detection","urgency_score":0,"velocity_contrib":0,"event_timestamp":"2022-08-07T00:14:31Z","name":"AWS:None/us-1-east/config:AWSConfig-Describe","active_detection_types":["AWS S3 Enumeration"],"category":"ACCOUNT SCORING","last_detection":{"id":103,"type":"AWS S3 Enumeration","url":"https://200888808432.uw2.devportal.vectra.ai/detections/103"},"attack_rating":0,"url":"https://200888808432.uw2.devportal.vectra.ai/accounts/8"} +{"id":17,"entity_id":8,"name":"O365:john@demolab.vectra.ai","breadth_contrib":1,"importance":1,"type":"account","is_prioritized":true,"severity":"Low","urgency_score":76,"velocity_contrib":2,"attack_rating":7,"active_detection_types":["Azure AD Admin Account Creation","Azure AD Newly Created Admin Account","Azure AD Redundant Access Creation","M365 Disabling of Security Tools"],"category":"ACCOUNT SCORING","url":"https://123456789.cc1.portal.vectra.ai/accounts/8","event_timestamp":"2023-08-30T20:10:08Z","last_detection":{"id":null,"type":"Azure AD Change to Trusted IP Configuration","url":null}} diff --git a/packages/vectra_rux/data_stream/entity_event/_dev/test/pipeline/test-entity-event.log-expected.json b/packages/vectra_rux/data_stream/entity_event/_dev/test/pipeline/test-entity-event.log-expected.json new file mode 100644 index 00000000000..0822e1ea3f2 --- /dev/null 
+++ b/packages/vectra_rux/data_stream/entity_event/_dev/test/pipeline/test-entity-event.log-expected.json 
@@ -0,0 +1,141 @@ +{ + "expected": [ + { + "@timestamp": "2022-08-07T00:14:31.000Z", + "ecs": { + "version": "8.17.0" + }, + "event": { + "category": [ + "host" + ], + "id": "100", + "kind": "event", + "original": "{\"id\":24,\"entity_id\":100,\"breadth_contrib\":0,\"importance\":0,\"type\":\"host\",\"is_prioritized\":false,\"severity\":\"Low\",\"urgency_reason\":\"Ransomware: This entity was prioritized because it was implicated in an active ransomware detection\",\"urgency_score\":0,\"velocity_contrib\":0,\"event_timestamp\":\"2022-08-07T00:14:31Z\",\"name\":\"AWS:None/us-1-east/config:AWSConfig-Describe\",\"active_detection_types\":[\"AWS S3 Enumeration\"],\"category\":\"ACCOUNT SCORING\",\"last_detection\":{\"id\":103,\"type\":\"AWS S3 Enumeration\",\"url\":\"https://200888808432.uw2.devportal.vectra.ai/detections/103\"},\"attack_rating\":0,\"url\":\"https://200888808432.uw2.devportal.vectra.ai/accounts/8\"}", + "reference": "https://200888808432.uw2.devportal.vectra.ai/detections/103", + "severity": 33, + "type": [ + "info" + ], + "url": "https://200888808432.uw2.devportal.vectra.ai/accounts/8" + }, + "host": { + "id": "100", + "name": "AWS:None/us-1-east/config:AWSConfig-Describe" + }, + "message": "Ransomware: This entity was prioritized because it was implicated in an active ransomware detection", + "observer": { + "product": "Vectra RUX" + }, + "related": { + "hosts": [ + "100", + "AWS:None/us-1-east/config:AWSConfig-Describe" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields", + "vectra_rux-entity_event-host" + ], + "threat": { + "indicator": { + "reference": "https://200888808432.uw2.devportal.vectra.ai/detections/103" + } + }, + "url": { + "domain": "200888808432.uw2.devportal.vectra.ai", + "original": "https://200888808432.uw2.devportal.vectra.ai/detections/103", + "path": "/detections/103", + "scheme": "https" + }, + "vectra_rux": { + "entity_event": { + "active_detection_types": [ + "AWS S3 Enumeration" + ], + "attack_rating": 0, + 
"breadth_contrib": 0, + "category": "ACCOUNT SCORING", + "entity_id": "100", + "event_timestamp": "2022-08-07T00:14:31.000Z", + "id": "24", + "importance": 0, + "is_prioritized": false, + "last_detection": { + "id": "103", + "type": "AWS S3 Enumeration", + "url": "https://200888808432.uw2.devportal.vectra.ai/detections/103" + }, + "name": "AWS:None/us-1-east/config:AWSConfig-Describe", + "severity": "Low", + "type": "host", + "urgency": { + "reason": "Ransomware: This entity was prioritized because it was implicated in an active ransomware detection", + "score": 0 + }, + "url": "https://200888808432.uw2.devportal.vectra.ai/accounts/8", + "velocity_contrib": 0 + } + } + }, + { + "@timestamp": "2023-08-30T20:10:08.000Z", + "ecs": { + "version": "8.17.0" + }, + "event": { + "id": "8", + "kind": "event", + "original": "{\"id\":17,\"entity_id\":8,\"name\":\"O365:john@demolab.vectra.ai\",\"breadth_contrib\":1,\"importance\":1,\"type\":\"account\",\"is_prioritized\":true,\"severity\":\"Low\",\"urgency_score\":76,\"velocity_contrib\":2,\"attack_rating\":7,\"active_detection_types\":[\"Azure AD Admin Account Creation\",\"Azure AD Newly Created Admin Account\",\"Azure AD Redundant Access Creation\",\"M365 Disabling of Security Tools\"],\"category\":\"ACCOUNT SCORING\",\"url\":\"https://123456789.cc1.portal.vectra.ai/accounts/8\",\"event_timestamp\":\"2023-08-30T20:10:08Z\",\"last_detection\":{\"id\":null,\"type\":\"Azure AD Change to Trusted IP Configuration\",\"url\":null}}", + "severity": 33, + "url": "https://123456789.cc1.portal.vectra.ai/accounts/8" + }, + "observer": { + "product": "Vectra RUX" + }, + "related": { + "user": [ + "8", + "O365:john@demolab.vectra.ai" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields", + "vectra_rux-entity_event-account" + ], + "user": { + "email": "O365:john@demolab.vectra.ai", + "id": "8" + }, + "vectra_rux": { + "entity_event": { + "active_detection_types": [ + "Azure AD Admin Account Creation", + "Azure AD Newly Created Admin 
Account", + "Azure AD Redundant Access Creation", + "M365 Disabling of Security Tools" + ], + "attack_rating": 7, + "breadth_contrib": 1, + "category": "ACCOUNT SCORING", + "entity_id": "8", + "event_timestamp": "2023-08-30T20:10:08.000Z", + "id": "17", + "importance": 1, + "is_prioritized": true, + "last_detection": { + "type": "Azure AD Change to Trusted IP Configuration" + }, + "name": "O365:john@demolab.vectra.ai", + "severity": "Low", + "type": "account", + "urgency": { + "score": 76 + }, + "url": "https://123456789.cc1.portal.vectra.ai/accounts/8", + "velocity_contrib": 2 + } + } + } + ] +} diff --git a/packages/vectra_rux/data_stream/entity_event/_dev/test/system/test-common-config.yml b/packages/vectra_rux/data_stream/entity_event/_dev/test/system/test-common-config.yml new file mode 100644 index 00000000000..152ee013eb0 --- /dev/null +++ b/packages/vectra_rux/data_stream/entity_event/_dev/test/system/test-common-config.yml @@ -0,0 +1,15 @@ +input: cel +service: vectra_rux +vars: + url: http://{{Hostname}}:{{Port}} + client_id: xxxx + client_secret: xxxx +data_stream: + vars: + interval: 10s + preserve_original_event: true + preserve_duplicate_custom_fields: true + type: host + batch_size: 2 +assert: + hit_count: 5 diff --git a/packages/vectra_rux/data_stream/entity_event/agent/stream/cel.yml.hbs b/packages/vectra_rux/data_stream/entity_event/agent/stream/cel.yml.hbs new file mode 100644 index 00000000000..b85f47eec4b --- /dev/null +++ b/packages/vectra_rux/data_stream/entity_event/agent/stream/cel.yml.hbs 
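Review bot: In the second expected document, `user.email` is `O365:john@demolab.vectra.ai`, which still carries the Vectra `O365:` source prefix and is therefore not a valid email address; the entity_event pipeline should strip the prefix before populating `user.email` (or keep the raw value in `user.name` only), and this expected output updated to match. Also, `event.severity` is `33` for a `Low` severity in both documents, so the string-to-number mapping deserves a `description` on the processor that performs it.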
@@ -0,0 +1,95 @@ +config_version: 2 +interval: {{interval}} +resource.tracer: + enabled: {{enable_request_tracer}} + filename: "../../logs/cel/http-request-trace-*.ndjson" + maxbackups: 5 +{{#if proxy_url}} +resource.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +resource.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +resource.timeout: {{http_client_timeout}} +{{/if}} +resource.url: {{url}} +auth.oauth2: + client.id: {{client_id}} + client.secret: {{client_secret}} + token_url: {{url}}/oauth2/token +state: + initial_interval: {{initial_interval}} + batch_size: {{batch_size}} + type: {{type}} + version: v3.4 +redact: + fields: ~ +program: | + ( + (has(state.type) && string(state.type) == "account") ? + state.?cursor.account_last_timestamp.orValue((now - duration(state.initial_interval)).format(time_layout.RFC3339)) + : + state.?cursor.host_last_timestamp.orValue((now - duration(state.initial_interval)).format(time_layout.RFC3339)) + ).as(start_time, state.with( + request("GET", state.url.trim_right("/") + "/api/" + string(state.version) + "/events/entity_scoring?" + { + "from": [string(state.?from.orValue(0))], + "limit": [string(state.batch_size)], + "event_timestamp_gte": [start_time], + "type": [state.type], + }.format_query()).do_request().as(resp, (resp.StatusCode == 200) ? + resp.Body.decode_json().as(body, { + "events": body.events.map(e, { + "message": e.encode_json(), + }), + "want_more": int(body.remaining_count) > 0, + "from": int(body.next_checkpoint), + "start_time": start_time, + "cursor": { + ?"host_last_timestamp": (has(body.events) && size(body.events) > 0 && state.type == "host") ? + optional.of(body.events[size(body.events) - 1].event_timestamp) + : + state.?cursor.host_last_timestamp, + ?"account_last_timestamp": (has(body.events) && size(body.events) > 0 && state.type == "account") ? 
+ optional.of(body.events[size(body.events) - 1].event_timestamp) + : + state.?cursor.account_last_timestamp + }, + }) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "GET " + state.url.trim_right("/") + "/api/" + string(state.version) + "/events/entity_scoring: " + + ( + (size(resp.Body) != 0) ? + string(resp.Body) + : + string(resp.Status) + " (" + string(resp.StatusCode) + ")" + ), + }, + }, + "want_more": false + } + ) + ) + ) +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/vectra_rux/data_stream/entity_event/elasticsearch/ingest_pipeline/default.yml b/packages/vectra_rux/data_stream/entity_event/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..a9c7fc9943d --- /dev/null +++ b/packages/vectra_rux/data_stream/entity_event/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,355 @@ +--- +description: Pipeline for processing entity event logs. +processors: + - set: + field: ecs.version + tag: set_ecs_version + value: 8.17.0 + - rename: + field: message + tag: rename_message_to_event_original + target_field: event.original + ignore_missing: true + description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document. + if: ctx.event?.original == null + - remove: + field: message + tag: remove_message + ignore_missing: true + description: The `message` field is no longer required if the document has an `event.original` field. + if: ctx.event?.original != null + - json: + field: event.original + tag: json_event_original + target_field: json + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.kind + tag: set_event_kind + value: event + - set: + field: observer.product + tag: set_observer_product + value: Vectra RUX + - append: + field: event.category + tag: set_event_category + value: host + if: ctx.json?.type == 'host' + - append: + field: event.type + tag: set_event_type + value: info + if: ctx.json?.type == 'host' + - append: + field: tags + tag: append_host_tag + value: vectra_rux-entity_event-host + allow_duplicates: false + if: ctx.json?.type == 'host' + - append: + field: tags + tag: append_account_tag + value: vectra_rux-entity_event-account + allow_duplicates: false + if: ctx.json?.type == 'account' + - rename: + field: json.active_detection_types + tag: rename_active_detection_types + target_field: vectra_rux.entity_event.active_detection_types + ignore_missing: true + - convert: + field: json.attack_rating + tag: 
convert_attack_rating_to_long + target_field: vectra_rux.entity_event.attack_rating + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.breadth_contrib + tag: convert_breadth_contrib_to_long + target_field: vectra_rux.entity_event.breadth_contrib + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.category + tag: rename_category + target_field: vectra_rux.entity_event.category + ignore_missing: true + - convert: + field: json.entity_id + tag: convert_entity_id + type: string + target_field: vectra_rux.entity_event.entity_id + ignore_missing: true + - set: + field: event.id + tag: set_event_id_from_entity_event_entity_id + copy_from: vectra_rux.entity_event.entity_id + ignore_empty_value: true + - set: + field: user.id + tag: set_user_id_from_entity_event_entity_id + copy_from: vectra_rux.entity_event.entity_id + ignore_empty_value: true + if: ctx.json?.type == 'account' + - append: + field: related.user + tag: append_user_id_into_related_user + value: '{{{user.id}}}' + allow_duplicates: false + if: ctx.user?.id != null + - set: + field: host.id + tag: set_host_id_from_entity_event_entity_id + copy_from: vectra_rux.entity_event.entity_id + ignore_empty_value: true + if: ctx.json?.type == 'host' + - append: + field: related.hosts + tag: append_host_id_into_related_hosts + value: '{{{host.id}}}' + allow_duplicates: false + if: ctx.host?.id != null + - date: + field: json.event_timestamp + tag: date_event_timestamp + target_field: 
vectra_rux.entity_event.event_timestamp + formats: + - ISO8601 + if: ctx.json?.event_timestamp != null && ctx.json.event_timestamp != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: '@timestamp' + tag: set_@timestamp_from_entity_event_event_timestamp + copy_from: vectra_rux.entity_event.event_timestamp + ignore_empty_value: true + - convert: + field: json.id + tag: convert_id + type: string + target_field: vectra_rux.entity_event.id + ignore_missing: true + - convert: + field: json.importance + tag: convert_importance_to_long + target_field: vectra_rux.entity_event.importance + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.is_prioritized + tag: convert_is_prioritized_to_boolean + target_field: vectra_rux.entity_event.is_prioritized + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.last_detection.id + tag: convert_last_detection_id + type: string + target_field: vectra_rux.entity_event.last_detection.id + ignore_missing: true + - rename: + field: json.last_detection.type + tag: rename_last_detection_type + target_field: vectra_rux.entity_event.last_detection.type + ignore_missing: true + - rename: + field: json.last_detection.url + tag: rename_last_detection_url + target_field: 
vectra_rux.entity_event.last_detection.url + ignore_missing: true + - set: + field: event.reference + tag: set_event_reference_from_last_detection_url + copy_from: vectra_rux.entity_event.last_detection.url + ignore_empty_value: true + - set: + field: threat.indicator.reference + tag: set_threat_indicator_reference_from_entity_event_last_detection_url + copy_from: vectra_rux.entity_event.last_detection.url + ignore_empty_value: true + - uri_parts: + field: event.reference + tag: uri_parts_event_reference + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.name + tag: rename_name + target_field: vectra_rux.entity_event.name + ignore_missing: true + - set: + field: user.email + tag: set_user_email_from_entity_event_name + copy_from: vectra_rux.entity_event.name + ignore_empty_value: true + if: ctx.json?.type == 'account' && ctx.vectra_rux?.entity_event?.name.contains("@") + - append: + field: related.user + tag: append_user_email_into_related_user + value: '{{{user.email}}}' + allow_duplicates: false + if: ctx.user?.email != null + - set: + field: host.name + tag: set_user_name_from_entity_event_name + copy_from: vectra_rux.entity_event.name + ignore_empty_value: true + if: ctx.json?.type == 'host' + - append: + field: related.hosts + tag: append_host_name_into_related_hosts + value: '{{{host.name}}}' + allow_duplicates: false + if: ctx.host?.name != null + - rename: + field: json.severity + tag: rename_severity + target_field: vectra_rux.entity_event.severity + ignore_missing: true + - script: + lang: painless + description: Script to set event.severity. 
+ tag: set_event_severity + if: ctx.vectra_rux?.entity_event?.severity instanceof String + source: |- + def severity = ctx.vectra_rux.entity_event.severity.toLowerCase(); + if (severity == 'high') { + ctx.event.severity = 99; + } else if (severity == 'medium') { + ctx.event.severity = 66; + } else if (severity == 'low') { + ctx.event.severity = 33; + } + - rename: + field: json.type + tag: rename_type + target_field: vectra_rux.entity_event.type + ignore_missing: true + - rename: + field: json.urgency_reason + tag: rename_urgency_reason + target_field: vectra_rux.entity_event.urgency.reason + ignore_missing: true + - set: + field: message + tag: set_message_from_entity_event_urgency_reason + copy_from: vectra_rux.entity_event.urgency.reason + ignore_empty_value: true + - convert: + field: json.urgency_score + tag: convert_urgency_score_to_long + target_field: vectra_rux.entity_event.urgency.score + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.url + tag: rename_url + target_field: vectra_rux.entity_event.url + ignore_missing: true + - set: + field: event.url + tag: set_event_url_from_entity_event_url + copy_from: vectra_rux.entity_event.url + ignore_empty_value: true + - convert: + field: json.velocity_contrib + tag: convert_velocity_contrib_to_long + target_field: vectra_rux.entity_event.velocity_contrib + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - remove: + field: + - vectra_rux.entity_event.entity_id + - vectra_rux.entity_event.event_timestamp + - 
vectra_rux.entity_event.urgency.reason + - vectra_rux.entity_event.url + - vectra_rux.entity_event.last_detection.url + tag: remove_custom_duplicate_fields + ignore_missing: true + if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields') + - remove: + field: json + tag: remove_json + ignore_missing: true + # Cleanup + - script: + description: This script processor iterates over the whole document to remove fields with null values. + tag: script_to_drop_null_values + lang: painless + source: | + void handleMap(Map map) { + map.values().removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + void handleList(List list) { + list.removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + handleMap(ctx); + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + if: ctx.error?.message != null + - append: + field: tags + value: preserve_original_event + allow_duplicates: false + if: ctx.error?.message != null +on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/packages/vectra_rux/data_stream/entity_event/fields/base-fields.yml b/packages/vectra_rux/data_stream/entity_event/fields/base-fields.yml new file mode 100644 index 00000000000..a0d496b11fc --- /dev/null 
+++ b/packages/vectra_rux/data_stream/entity_event/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module. + value: vectra_rux +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: vectra_rux.entity_event +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/vectra_rux/data_stream/entity_event/fields/beats.yml b/packages/vectra_rux/data_stream/entity_event/fields/beats.yml new file mode 100644 index 00000000000..d5fd38748ba --- /dev/null +++ b/packages/vectra_rux/data_stream/entity_event/fields/beats.yml @@ -0,0 +1,6 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. +- name: log.offset + type: long + description: Log offset. diff --git a/packages/vectra_rux/data_stream/entity_event/fields/ecs.yml b/packages/vectra_rux/data_stream/entity_event/fields/ecs.yml new file mode 100644 index 00000000000..cba7d8cdb84 --- /dev/null +++ b/packages/vectra_rux/data_stream/entity_event/fields/ecs.yml @@ -0,0 +1,4 @@ +# Define ECS constant fields as constant_keyword +- name: observer.vendor + type: constant_keyword + value: Vectra diff --git a/packages/vectra_rux/data_stream/entity_event/fields/fields.yml b/packages/vectra_rux/data_stream/entity_event/fields/fields.yml new file mode 100644 index 00000000000..4034936b0b2 --- /dev/null +++ b/packages/vectra_rux/data_stream/entity_event/fields/fields.yml 
@@ -0,0 +1,61 @@ +- name: vectra_rux.entity_event + type: group + fields: + - name: id + type: keyword + - name: entity_id + type: keyword + description: Entity ID. + - name: breadth_contrib + type: long + description: Breadth contribution of the entity. + - name: importance + type: long + description: Importance score of the entity. + - name: type + type: keyword + description: Entity type. + - name: is_prioritized + type: boolean + description: Whether or not the priority of this entity is above the configured priority threshold. + - name: severity + type: keyword + description: Entity severity. + - name: urgency + type: group + fields: + - name: reason + type: keyword + description: Reason behind the urgency_score. + - name: score + type: long + description: Priority or urgency of the entity. + - name: velocity_contrib + type: long + description: Velocity contribution of the entity. + - name: event_timestamp + type: date + description: Timestamp when the detection event occurred. + - name: name + type: keyword + description: The name associated with the account, or the learned hostname. + - name: active_detection_types + type: keyword + description: A list of all active detection types on the entity. + - name: category + type: keyword + description: The event category. + - name: last_detection + type: group + fields: + - name: id + type: keyword + - name: type + type: keyword + - name: url + type: keyword + - name: attack_rating + type: long + - name: url + type: keyword + description: The URL link directly to this entity. diff --git a/packages/vectra_rux/data_stream/entity_event/manifest.yml b/packages/vectra_rux/data_stream/entity_event/manifest.yml new file mode 100644 index 00000000000..7b5d0b057b8 --- /dev/null +++ b/packages/vectra_rux/data_stream/entity_event/manifest.yml 
@@ -0,0 +1,94 @@ +title: Collect Entity Event logs from Vectra RUX +type: logs +streams: + - input: cel + title: Entity Event logs + description: Collect Entity Event logs from Vectra RUX. + template_path: cel.yml.hbs + enabled: true + vars: + - name: initial_interval + type: text + title: Initial Interval + description: How far back to pull the Entity Event logs from Vectra RUX API. Supported units for this parameter are h/m/s. + default: 24h + multi: false + required: true + show_user: true + - name: interval + type: text + title: Interval + description: Duration between requests to the Vectra RUX API. Supported units for this parameter are h/m/s. + default: 5m + multi: false + required: true + show_user: true + - name: batch_size + type: integer + title: Batch Size + description: Batch size for the response of the Vectra RUX API. + default: 500 + multi: false + required: true + show_user: false + - name: type + type: select + title: Type + description: "Specifies the type of entity scoring events: account or host." + multi: false + options: + - value: account + text: account + - value: host + text: host + required: true + show_user: true + - name: http_client_timeout + type: text + title: HTTP Client Timeout + description: Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h. + multi: false + required: true + show_user: false + default: 30s + - name: enable_request_tracer + type: bool + title: Enable request tracing + multi: false + required: false + show_user: false + description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details. 
+ default: false + - name: preserve_original_event + required: false + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: false + show_user: false + title: Preserve duplicate custom fields + description: Preserve vectra_rux.entity_event fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + default: false + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - vectra_rux-entity_event + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. diff --git a/packages/vectra_rux/data_stream/entity_event/sample_event.json b/packages/vectra_rux/data_stream/entity_event/sample_event.json new file mode 100644 index 00000000000..b5bfb2840e4 --- /dev/null +++ b/packages/vectra_rux/data_stream/entity_event/sample_event.json 
@@ -0,0 +1,104 @@ +{ + "@timestamp": "2022-07-07T00:14:31.000Z", + "agent": { + "ephemeral_id": "8e279852-4243-469f-91ad-8d0997ef64f6", + "id": "e80a9f22-25ca-45f5-9e14-925407b71763", + "name": "elastic-agent-21664", + "type": "filebeat", + "version": "8.18.0" + }, + "data_stream": { + "dataset": "vectra_rux.entity_event", + "namespace": "67167", + "type": "logs" + }, + "ecs": { + "version": "8.17.0" + }, + "elastic_agent": { + "id": "e80a9f22-25ca-45f5-9e14-925407b71763", + "snapshot": false, + "version": "8.18.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "host" + ], + "dataset": "vectra_rux.entity_event", + "id": "100", + "ingested": "2025-05-08T05:12:29Z", + "kind": "event", + "original": "{\"active_detection_types\":[\"hidden_https_tunnel_cnc\"],\"attack_rating\":0,\"breadth_contrib\":0,\"category\":\"HOST_SCORING\",\"entity_id\":100,\"event_timestamp\":\"2022-07-07T00:14:31Z\",\"id\":1,\"importance\":0,\"is_prioritized\":false,\"last_detection\":{\"id\":103,\"type\":\"hidden_https_tunnel_cnc\",\"url\":\"https://200888808432.uw2.devportal.vectra.ai/detections/103\"},\"name\":\"piper-desktop\",\"severity\":\"Low\",\"type\":\"host\",\"urgency_reason\":\"Ransomware: This entity was prioritized because it was implicated in an active ransomware detection\",\"urgency_score\":0,\"url\":\"https://200888808432.uw2.devportal.vectra.ai/accounts/8\",\"velocity_contrib\":0}", + "reference": "https://200888808432.uw2.devportal.vectra.ai/detections/103", + "severity": 33, + "type": [ + "info" + ], + "url": "https://200888808432.uw2.devportal.vectra.ai/accounts/8" + }, + "host": { + "id": "100", + "name": "piper-desktop" + }, + "input": { + "type": "cel" + }, + "message": "Ransomware: This entity was prioritized because it was implicated in an active ransomware detection", + "observer": { + "product": "Vectra RUX" + }, + "related": { + "hosts": [ + "100", + "piper-desktop" + ] + }, + "tags": [ + "preserve_original_event", + 
"preserve_duplicate_custom_fields", + "forwarded", + "vectra_rux-entity_event", + "vectra_rux-entity_event-host" + ], + "threat": { + "indicator": { + "reference": "https://200888808432.uw2.devportal.vectra.ai/detections/103" + } + }, + "url": { + "domain": "200888808432.uw2.devportal.vectra.ai", + "original": "https://200888808432.uw2.devportal.vectra.ai/detections/103", + "path": "/detections/103", + "scheme": "https" + }, + "vectra_rux": { + "entity_event": { + "active_detection_types": [ + "hidden_https_tunnel_cnc" + ], + "attack_rating": 0, + "breadth_contrib": 0, + "category": "HOST_SCORING", + "entity_id": "100", + "event_timestamp": "2022-07-07T00:14:31.000Z", + "id": "1", + "importance": 0, + "is_prioritized": false, + "last_detection": { + "id": "103", + "type": "hidden_https_tunnel_cnc", + "url": "https://200888808432.uw2.devportal.vectra.ai/detections/103" + }, + "name": "piper-desktop", + "severity": "Low", + "type": "host", + "urgency": { + "reason": "Ransomware: This entity was prioritized because it was implicated in an active ransomware detection", + "score": 0 + }, + "url": "https://200888808432.uw2.devportal.vectra.ai/accounts/8", + "velocity_contrib": 0 + } + } +} diff --git a/packages/vectra_rux/data_stream/health/_dev/test/pipeline/test-common-config.yml b/packages/vectra_rux/data_stream/health/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..37e8fa225fd --- /dev/null +++ b/packages/vectra_rux/data_stream/health/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_duplicate_custom_fields diff --git a/packages/vectra_rux/data_stream/health/_dev/test/pipeline/test-health.log b/packages/vectra_rux/data_stream/health/_dev/test/pipeline/test-health.log new file mode 100644 index 00000000000..b9007c3624f --- /dev/null +++ b/packages/vectra_rux/data_stream/health/_dev/test/pipeline/test-health.log 
@@ -0,0 +1,2 @@ +{"memory":{"usage_percent":47,"free_bytes":5597118464,"used_bytes":33078743040,"total_bytes":67444477952,"updated_at":"2025-04-18 07:17:35+00:00"},"trafficdrop":{"sensors":[{"name":"EDR Sensor","error":"All interfaces have traffic volume within range","status":"OK","serial_number":"V421353ef386550fb2f9a959fa3f52aee","luid":"w4ftj0a8","ip_address":"1.128.0.0"},{"name":"XDR Sensor","error":"Interface have traffic volume within range","status":"OK","serial_number":"1421353ef386550fb2f9a959fa3f52aee","luid":"w4ftj0a8","ip_address":"1.128.0.11"}],"updated_at":"2025-04-18 07:17:35+00:00"},"cpu":{"user_percent":30,"nice_percent":0,"system_percent":24.9,"idle_percent":43.9,"updated_at":"2025-04-18 07:17:35+00:00"},"hostid":{"artifact_counts":{"TestEDR":0,"arsenic":0,"carbon_black":0,"cb_cloud":0,"clear_state":0,"cookie":0,"crowdstrike":0,"cybereason":0,"dhcp":6606,"dns":27818,"end_time":0,"fireeye":0,"generic_edr":0,"idle_end":27818,"idle_start":27936,"invalid":0,"kerberos":209,"kerberos_user":0,"mdns":18575,"netbios":15596,"proxy_ip":0,"rdns":0,"sentinelone":0,"split":0,"src_port":0,"static_ip":0,"total":134681,"uagent":10122,"vmachine_info":0,"windows_defender":1,"zpa_user":0},"ip_always_percent":18.52,"ip_sometimes_percent":2.47,"ip_never_percent":79.01,"updated_at":"2025-04-18 07:17:35+00:00"},"network":{"updated_at":"2025-04-18 07:17:34+00:00","vlans":{"vlan_ids":["7","8"],"count":1}},"disk":{"degraded_raid_volume":{"error":"error","output":"output","status":"OK"},"disk_raid":{"error":"error","output":"output","status":"OK"},"disk_utilization":{"free_bytes":10000109,"total_bytes":67444477952,"usage_percent":47,"used_bytes":33078743040},"raid_disks_missing":{"error":"error","output":"output","status":"OK"},"updated_at":"2025-04-18 07:17:34+00:00"},"power":{"status":"SKIP","error":"Power check for this device is not supported","updated_at":"2025-04-18 07:17:35+00:00"},"system":{"uptime":"261 days, 13 hours, 33 
minutes","serial_number":"VHE66258a5e8dafe76d9a5dd741abd94ee8","version":{"last_update":"Wed Apr 9 02:03:16 2025","last_update_utc":"2025-04-09T02:03:16+00:00","model":"VHE","mode":"brain","cloud_bridge":true,"gmt":"2025-04-18T07:14:09.593927Z","vm_type":"vmware","vectra_instance_type":"medium","vectra_version":"9.0.3-2-62"},"updated_at":"2025-04-18 07:17:33+00:00"},"sensors":[{"id":3,"location":"hyp-2-37","serial_number":"V421353ef386550fb2f9a959fa3f52aee","luid":"w4ftj0a8","status":"paired","version":"9.0.3-1-62","ip_address":"175.16.199.0","ssh_tunnel_port":"38113","public_key":"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1y0zv2goBjkol/8TggJJ\nMgP03tIZ6B6w9PVpF/bK8KTT0/hinX8PHP/MdDS58sVE6DuAqAkkELqN55f35AhB\nOqztY9xWDH8bO7Y0P0kbBIQ9+/abyfNpaxbiQe5Yk8oClyEgtXH4GKJCNxkGgbIb\n-----END PUBLIC KEY-----\n","product_name":"DCS","mode":"sensor","headend_uri":"175.16.199.24","original_version":"7.9.0-17-38","last_seen":"2025-04-18T07:15:37.685Z","update_count":0,"name":"EDR Sensor"},{"id":2,"location":"hyp-2-35","serial_number":"12421353ef386550fb2f9a959fa3f52aee","luid":"w4ftj0a8","status":"paired","version":"9.0.3-1-62","ip_address":"175.16.199.0","ssh_tunnel_port":"38113","public_key":"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1y0zv2goBjkol/8TggJJ\nMgP03tIZ6B6w9PVpF/bK8KTT0/hinX8PHP/MdDS58sVE6DuAqAkkELqN55f35AhB\nOqztY9xWDH8bO7Y0P0kbBIQ9+/abyfNpaxbiQe5Yk8oClyEgtXH4GKJCNxkGgbIb\n-----END PUBLIC KEY-----\n","product_name":"DCS","mode":"sensor","headend_uri":"175.16.199.24","original_version":"7.9.0-17-38","last_seen":"2025-04-18T07:15:37.685Z","update_count":0,"name":"XDR Sensor"},{"id":1,"location":"hyp-2-30","serial_number":"V4121353ef386550fb2f9a959fa3f52aee","luid":"w4ftj0a8","status":"paired","version":"9.0.3-1-62","ip_address":"175.16.199.0","ssh_tunnel_port":"38113","public_key":"-----BEGIN PUBLIC 
KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1y0zv2goBjkol/8TggJJ\nMgP03tIZ6B6w9PVpF/bK8KTT0/hinX8PHP/MdDS58sVE6DuAqAkkELqN55f35AhB\nOqztY9xWDH8bO7Y0P0kbBIQ9+/abyfNpaxbiQe5Yk8oClyEgtXH4GKJCNxkGgbIb\n-----END PUBLIC KEY-----\n","product_name":"DCS","mode":"sensor","headend_uri":"http://headend_uri/","original_version":"7.9.0-17-38","last_seen":"2025-04-18T07:15:37.685Z","update_count":0,"name":"DR Sensor"}],"detection":{"updated_at":"2025-04-18 07:17:33+00:00","name":"Detection 1","detection_type":"AWS","message":"This is detection message","status":"OK"},"event_timestamp":"2025-04-15T09:39:45.146Z","connectivity":{"sensors":[{"name":"EDR Sensor","error":"metadata replication seems fine","status":"OK","serial_number":"V421353ef386550fb2f9a959fa3f52aee","luid":"w4ftj0a8","ip_address":"216.160.83.56","affected_metadata_hours":["2025-04-18T00:00:00Z","2025-04-18T01:00:00Z"]},{"name":"XDR Sensor","error":"metadata replication seems fine","status":"OK","serial_number":"V423ef386550fb2f9a959fa3f52aee","luid":"w4ftj0a8","ip_address":"81.2.69.142","affected_metadata_hours":["2025-04-18T00:00:00Z","2025-04-18T01:00:00Z"]}],"updated_at":"2025-04-18 07:17:35+00:00"}} +{"memory":{"usage_percent":47,"free_bytes":5597118464,"used_bytes":33078743040,"total_bytes":67444477952,"updated_at":"2025-04-18 07:17:35+00:00"},"trafficdrop":{"sensors":[{"name":"EDR Sensor","error":"All interfaces have traffic volume within range","status":"OK","serial_number":"V421353ef386550fb2f9a959fa3f52aee","luid":"w4ftj0a8","ip_address":"1.128.0.0","output":["o1","o2"]},{"name":"XDR Sensor","error":"Interface have traffic volume within range","status":"OK","serial_number":"1421353ef386550fb2f9a959fa3f52aee","output":[{"error":"error"}],"luid":"w4ftj0a8","ip_address":"1.128.0.11"}],"updated_at":"2025-04-18 07:17:35+00:00"},"cpu":{"user_percent":30,"nice_percent":0,"system_percent":24.9,"idle_percent":43.9,"updated_at":"2025-04-18 
07:17:35+00:00"},"hostid":{"artifact_counts":{"TestEDR":0,"arsenic":0,"carbon_black":0,"cb_cloud":0,"clear_state":0,"cookie":0,"crowdstrike":0,"cybereason":0,"dhcp":6606,"dns":27818,"end_time":0,"fireeye":0,"generic_edr":0,"idle_end":27818,"idle_start":27936,"invalid":0,"kerberos":209,"kerberos_user":0,"mdns":18575,"netbios":15596,"proxy_ip":0,"rdns":0,"sentinelone":0,"split":0,"src_port":0,"static_ip":0,"total":134681,"uagent":10122,"vmachine_info":0,"windows_defender":1,"zpa_user":0},"ip_always_percent":18.52,"ip_sometimes_percent":2.47,"ip_never_percent":79.01,"updated_at":"2025-04-18 07:17:35+00:00"},"network":{"interfaces":{"brain":{},"sensors":{"w4ftj0a8":{"eth0":{"link":"UP"}}}},"traffic":{"brain":{"aggregated_peak_traffic_mbps":0,"interface_peak_traffic":{}},"sensors":{"EDR Sensor":{"aggregated_peak_traffic_mbps":5,"interface_peak_traffic":{"eth0":{"peak_traffic_mbps":5}}}}},"updated_at":"2025-04-18 07:17:34+00:00","vlans":{"vlan_ids":["7"],"count":1}},"disk":{"degraded_raid_volume":{"error":"error","output":"output","status":"OK"},"disk_raid":{"error":"error","output":"output","status":"OK"},"disk_utilization":{"free_bytes":10000109,"total_bytes":67444477952,"usage_percent":47,"used_bytes":33078743040},"raid_disks_missing":{"error":"error","output":"output","status":"OK"},"updated_at":"2025-04-18 07:17:34+00:00"},"power":{"status":"SKIP","error":"Power check for this device is not supported","power_supplies":[{"source":"1"}],"updated_at":"2025-04-18 07:17:35+00:00"},"system":{"uptime":"261 days, 13 hours, 33 minutes","serial_number":"VHE66258a5e8dafe76d9a5dd741abd94ee8","version":{"last_update":"Wed Apr 9 02:03:16 2025","last_update_utc":"2025-04-09T02:03:16+00:00","model":"VHE","mode":"brain","cloud_bridge":true,"gmt":"2025-04-18T07:14:09.593927Z","vm_type":"vmware","vectra_instance_type":"medium","vectra_version":"9.0.3-2-62"},"updated_at":"2025-04-18 
07:17:33+00:00"},"sensors":[{"id":3,"location":"hyp-2-37","serial_number":"V421353ef386550fb2f9a959fa3f52aee","luid":"w4ftj0a8","status":"paired","version":"9.0.3-1-62","ip_address":"175.16.199.0","ssh_tunnel_port":"38113","public_key":"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1y0zv2goBjkol/8TggJJ\nMgP03tIZ6B6w9PVpF/bK8KTT0/hinX8PHP/MdDS58sVE6DuAqAkkELqN55f35AhB\nOqztY9xWDH8bO7Y0P0kbBIQ9+/abyfNpaxbiQe5Yk8oClyEgtXH4GKJCNxkGgbIb\n-----END PUBLIC KEY-----\n","product_name":"DCS","mode":"sensor","headend_uri":"175.16.199.24","original_version":"7.9.0-17-38","last_seen":"2025-04-18T07:15:37.685Z","update_count":0,"name":"EDR Sensor"},{"id":2,"location":"hyp-2-35","serial_number":"12421353ef386550fb2f9a959fa3f52aee","luid":"w4ftj0a8","status":"paired","version":"9.0.3-1-62","ip_address":"175.16.199.0","ssh_tunnel_port":"38113","public_key":"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1y0zv2goBjkol/8TggJJ\nMgP03tIZ6B6w9PVpF/bK8KTT0/hinX8PHP/MdDS58sVE6DuAqAkkELqN55f35AhB\nOqztY9xWDH8bO7Y0P0kbBIQ9+/abyfNpaxbiQe5Yk8oClyEgtXH4GKJCNxkGgbIb\n-----END PUBLIC KEY-----\n","product_name":"DCS","mode":"sensor","headend_uri":"175.16.199.24","original_version":"7.9.0-17-38","last_seen":"2025-04-18T07:15:37.685Z","update_count":0,"name":"XDR Sensor"},{"id":1,"location":"hyp-2-30","serial_number":"V4121353ef386550fb2f9a959fa3f52aee","luid":"w4ftj0a8","status":"paired","version":"9.0.3-1-62","ip_address":"175.16.199.0","ssh_tunnel_port":"38113","public_key":"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1y0zv2goBjkol/8TggJJ\nMgP03tIZ6B6w9PVpF/bK8KTT0/hinX8PHP/MdDS58sVE6DuAqAkkELqN55f35AhB\nOqztY9xWDH8bO7Y0P0kbBIQ9+/abyfNpaxbiQe5Yk8oClyEgtXH4GKJCNxkGgbIb\n-----END PUBLIC KEY-----\n","product_name":"DCS","mode":"sensor","headend_uri":"http://headend_uri/","original_version":"7.9.0-17-38","last_seen":"2025-04-18T07:15:37.685Z","update_count":0,"name":"DR Sensor"}],"detection":{"updated_at":"2025-04-18 
07:17:33+00:00","name":"Detection 1","detection_type":"AWS","check_results":[{"model":"IAMPolicyChecker","status":"failing","message":"IAM policy allows wildcard permissions."},{"model":"S3BucketChecker","status":"failing","message":"S3 bucket is publicly accessible."}],"message":"This is detection message","status":"OK"},"event_timestamp":"2025-04-15T09:39:45.146Z","connectivity":{"sensors":[{"name":"EDR Sensor","error":"metadata replication seems fine","status":"OK","serial_number":"V421353ef386550fb2f9a959fa3f52aee","luid":"w4ftj0a8","ip_address":"216.160.83.56","output":{},"affected_metadata_hours":["2025-04-18T00:00:00Z","2025-04-18T01:00:00Z"]},{"name":"XDR Sensor","error":"metadata replication seems fine","status":"OK","serial_number":"V423ef386550fb2f9a959fa3f52aee","luid":"w4ftj0a8","ip_address":"81.2.69.142","affected_metadata_hours":["2025-04-18T00:00:00Z","2025-04-18T01:00:00Z"]}],"updated_at":"2025-04-18 07:17:35+00:00"}} diff --git a/packages/vectra_rux/data_stream/health/_dev/test/pipeline/test-health.log-expected.json b/packages/vectra_rux/data_stream/health/_dev/test/pipeline/test-health.log-expected.json new file mode 100644 index 00000000000..da36c11de3a --- /dev/null +++ b/packages/vectra_rux/data_stream/health/_dev/test/pipeline/test-health.log-expected.json 
@@ -0,0 +1,622 @@ +{ + "expected": [ + { + "@timestamp": "2025-04-15T09:39:45.146Z", + "ecs": { + "version": "8.17.0" + }, + "event": { + "kind": "event", + "original": "{\"memory\":{\"usage_percent\":47,\"free_bytes\":5597118464,\"used_bytes\":33078743040,\"total_bytes\":67444477952,\"updated_at\":\"2025-04-18 07:17:35+00:00\"},\"trafficdrop\":{\"sensors\":[{\"name\":\"EDR Sensor\",\"error\":\"All interfaces have traffic volume within range\",\"status\":\"OK\",\"serial_number\":\"V421353ef386550fb2f9a959fa3f52aee\",\"luid\":\"w4ftj0a8\",\"ip_address\":\"1.128.0.0\"},{\"name\":\"XDR Sensor\",\"error\":\"Interface have traffic volume within range\",\"status\":\"OK\",\"serial_number\":\"1421353ef386550fb2f9a959fa3f52aee\",\"luid\":\"w4ftj0a8\",\"ip_address\":\"1.128.0.11\"}],\"updated_at\":\"2025-04-18 07:17:35+00:00\"},\"cpu\":{\"user_percent\":30,\"nice_percent\":0,\"system_percent\":24.9,\"idle_percent\":43.9,\"updated_at\":\"2025-04-18 07:17:35+00:00\"},\"hostid\":{\"artifact_counts\":{\"TestEDR\":0,\"arsenic\":0,\"carbon_black\":0,\"cb_cloud\":0,\"clear_state\":0,\"cookie\":0,\"crowdstrike\":0,\"cybereason\":0,\"dhcp\":6606,\"dns\":27818,\"end_time\":0,\"fireeye\":0,\"generic_edr\":0,\"idle_end\":27818,\"idle_start\":27936,\"invalid\":0,\"kerberos\":209,\"kerberos_user\":0,\"mdns\":18575,\"netbios\":15596,\"proxy_ip\":0,\"rdns\":0,\"sentinelone\":0,\"split\":0,\"src_port\":0,\"static_ip\":0,\"total\":134681,\"uagent\":10122,\"vmachine_info\":0,\"windows_defender\":1,\"zpa_user\":0},\"ip_always_percent\":18.52,\"ip_sometimes_percent\":2.47,\"ip_never_percent\":79.01,\"updated_at\":\"2025-04-18 07:17:35+00:00\"},\"network\":{\"updated_at\":\"2025-04-18 
07:17:34+00:00\",\"vlans\":{\"vlan_ids\":[\"7\",\"8\"],\"count\":1}},\"disk\":{\"degraded_raid_volume\":{\"error\":\"error\",\"output\":\"output\",\"status\":\"OK\"},\"disk_raid\":{\"error\":\"error\",\"output\":\"output\",\"status\":\"OK\"},\"disk_utilization\":{\"free_bytes\":10000109,\"total_bytes\":67444477952,\"usage_percent\":47,\"used_bytes\":33078743040},\"raid_disks_missing\":{\"error\":\"error\",\"output\":\"output\",\"status\":\"OK\"},\"updated_at\":\"2025-04-18 07:17:34+00:00\"},\"power\":{\"status\":\"SKIP\",\"error\":\"Power check for this device is not supported\",\"updated_at\":\"2025-04-18 07:17:35+00:00\"},\"system\":{\"uptime\":\"261 days, 13 hours, 33 minutes\",\"serial_number\":\"VHE66258a5e8dafe76d9a5dd741abd94ee8\",\"version\":{\"last_update\":\"Wed Apr 9 02:03:16 2025\",\"last_update_utc\":\"2025-04-09T02:03:16+00:00\",\"model\":\"VHE\",\"mode\":\"brain\",\"cloud_bridge\":true,\"gmt\":\"2025-04-18T07:14:09.593927Z\",\"vm_type\":\"vmware\",\"vectra_instance_type\":\"medium\",\"vectra_version\":\"9.0.3-2-62\"},\"updated_at\":\"2025-04-18 07:17:33+00:00\"},\"sensors\":[{\"id\":3,\"location\":\"hyp-2-37\",\"serial_number\":\"V421353ef386550fb2f9a959fa3f52aee\",\"luid\":\"w4ftj0a8\",\"status\":\"paired\",\"version\":\"9.0.3-1-62\",\"ip_address\":\"175.16.199.0\",\"ssh_tunnel_port\":\"38113\",\"public_key\":\"-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1y0zv2goBjkol/8TggJJ\\nMgP03tIZ6B6w9PVpF/bK8KTT0/hinX8PHP/MdDS58sVE6DuAqAkkELqN55f35AhB\\nOqztY9xWDH8bO7Y0P0kbBIQ9+/abyfNpaxbiQe5Yk8oClyEgtXH4GKJCNxkGgbIb\\n-----END PUBLIC KEY-----\\n\",\"product_name\":\"DCS\",\"mode\":\"sensor\",\"headend_uri\":\"175.16.199.24\",\"original_version\":\"7.9.0-17-38\",\"last_seen\":\"2025-04-18T07:15:37.685Z\",\"update_count\":0,\"name\":\"EDR 
Sensor\"},{\"id\":2,\"location\":\"hyp-2-35\",\"serial_number\":\"12421353ef386550fb2f9a959fa3f52aee\",\"luid\":\"w4ftj0a8\",\"status\":\"paired\",\"version\":\"9.0.3-1-62\",\"ip_address\":\"175.16.199.0\",\"ssh_tunnel_port\":\"38113\",\"public_key\":\"-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1y0zv2goBjkol/8TggJJ\\nMgP03tIZ6B6w9PVpF/bK8KTT0/hinX8PHP/MdDS58sVE6DuAqAkkELqN55f35AhB\\nOqztY9xWDH8bO7Y0P0kbBIQ9+/abyfNpaxbiQe5Yk8oClyEgtXH4GKJCNxkGgbIb\\n-----END PUBLIC KEY-----\\n\",\"product_name\":\"DCS\",\"mode\":\"sensor\",\"headend_uri\":\"175.16.199.24\",\"original_version\":\"7.9.0-17-38\",\"last_seen\":\"2025-04-18T07:15:37.685Z\",\"update_count\":0,\"name\":\"XDR Sensor\"},{\"id\":1,\"location\":\"hyp-2-30\",\"serial_number\":\"V4121353ef386550fb2f9a959fa3f52aee\",\"luid\":\"w4ftj0a8\",\"status\":\"paired\",\"version\":\"9.0.3-1-62\",\"ip_address\":\"175.16.199.0\",\"ssh_tunnel_port\":\"38113\",\"public_key\":\"-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1y0zv2goBjkol/8TggJJ\\nMgP03tIZ6B6w9PVpF/bK8KTT0/hinX8PHP/MdDS58sVE6DuAqAkkELqN55f35AhB\\nOqztY9xWDH8bO7Y0P0kbBIQ9+/abyfNpaxbiQe5Yk8oClyEgtXH4GKJCNxkGgbIb\\n-----END PUBLIC KEY-----\\n\",\"product_name\":\"DCS\",\"mode\":\"sensor\",\"headend_uri\":\"http://headend_uri/\",\"original_version\":\"7.9.0-17-38\",\"last_seen\":\"2025-04-18T07:15:37.685Z\",\"update_count\":0,\"name\":\"DR Sensor\"}],\"detection\":{\"updated_at\":\"2025-04-18 07:17:33+00:00\",\"name\":\"Detection 1\",\"detection_type\":\"AWS\",\"message\":\"This is detection message\",\"status\":\"OK\"},\"event_timestamp\":\"2025-04-15T09:39:45.146Z\",\"connectivity\":{\"sensors\":[{\"name\":\"EDR Sensor\",\"error\":\"metadata replication seems fine\",\"status\":\"OK\",\"serial_number\":\"V421353ef386550fb2f9a959fa3f52aee\",\"luid\":\"w4ftj0a8\",\"ip_address\":\"216.160.83.56\",\"affected_metadata_hours\":[\"2025-04-18T00:00:00Z\",\"2025-04-18T01:00:00Z\"]},{\"name\":\"XDR 
Sensor\",\"error\":\"metadata replication seems fine\",\"status\":\"OK\",\"serial_number\":\"V423ef386550fb2f9a959fa3f52aee\",\"luid\":\"w4ftj0a8\",\"ip_address\":\"81.2.69.142\",\"affected_metadata_hours\":[\"2025-04-18T00:00:00Z\",\"2025-04-18T01:00:00Z\"]}],\"updated_at\":\"2025-04-18 07:17:35+00:00\"}}" + }, + "host": { + "cpu": { + "usage": 30.0 + }, + "id": "VHE66258a5e8dafe76d9a5dd741abd94ee8", + "type": "vmware" + }, + "message": "This is detection message", + "network": { + "vlan": { + "id": [ + "7", + "8" + ] + } + }, + "observer": { + "ip": [ + "175.16.199.0" + ], + "name": [ + "EDR Sensor", + "XDR Sensor", + "DR Sensor" + ], + "product": "Vectra RUX", + "serial_number": [ + "V421353ef386550fb2f9a959fa3f52aee", + "12421353ef386550fb2f9a959fa3f52aee", + "V4121353ef386550fb2f9a959fa3f52aee" + ], + "version": [ + "9.0.3-1-62" + ] + }, + "related": { + "ip": [ + "216.160.83.56", + "81.2.69.142", + "175.16.199.0", + "175.16.199.24", + "1.128.0.0", + "1.128.0.11" + ] + }, + "rule": { + "name": "Detection 1" + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "description": "This is detection message" + } + }, + "vectra_rux": { + "health": { + "connectivity": { + "sensors": [ + { + "affected_metadata_hours": [ + "2025-04-18T00:00:00Z", + "2025-04-18T01:00:00Z" + ], + "error": "metadata replication seems fine", + "ip_address": "216.160.83.56", + "luid": "w4ftj0a8", + "name": "EDR Sensor", + "serial_number": "V421353ef386550fb2f9a959fa3f52aee", + "status": "OK" + }, + { + "affected_metadata_hours": [ + "2025-04-18T00:00:00Z", + "2025-04-18T01:00:00Z" + ], + "error": "metadata replication seems fine", + "ip_address": "81.2.69.142", + "luid": "w4ftj0a8", + "name": "XDR Sensor", + "serial_number": "V423ef386550fb2f9a959fa3f52aee", + "status": "OK" + } + ] + }, + "cpu": { + "idle_percent": 43.9, + "nice_percent": 0.0, + "system_percent": 24.9, + "updated_at": "2025-04-18T07:17:35.000Z", + "user_percent": 30.0 + }, + 
"detection": { + "detection_type": "AWS", + "message": "This is detection message", + "name": "Detection 1", + "status": "OK", + "updated_at": "2025-04-18T07:17:33.000Z" + }, + "disk": { + "degraded_raid_volume": { + "error": "error", + "output": "output", + "status": "OK" + }, + "disk_raid": { + "error": "error", + "output": "output", + "status": "OK" + }, + "disk_utilization": { + "free_bytes": 10000109, + "total_bytes": 67444477952, + "usage_percent": 47.0, + "used_bytes": 33078743040 + }, + "raid_disks_missing": { + "error": "error", + "output": "output", + "status": "OK" + }, + "updated_at": "2025-04-18T07:17:34.000Z" + }, + "event_timestamp": "2025-04-15T09:39:45.146Z", + "hostid": { + "artifact_counts": { + "TestEDR": 0, + "arsenic": 0, + "carbon_black": 0, + "cb_cloud": 0, + "clear_state": 0, + "cookie": 0, + "crowdstrike": 0, + "cybereason": 0, + "dhcp": 6606, + "dns": 27818, + "end_time": 0, + "fireeye": 0, + "generic_edr": 0, + "idle_end": 27818, + "idle_start": 27936, + "invalid": 0, + "kerberos": 209, + "kerberos_user": 0, + "mdns": 18575, + "netbios": 15596, + "proxy_ip": 0, + "rdns": 0, + "sentinelone": 0, + "split": 0, + "src_port": 0, + "static_ip": 0, + "total": 134681, + "uagent": 10122, + "vmachine_info": 0, + "windows_defender": 1, + "zpa_user": 0 + }, + "ip_always_percent": 18.52, + "ip_never_percent": 2.47, + "ip_sometimes_percent": 79.01, + "updated_at": "2025-04-18T07:17:35.000Z" + }, + "memory": { + "free_bytes": 5597118464, + "total_bytes": 67444477952, + "updated_at": "2025-04-18T07:17:35.000Z", + "usage_percent": 47.0, + "used_bytes": 33078743040 + }, + "network": { + "updated_at": "2025-04-18T07:17:34.000Z", + "vlans": { + "count": 1, + "vlan_ids": [ + "7", + "8" + ] + } + }, + "power": { + "error": "Power check for this device is not supported", + "status": "SKIP", + "updated_at": "2025-04-18T07:17:35.000Z" + }, + "sensors": [ + { + "headend_ip": "175.16.199.24", + "id": "3", + "location": "hyp-2-37", + "luid": "w4ftj0a8", + "mode": 
"sensor", + "name": "EDR Sensor", + "original_version": "7.9.0-17-38", + "product_name": "DCS", + "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1y0zv2goBjkol/8TggJJ\nMgP03tIZ6B6w9PVpF/bK8KTT0/hinX8PHP/MdDS58sVE6DuAqAkkELqN55f35AhB\nOqztY9xWDH8bO7Y0P0kbBIQ9+/abyfNpaxbiQe5Yk8oClyEgtXH4GKJCNxkGgbIb\n-----END PUBLIC KEY-----\n", + "serial_number": "V421353ef386550fb2f9a959fa3f52aee", + "ssh_tunnel_port": "38113", + "status": "paired", + "update_count": 0, + "version": "9.0.3-1-62" + }, + { + "headend_ip": "175.16.199.24", + "id": "2", + "location": "hyp-2-35", + "luid": "w4ftj0a8", + "mode": "sensor", + "name": "XDR Sensor", + "original_version": "7.9.0-17-38", + "product_name": "DCS", + "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1y0zv2goBjkol/8TggJJ\nMgP03tIZ6B6w9PVpF/bK8KTT0/hinX8PHP/MdDS58sVE6DuAqAkkELqN55f35AhB\nOqztY9xWDH8bO7Y0P0kbBIQ9+/abyfNpaxbiQe5Yk8oClyEgtXH4GKJCNxkGgbIb\n-----END PUBLIC KEY-----\n", + "serial_number": "12421353ef386550fb2f9a959fa3f52aee", + "ssh_tunnel_port": "38113", + "status": "paired", + "update_count": 0, + "version": "9.0.3-1-62" + }, + { + "headend_url": "http://headend_uri/", + "id": "1", + "location": "hyp-2-30", + "luid": "w4ftj0a8", + "mode": "sensor", + "name": "DR Sensor", + "original_version": "7.9.0-17-38", + "product_name": "DCS", + "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1y0zv2goBjkol/8TggJJ\nMgP03tIZ6B6w9PVpF/bK8KTT0/hinX8PHP/MdDS58sVE6DuAqAkkELqN55f35AhB\nOqztY9xWDH8bO7Y0P0kbBIQ9+/abyfNpaxbiQe5Yk8oClyEgtXH4GKJCNxkGgbIb\n-----END PUBLIC KEY-----\n", + "serial_number": "V4121353ef386550fb2f9a959fa3f52aee", + "ssh_tunnel_port": "38113", + "status": "paired", + "update_count": 0, + "version": "9.0.3-1-62" + } + ], + "system": { + "serial_number": "VHE66258a5e8dafe76d9a5dd741abd94ee8", + "updated_at": "2025-04-18T07:17:33.000Z", + "uptime": "261 days, 13 hours, 33 minutes", + "version": { + 
"cloud_bridge": true, + "gmt": "2025-04-18T07:14:09.593Z", + "last_update": "2025-04-09T02:03:16.000Z", + "last_update_utc": "2025-04-09T02:03:16.000Z", + "mode": "brain", + "model": "VHE", + "vectra_instance_type": "medium", + "vectra_version": "9.0.3-2-62", + "vm_type": "vmware" + } + }, + "trafficdrop": { + "sensors": [ + { + "error": "All interfaces have traffic volume within range", + "ip_address": "1.128.0.0", + "luid": "w4ftj0a8", + "name": "EDR Sensor", + "serial_number": "V421353ef386550fb2f9a959fa3f52aee", + "status": "OK" + }, + { + "error": "Interface have traffic volume within range", + "ip_address": "1.128.0.11", + "luid": "w4ftj0a8", + "name": "XDR Sensor", + "serial_number": "1421353ef386550fb2f9a959fa3f52aee", + "status": "OK" + } + ], + "updated_at": "2025-04-18T07:17:35.000Z" + } + } + } + }, + { + "@timestamp": "2025-04-15T09:39:45.146Z", + "ecs": { + "version": "8.17.0" + }, + "event": { + "kind": "event", + "original": "{\"memory\":{\"usage_percent\":47,\"free_bytes\":5597118464,\"used_bytes\":33078743040,\"total_bytes\":67444477952,\"updated_at\":\"2025-04-18 07:17:35+00:00\"},\"trafficdrop\":{\"sensors\":[{\"name\":\"EDR Sensor\",\"error\":\"All interfaces have traffic volume within range\",\"status\":\"OK\",\"serial_number\":\"V421353ef386550fb2f9a959fa3f52aee\",\"luid\":\"w4ftj0a8\",\"ip_address\":\"1.128.0.0\",\"output\":[\"o1\",\"o2\"]},{\"name\":\"XDR Sensor\",\"error\":\"Interface have traffic volume within range\",\"status\":\"OK\",\"serial_number\":\"1421353ef386550fb2f9a959fa3f52aee\",\"output\":[{\"error\":\"error\"}],\"luid\":\"w4ftj0a8\",\"ip_address\":\"1.128.0.11\"}],\"updated_at\":\"2025-04-18 07:17:35+00:00\"},\"cpu\":{\"user_percent\":30,\"nice_percent\":0,\"system_percent\":24.9,\"idle_percent\":43.9,\"updated_at\":\"2025-04-18 
07:17:35+00:00\"},\"hostid\":{\"artifact_counts\":{\"TestEDR\":0,\"arsenic\":0,\"carbon_black\":0,\"cb_cloud\":0,\"clear_state\":0,\"cookie\":0,\"crowdstrike\":0,\"cybereason\":0,\"dhcp\":6606,\"dns\":27818,\"end_time\":0,\"fireeye\":0,\"generic_edr\":0,\"idle_end\":27818,\"idle_start\":27936,\"invalid\":0,\"kerberos\":209,\"kerberos_user\":0,\"mdns\":18575,\"netbios\":15596,\"proxy_ip\":0,\"rdns\":0,\"sentinelone\":0,\"split\":0,\"src_port\":0,\"static_ip\":0,\"total\":134681,\"uagent\":10122,\"vmachine_info\":0,\"windows_defender\":1,\"zpa_user\":0},\"ip_always_percent\":18.52,\"ip_sometimes_percent\":2.47,\"ip_never_percent\":79.01,\"updated_at\":\"2025-04-18 07:17:35+00:00\"},\"network\":{\"interfaces\":{\"brain\":{},\"sensors\":{\"w4ftj0a8\":{\"eth0\":{\"link\":\"UP\"}}}},\"traffic\":{\"brain\":{\"aggregated_peak_traffic_mbps\":0,\"interface_peak_traffic\":{}},\"sensors\":{\"EDR Sensor\":{\"aggregated_peak_traffic_mbps\":5,\"interface_peak_traffic\":{\"eth0\":{\"peak_traffic_mbps\":5}}}}},\"updated_at\":\"2025-04-18 07:17:34+00:00\",\"vlans\":{\"vlan_ids\":[\"7\"],\"count\":1}},\"disk\":{\"degraded_raid_volume\":{\"error\":\"error\",\"output\":\"output\",\"status\":\"OK\"},\"disk_raid\":{\"error\":\"error\",\"output\":\"output\",\"status\":\"OK\"},\"disk_utilization\":{\"free_bytes\":10000109,\"total_bytes\":67444477952,\"usage_percent\":47,\"used_bytes\":33078743040},\"raid_disks_missing\":{\"error\":\"error\",\"output\":\"output\",\"status\":\"OK\"},\"updated_at\":\"2025-04-18 07:17:34+00:00\"},\"power\":{\"status\":\"SKIP\",\"error\":\"Power check for this device is not supported\",\"power_supplies\":[{\"source\":\"1\"}],\"updated_at\":\"2025-04-18 07:17:35+00:00\"},\"system\":{\"uptime\":\"261 days, 13 hours, 33 minutes\",\"serial_number\":\"VHE66258a5e8dafe76d9a5dd741abd94ee8\",\"version\":{\"last_update\":\"Wed Apr 9 02:03:16 
2025\",\"last_update_utc\":\"2025-04-09T02:03:16+00:00\",\"model\":\"VHE\",\"mode\":\"brain\",\"cloud_bridge\":true,\"gmt\":\"2025-04-18T07:14:09.593927Z\",\"vm_type\":\"vmware\",\"vectra_instance_type\":\"medium\",\"vectra_version\":\"9.0.3-2-62\"},\"updated_at\":\"2025-04-18 07:17:33+00:00\"},\"sensors\":[{\"id\":3,\"location\":\"hyp-2-37\",\"serial_number\":\"V421353ef386550fb2f9a959fa3f52aee\",\"luid\":\"w4ftj0a8\",\"status\":\"paired\",\"version\":\"9.0.3-1-62\",\"ip_address\":\"175.16.199.0\",\"ssh_tunnel_port\":\"38113\",\"public_key\":\"-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1y0zv2goBjkol/8TggJJ\\nMgP03tIZ6B6w9PVpF/bK8KTT0/hinX8PHP/MdDS58sVE6DuAqAkkELqN55f35AhB\\nOqztY9xWDH8bO7Y0P0kbBIQ9+/abyfNpaxbiQe5Yk8oClyEgtXH4GKJCNxkGgbIb\\n-----END PUBLIC KEY-----\\n\",\"product_name\":\"DCS\",\"mode\":\"sensor\",\"headend_uri\":\"175.16.199.24\",\"original_version\":\"7.9.0-17-38\",\"last_seen\":\"2025-04-18T07:15:37.685Z\",\"update_count\":0,\"name\":\"EDR Sensor\"},{\"id\":2,\"location\":\"hyp-2-35\",\"serial_number\":\"12421353ef386550fb2f9a959fa3f52aee\",\"luid\":\"w4ftj0a8\",\"status\":\"paired\",\"version\":\"9.0.3-1-62\",\"ip_address\":\"175.16.199.0\",\"ssh_tunnel_port\":\"38113\",\"public_key\":\"-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1y0zv2goBjkol/8TggJJ\\nMgP03tIZ6B6w9PVpF/bK8KTT0/hinX8PHP/MdDS58sVE6DuAqAkkELqN55f35AhB\\nOqztY9xWDH8bO7Y0P0kbBIQ9+/abyfNpaxbiQe5Yk8oClyEgtXH4GKJCNxkGgbIb\\n-----END PUBLIC KEY-----\\n\",\"product_name\":\"DCS\",\"mode\":\"sensor\",\"headend_uri\":\"175.16.199.24\",\"original_version\":\"7.9.0-17-38\",\"last_seen\":\"2025-04-18T07:15:37.685Z\",\"update_count\":0,\"name\":\"XDR Sensor\"},{\"id\":1,\"location\":\"hyp-2-30\",\"serial_number\":\"V4121353ef386550fb2f9a959fa3f52aee\",\"luid\":\"w4ftj0a8\",\"status\":\"paired\",\"version\":\"9.0.3-1-62\",\"ip_address\":\"175.16.199.0\",\"ssh_tunnel_port\":\"38113\",\"public_key\":\"-----BEGIN PUBLIC 
KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1y0zv2goBjkol/8TggJJ\\nMgP03tIZ6B6w9PVpF/bK8KTT0/hinX8PHP/MdDS58sVE6DuAqAkkELqN55f35AhB\\nOqztY9xWDH8bO7Y0P0kbBIQ9+/abyfNpaxbiQe5Yk8oClyEgtXH4GKJCNxkGgbIb\\n-----END PUBLIC KEY-----\\n\",\"product_name\":\"DCS\",\"mode\":\"sensor\",\"headend_uri\":\"http://headend_uri/\",\"original_version\":\"7.9.0-17-38\",\"last_seen\":\"2025-04-18T07:15:37.685Z\",\"update_count\":0,\"name\":\"DR Sensor\"}],\"detection\":{\"updated_at\":\"2025-04-18 07:17:33+00:00\",\"name\":\"Detection 1\",\"detection_type\":\"AWS\",\"check_results\":[{\"model\":\"IAMPolicyChecker\",\"status\":\"failing\",\"message\":\"IAM policy allows wildcard permissions.\"},{\"model\":\"S3BucketChecker\",\"status\":\"failing\",\"message\":\"S3 bucket is publicly accessible.\"}],\"message\":\"This is detection message\",\"status\":\"OK\"},\"event_timestamp\":\"2025-04-15T09:39:45.146Z\",\"connectivity\":{\"sensors\":[{\"name\":\"EDR Sensor\",\"error\":\"metadata replication seems fine\",\"status\":\"OK\",\"serial_number\":\"V421353ef386550fb2f9a959fa3f52aee\",\"luid\":\"w4ftj0a8\",\"ip_address\":\"216.160.83.56\",\"output\":{},\"affected_metadata_hours\":[\"2025-04-18T00:00:00Z\",\"2025-04-18T01:00:00Z\"]},{\"name\":\"XDR Sensor\",\"error\":\"metadata replication seems fine\",\"status\":\"OK\",\"serial_number\":\"V423ef386550fb2f9a959fa3f52aee\",\"luid\":\"w4ftj0a8\",\"ip_address\":\"81.2.69.142\",\"affected_metadata_hours\":[\"2025-04-18T00:00:00Z\",\"2025-04-18T01:00:00Z\"]}],\"updated_at\":\"2025-04-18 07:17:35+00:00\"}}" + }, + "host": { + "cpu": { + "usage": 30.0 + }, + "id": "VHE66258a5e8dafe76d9a5dd741abd94ee8", + "type": "vmware" + }, + "message": "This is detection message", + "network": { + "vlan": { + "id": [ + "7" + ] + } + }, + "observer": { + "ip": [ + "175.16.199.0" + ], + "name": [ + "EDR Sensor", + "XDR Sensor", + "DR Sensor" + ], + "product": "Vectra RUX", + "serial_number": [ + "V421353ef386550fb2f9a959fa3f52aee", + 
"12421353ef386550fb2f9a959fa3f52aee", + "V4121353ef386550fb2f9a959fa3f52aee" + ], + "version": [ + "9.0.3-1-62" + ] + }, + "related": { + "ip": [ + "216.160.83.56", + "81.2.69.142", + "175.16.199.0", + "175.16.199.24", + "1.128.0.0", + "1.128.0.11" + ] + }, + "rule": { + "name": "Detection 1" + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "description": "This is detection message" + } + }, + "vectra_rux": { + "health": { + "connectivity": { + "sensors": [ + { + "affected_metadata_hours": [ + "2025-04-18T00:00:00Z", + "2025-04-18T01:00:00Z" + ], + "error": "metadata replication seems fine", + "ip_address": "216.160.83.56", + "luid": "w4ftj0a8", + "name": "EDR Sensor", + "serial_number": "V421353ef386550fb2f9a959fa3f52aee", + "status": "OK" + }, + { + "affected_metadata_hours": [ + "2025-04-18T00:00:00Z", + "2025-04-18T01:00:00Z" + ], + "error": "metadata replication seems fine", + "ip_address": "81.2.69.142", + "luid": "w4ftj0a8", + "name": "XDR Sensor", + "serial_number": "V423ef386550fb2f9a959fa3f52aee", + "status": "OK" + } + ] + }, + "cpu": { + "idle_percent": 43.9, + "nice_percent": 0.0, + "system_percent": 24.9, + "updated_at": "2025-04-18T07:17:35.000Z", + "user_percent": 30.0 + }, + "detection": { + "check_results": [ + { + "message": "IAM policy allows wildcard permissions.", + "model": "IAMPolicyChecker", + "status": "failing" + }, + { + "message": "S3 bucket is publicly accessible.", + "model": "S3BucketChecker", + "status": "failing" + } + ], + "detection_type": "AWS", + "message": "This is detection message", + "name": "Detection 1", + "status": "OK", + "updated_at": "2025-04-18T07:17:33.000Z" + }, + "disk": { + "degraded_raid_volume": { + "error": "error", + "output": "output", + "status": "OK" + }, + "disk_raid": { + "error": "error", + "output": "output", + "status": "OK" + }, + "disk_utilization": { + "free_bytes": 10000109, + "total_bytes": 67444477952, + "usage_percent": 47.0, + "used_bytes": 
33078743040 + }, + "raid_disks_missing": { + "error": "error", + "output": "output", + "status": "OK" + }, + "updated_at": "2025-04-18T07:17:34.000Z" + }, + "event_timestamp": "2025-04-15T09:39:45.146Z", + "hostid": { + "artifact_counts": { + "TestEDR": 0, + "arsenic": 0, + "carbon_black": 0, + "cb_cloud": 0, + "clear_state": 0, + "cookie": 0, + "crowdstrike": 0, + "cybereason": 0, + "dhcp": 6606, + "dns": 27818, + "end_time": 0, + "fireeye": 0, + "generic_edr": 0, + "idle_end": 27818, + "idle_start": 27936, + "invalid": 0, + "kerberos": 209, + "kerberos_user": 0, + "mdns": 18575, + "netbios": 15596, + "proxy_ip": 0, + "rdns": 0, + "sentinelone": 0, + "split": 0, + "src_port": 0, + "static_ip": 0, + "total": 134681, + "uagent": 10122, + "vmachine_info": 0, + "windows_defender": 1, + "zpa_user": 0 + }, + "ip_always_percent": 18.52, + "ip_never_percent": 2.47, + "ip_sometimes_percent": 79.01, + "updated_at": "2025-04-18T07:17:35.000Z" + }, + "memory": { + "free_bytes": 5597118464, + "total_bytes": 67444477952, + "updated_at": "2025-04-18T07:17:35.000Z", + "usage_percent": 47.0, + "used_bytes": 33078743040 + }, + "network": { + "interfaces": { + "sensors": { + "w4ftj0a8": { + "eth0": { + "link": "UP" + } + } + } + }, + "traffic": { + "brain": { + "aggregated_peak_traffic_mbps": 0 + }, + "sensors": { + "EDR Sensor": { + "aggregated_peak_traffic_mbps": 5, + "interface_peak_traffic": { + "eth0": { + "peak_traffic_mbps": 5 + } + } + } + } + }, + "updated_at": "2025-04-18T07:17:34.000Z", + "vlans": { + "count": 1, + "vlan_ids": [ + "7" + ] + } + }, + "power": { + "error": "Power check for this device is not supported", + "power_supplies": [ + { + "source": "1" + } + ], + "status": "SKIP", + "updated_at": "2025-04-18T07:17:35.000Z" + }, + "sensors": [ + { + "headend_ip": "175.16.199.24", + "id": "3", + "location": "hyp-2-37", + "luid": "w4ftj0a8", + "mode": "sensor", + "name": "EDR Sensor", + "original_version": "7.9.0-17-38", + "product_name": "DCS", + "public_key": 
"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1y0zv2goBjkol/8TggJJ\nMgP03tIZ6B6w9PVpF/bK8KTT0/hinX8PHP/MdDS58sVE6DuAqAkkELqN55f35AhB\nOqztY9xWDH8bO7Y0P0kbBIQ9+/abyfNpaxbiQe5Yk8oClyEgtXH4GKJCNxkGgbIb\n-----END PUBLIC KEY-----\n", + "serial_number": "V421353ef386550fb2f9a959fa3f52aee", + "ssh_tunnel_port": "38113", + "status": "paired", + "update_count": 0, + "version": "9.0.3-1-62" + }, + { + "headend_ip": "175.16.199.24", + "id": "2", + "location": "hyp-2-35", + "luid": "w4ftj0a8", + "mode": "sensor", + "name": "XDR Sensor", + "original_version": "7.9.0-17-38", + "product_name": "DCS", + "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1y0zv2goBjkol/8TggJJ\nMgP03tIZ6B6w9PVpF/bK8KTT0/hinX8PHP/MdDS58sVE6DuAqAkkELqN55f35AhB\nOqztY9xWDH8bO7Y0P0kbBIQ9+/abyfNpaxbiQe5Yk8oClyEgtXH4GKJCNxkGgbIb\n-----END PUBLIC KEY-----\n", + "serial_number": "12421353ef386550fb2f9a959fa3f52aee", + "ssh_tunnel_port": "38113", + "status": "paired", + "update_count": 0, + "version": "9.0.3-1-62" + }, + { + "headend_url": "http://headend_uri/", + "id": "1", + "location": "hyp-2-30", + "luid": "w4ftj0a8", + "mode": "sensor", + "name": "DR Sensor", + "original_version": "7.9.0-17-38", + "product_name": "DCS", + "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1y0zv2goBjkol/8TggJJ\nMgP03tIZ6B6w9PVpF/bK8KTT0/hinX8PHP/MdDS58sVE6DuAqAkkELqN55f35AhB\nOqztY9xWDH8bO7Y0P0kbBIQ9+/abyfNpaxbiQe5Yk8oClyEgtXH4GKJCNxkGgbIb\n-----END PUBLIC KEY-----\n", + "serial_number": "V4121353ef386550fb2f9a959fa3f52aee", + "ssh_tunnel_port": "38113", + "status": "paired", + "update_count": 0, + "version": "9.0.3-1-62" + } + ], + "system": { + "serial_number": "VHE66258a5e8dafe76d9a5dd741abd94ee8", + "updated_at": "2025-04-18T07:17:33.000Z", + "uptime": "261 days, 13 hours, 33 minutes", + "version": { + "cloud_bridge": true, + "gmt": "2025-04-18T07:14:09.593Z", + "last_update": "2025-04-09T02:03:16.000Z", + 
"last_update_utc": "2025-04-09T02:03:16.000Z", + "mode": "brain", + "model": "VHE", + "vectra_instance_type": "medium", + "vectra_version": "9.0.3-2-62", + "vm_type": "vmware" + } + }, + "trafficdrop": { + "sensors": [ + { + "error": "All interfaces have traffic volume within range", + "ip_address": "1.128.0.0", + "luid": "w4ftj0a8", + "name": "EDR Sensor", + "output": [ + "o1", + "o2" + ], + "serial_number": "V421353ef386550fb2f9a959fa3f52aee", + "status": "OK" + }, + { + "error": "Interface have traffic volume within range", + "ip_address": "1.128.0.11", + "luid": "w4ftj0a8", + "name": "XDR Sensor", + "output": [ + { + "error": "error" + } + ], + "serial_number": "1421353ef386550fb2f9a959fa3f52aee", + "status": "OK" + } + ], + "updated_at": "2025-04-18T07:17:35.000Z" + } + } + } + } + ] +} diff --git a/packages/vectra_rux/data_stream/health/_dev/test/system/test-common-config.yml b/packages/vectra_rux/data_stream/health/_dev/test/system/test-common-config.yml new file mode 100644 index 00000000000..9cddb3cb7ae --- /dev/null +++ b/packages/vectra_rux/data_stream/health/_dev/test/system/test-common-config.yml @@ -0,0 +1,13 @@ +input: cel +service: vectra_rux +vars: + url: http://{{Hostname}}:{{Port}} + client_id: xxxx + client_secret: xxxx +data_stream: + vars: + interval: 10s + preserve_original_event: true + preserve_duplicate_custom_fields: true +assert: + hit_count: 1 diff --git a/packages/vectra_rux/data_stream/health/agent/stream/cel.yml.hbs b/packages/vectra_rux/data_stream/health/agent/stream/cel.yml.hbs new file mode 100644 index 00000000000..86a4acb3f84 --- /dev/null +++ b/packages/vectra_rux/data_stream/health/agent/stream/cel.yml.hbs 
@@ -0,0 +1,67 @@ +config_version: 2 +interval: {{interval}} +resource.tracer: + enabled: {{enable_request_tracer}} + filename: "../../logs/cel/http-request-trace-*.ndjson" + maxbackups: 5 +{{#if proxy_url}} +resource.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +resource.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +resource.timeout: {{http_client_timeout}} +{{/if}} +resource.url: {{url}} +auth.oauth2: + client.id: {{client_id}} + client.secret: {{client_secret}} + token_url: {{url}}/oauth2/token +state: + version: v3.4 +redact: + fields: ~ +program: | + state.with( + request("GET", state.url.trim_right("/") + "/api/" + string(state.version) + "/health" + ).do_request().as(resp, resp.StatusCode == 200 ? + resp.Body.decode_json().as(body, { + "events": [{"message": body.encode_json()}] + }) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "GET " + state.url.trim_right("/") + "/api/" + string(state.version) + "/health: " + + ( + (size(resp.Body) != 0) ? + string(resp.Body) + : + string(resp.Status) + " (" + string(resp.StatusCode) + ")" + ), + }, + }, + "want_more": false + } + ) + ) +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/vectra_rux/data_stream/health/elasticsearch/ilm/default_policy.json b/packages/vectra_rux/data_stream/health/elasticsearch/ilm/default_policy.json new file mode 100644 index 00000000000..24bbfc79405 --- /dev/null +++ b/packages/vectra_rux/data_stream/health/elasticsearch/ilm/default_policy.json 
@@ -0,0 +1,20 @@ +{ + "policy": { + "phases": { + "hot": { + "actions": { + "rollover": { + "max_age": "30d", + "max_primary_shard_size": "50gb" + } + } + }, + "delete": { + "min_age": "30d", + "actions": { + "delete": {} + } + } + } + } +} diff --git a/packages/vectra_rux/data_stream/health/elasticsearch/ingest_pipeline/default.yml b/packages/vectra_rux/data_stream/health/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..116b1c82ffd --- /dev/null +++ b/packages/vectra_rux/data_stream/health/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,851 @@ +--- +description: Pipeline for processing health logs. +processors: + - set: + field: ecs.version + tag: set_ecs_version + value: 8.17.0 + - set: + field: event.kind + tag: set_event_kind + value: event + - set: + field: observer.product + tag: set_observer_product + value: Vectra RUX + - rename: + field: message + tag: rename_message_to_event_original + target_field: event.original + ignore_missing: true + description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document. + if: ctx.event?.original == null + - fail: + tag: data_collection_error + if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null + message: error message set and no data to process. + - remove: + field: message + tag: remove_message + ignore_missing: true + description: The `message` field is no longer required if the document has an `event.original` field. 
+ if: ctx.event?.original != null + - json: + field: event.original + tag: json_event_original + target_field: json + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.network.interfaces + tag: rename_network_interfaces + target_field: vectra_rux.health.network.interfaces + ignore_missing: true + - foreach: + field: json.connectivity.sensors + if: ctx.json?.connectivity?.sensors instanceof List + processor: + convert: + field: _ingest._value.ip_address + tag: convert_connectivity_sensors_ip_address_to_ip + type: ip + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.ip_address + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.connectivity.sensors + if: ctx.json?.connectivity?.sensors instanceof List + processor: + append: + field: related.ip + tag: append_connectivity_sensors_ip_address + value: '{{{_ingest._value.ip_address}}}' + allow_duplicates: false + - rename: + field: json.connectivity.sensors + tag: rename_connectivity_sensors + target_field: vectra_rux.health.connectivity.sensors + ignore_missing: true + - convert: + field: json.cpu.idle_percent + tag: convert_cpu_idle_percent_to_double + target_field: vectra_rux.health.cpu.idle_percent + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: 
json.cpu.nice_percent + tag: convert_cpu_nice_percent_to_double + target_field: vectra_rux.health.cpu.nice_percent + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.cpu.system_percent + tag: convert_cpu_system_percent_to_double + target_field: vectra_rux.health.cpu.system_percent + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.cpu.updated_at + tag: date_cpu_updated_at + target_field: vectra_rux.health.cpu.updated_at + formats: + - yyyy-MM-dd HH:mm:ssXXXXX + - yyyy-MM-d HH:mm:ssXXXXX + - yyyy-MM- d HH:mm:ssXXXXX + - ISO8601 + if: ctx.json?.cpu?.updated_at != null && ctx.json.cpu.updated_at != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.cpu.user_percent + tag: convert_cpu_user_percent_to_double + target_field: vectra_rux.health.cpu.user_percent + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: host.cpu.usage + tag: set_host_cpu_usage_from_health_cpu_user_percent + copy_from: vectra_rux.health.cpu.user_percent + ignore_empty_value: 
true + - rename: + field: json.detection.check_results + tag: rename_detection_check_results + target_field: vectra_rux.health.detection.check_results + ignore_missing: true + - rename: + field: json.detection.detection_type + tag: rename_detection_detection_type + target_field: vectra_rux.health.detection.detection_type + ignore_missing: true + - rename: + field: json.detection.message + tag: rename_detection_message + target_field: vectra_rux.health.detection.message + ignore_missing: true + - set: + field: message + tag: set_message_from_health_detection_message + copy_from: vectra_rux.health.detection.message + ignore_empty_value: true + - set: + field: threat.indicator.description + tag: set_threat_indicator_description_from_health_detection_message + copy_from: vectra_rux.health.detection.message + ignore_empty_value: true + - rename: + field: json.detection.name + tag: rename_detection_name + target_field: vectra_rux.health.detection.name + ignore_missing: true + - set: + field: rule.name + tag: set_rule_name_from_health_detection_name + copy_from: vectra_rux.health.detection.name + ignore_empty_value: true + - rename: + field: json.detection.status + tag: rename_detection_status + target_field: vectra_rux.health.detection.status + ignore_missing: true + - date: + field: json.detection.updated_at + tag: date_detection_updated_at + target_field: vectra_rux.health.detection.updated_at + formats: + - yyyy-MM-dd HH:mm:ssXXXXX + - yyyy-MM-d HH:mm:ssXXXXX + - yyyy-MM- d HH:mm:ssXXXXX + - ISO8601 + if: ctx.json?.detection?.updated_at != null && ctx.json.detection.updated_at != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.disk.degraded_raid_volume.error + tag: rename_disk_degraded_raid_volume_error + target_field: 
vectra_rux.health.disk.degraded_raid_volume.error + ignore_missing: true + - rename: + field: json.disk.degraded_raid_volume.output + tag: rename_disk_degraded_raid_volume_output + target_field: vectra_rux.health.disk.degraded_raid_volume.output + ignore_missing: true + - rename: + field: json.disk.degraded_raid_volume.status + tag: rename_disk_degraded_raid_volume_status + target_field: vectra_rux.health.disk.degraded_raid_volume.status + ignore_missing: true + - rename: + field: json.disk.disk_raid.error + tag: rename_disk_disk_raid_error + target_field: vectra_rux.health.disk.disk_raid.error + ignore_missing: true + - rename: + field: json.disk.disk_raid.output + tag: rename_disk_disk_raid_output + target_field: vectra_rux.health.disk.disk_raid.output + ignore_missing: true + - rename: + field: json.disk.disk_raid.status + tag: rename_disk_disk_raid_status + target_field: vectra_rux.health.disk.disk_raid.status + ignore_missing: true + - convert: + field: json.disk.disk_utilization.free_bytes + tag: convert_disk_disk_utilization_free_bytes_to_long + target_field: vectra_rux.health.disk.disk_utilization.free_bytes + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.disk.disk_utilization.total_bytes + tag: convert_disk_disk_utilization_total_bytes_to_long + target_field: vectra_rux.health.disk.disk_utilization.total_bytes + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.disk.disk_utilization.usage_percent + tag: 
convert_disk_disk_utilization_usage_percent_to_double + target_field: vectra_rux.health.disk.disk_utilization.usage_percent + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.disk.disk_utilization.used_bytes + tag: convert_disk_disk_utilization_used_bytes_to_long + target_field: vectra_rux.health.disk.disk_utilization.used_bytes + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.disk.raid_disks_missing.error + tag: rename_disk_raid_disks_missing_error + target_field: vectra_rux.health.disk.raid_disks_missing.error + ignore_missing: true + - rename: + field: json.disk.raid_disks_missing.output + tag: rename_disk_raid_disks_missing_output + target_field: vectra_rux.health.disk.raid_disks_missing.output + ignore_missing: true + - rename: + field: json.disk.raid_disks_missing.status + tag: rename_disk_raid_disks_missing_status + target_field: vectra_rux.health.disk.raid_disks_missing.status + ignore_missing: true + - date: + field: json.disk.updated_at + tag: date_disk_updated_at + target_field: vectra_rux.health.disk.updated_at + formats: + - yyyy-MM-dd HH:mm:ssXXXXX + - yyyy-MM-d HH:mm:ssXXXXX + - yyyy-MM- d HH:mm:ssXXXXX + - ISO8601 + if: ctx.json?.disk?.updated_at != null && ctx.json.disk.updated_at != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: 
{{{_ingest.on_failure_message}}}' + - date: + field: json.event_timestamp + tag: date_event_timestamp + target_field: vectra_rux.health.event_timestamp + formats: + - ISO8601 + if: ctx.json?.event_timestamp != null && ctx.json.event_timestamp != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: '@timestamp' + tag: set_@timestamp_from_health_event_timestamp + copy_from: vectra_rux.health.event_timestamp + ignore_empty_value: true + - rename: + field: json.hostid.artifact_counts + tag: rename_hostid_artifact_counts + target_field: vectra_rux.health.hostid.artifact_counts + ignore_missing: true + - convert: + field: json.hostid.ip_always_percent + tag: convert_hostid_ip_always_percent_to_double + target_field: vectra_rux.health.hostid.ip_always_percent + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.hostid.ip_sometimes_percent + tag: convert_hostid_ip_sometimes_percent_to_double + target_field: vectra_rux.health.hostid.ip_never_percent + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.hostid.ip_never_percent + tag: convert_hostid_ip_never_percent_to_double + target_field: vectra_rux.health.hostid.ip_sometimes_percent + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + 
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.hostid.updated_at + tag: date_hostid_updated_at + target_field: vectra_rux.health.hostid.updated_at + formats: + - yyyy-MM-dd HH:mm:ssXXXXX + - yyyy-MM-d HH:mm:ssXXXXX + - yyyy-MM- d HH:mm:ssXXXXX + - ISO8601 + if: ctx.json?.hostid?.updated_at != null && ctx.json.hostid.updated_at != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.memory.free_bytes + tag: convert_memory_free_bytes_to_long + target_field: vectra_rux.health.memory.free_bytes + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.memory.total_bytes + tag: convert_memory_total_bytes_to_long + target_field: vectra_rux.health.memory.total_bytes + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.memory.updated_at + tag: date_memory_updated_at + target_field: vectra_rux.health.memory.updated_at + formats: + - yyyy-MM-dd HH:mm:ssXXXXX + - yyyy-MM-d HH:mm:ssXXXXX + - yyyy-MM- d HH:mm:ssXXXXX + - ISO8601 + if: ctx.json?.memory?.updated_at != null && ctx.json.memory.updated_at != '' + on_failure: + - append: + field: 
error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.memory.usage_percent + tag: convert_memory_usage_percent_to_double + target_field: vectra_rux.health.memory.usage_percent + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.memory.used_bytes + tag: convert_memory_used_bytes_to_long + target_field: vectra_rux.health.memory.used_bytes + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.network.traffic + tag: rename_network_traffic + target_field: vectra_rux.health.network.traffic + ignore_missing: true + - date: + field: json.network.updated_at + tag: date_network_updated_at + target_field: vectra_rux.health.network.updated_at + formats: + - yyyy-MM-dd HH:mm:ssXXXXX + - yyyy-MM-d HH:mm:ssXXXXX + - yyyy-MM- d HH:mm:ssXXXXX + - ISO8601 + if: ctx.json?.network?.updated_at != null && ctx.json.network.updated_at != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.network.vlans.count + tag: convert_network_vlans_count_to_long + target_field: vectra_rux.health.network.vlans.count + type: long + ignore_missing: true 
+ on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.network.vlans.vlan_ids + if: ctx.json?.network?.vlans?.vlan_ids instanceof List + processor: + append: + field: network.vlan.id + tag: append_network_vlans_vlan_ids_into_network_vlan_id + value: '{{{_ingest._value}}}' + allow_duplicates: false + - rename: + field: json.network.vlans.vlan_ids + tag: rename_network_vlans_vlan_ids + target_field: vectra_rux.health.network.vlans.vlan_ids + ignore_missing: true + - rename: + field: json.power.error + tag: rename_power_error + target_field: vectra_rux.health.power.error + ignore_missing: true + - rename: + field: json.power.power_supplies + tag: rename_power_power_supplies + target_field: vectra_rux.health.power.power_supplies + ignore_missing: true + - rename: + field: json.power.status + tag: rename_power_status + target_field: vectra_rux.health.power.status + ignore_missing: true + - date: + field: json.power.updated_at + tag: date_power_updated_at + target_field: vectra_rux.health.power.updated_at + formats: + - yyyy-MM-dd HH:mm:ssXXXXX + - yyyy-MM-d HH:mm:ssXXXXX + - yyyy-MM- d HH:mm:ssXXXXX + - ISO8601 + if: ctx.json?.power?.updated_at != null && ctx.json.power.updated_at != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.sensors + if: ctx.json?.sensors instanceof List + processor: + convert: + field: _ingest._value.headend_uri + tag: convert_sensors_headend_uri_to_ip + target_field: _ingest._value.headend_ip + type: ip + ignore_missing: true + on_failure: + - set: + field: _ingest._value.headend_url 
+ tag: set_sensors_headend_uri + value: '{{{_ingest._value.headend_uri}}}' + - foreach: + field: json.sensors + if: ctx.json?.sensors instanceof List + processor: + convert: + field: _ingest._value.ip_address + tag: convert_sensors_ip_address_to_ip + type: ip + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.ip_address + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.sensors + if: ctx.json?.sensors instanceof List + processor: + append: + field: observer.ip + tag: append_sensors_ip_address_into_observer_ip + value: '{{{_ingest._value.ip_address}}}' + allow_duplicates: false + - foreach: + field: json.sensors + if: ctx.json?.sensors instanceof List + processor: + append: + field: related.ip + tag: append_sensors_ip_address_into_related_ip + value: '{{{_ingest._value.ip_address}}}' + allow_duplicates: false + - foreach: + field: json.sensors + if: ctx.json?.sensors instanceof List + processor: + date: + field: _ingest._value.last_seen + tag: date_sensors_last_seen + target_field: _ingest._value.last_seen + formats: + - ISO8601 + on_failure: + - remove: + field: _ingest._value.last_seen + ignore_missing: true + - foreach: + field: json.sensors + if: ctx.json?.sensors instanceof List + processor: + append: + field: observer.name + tag: append_sensors_name_into_observer_name + value: '{{{_ingest._value.name}}}' + allow_duplicates: false + - foreach: + field: json.sensors + if: ctx.json?.sensors instanceof List + processor: + append: + field: observer.serial_number + tag: append_sensors_serial_number_into_observer_serial_number + value: '{{{_ingest._value.serial_number}}}' + allow_duplicates: false + - foreach: + field: json.sensors + if: ctx.json?.sensors instanceof List + processor: + convert: + field: 
_ingest._value.update_count + tag: convert_sensors_update_count_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.update_count + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.sensors + if: ctx.json?.sensors instanceof List + processor: + append: + field: observer.version + tag: append_sensors_version_into_observer_version + value: '{{{_ingest._value.version}}}' + allow_duplicates: false + - foreach: + field: json.sensors + if: ctx.json?.sensors instanceof List + processor: + remove: + field: + - _ingest._value.ip_address + - _ingest._value.last_seen + - _ingest._value.headend_uri + tag: remove_sensors + ignore_missing: true + - rename: + field: json.sensors + tag: rename_sensors + target_field: vectra_rux.health.sensors + ignore_missing: true + - foreach: + field: vectra_rux.health.sensors + tag: foreach_vectra_rux_health_sensors_id + if: ctx.vectra_rux?.health?.sensors instanceof List + processor: + convert: + field: _ingest._value.id + tag: convert_vectra_rux_health_sensors_id_to_string + type: string + ignore_missing: true + - foreach: + field: vectra_rux.health.sensors + tag: foreach_vectra_rux_health_sensors_headend_ip + if: ctx.vectra_rux?.health?.sensors instanceof List + processor: + append: + field: related.ip + tag: append_vectra_rux_health_sensors_headend_ip_into_related_ip + value: '{{{_ingest._value.headend_ip}}}' + allow_duplicates: false + - rename: + field: json.system.serial_number + tag: rename_system_serial_number + target_field: vectra_rux.health.system.serial_number + ignore_missing: true + - set: + field: host.id + tag: set_host_id_from_health_system_serial_number + copy_from: vectra_rux.health.system.serial_number + ignore_empty_value: true + - date: + 
field: json.system.updated_at + tag: date_system_updated_at + target_field: vectra_rux.health.system.updated_at + formats: + - yyyy-MM-dd HH:mm:ssXXXXX + - yyyy-MM-d HH:mm:ssXXXXX + - yyyy-MM- d HH:mm:ssXXXXX + - ISO8601 + if: ctx.json?.system?.updated_at != null && ctx.json.system.updated_at != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.system.uptime + tag: rename_system_uptime + target_field: vectra_rux.health.system.uptime + ignore_missing: true + - convert: + field: json.system.version.cloud_bridge + tag: convert_system_version_cloud_bridge_to_boolean + target_field: vectra_rux.health.system.version.cloud_bridge + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.system.version.gmt + tag: date_system_version_gmt + target_field: vectra_rux.health.system.version.gmt + formats: + - ISO8601 + if: ctx.json?.system?.version?.gmt != null && ctx.json.system.version.gmt != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.system.version.last_update + tag: date_system_version_last_update + target_field: vectra_rux.health.system.version.last_update + formats: + - 'EEE MMM dd HH:mm:ss yyyy' + - 'EEE MMM d HH:mm:ss yyyy' + - 'EEE MMM d HH:mm:ss yyyy' + - ISO8601 + if: ctx.json?.system?.version?.last_update != null && 
ctx.json.system.version.last_update != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.system.version.last_update_utc + tag: date_system_version_last_update_utc + target_field: vectra_rux.health.system.version.last_update_utc + formats: + - ISO8601 + if: ctx.json?.system?.version?.last_update_utc != null && ctx.json.system.version.last_update_utc != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.system.version.mode + tag: rename_system_version_mode + target_field: vectra_rux.health.system.version.mode + ignore_missing: true + - rename: + field: json.system.version.model + tag: rename_system_version_model + target_field: vectra_rux.health.system.version.model + ignore_missing: true + - rename: + field: json.system.version.vectra_instance_type + tag: rename_system_version_vectra_instance_type + target_field: vectra_rux.health.system.version.vectra_instance_type + ignore_missing: true + - rename: + field: json.system.version.vectra_version + tag: rename_system_version_vectra_version + target_field: vectra_rux.health.system.version.vectra_version + ignore_missing: true + - rename: + field: json.system.version.vm_type + tag: rename_system_version_vm_type + target_field: vectra_rux.health.system.version.vm_type + ignore_missing: true + - set: + field: host.type + tag: set_host_type_from_health_system_version_vm_type + copy_from: vectra_rux.health.system.version.vm_type + ignore_empty_value: true + - foreach: + field: json.trafficdrop.sensors + if: ctx.json?.trafficdrop?.sensors instanceof List + 
processor: + convert: + field: _ingest._value.ip_address + tag: convert_trafficdrop_sensors_ip_address_to_ip + type: ip + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.ip_address + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.trafficdrop.sensors + if: ctx.json?.trafficdrop?.sensors instanceof List + processor: + append: + field: related.ip + tag: append_trafficdrop_sensors_ip_address + value: '{{{_ingest._value.ip_address}}}' + allow_duplicates: false + - rename: + field: json.trafficdrop.sensors + tag: rename_trafficdrop_sensors + target_field: vectra_rux.health.trafficdrop.sensors + ignore_missing: true + - date: + field: json.trafficdrop.updated_at + tag: date_trafficdrop_updated_at + target_field: vectra_rux.health.trafficdrop.updated_at + formats: + - yyyy-MM-dd HH:mm:ssXXXXX + - yyyy-MM-d HH:mm:ssXXXXX + - yyyy-MM- d HH:mm:ssXXXXX + - ISO8601 + if: ctx.json?.trafficdrop?.updated_at != null && ctx.json.trafficdrop.updated_at != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: vectra_rux.health.sensors + if: ctx.vectra_rux?.health?.sensors instanceof List + processor: + remove: + field: + - _ingest._value.serial_number + - _ingest._value.version + - _ingest._value.ip_address + - _ingest._value.name + tag: remove_custom_duplicate_fields_from_vectra_rux_health_sensors + ignore_missing: true + if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields') + - remove: + field: + - vectra_rux.health.network.vlans.vlan_ids + - 
vectra_rux.health.detection.message + - vectra_rux.health.detection.name + - vectra_rux.health.event_timestamp + - vectra_rux.health.system.serial_number + - vectra_rux.health.system.version.vm_type + - vectra_rux.health.sensors.serial_number + - vectra_rux.health.sensors.version + - vectra_rux.health.sensors.ip_address + - vectra_rux.health.sensors.name + - vectra_rux.health.cpu.user_percent + tag: remove_custom_duplicate_fields + ignore_missing: true + if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields') + - remove: + field: json + tag: remove_json + ignore_missing: true + # Cleanup + - script: + description: This script processor iterates over the whole document to remove fields with null values. + tag: script_to_drop_null_values + lang: painless + source: | + void handleMap(Map map) { + map.values().removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + void handleList(List list) { + list.removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + handleMap(ctx); + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + if: ctx.error?.message != null + - append: + field: tags + value: preserve_original_event + allow_duplicates: false + if: ctx.error?.message != null +on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: 
preserve_original_event + allow_duplicates: false diff --git a/packages/vectra_rux/data_stream/health/fields/base-fields.yml b/packages/vectra_rux/data_stream/health/fields/base-fields.yml new file mode 100644 index 00000000000..5d7a5958825 --- /dev/null +++ b/packages/vectra_rux/data_stream/health/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module. + value: vectra_rux +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: vectra_rux.health +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/vectra_rux/data_stream/health/fields/beats.yml b/packages/vectra_rux/data_stream/health/fields/beats.yml new file mode 100644 index 00000000000..d5fd38748ba --- /dev/null +++ b/packages/vectra_rux/data_stream/health/fields/beats.yml @@ -0,0 +1,6 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. +- name: log.offset + type: long + description: Log offset. diff --git a/packages/vectra_rux/data_stream/health/fields/ecs.yml b/packages/vectra_rux/data_stream/health/fields/ecs.yml new file mode 100644 index 00000000000..cba7d8cdb84 --- /dev/null +++ b/packages/vectra_rux/data_stream/health/fields/ecs.yml @@ -0,0 +1,4 @@ +# Define ECS constant fields as constant_keyword +- name: observer.vendor + type: constant_keyword + value: Vectra diff --git a/packages/vectra_rux/data_stream/health/fields/fields.yml b/packages/vectra_rux/data_stream/health/fields/fields.yml new file mode 100644 index 00000000000..457e966d821 --- /dev/null +++ b/packages/vectra_rux/data_stream/health/fields/fields.yml 
@@ -0,0 +1,253 @@ +- name: vectra_rux + type: group + fields: + - name: health + type: group + fields: + - name: connectivity + type: group + fields: + - name: sensors + type: group + fields: + - name: output + type: flattened + - name: affected_metadata_hours + type: keyword + description: Field not present if status is 'OK'. + - name: error + type: keyword + - name: ip_address + type: ip + - name: luid + type: keyword + - name: name + type: keyword + - name: serial_number + type: keyword + - name: status + type: keyword + description: Status can be OK, WARNING, CRITICAL, or UNKNOWN. + - name: cpu + type: group + fields: + - name: idle_percent + type: double + description: 'Percentage of CPU idle.' + - name: nice_percent + type: double + description: 'Percentage of CPU processing higher prioritized tasks.' + - name: system_percent + type: double + description: 'Percentage of CPU processing system specific tasks.' + - name: updated_at + type: date + - name: user_percent + type: double + description: 'Percentage of CPU processing tasks.' + - name: detection + type: group + fields: + - name: check_results + type: flattened + description: One entry per failing detection model, or exactly one entry if all detection models are healthy. + - name: detection_type + type: keyword + - name: message + type: keyword + - name: name + type: keyword + - name: status + type: keyword + description: Status can be OK or CRITICAL. 
+ - name: updated_at + type: date + - name: disk + type: group + fields: + - name: degraded_raid_volume + type: group + fields: + - name: error + type: keyword + - name: output + type: keyword + - name: status + type: keyword + - name: disk_raid + type: group + fields: + - name: error + type: keyword + - name: output + type: keyword + - name: status + type: keyword + - name: disk_utilization + type: group + fields: + - name: free_bytes + type: long + - name: total_bytes + type: long + - name: usage_percent + type: double + - name: used_bytes + type: long + - name: raid_disks_missing + type: group + fields: + - name: error + type: keyword + - name: output + type: keyword + - name: status + type: keyword + - name: updated_at + type: date + - name: event_timestamp + type: date + - name: hostid + type: group + fields: + - name: artifact_counts + type: object + object_type: double + - name: ip_always_percent + type: double + - name: ip_never_percent + type: double + - name: ip_sometimes_percent + type: double + - name: updated_at + type: date + - name: memory + type: group + fields: + - name: free_bytes + type: long + - name: total_bytes + type: long + - name: updated_at + type: date + - name: usage_percent + type: double + - name: used_bytes + type: long + - name: network + type: group + fields: + - name: interfaces + type: flattened + - name: traffic + type: flattened + - name: updated_at + type: date + - name: vlans + type: group + fields: + - name: count + type: long + - name: vlan_ids + type: keyword + - name: power + type: group + fields: + - name: power_supplies + type: flattened + - name: error + type: keyword + - name: status + type: keyword + - name: updated_at + type: date + - name: sensors + type: group + fields: + - name: headend_ip + type: ip + - name: headend_url + type: keyword + - name: id + type: keyword + - name: ip_address + type: ip + - name: last_seen + type: date + - name: location + type: keyword + - name: luid + type: keyword + - name: mode + 
type: keyword + - name: name + type: keyword + - name: original_version + type: keyword + - name: product_name + type: keyword + - name: public_key + type: keyword + - name: serial_number + type: keyword + - name: ssh_tunnel_port + type: keyword + - name: status + type: keyword + - name: update_count + type: long + - name: version + type: keyword + - name: system + type: group + fields: + - name: serial_number + type: keyword + - name: updated_at + type: date + - name: uptime + type: keyword + - name: version + type: group + fields: + - name: cloud_bridge + type: boolean + - name: gmt + type: date + - name: last_update + type: date + - name: last_update_utc + type: date + - name: mode + type: keyword + - name: model + type: keyword + - name: vectra_instance_type + type: keyword + - name: vectra_version + type: keyword + - name: vm_type + type: keyword + - name: trafficdrop + type: group + fields: + - name: sensors + type: group + fields: + - name: output + type: flattened + - name: error + type: keyword + - name: ip_address + type: ip + - name: luid + type: keyword + - name: name + type: keyword + - name: serial_number + type: keyword + - name: status + type: keyword + description: Status can be OK, WARNING, UNKNOWN, or SKIP. + - name: updated_at + type: date diff --git a/packages/vectra_rux/data_stream/health/lifecycle.yml b/packages/vectra_rux/data_stream/health/lifecycle.yml new file mode 100644 index 00000000000..b56a81e81d7 --- /dev/null +++ b/packages/vectra_rux/data_stream/health/lifecycle.yml @@ -0,0 +1 @@ +data_retention: "30d" diff --git a/packages/vectra_rux/data_stream/health/manifest.yml b/packages/vectra_rux/data_stream/health/manifest.yml new file mode 100644 index 00000000000..785abb5b4b3 --- /dev/null +++ b/packages/vectra_rux/data_stream/health/manifest.yml 
@@ -0,0 +1,67 @@ +title: Collect Health logs from Vectra RUX +type: logs +ilm_policy: logs-vectra_rux.health-default_policy +streams: + - input: cel + title: Health logs + description: Collect Health logs from Vectra RUX. + template_path: cel.yml.hbs + enabled: true + vars: + - name: interval + type: text + title: Interval + description: Duration between requests to the Vectra RUX API. Supported units for this parameter are h/m/s. + default: 15m + multi: false + required: true + show_user: true + - name: http_client_timeout + type: text + title: HTTP Client Timeout + description: Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h. + multi: false + required: true + show_user: false + default: 30s + - name: enable_request_tracer + type: bool + title: Enable request tracing + multi: false + required: false + show_user: false + description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details. + default: false + - name: preserve_original_event + required: false + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: false + show_user: false + title: Preserve duplicate custom fields + description: Preserve vectra_rux.health fields that were copied to Elastic Common Schema (ECS) fields. 
+ type: bool + multi: false + default: false + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - vectra_rux-health + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. diff --git a/packages/vectra_rux/data_stream/health/sample_event.json b/packages/vectra_rux/data_stream/health/sample_event.json new file mode 100644 index 00000000000..cefcae1bc81 --- /dev/null +++ b/packages/vectra_rux/data_stream/health/sample_event.json 
@@ -0,0 +1,311 @@ +{ + "@timestamp": "2025-04-15T09:39:45.146Z", + "agent": { + "ephemeral_id": "179cd6a3-65f7-4a00-adde-438057bab374", + "id": "25cd8358-4959-42d7-b298-4f4de6a30faf", + "name": "elastic-agent-32052", + "type": "filebeat", + "version": "8.18.0" + }, + "data_stream": { + "dataset": "vectra_rux.health", + "namespace": "68011", + "type": "logs" + }, + "ecs": { + "version": "8.17.0" + }, + "elastic_agent": { + "id": "25cd8358-4959-42d7-b298-4f4de6a30faf", + "snapshot": false, + "version": "8.18.0" + }, + "event": { + "agent_id_status": "verified", + "dataset": "vectra_rux.health", + "ingested": "2025-05-08T05:13:27Z", + "kind": "event", + "original": "{\"connectivity\":{\"sensors\":[{\"affected_metadata_hours\":[\"2025-04-18T00:00:00Z\",\"2025-04-18T01:00:00Z\"],\"error\":\"metadata replication seems fine\",\"ip_address\":\"216.160.83.56\",\"luid\":\"w4ftj0a8\",\"name\":\"EDR Sensor\",\"serial_number\":\"V421353ef386550fb2f9a959fa3f52aee\",\"status\":\"OK\"},{\"affected_metadata_hours\":[\"2025-04-18T00:00:00Z\",\"2025-04-18T01:00:00Z\"],\"error\":\"metadata replication seems fine\",\"ip_address\":\"81.2.69.142\",\"luid\":\"w4ftj0a8\",\"name\":\"XDR Sensor\",\"serial_number\":\"V423ef386550fb2f9a959fa3f52aee\",\"status\":\"OK\"}],\"updated_at\":\"2025-04-18 07:17:35+00:00\"},\"cpu\":{\"idle_percent\":43.9,\"nice_percent\":0,\"system_percent\":24.9,\"updated_at\":\"2025-04-18 07:17:35+00:00\",\"user_percent\":30},\"detection\":{\"detection_type\":\"AWS\",\"message\":\"This is detection message\",\"name\":\"Detection 1\",\"status\":\"OK\",\"updated_at\":\"2025-04-18 
07:17:33+00:00\"},\"disk\":{\"degraded_raid_volume\":{\"error\":\"error\",\"output\":\"output\",\"status\":\"OK\"},\"disk_raid\":{\"error\":\"error\",\"output\":\"output\",\"status\":\"OK\"},\"disk_utilization\":{\"free_bytes\":10000109,\"total_bytes\":67444477952,\"usage_percent\":47,\"used_bytes\":33078743040},\"raid_disks_missing\":{\"error\":\"error\",\"output\":\"output\",\"status\":\"OK\"},\"updated_at\":\"2025-04-18 07:17:34+00:00\"},\"event_timestamp\":\"2025-04-15T09:39:45.146Z\",\"hostid\":{\"artifact_counts\":{\"TestEDR\":0,\"arsenic\":0,\"carbon_black\":0,\"cb_cloud\":0,\"clear_state\":0,\"cookie\":0,\"crowdstrike\":0,\"cybereason\":0,\"dhcp\":6606,\"dns\":27818,\"end_time\":0,\"fireeye\":0,\"generic_edr\":0,\"idle_end\":27818,\"idle_start\":27936,\"invalid\":0,\"kerberos\":209,\"kerberos_user\":0,\"mdns\":18575,\"netbios\":15596,\"proxy_ip\":0,\"rdns\":0,\"sentinelone\":0,\"split\":0,\"src_port\":0,\"static_ip\":0,\"total\":134681,\"uagent\":10122,\"vmachine_info\":0,\"windows_defender\":1,\"zpa_user\":0},\"ip_always_percent\":18.52,\"ip_never_percent\":79.01,\"ip_sometimes_percent\":2.47,\"updated_at\":\"2025-04-18 07:17:35+00:00\"},\"memory\":{\"free_bytes\":5597118464,\"total_bytes\":67444477952,\"updated_at\":\"2025-04-18 07:17:35+00:00\",\"usage_percent\":47,\"used_bytes\":33078743040},\"network\":{\"updated_at\":\"2025-04-18 07:17:34+00:00\",\"vlans\":{\"count\":1,\"vlan_ids\":[\"7\",\"8\"]}},\"power\":{\"error\":\"Power check for this device is not supported\",\"status\":\"SKIP\",\"updated_at\":\"2025-04-18 07:17:35+00:00\"},\"sensors\":[{\"headend_uri\":\"175.16.199.24\",\"id\":3,\"ip_address\":\"175.16.199.0\",\"last_seen\":\"2025-04-18T07:15:37.685Z\",\"location\":\"hyp-2-37\",\"luid\":\"w4ftj0a8\",\"mode\":\"sensor\",\"name\":\"EDR Sensor\",\"original_version\":\"7.9.0-17-38\",\"product_name\":\"DCS\",\"public_key\":\"-----BEGIN PUBLIC 
KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1y0zv2goBjkol/8TggJJ\\nMgP03tIZ6B6w9PVpF/bK8KTT0/hinX8PHP/MdDS58sVE6DuAqAkkELqN55f35AhB\\nOqztY9xWDH8bO7Y0P0kbBIQ9+/abyfNpaxbiQe5Yk8oClyEgtXH4GKJCNxkGgbIb\\n-----END PUBLIC KEY-----\\n\",\"serial_number\":\"V421353ef386550fb2f9a959fa3f52aee\",\"ssh_tunnel_port\":\"38113\",\"status\":\"paired\",\"update_count\":0,\"version\":\"9.0.3-1-62\"},{\"headend_uri\":\"175.16.199.24\",\"id\":2,\"ip_address\":\"175.16.199.0\",\"last_seen\":\"2025-04-18T07:15:37.685Z\",\"location\":\"hyp-2-35\",\"luid\":\"w4ftj0a8\",\"mode\":\"sensor\",\"name\":\"XDR Sensor\",\"original_version\":\"7.9.0-17-38\",\"product_name\":\"DCS\",\"public_key\":\"-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1y0zv2goBjkol/8TggJJ\\nMgP03tIZ6B6w9PVpF/bK8KTT0/hinX8PHP/MdDS58sVE6DuAqAkkELqN55f35AhB\\nOqztY9xWDH8bO7Y0P0kbBIQ9+/abyfNpaxbiQe5Yk8oClyEgtXH4GKJCNxkGgbIb\\n-----END PUBLIC KEY-----\\n\",\"serial_number\":\"12421353ef386550fb2f9a959fa3f52aee\",\"ssh_tunnel_port\":\"38113\",\"status\":\"paired\",\"update_count\":0,\"version\":\"9.0.3-1-62\"},{\"headend_uri\":\"http://headend_uri/\",\"id\":1,\"ip_address\":\"175.16.199.0\",\"last_seen\":\"2025-04-18T07:15:37.685Z\",\"location\":\"hyp-2-30\",\"luid\":\"w4ftj0a8\",\"mode\":\"sensor\",\"name\":\"DR Sensor\",\"original_version\":\"7.9.0-17-38\",\"product_name\":\"DCS\",\"public_key\":\"-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1y0zv2goBjkol/8TggJJ\\nMgP03tIZ6B6w9PVpF/bK8KTT0/hinX8PHP/MdDS58sVE6DuAqAkkELqN55f35AhB\\nOqztY9xWDH8bO7Y0P0kbBIQ9+/abyfNpaxbiQe5Yk8oClyEgtXH4GKJCNxkGgbIb\\n-----END PUBLIC KEY-----\\n\",\"serial_number\":\"V4121353ef386550fb2f9a959fa3f52aee\",\"ssh_tunnel_port\":\"38113\",\"status\":\"paired\",\"update_count\":0,\"version\":\"9.0.3-1-62\"}],\"system\":{\"serial_number\":\"VHE66258a5e8dafe76d9a5dd741abd94ee8\",\"updated_at\":\"2025-04-18 07:17:33+00:00\",\"uptime\":\"261 days, 13 hours, 33 
minutes\",\"version\":{\"cloud_bridge\":true,\"gmt\":\"2025-04-18T07:14:09.593927Z\",\"last_update\":\"Wed Apr 9 02:03:16 2025\",\"last_update_utc\":\"2025-04-09T02:03:16+00:00\",\"mode\":\"brain\",\"model\":\"VHE\",\"vectra_instance_type\":\"medium\",\"vectra_version\":\"9.0.3-2-62\",\"vm_type\":\"vmware\"}},\"trafficdrop\":{\"sensors\":[{\"error\":\"All interfaces have traffic volume within range\",\"ip_address\":\"1.128.0.0\",\"luid\":\"w4ftj0a8\",\"name\":\"EDR Sensor\",\"serial_number\":\"V421353ef386550fb2f9a959fa3f52aee\",\"status\":\"OK\"},{\"error\":\"Interface have traffic volume within range\",\"ip_address\":\"1.128.0.11\",\"luid\":\"w4ftj0a8\",\"name\":\"XDR Sensor\",\"serial_number\":\"1421353ef386550fb2f9a959fa3f52aee\",\"status\":\"OK\"}],\"updated_at\":\"2025-04-18 07:17:35+00:00\"}}" + }, + "host": { + "cpu": { + "usage": 30 + }, + "id": "VHE66258a5e8dafe76d9a5dd741abd94ee8", + "type": "vmware" + }, + "input": { + "type": "cel" + }, + "message": "This is detection message", + "network": { + "vlan": { + "id": [ + "7", + "8" + ] + } + }, + "observer": { + "ip": [ + "175.16.199.0" + ], + "name": [ + "EDR Sensor", + "XDR Sensor", + "DR Sensor" + ], + "product": "Vectra RUX", + "serial_number": [ + "V421353ef386550fb2f9a959fa3f52aee", + "12421353ef386550fb2f9a959fa3f52aee", + "V4121353ef386550fb2f9a959fa3f52aee" + ], + "version": [ + "9.0.3-1-62" + ] + }, + "related": { + "ip": [ + "216.160.83.56", + "81.2.69.142", + "175.16.199.0", + "175.16.199.24", + "1.128.0.0", + "1.128.0.11" + ] + }, + "rule": { + "name": "Detection 1" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "vectra_rux-health" + ], + "threat": { + "indicator": { + "description": "This is detection message" + } + }, + "vectra_rux": { + "health": { + "connectivity": { + "sensors": [ + { + "affected_metadata_hours": [ + "2025-04-18T00:00:00Z", + "2025-04-18T01:00:00Z" + ], + "error": "metadata replication seems fine", + "ip_address": 
"216.160.83.56", + "luid": "w4ftj0a8", + "name": "EDR Sensor", + "serial_number": "V421353ef386550fb2f9a959fa3f52aee", + "status": "OK" + }, + { + "affected_metadata_hours": [ + "2025-04-18T00:00:00Z", + "2025-04-18T01:00:00Z" + ], + "error": "metadata replication seems fine", + "ip_address": "81.2.69.142", + "luid": "w4ftj0a8", + "name": "XDR Sensor", + "serial_number": "V423ef386550fb2f9a959fa3f52aee", + "status": "OK" + } + ] + }, + "cpu": { + "idle_percent": 43.9, + "nice_percent": 0, + "system_percent": 24.9, + "updated_at": "2025-04-18T07:17:35.000Z", + "user_percent": 30 + }, + "detection": { + "detection_type": "AWS", + "message": "This is detection message", + "name": "Detection 1", + "status": "OK", + "updated_at": "2025-04-18T07:17:33.000Z" + }, + "disk": { + "degraded_raid_volume": { + "error": "error", + "output": "output", + "status": "OK" + }, + "disk_raid": { + "error": "error", + "output": "output", + "status": "OK" + }, + "disk_utilization": { + "free_bytes": 10000109, + "total_bytes": 67444477952, + "usage_percent": 47, + "used_bytes": 33078743040 + }, + "raid_disks_missing": { + "error": "error", + "output": "output", + "status": "OK" + }, + "updated_at": "2025-04-18T07:17:34.000Z" + }, + "event_timestamp": "2025-04-15T09:39:45.146Z", + "hostid": { + "artifact_counts": { + "TestEDR": 0, + "arsenic": 0, + "carbon_black": 0, + "cb_cloud": 0, + "clear_state": 0, + "cookie": 0, + "crowdstrike": 0, + "cybereason": 0, + "dhcp": 6606, + "dns": 27818, + "end_time": 0, + "fireeye": 0, + "generic_edr": 0, + "idle_end": 27818, + "idle_start": 27936, + "invalid": 0, + "kerberos": 209, + "kerberos_user": 0, + "mdns": 18575, + "netbios": 15596, + "proxy_ip": 0, + "rdns": 0, + "sentinelone": 0, + "split": 0, + "src_port": 0, + "static_ip": 0, + "total": 134681, + "uagent": 10122, + "vmachine_info": 0, + "windows_defender": 1, + "zpa_user": 0 + }, + "ip_always_percent": 18.52, + "ip_never_percent": 2.47, + "ip_sometimes_percent": 79.01, + "updated_at": 
"2025-04-18T07:17:35.000Z" + }, + "memory": { + "free_bytes": 5597118464, + "total_bytes": 67444477952, + "updated_at": "2025-04-18T07:17:35.000Z", + "usage_percent": 47, + "used_bytes": 33078743040 + }, + "network": { + "updated_at": "2025-04-18T07:17:34.000Z", + "vlans": { + "count": 1, + "vlan_ids": [ + "7", + "8" + ] + } + }, + "power": { + "error": "Power check for this device is not supported", + "status": "SKIP", + "updated_at": "2025-04-18T07:17:35.000Z" + }, + "sensors": [ + { + "headend_ip": "175.16.199.24", + "id": "3", + "location": "hyp-2-37", + "luid": "w4ftj0a8", + "mode": "sensor", + "name": "EDR Sensor", + "original_version": "7.9.0-17-38", + "product_name": "DCS", + "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1y0zv2goBjkol/8TggJJ\nMgP03tIZ6B6w9PVpF/bK8KTT0/hinX8PHP/MdDS58sVE6DuAqAkkELqN55f35AhB\nOqztY9xWDH8bO7Y0P0kbBIQ9+/abyfNpaxbiQe5Yk8oClyEgtXH4GKJCNxkGgbIb\n-----END PUBLIC KEY-----\n", + "serial_number": "V421353ef386550fb2f9a959fa3f52aee", + "ssh_tunnel_port": "38113", + "status": "paired", + "update_count": 0, + "version": "9.0.3-1-62" + }, + { + "headend_ip": "175.16.199.24", + "id": "2", + "location": "hyp-2-35", + "luid": "w4ftj0a8", + "mode": "sensor", + "name": "XDR Sensor", + "original_version": "7.9.0-17-38", + "product_name": "DCS", + "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1y0zv2goBjkol/8TggJJ\nMgP03tIZ6B6w9PVpF/bK8KTT0/hinX8PHP/MdDS58sVE6DuAqAkkELqN55f35AhB\nOqztY9xWDH8bO7Y0P0kbBIQ9+/abyfNpaxbiQe5Yk8oClyEgtXH4GKJCNxkGgbIb\n-----END PUBLIC KEY-----\n", + "serial_number": "12421353ef386550fb2f9a959fa3f52aee", + "ssh_tunnel_port": "38113", + "status": "paired", + "update_count": 0, + "version": "9.0.3-1-62" + }, + { + "headend_url": "http://headend_uri/", + "id": "1", + "location": "hyp-2-30", + "luid": "w4ftj0a8", + "mode": "sensor", + "name": "DR Sensor", + "original_version": "7.9.0-17-38", + "product_name": "DCS", + "public_key": "-----BEGIN 
PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1y0zv2goBjkol/8TggJJ\nMgP03tIZ6B6w9PVpF/bK8KTT0/hinX8PHP/MdDS58sVE6DuAqAkkELqN55f35AhB\nOqztY9xWDH8bO7Y0P0kbBIQ9+/abyfNpaxbiQe5Yk8oClyEgtXH4GKJCNxkGgbIb\n-----END PUBLIC KEY-----\n", + "serial_number": "V4121353ef386550fb2f9a959fa3f52aee", + "ssh_tunnel_port": "38113", + "status": "paired", + "update_count": 0, + "version": "9.0.3-1-62" + } + ], + "system": { + "serial_number": "VHE66258a5e8dafe76d9a5dd741abd94ee8", + "updated_at": "2025-04-18T07:17:33.000Z", + "uptime": "261 days, 13 hours, 33 minutes", + "version": { + "cloud_bridge": true, + "gmt": "2025-04-18T07:14:09.593Z", + "last_update": "2025-04-09T02:03:16.000Z", + "last_update_utc": "2025-04-09T02:03:16.000Z", + "mode": "brain", + "model": "VHE", + "vectra_instance_type": "medium", + "vectra_version": "9.0.3-2-62", + "vm_type": "vmware" + } + }, + "trafficdrop": { + "sensors": [ + { + "error": "All interfaces have traffic volume within range", + "ip_address": "1.128.0.0", + "luid": "w4ftj0a8", + "name": "EDR Sensor", + "serial_number": "V421353ef386550fb2f9a959fa3f52aee", + "status": "OK" + }, + { + "error": "Interface have traffic volume within range", + "ip_address": "1.128.0.11", + "luid": "w4ftj0a8", + "name": "XDR Sensor", + "serial_number": "1421353ef386550fb2f9a959fa3f52aee", + "status": "OK" + } + ], + "updated_at": "2025-04-18T07:17:35.000Z" + } + } + } +} diff --git a/packages/vectra_rux/data_stream/lockdown/_dev/test/pipeline/test-common-config.yml b/packages/vectra_rux/data_stream/lockdown/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..37e8fa225fd --- /dev/null +++ b/packages/vectra_rux/data_stream/lockdown/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_duplicate_custom_fields 
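Review bot: in packages/vectra_rux/data_stream/health/fields/fields.yml, `hostid.artifact_counts` is declared as `type: object` with `object_type: double`, but every value the sample carries there (`"dhcp":6606`, `"dns":27818`, `"total":134681`) is an integer count, so `object_type: long` is the better fit. Also the keyword `status` fields under connectivity (`Status can be OK, WARNING, CRITICAL, or UNKNOWN.`) and trafficdrop (`Status can be OK, WARNING, UNKNOWN, or SKIP.`) have descriptions while `disk.*.status`, `power.status` and `sensors.status` do not; please document the expected values there as well (the sample shows `SKIP` for power and `paired` for sensors).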
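Review bot: in packages/vectra_rux/data_stream/health/sample_event.json the parsed hostid percentages are swapped relative to the raw event: `event.original` carries `"ip_never_percent":79.01,"ip_sometimes_percent":2.47`, but `vectra_rux.health.hostid` shows `"ip_never_percent": 2.47` and `"ip_sometimes_percent": 79.01`. Since sample_event.json is generated from the health ingest pipeline, the rename or convert step for those two fields looks crossed; please fix the pipeline and regenerate the sample. Two more things visible in the same sample: `host.cpu.usage` is `30`, copied from `user_percent`, while ECS defines host.cpu.usage as a ratio between 0 and 1, so it needs dividing by 100; and the parsed `vectra_rux.health.sensors` entries have no `ip_address` or `last_seen` even though `preserve_duplicate_custom_fields` is among the tags and both fields are mapped in fields.yml, so either the preserve path skips them or those two mappings are dead.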
diff --git a/packages/vectra_rux/data_stream/lockdown/_dev/test/pipeline/test-lockdown.log b/packages/vectra_rux/data_stream/lockdown/_dev/test/pipeline/test-lockdown.log new file mode 100644 index 00000000000..014b8b4d3c2 --- /dev/null +++ b/packages/vectra_rux/data_stream/lockdown/_dev/test/pipeline/test-lockdown.log @@ -0,0 +1,2 @@ +{"id":1,"type":"account","entity_id":2,"entity_name":"O365:jsmith@vectra.ai","lock_event_timestamp":"2023-03-06T22:30:06Z","locked_by":"vadmin","certainty":0,"unlock_event_timestamp":"2023-04-07T23:50:00Z"} +{"id":1,"type":"host","entity_id":1184,"entity_name":"Windows10_Jump","lock_event_timestamp":"2024-03-01T18:20:20Z","locked_by":"vadmin","certainty":0,"unlock_event_timestamp":"2024-03-04T22:30:16Z"} diff --git a/packages/vectra_rux/data_stream/lockdown/_dev/test/pipeline/test-lockdown.log-expected.json b/packages/vectra_rux/data_stream/lockdown/_dev/test/pipeline/test-lockdown.log-expected.json new file mode 100644 index 00000000000..ebc698f8b41 --- /dev/null +++ b/packages/vectra_rux/data_stream/lockdown/_dev/test/pipeline/test-lockdown.log-expected.json 
@@ -0,0 +1,98 @@ +{ + "expected": [ + { + "@timestamp": "2023-03-06T22:30:06.000Z", + "ecs": { + "version": "8.17.0" + }, + "event": { + "end": "2023-04-07T23:50:00.000Z", + "kind": "event", + "original": "{\"id\":1,\"type\":\"account\",\"entity_id\":2,\"entity_name\":\"O365:jsmith@vectra.ai\",\"lock_event_timestamp\":\"2023-03-06T22:30:06Z\",\"locked_by\":\"vadmin\",\"certainty\":0,\"unlock_event_timestamp\":\"2023-04-07T23:50:00Z\"}", + "start": "2023-03-06T22:30:06.000Z" + }, + "observer": { + "product": "Vectra RUX" + }, + "related": { + "user": [ + "2", + "O365:jsmith@vectra.ai", + "vadmin" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "email": "O365:jsmith@vectra.ai", + "id": "2", + "name": "vadmin" + }, + "vectra_rux": { + "lockdown": { + "certainty": 0, + "entity_id": "2", + "entity_name": "O365:jsmith@vectra.ai", + "id": "1", + "lock_event_timestamp": "2023-03-06T22:30:06.000Z", + "locked_by": "vadmin", + "type": "account", + "unlock_event_timestamp": "2023-04-07T23:50:00.000Z" + } + } + }, + { + "@timestamp": "2024-03-01T18:20:20.000Z", + "ecs": { + "version": "8.17.0" + }, + "event": { + "category": [ + "host" + ], + "end": "2024-03-04T22:30:16.000Z", + "kind": "event", + "original": "{\"id\":1,\"type\":\"host\",\"entity_id\":1184,\"entity_name\":\"Windows10_Jump\",\"lock_event_timestamp\":\"2024-03-01T18:20:20Z\",\"locked_by\":\"vadmin\",\"certainty\":0,\"unlock_event_timestamp\":\"2024-03-04T22:30:16Z\"}", + "start": "2024-03-01T18:20:20.000Z", + "type": [ + "info" + ] + }, + "host": { + "id": "1184", + "name": "Windows10_Jump" + }, + "observer": { + "product": "Vectra RUX" + }, + "related": { + "hosts": [ + "1184", + "Windows10_Jump" + ], + "user": [ + "vadmin" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "name": "vadmin" + }, + "vectra_rux": { + "lockdown": { + "certainty": 0, + "entity_id": "1184", + "entity_name": "Windows10_Jump", + "id": "1", + "lock_event_timestamp": 
"2024-03-01T18:20:20.000Z", + "locked_by": "vadmin", + "type": "host", + "unlock_event_timestamp": "2024-03-04T22:30:16.000Z" + } + } + } + ] +} diff --git a/packages/vectra_rux/data_stream/lockdown/_dev/test/system/test-common-config.yml b/packages/vectra_rux/data_stream/lockdown/_dev/test/system/test-common-config.yml new file mode 100644 index 00000000000..9cddb3cb7ae --- /dev/null +++ b/packages/vectra_rux/data_stream/lockdown/_dev/test/system/test-common-config.yml @@ -0,0 +1,13 @@ +input: cel +service: vectra_rux +vars: + url: http://{{Hostname}}:{{Port}} + client_id: xxxx + client_secret: xxxx +data_stream: + vars: + interval: 10s + preserve_original_event: true + preserve_duplicate_custom_fields: true +assert: + hit_count: 1 diff --git a/packages/vectra_rux/data_stream/lockdown/agent/stream/cel.yml.hbs b/packages/vectra_rux/data_stream/lockdown/agent/stream/cel.yml.hbs new file mode 100644 index 00000000000..c0e3b35dba5 --- /dev/null +++ b/packages/vectra_rux/data_stream/lockdown/agent/stream/cel.yml.hbs 
@@ -0,0 +1,69 @@ +config_version: 2 +interval: {{interval}} +resource.tracer: + enabled: {{enable_request_tracer}} + filename: "../../logs/cel/http-request-trace-*.ndjson" + maxbackups: 5 +{{#if proxy_url}} +resource.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +resource.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +resource.timeout: {{http_client_timeout}} +{{/if}} +resource.url: {{url}} +auth.oauth2: + client.id: {{client_id}} + client.secret: {{client_secret}} + token_url: {{url}}/oauth2/token +state: + version: v3.4 +redact: + fields: ~ +program: | + state.with( + request("GET", state.url.trim_right("/") + "/api/" + string(state.version) + "/lockdown" + ).do_request().as(resp, resp.StatusCode == 200 ? + resp.Body.decode_json().as(body, { + "events": body.map(e, { + "message": e.encode_json(), + }) + }) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "GET " + state.url.trim_right("/") + "/api/" + string(state.version) + "/lockdown: " + + ( + (size(resp.Body) != 0) ? + string(resp.Body) + : + string(resp.Status) + " (" + string(resp.StatusCode) + ")" + ), + }, + }, + "want_more": false + } + ) + ) +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/vectra_rux/data_stream/lockdown/elasticsearch/ingest_pipeline/default.yml b/packages/vectra_rux/data_stream/lockdown/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..686b8706ae7 --- /dev/null +++ b/packages/vectra_rux/data_stream/lockdown/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,250 @@ +--- +description: Pipeline for processing lockdown logs. +processors: + - set: + field: ecs.version + tag: set_ecs_version + value: 8.17.0 + - rename: + field: message + tag: rename_message_to_event_original + target_field: event.original + ignore_missing: true + description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document. + if: ctx.event?.original == null + - remove: + field: message + tag: remove_message + ignore_missing: true + description: The `message` field is no longer required if the document has an `event.original` field. + if: ctx.event?.original != null + - json: + field: event.original + tag: json_event_original + target_field: json + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - fingerprint: + fields: + - json.id + - json.entity_id + - json.lock_event_timestamp + - json.unlock_event_timestamp + tag: fingerprint_lockdown + target_field: _id + ignore_missing: true + - set: + field: event.kind + tag: set_event_kind + value: event + - set: + field: observer.product + tag: set_observer_product + value: Vectra RUX + - append: + field: event.category + tag: set_event_category + value: host + if: ctx.json?.type == 'host' + - append: + field: event.type + tag: set_event_type + value: info + if: ctx.json?.type == 'host' + - convert: + field: json.certainty + tag: convert_certainty_to_long + target_field: vectra_rux.lockdown.certainty + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline 
{{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.entity_id + tag: convert_entity_id_to_string + target_field: vectra_rux.lockdown.entity_id + type: string + ignore_missing: true + - set: + field: user.id + tag: set_user_id_from_lockdown_entity_id + copy_from: vectra_rux.lockdown.entity_id + ignore_empty_value: true + if: ctx.json?.type == 'account' + - append: + field: related.user + tag: append_user_id_into_related_user + value: '{{{user.id}}}' + allow_duplicates: false + if: ctx.user?.id != null + - set: + field: host.id + tag: set_host_id_from_lockdown_entity_id + copy_from: vectra_rux.lockdown.entity_id + ignore_empty_value: true + if: ctx.json?.type == 'host' + - append: + field: related.hosts + tag: append_host_id_into_related_hosts + value: '{{{host.id}}}' + allow_duplicates: false + if: ctx.host?.id != null + - rename: + field: json.entity_name + tag: rename_entity_name + target_field: vectra_rux.lockdown.entity_name + ignore_missing: true + - set: + field: user.email + tag: set_user_email_from_lockdown_entity_name + copy_from: vectra_rux.lockdown.entity_name + ignore_empty_value: true + if: ctx.json?.type == 'account' && ctx.vectra_rux?.lockdown?.entity_name.contains("@") + - append: + field: related.user + tag: append_user_email_into_related_user + value: '{{{user.email}}}' + allow_duplicates: false + if: ctx.user?.email != null + - set: + field: host.name + tag: set_user_name_from_lockdown_entity_name + copy_from: vectra_rux.lockdown.entity_name + ignore_empty_value: true + if: ctx.json?.type == 'host' + - append: + field: related.hosts + tag: append_host_name_into_related_hosts + value: '{{{host.name}}}' + allow_duplicates: false + if: ctx.host?.name != null + - convert: + field: json.id + tag: convert_id_to_string + target_field: vectra_rux.lockdown.id + type: string + ignore_missing: true + - date: + field: json.lock_event_timestamp + tag: date_lock_event_timestamp + target_field: 
vectra_rux.lockdown.lock_event_timestamp + formats: + - ISO8601 + if: ctx.json?.lock_event_timestamp != null && ctx.json.lock_event_timestamp != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: '@timestamp' + tag: set_@timestamp_from_lockdown_lock_event_timestamp + copy_from: vectra_rux.lockdown.lock_event_timestamp + ignore_empty_value: true + - set: + field: event.start + tag: set_event_start_from_lockdown_lock_event_timestamp + copy_from: vectra_rux.lockdown.lock_event_timestamp + ignore_empty_value: true + - rename: + field: json.locked_by + tag: rename_locked_by + target_field: vectra_rux.lockdown.locked_by + ignore_missing: true + - set: + field: user.name + tag: set_user_name_from_lockdown_locked_by + copy_from: vectra_rux.lockdown.locked_by + ignore_empty_value: true + - append: + field: related.user + tag: append_user_name_into_related_user + value: '{{{user.name}}}' + allow_duplicates: false + if: ctx.user?.name != null + - rename: + field: json.type + tag: rename_type + target_field: vectra_rux.lockdown.type + ignore_missing: true + - date: + field: json.unlock_event_timestamp + tag: date_unlock_event_timestamp + target_field: vectra_rux.lockdown.unlock_event_timestamp + formats: + - ISO8601 + if: ctx.json?.unlock_event_timestamp != null && ctx.json.unlock_event_timestamp != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.end + tag: set_event_end_from_lockdown_unlock_event_timestamp + copy_from: vectra_rux.lockdown.unlock_event_timestamp + ignore_empty_value: true + - remove: + field: + - 
vectra_rux.lockdown.entity_id + - vectra_rux.lockdown.lock_event_timestamp + - vectra_rux.lockdown.locked_by + - vectra_rux.lockdown.unlock_event_timestamp + tag: remove_custom_duplicate_fields + ignore_missing: true + if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields') + - remove: + field: json + tag: remove_json + ignore_missing: true + # Cleanup + - script: + description: This script processor iterates over the whole document to remove fields with null values. + tag: script_to_drop_null_values + lang: painless + source: | + void handleMap(Map map) { + map.values().removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + void handleList(List list) { + list.removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + handleMap(ctx); + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + if: ctx.error?.message != null + - append: + field: tags + value: preserve_original_event + allow_duplicates: false + if: ctx.error?.message != null +on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/packages/vectra_rux/data_stream/lockdown/fields/base-fields.yml b/packages/vectra_rux/data_stream/lockdown/fields/base-fields.yml new file mode 100644 index 00000000000..716d5a17aba 
--- /dev/null +++ b/packages/vectra_rux/data_stream/lockdown/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module. + value: vectra_rux +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: vectra_rux.lockdown +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/vectra_rux/data_stream/lockdown/fields/beats.yml b/packages/vectra_rux/data_stream/lockdown/fields/beats.yml new file mode 100644 index 00000000000..d5fd38748ba --- /dev/null +++ b/packages/vectra_rux/data_stream/lockdown/fields/beats.yml @@ -0,0 +1,6 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. +- name: log.offset + type: long + description: Log offset. diff --git a/packages/vectra_rux/data_stream/lockdown/fields/ecs.yml b/packages/vectra_rux/data_stream/lockdown/fields/ecs.yml new file mode 100644 index 00000000000..cba7d8cdb84 --- /dev/null +++ b/packages/vectra_rux/data_stream/lockdown/fields/ecs.yml @@ -0,0 +1,4 @@ +# Define ECS constant fields as constant_keyword +- name: observer.vendor + type: constant_keyword + value: Vectra diff --git a/packages/vectra_rux/data_stream/lockdown/fields/fields.yml b/packages/vectra_rux/data_stream/lockdown/fields/fields.yml new file mode 100644 index 00000000000..20d1951b2df --- /dev/null +++ b/packages/vectra_rux/data_stream/lockdown/fields/fields.yml 
@@ -0,0 +1,29 @@ +- name: vectra_rux + type: group + fields: + - name: lockdown + type: group + fields: + - name: certainty + type: long + - name: entity_id + type: keyword + description: ID of the related entity. + - name: entity_name + type: keyword + description: Name of the related entity. + - name: id + type: keyword + description: Autoincrementing ID. + - name: lock_event_timestamp + type: date + description: Time when the lockdown occurred. + - name: locked_by + type: keyword + description: User who issued the lockdown. + - name: type + type: keyword + description: Type of the related entity. + - name: unlock_event_timestamp + type: date + description: Time when the lockdown expires. diff --git a/packages/vectra_rux/data_stream/lockdown/manifest.yml b/packages/vectra_rux/data_stream/lockdown/manifest.yml new file mode 100644 index 00000000000..a4119b95f86 --- /dev/null +++ b/packages/vectra_rux/data_stream/lockdown/manifest.yml 
@@ -0,0 +1,66 @@ +title: Collect Lockdown logs from Vectra RUX +type: logs +streams: + - input: cel + title: Lockdown logs + description: Collect Lockdown logs from Vectra RUX. + template_path: cel.yml.hbs + enabled: true + vars: + - name: interval + type: text + title: Interval + description: Duration between requests to the Vectra RUX API. Supported units for this parameter are h/m/s. + default: 15m + multi: false + required: true + show_user: true + - name: http_client_timeout + type: text + title: HTTP Client Timeout + description: Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h. + multi: false + required: true + show_user: false + default: 30s + - name: enable_request_tracer + type: bool + title: Enable request tracing + multi: false + required: false + show_user: false + description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details. + default: false + - name: preserve_original_event + required: false + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: false + show_user: false + title: Preserve duplicate custom fields + description: Preserve vectra_rux.lockdown fields that were copied to Elastic Common Schema (ECS) fields. 
+ type: bool + multi: false + default: false + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - vectra_rux-lockdown + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. diff --git a/packages/vectra_rux/data_stream/lockdown/sample_event.json b/packages/vectra_rux/data_stream/lockdown/sample_event.json new file mode 100644 index 00000000000..65bccc21f42 --- /dev/null +++ b/packages/vectra_rux/data_stream/lockdown/sample_event.json 
@@ -0,0 +1,78 @@ +{ + "@timestamp": "2023-03-06T22:30:06.000Z", + "agent": { + "ephemeral_id": "37d3c565-b736-4b82-a0ad-be1e92db36ed", + "id": "03e0c104-ccc5-42d7-ac56-8d19b25af6ac", + "name": "elastic-agent-31520", + "type": "filebeat", + "version": "8.18.0" + }, + "data_stream": { + "dataset": "vectra_rux.lockdown", + "namespace": "46084", + "type": "logs" + }, + "ecs": { + "version": "8.17.0" + }, + "elastic_agent": { + "id": "03e0c104-ccc5-42d7-ac56-8d19b25af6ac", + "snapshot": false, + "version": "8.18.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "host" + ], + "dataset": "vectra_rux.lockdown", + "end": "2023-04-07T23:50:00.000Z", + "ingested": "2025-05-08T05:14:19Z", + "kind": "event", + "original": "{\"certainty\":0,\"entity_id\":1184,\"entity_name\":\"Windows10_Jump\",\"id\":1,\"lock_event_timestamp\":\"2023-03-06T22:30:06Z\",\"locked_by\":\"vadmin\",\"type\":\"host\",\"unlock_event_timestamp\":\"2023-04-07T23:50:00Z\"}", + "start": "2023-03-06T22:30:06.000Z", + "type": [ + "info" + ] + }, + "host": { + "id": "1184", + "name": "Windows10_Jump" + }, + "input": { + "type": "cel" + }, + "observer": { + "product": "Vectra RUX" + }, + "related": { + "hosts": [ + "1184", + "Windows10_Jump" + ], + "user": [ + "vadmin" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "vectra_rux-lockdown" + ], + "user": { + "name": "vadmin" + }, + "vectra_rux": { + "lockdown": { + "certainty": 0, + "entity_id": "1184", + "entity_name": "Windows10_Jump", + "id": "1", + "lock_event_timestamp": "2023-03-06T22:30:06.000Z", + "locked_by": "vadmin", + "type": "host", + "unlock_event_timestamp": "2023-04-07T23:50:00.000Z" + } + } +} diff --git a/packages/vectra_rux/docs/README.md b/packages/vectra_rux/docs/README.md new file mode 100644 index 00000000000..5cabab269cf --- /dev/null +++ b/packages/vectra_rux/docs/README.md 
@@ -0,0 +1,1063 @@ +# Vectra RUX + +## Overview + +[Vectra AI](https://www.vectra.ai/) is a provider of cybersecurity solutions, including threat detection and response solutions. Vectra AI also provides cloud security, detects ransomware, secures remote workplaces, hunts and investigates threats, and offers investigations, risk and compliance services. + +This integration enables to collect, parse Audit, Detection Event, Entity Event, Health and Lockdown data via [Vectra RUX REST API](https://support.vectra.ai/vectra/article/KB-VS-1835), then visualise the data in Kibana. + +## Data streams + +The Vectra RUX integration collects logs for five types of events. + +**Audit:** Audit allows collecting Audit Log Events, which are recorded whenever a user performs an action on the system. These events are sequential and provide a reliable audit trail of user activity. + +**Detection Event:** Detection Event allows collecting Detection Events, which are generated upon the initial detection and each subsequent update. + +**Entity Event:** Entity Event allows collecting Entity scoring events, which are generated whenever an entity's score changes, such as during initial threat detection, the discovery of additional detections, or updates to existing ones. + +**Health:** Health allows collecting system health data, with API responses that may vary based on product subscriptions such as Network, AWS, or M365. + +**Lockdown:** Lockdown allows collecting entities lockdown status for accounts and hosts type, that are currently in lockdown mode. + +## Requirements + +### Agentless enabled integration +Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. 
For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html). + +Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features. + +### Agent based installation +Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). +You can install only one Elastic Agent per host. +Elastic Agent is required to stream data from the GCP Pub/Sub or REST API and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines. + +## Compatibility + +For Rest API, this module has been tested against the **v3.4** version. + +## Setup + +### To collect data from the Vectra RUX API: + +1. Navigate to **Manage > API Clients** in Vectra Console. +2. Click on **Add API Client**. +3. Add **Client Name**, **Description** and select the appropriate **Role** based on the endpoint, as outlined in the below table: + | Endpoint | Role | + | -----------------------| -------------------| + | Audit | Auditor | + | Detection Event | Read-Only | + | Entity Event | Read-Only | + | Health | Auditor | + | Lockdown | Read-Only | +4. Click **Generate Credentials**. +5. Copy **Client ID** and **Secret Key**. + +For more details, see [Documentation](https://support.vectra.ai/vectra/article/KB-VS-1572). + +### Enabling the integration in Elastic: + +1. In Kibana navigate to Management > Integrations. +2. In "Search for integrations" top bar, search for `Vectra RUX`. +3. Select the "Vectra RUX" integration from the search results. +4. Select "Add Vectra RUX" to add the integration. +5. 
Add all the required integration configuration parameters, including the URL, Client ID, Client Secret, Interval, and Initial Interval, to enable data collection for REST API input type. +6. Select "Save and continue" to save the integration. + +## Logs reference + +### Audit + +This is the `Audit` dataset. + +#### Example + +An example event for `audit` looks as following: + +```json +{ + "@timestamp": "2025-02-01T00:00:00.000Z", + "agent": { + "ephemeral_id": "2ad22f71-fc0e-431f-ac9b-5cce9186e1ef", + "id": "22610512-ee45-4ec8-8a19-124542ad0a82", + "name": "elastic-agent-97577", + "type": "filebeat", + "version": "8.18.0" + }, + "data_stream": { + "dataset": "vectra_rux.audit", + "namespace": "34718", + "type": "logs" + }, + "ecs": { + "version": "8.17.0" + }, + "elastic_agent": { + "id": "22610512-ee45-4ec8-8a19-124542ad0a82", + "snapshot": false, + "version": "8.18.0" + }, + "event": { + "action": "updated", + "agent_id_status": "verified", + "category": [ + "configuration" + ], + "dataset": "vectra_rux.audit", + "ingested": "2025-05-08T05:10:37Z", + "kind": "event", + "original": "{\"api_client_id\":\"0cc5c3a9-4b1d-4b3a-9c5c-3a9b1d4b3a9b\",\"event_action\":\"updated\",\"event_data\":{},\"event_object\":\"account_tags\",\"event_timestamp\":\"2025-02-01T00:00:00.000Z\",\"id\":3,\"message\":\"[table:linked_account][id:1] with tags [] was changed to ['tag1', 'tag2', 'tag3', 'tag4', 'tag5', 'tag6']\",\"result_status\":\"success\",\"source_ip\":\"89.160.20.156\",\"user_id\":3,\"user_role\":\"Security Analyst\",\"user_type\":\"API_CLIENT\",\"username\":\"admin\",\"version\":\"2022.0.0\"}", + "outcome": "success", + "type": [ + "change" + ] + }, + "input": { + "type": "cel" + }, + "message": "[table:linked_account][id:1] with tags [] was changed to ['tag1', 'tag2', 'tag3', 'tag4', 'tag5', 'tag6']", + "observer": { + "product": "Vectra RUX", + "version": "2022.0.0" + }, + "related": { + "ip": [ + "89.160.20.156" + ], + "user": [ + "3", + "admin" + ] + }, + "source": { + 
"as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "vectra_rux-audit" + ], + "user": { + "id": "3", + "name": "admin", + "roles": [ + "Security Analyst" + ] + }, + "vectra_rux": { + "audit": { + "api_client_id": "0cc5c3a9-4b1d-4b3a-9c5c-3a9b1d4b3a9b", + "event": { + "action": "updated", + "object": "account_tags", + "timestamp": "2025-02-01T00:00:00.000Z" + }, + "id": "3", + "message": "[table:linked_account][id:1] with tags [] was changed to ['tag1', 'tag2', 'tag3', 'tag4', 'tag5', 'tag6']", + "result_status": "success", + "source_ip": "89.160.20.156", + "user": { + "id": "3", + "name": "admin", + "role": "Security Analyst", + "type": "API_CLIENT" + }, + "version": "2022.0.0" + } + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| event.dataset | Event dataset. | constant_keyword | +| event.module | Event module. | constant_keyword | +| input.type | Type of Filebeat input. | keyword | +| log.offset | Log offset. | long | +| observer.vendor | | constant_keyword | +| vectra_rux.audit.api_client_id | API client ID, if an event was caused by an API client interaction. | keyword | +| vectra_rux.audit.event.action | What type of action is being audited. | keyword | +| vectra_rux.audit.event.data | JSON data specific to the event type. 
| flattened | +| vectra_rux.audit.event.object | The object type the audited action is being performed on. | keyword | +| vectra_rux.audit.event.timestamp | Event timestamp (UTC) in ISO-8601 format. | date | +| vectra_rux.audit.id | Auto incrementing ID. | keyword | +| vectra_rux.audit.message | Message describing the event. | keyword | +| vectra_rux.audit.result_status | Result status of the event. "success" or "failure". | keyword | +| vectra_rux.audit.source_ip | IP address of the user/API client. | ip | +| vectra_rux.audit.user.id | User ID of the user account associated with the event. | keyword | +| vectra_rux.audit.user.name | Username of the account associated with the event, at the time of the event. | keyword | +| vectra_rux.audit.user.role | Role the user/API client had at the time of the event. | keyword | +| vectra_rux.audit.user.type | User type. | keyword | +| vectra_rux.audit.version | Vectra UI version at the time of the event. | keyword | + + +### Detection Event + +This is the `Detection Event` dataset. 
+ +#### Example + +An example event for `detection_event` looks as following: + +```json +{ + "@timestamp": "2022-09-13T16:31:35.000Z", + "agent": { + "ephemeral_id": "f902a8e6-4c67-4620-9db4-c0a260f8c994", + "id": "e1f117dc-bfd4-4ff6-9b98-2e4040a1b329", + "name": "elastic-agent-18657", + "type": "filebeat", + "version": "8.18.0" + }, + "data_stream": { + "dataset": "vectra_rux.detection_event", + "namespace": "24621", + "type": "logs" + }, + "ecs": { + "version": "8.17.0" + }, + "elastic_agent": { + "id": "e1f117dc-bfd4-4ff6-9b98-2e4040a1b329", + "snapshot": false, + "version": "8.18.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "threat" + ], + "dataset": "vectra_rux.detection_event", + "id": "959", + "ingested": "2025-05-08T05:11:36Z", + "kind": "alert", + "original": "{\"category\":\"command_and_control\",\"certainty\":50,\"d_type_vname\":\"Azure AD Redundant Access Creation\",\"detail\":{},\"detection_href\":\"https://207031206993.uw2.devportal.vectra.ai/detections/959?detail_id=94341\",\"detection_id\":959,\"detection_type\":\"Azure AD Redundant Access Creation\",\"entity_href\":\"https://207031206993.uw2.devportal.vectra.ai/accounts/1\",\"entity_id\":1,\"entity_uid\":\"O365:ServicePrincipal_3fb87dda-882a-49e1-88b9-67d2499b2fd4\",\"event_timestamp\":\"2022-09-13T16:31:35Z\",\"id\":5,\"mitre\":[\"T1526\"],\"severity\":5,\"src_entity\":\"O365:ServicePrincipal_3fb87dda-882a-49e1-88b9-67d2499b2fd4\",\"threat\":50,\"triaged\":false,\"type\":\"account\",\"url\":\"https://207031206993.uw2.devportal.vectra.ai/detections/959\"}", + "reference": "https://207031206993.uw2.devportal.vectra.ai/detections/959?detail_id=94341", + "severity": 5, + "type": [ + "indicator" + ], + "url": "https://207031206993.uw2.devportal.vectra.ai/detections/959" + }, + "input": { + "type": "cel" + }, + "observer": { + "product": "Vectra RUX" + }, + "related": { + "user": [ + "1" + ] + }, + "rule": { + "name": "Azure AD Redundant Access Creation" + }, + "tags": [ + 
"preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "vectra_rux-detection_event" + ], + "threat": { + "indicator": { + "reference": "https://207031206993.uw2.devportal.vectra.ai/detections/959?detail_id=94341" + }, + "tactic": { + "name": [ + "command_and_control" + ] + }, + "technique": { + "id": [ + "T1526" + ] + } + }, + "url": { + "domain": "207031206993.uw2.devportal.vectra.ai", + "original": "https://207031206993.uw2.devportal.vectra.ai/detections/959?detail_id=94341", + "path": "/detections/959", + "query": "detail_id=94341", + "scheme": "https" + }, + "user": { + "id": "1", + "risk": { + "calculated_score": 50 + } + }, + "vectra_rux": { + "detection_event": { + "category": "command_and_control", + "certainty": 50, + "d_type_vname": "Azure AD Redundant Access Creation", + "detection": { + "href": "https://207031206993.uw2.devportal.vectra.ai/detections/959?detail_id=94341", + "id": "959", + "type": "Azure AD Redundant Access Creation" + }, + "entity": { + "id": "1", + "uid": "O365:ServicePrincipal_3fb87dda-882a-49e1-88b9-67d2499b2fd4" + }, + "event_timestamp": "2022-09-13T16:31:35.000Z", + "id": "5", + "mitre": [ + "T1526" + ], + "severity": 5, + "src_entity": "O365:ServicePrincipal_3fb87dda-882a-49e1-88b9-67d2499b2fd4", + "threat": 50, + "triaged": false, + "type": "account", + "url": "https://207031206993.uw2.devportal.vectra.ai/detections/959" + } + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| event.dataset | Event dataset. | constant_keyword | +| event.module | Event module. | constant_keyword | +| input.type | Type of Filebeat input. | keyword | +| log.offset | Log offset. 
| long | +| observer.vendor | | constant_keyword | +| vectra_rux.detection_event.category | The detection category. | keyword | +| vectra_rux.detection_event.certainty | The certainty score attributed to the detection. | long | +| vectra_rux.detection_event.d_type_vname | The detection name. | keyword | +| vectra_rux.detection_event.detail | The detection detail. | flattened | +| vectra_rux.detection_event.detection.href | Link to the detection. | keyword | +| vectra_rux.detection_event.detection.id | The ID of the detection. | keyword | +| vectra_rux.detection_event.detection.type | Type of detection. | keyword | +| vectra_rux.detection_event.entity.id | Id of the related entity. | keyword | +| vectra_rux.detection_event.entity.uid | UID of the related entity. | keyword | +| vectra_rux.detection_event.event_timestamp | Timestamp when the Account Detection Event occurred. | date | +| vectra_rux.detection_event.id | The ID of the Account Detection Event. | keyword | +| vectra_rux.detection_event.mitre | Type of Mitre Technique. | keyword | +| vectra_rux.detection_event.severity | The severity of the detection. | long | +| vectra_rux.detection_event.src_entity | | keyword | +| vectra_rux.detection_event.threat | The threat score attributed to the detection. | long | +| vectra_rux.detection_event.triaged | Indicates whether the detection has been triaged. | boolean | +| vectra_rux.detection_event.type | Type of the related entity. | keyword | +| vectra_rux.detection_event.url | Corresponding URL of the detection event. | keyword | + + +### Entity Event + +This is the `Entity Event` dataset. 
+ +#### Example + +An example event for `entity_event` looks as following: + +```json +{ + "@timestamp": "2022-07-07T00:14:31.000Z", + "agent": { + "ephemeral_id": "8e279852-4243-469f-91ad-8d0997ef64f6", + "id": "e80a9f22-25ca-45f5-9e14-925407b71763", + "name": "elastic-agent-21664", + "type": "filebeat", + "version": "8.18.0" + }, + "data_stream": { + "dataset": "vectra_rux.entity_event", + "namespace": "67167", + "type": "logs" + }, + "ecs": { + "version": "8.17.0" + }, + "elastic_agent": { + "id": "e80a9f22-25ca-45f5-9e14-925407b71763", + "snapshot": false, + "version": "8.18.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "host" + ], + "dataset": "vectra_rux.entity_event", + "id": "100", + "ingested": "2025-05-08T05:12:29Z", + "kind": "event", + "original": "{\"active_detection_types\":[\"hidden_https_tunnel_cnc\"],\"attack_rating\":0,\"breadth_contrib\":0,\"category\":\"HOST_SCORING\",\"entity_id\":100,\"event_timestamp\":\"2022-07-07T00:14:31Z\",\"id\":1,\"importance\":0,\"is_prioritized\":false,\"last_detection\":{\"id\":103,\"type\":\"hidden_https_tunnel_cnc\",\"url\":\"https://200888808432.uw2.devportal.vectra.ai/detections/103\"},\"name\":\"piper-desktop\",\"severity\":\"Low\",\"type\":\"host\",\"urgency_reason\":\"Ransomware: This entity was prioritized because it was implicated in an active ransomware detection\",\"urgency_score\":0,\"url\":\"https://200888808432.uw2.devportal.vectra.ai/accounts/8\",\"velocity_contrib\":0}", + "reference": "https://200888808432.uw2.devportal.vectra.ai/detections/103", + "severity": 33, + "type": [ + "info" + ], + "url": "https://200888808432.uw2.devportal.vectra.ai/accounts/8" + }, + "host": { + "id": "100", + "name": "piper-desktop" + }, + "input": { + "type": "cel" + }, + "message": "Ransomware: This entity was prioritized because it was implicated in an active ransomware detection", + "observer": { + "product": "Vectra RUX" + }, + "related": { + "hosts": [ + "100", + "piper-desktop" + ] + }, + 
"tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "vectra_rux-entity_event", + "vectra_rux-entity_event-host" + ], + "threat": { + "indicator": { + "reference": "https://200888808432.uw2.devportal.vectra.ai/detections/103" + } + }, + "url": { + "domain": "200888808432.uw2.devportal.vectra.ai", + "original": "https://200888808432.uw2.devportal.vectra.ai/detections/103", + "path": "/detections/103", + "scheme": "https" + }, + "vectra_rux": { + "entity_event": { + "active_detection_types": [ + "hidden_https_tunnel_cnc" + ], + "attack_rating": 0, + "breadth_contrib": 0, + "category": "HOST_SCORING", + "entity_id": "100", + "event_timestamp": "2022-07-07T00:14:31.000Z", + "id": "1", + "importance": 0, + "is_prioritized": false, + "last_detection": { + "id": "103", + "type": "hidden_https_tunnel_cnc", + "url": "https://200888808432.uw2.devportal.vectra.ai/detections/103" + }, + "name": "piper-desktop", + "severity": "Low", + "type": "host", + "urgency": { + "reason": "Ransomware: This entity was prioritized because it was implicated in an active ransomware detection", + "score": 0 + }, + "url": "https://200888808432.uw2.devportal.vectra.ai/accounts/8", + "velocity_contrib": 0 + } + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| event.dataset | Event dataset. | constant_keyword | +| event.module | Event module. | constant_keyword | +| input.type | Type of Filebeat input. | keyword | +| log.offset | Log offset. | long | +| observer.vendor | | constant_keyword | +| vectra_rux.entity_event.active_detection_types | A list of all active detection types on the entity. 
| keyword | +| vectra_rux.entity_event.attack_rating | | long | +| vectra_rux.entity_event.breadth_contrib | Breadth contribution of the entity. | long | +| vectra_rux.entity_event.category | The event category. | keyword | +| vectra_rux.entity_event.entity_id | Entity ID. | keyword | +| vectra_rux.entity_event.event_timestamp | Timestamp when the detection event occurred. | date | +| vectra_rux.entity_event.id | | keyword | +| vectra_rux.entity_event.importance | Importance score of the entity. | long | +| vectra_rux.entity_event.is_prioritized | Whether or not the priority of this entity is above the configured priority threshold. | boolean | +| vectra_rux.entity_event.last_detection.id | | keyword | +| vectra_rux.entity_event.last_detection.type | | keyword | +| vectra_rux.entity_event.last_detection.url | | keyword | +| vectra_rux.entity_event.name | The name associated with the account, or the learned hostname. | keyword | +| vectra_rux.entity_event.severity | Entity severity. | keyword | +| vectra_rux.entity_event.type | Entity type. | keyword | +| vectra_rux.entity_event.urgency.reason | Reason behind the urgency_score. | keyword | +| vectra_rux.entity_event.urgency.score | Priority or urgency of the entity. | long | +| vectra_rux.entity_event.url | The URL link directly to this entity. | keyword | +| vectra_rux.entity_event.velocity_contrib | Velocity contribution of the entity. | long | + + +### Health + +This is the `Health` dataset. 
+ +#### Example + +An example event for `health` looks as following: + +```json +{ + "@timestamp": "2025-04-15T09:39:45.146Z", + "agent": { + "ephemeral_id": "179cd6a3-65f7-4a00-adde-438057bab374", + "id": "25cd8358-4959-42d7-b298-4f4de6a30faf", + "name": "elastic-agent-32052", + "type": "filebeat", + "version": "8.18.0" + }, + "data_stream": { + "dataset": "vectra_rux.health", + "namespace": "68011", + "type": "logs" + }, + "ecs": { + "version": "8.17.0" + }, + "elastic_agent": { + "id": "25cd8358-4959-42d7-b298-4f4de6a30faf", + "snapshot": false, + "version": "8.18.0" + }, + "event": { + "agent_id_status": "verified", + "dataset": "vectra_rux.health", + "ingested": "2025-05-08T05:13:27Z", + "kind": "event", + "original": "{\"connectivity\":{\"sensors\":[{\"affected_metadata_hours\":[\"2025-04-18T00:00:00Z\",\"2025-04-18T01:00:00Z\"],\"error\":\"metadata replication seems fine\",\"ip_address\":\"216.160.83.56\",\"luid\":\"w4ftj0a8\",\"name\":\"EDR Sensor\",\"serial_number\":\"V421353ef386550fb2f9a959fa3f52aee\",\"status\":\"OK\"},{\"affected_metadata_hours\":[\"2025-04-18T00:00:00Z\",\"2025-04-18T01:00:00Z\"],\"error\":\"metadata replication seems fine\",\"ip_address\":\"81.2.69.142\",\"luid\":\"w4ftj0a8\",\"name\":\"XDR Sensor\",\"serial_number\":\"V423ef386550fb2f9a959fa3f52aee\",\"status\":\"OK\"}],\"updated_at\":\"2025-04-18 07:17:35+00:00\"},\"cpu\":{\"idle_percent\":43.9,\"nice_percent\":0,\"system_percent\":24.9,\"updated_at\":\"2025-04-18 07:17:35+00:00\",\"user_percent\":30},\"detection\":{\"detection_type\":\"AWS\",\"message\":\"This is detection message\",\"name\":\"Detection 1\",\"status\":\"OK\",\"updated_at\":\"2025-04-18 
07:17:33+00:00\"},\"disk\":{\"degraded_raid_volume\":{\"error\":\"error\",\"output\":\"output\",\"status\":\"OK\"},\"disk_raid\":{\"error\":\"error\",\"output\":\"output\",\"status\":\"OK\"},\"disk_utilization\":{\"free_bytes\":10000109,\"total_bytes\":67444477952,\"usage_percent\":47,\"used_bytes\":33078743040},\"raid_disks_missing\":{\"error\":\"error\",\"output\":\"output\",\"status\":\"OK\"},\"updated_at\":\"2025-04-18 07:17:34+00:00\"},\"event_timestamp\":\"2025-04-15T09:39:45.146Z\",\"hostid\":{\"artifact_counts\":{\"TestEDR\":0,\"arsenic\":0,\"carbon_black\":0,\"cb_cloud\":0,\"clear_state\":0,\"cookie\":0,\"crowdstrike\":0,\"cybereason\":0,\"dhcp\":6606,\"dns\":27818,\"end_time\":0,\"fireeye\":0,\"generic_edr\":0,\"idle_end\":27818,\"idle_start\":27936,\"invalid\":0,\"kerberos\":209,\"kerberos_user\":0,\"mdns\":18575,\"netbios\":15596,\"proxy_ip\":0,\"rdns\":0,\"sentinelone\":0,\"split\":0,\"src_port\":0,\"static_ip\":0,\"total\":134681,\"uagent\":10122,\"vmachine_info\":0,\"windows_defender\":1,\"zpa_user\":0},\"ip_always_percent\":18.52,\"ip_never_percent\":79.01,\"ip_sometimes_percent\":2.47,\"updated_at\":\"2025-04-18 07:17:35+00:00\"},\"memory\":{\"free_bytes\":5597118464,\"total_bytes\":67444477952,\"updated_at\":\"2025-04-18 07:17:35+00:00\",\"usage_percent\":47,\"used_bytes\":33078743040},\"network\":{\"updated_at\":\"2025-04-18 07:17:34+00:00\",\"vlans\":{\"count\":1,\"vlan_ids\":[\"7\",\"8\"]}},\"power\":{\"error\":\"Power check for this device is not supported\",\"status\":\"SKIP\",\"updated_at\":\"2025-04-18 07:17:35+00:00\"},\"sensors\":[{\"headend_uri\":\"175.16.199.24\",\"id\":3,\"ip_address\":\"175.16.199.0\",\"last_seen\":\"2025-04-18T07:15:37.685Z\",\"location\":\"hyp-2-37\",\"luid\":\"w4ftj0a8\",\"mode\":\"sensor\",\"name\":\"EDR Sensor\",\"original_version\":\"7.9.0-17-38\",\"product_name\":\"DCS\",\"public_key\":\"-----BEGIN PUBLIC 
KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1y0zv2goBjkol/8TggJJ\\nMgP03tIZ6B6w9PVpF/bK8KTT0/hinX8PHP/MdDS58sVE6DuAqAkkELqN55f35AhB\\nOqztY9xWDH8bO7Y0P0kbBIQ9+/abyfNpaxbiQe5Yk8oClyEgtXH4GKJCNxkGgbIb\\n-----END PUBLIC KEY-----\\n\",\"serial_number\":\"V421353ef386550fb2f9a959fa3f52aee\",\"ssh_tunnel_port\":\"38113\",\"status\":\"paired\",\"update_count\":0,\"version\":\"9.0.3-1-62\"},{\"headend_uri\":\"175.16.199.24\",\"id\":2,\"ip_address\":\"175.16.199.0\",\"last_seen\":\"2025-04-18T07:15:37.685Z\",\"location\":\"hyp-2-35\",\"luid\":\"w4ftj0a8\",\"mode\":\"sensor\",\"name\":\"XDR Sensor\",\"original_version\":\"7.9.0-17-38\",\"product_name\":\"DCS\",\"public_key\":\"-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1y0zv2goBjkol/8TggJJ\\nMgP03tIZ6B6w9PVpF/bK8KTT0/hinX8PHP/MdDS58sVE6DuAqAkkELqN55f35AhB\\nOqztY9xWDH8bO7Y0P0kbBIQ9+/abyfNpaxbiQe5Yk8oClyEgtXH4GKJCNxkGgbIb\\n-----END PUBLIC KEY-----\\n\",\"serial_number\":\"12421353ef386550fb2f9a959fa3f52aee\",\"ssh_tunnel_port\":\"38113\",\"status\":\"paired\",\"update_count\":0,\"version\":\"9.0.3-1-62\"},{\"headend_uri\":\"http://headend_uri/\",\"id\":1,\"ip_address\":\"175.16.199.0\",\"last_seen\":\"2025-04-18T07:15:37.685Z\",\"location\":\"hyp-2-30\",\"luid\":\"w4ftj0a8\",\"mode\":\"sensor\",\"name\":\"DR Sensor\",\"original_version\":\"7.9.0-17-38\",\"product_name\":\"DCS\",\"public_key\":\"-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1y0zv2goBjkol/8TggJJ\\nMgP03tIZ6B6w9PVpF/bK8KTT0/hinX8PHP/MdDS58sVE6DuAqAkkELqN55f35AhB\\nOqztY9xWDH8bO7Y0P0kbBIQ9+/abyfNpaxbiQe5Yk8oClyEgtXH4GKJCNxkGgbIb\\n-----END PUBLIC KEY-----\\n\",\"serial_number\":\"V4121353ef386550fb2f9a959fa3f52aee\",\"ssh_tunnel_port\":\"38113\",\"status\":\"paired\",\"update_count\":0,\"version\":\"9.0.3-1-62\"}],\"system\":{\"serial_number\":\"VHE66258a5e8dafe76d9a5dd741abd94ee8\",\"updated_at\":\"2025-04-18 07:17:33+00:00\",\"uptime\":\"261 days, 13 hours, 33 
minutes\",\"version\":{\"cloud_bridge\":true,\"gmt\":\"2025-04-18T07:14:09.593927Z\",\"last_update\":\"Wed Apr 9 02:03:16 2025\",\"last_update_utc\":\"2025-04-09T02:03:16+00:00\",\"mode\":\"brain\",\"model\":\"VHE\",\"vectra_instance_type\":\"medium\",\"vectra_version\":\"9.0.3-2-62\",\"vm_type\":\"vmware\"}},\"trafficdrop\":{\"sensors\":[{\"error\":\"All interfaces have traffic volume within range\",\"ip_address\":\"1.128.0.0\",\"luid\":\"w4ftj0a8\",\"name\":\"EDR Sensor\",\"serial_number\":\"V421353ef386550fb2f9a959fa3f52aee\",\"status\":\"OK\"},{\"error\":\"Interface have traffic volume within range\",\"ip_address\":\"1.128.0.11\",\"luid\":\"w4ftj0a8\",\"name\":\"XDR Sensor\",\"serial_number\":\"1421353ef386550fb2f9a959fa3f52aee\",\"status\":\"OK\"}],\"updated_at\":\"2025-04-18 07:17:35+00:00\"}}" + }, + "host": { + "cpu": { + "usage": 30 + }, + "id": "VHE66258a5e8dafe76d9a5dd741abd94ee8", + "type": "vmware" + }, + "input": { + "type": "cel" + }, + "message": "This is detection message", + "network": { + "vlan": { + "id": [ + "7", + "8" + ] + } + }, + "observer": { + "ip": [ + "175.16.199.0" + ], + "name": [ + "EDR Sensor", + "XDR Sensor", + "DR Sensor" + ], + "product": "Vectra RUX", + "serial_number": [ + "V421353ef386550fb2f9a959fa3f52aee", + "12421353ef386550fb2f9a959fa3f52aee", + "V4121353ef386550fb2f9a959fa3f52aee" + ], + "version": [ + "9.0.3-1-62" + ] + }, + "related": { + "ip": [ + "216.160.83.56", + "81.2.69.142", + "175.16.199.0", + "175.16.199.24", + "1.128.0.0", + "1.128.0.11" + ] + }, + "rule": { + "name": "Detection 1" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "vectra_rux-health" + ], + "threat": { + "indicator": { + "description": "This is detection message" + } + }, + "vectra_rux": { + "health": { + "connectivity": { + "sensors": [ + { + "affected_metadata_hours": [ + "2025-04-18T00:00:00Z", + "2025-04-18T01:00:00Z" + ], + "error": "metadata replication seems fine", + "ip_address": 
"216.160.83.56", + "luid": "w4ftj0a8", + "name": "EDR Sensor", + "serial_number": "V421353ef386550fb2f9a959fa3f52aee", + "status": "OK" + }, + { + "affected_metadata_hours": [ + "2025-04-18T00:00:00Z", + "2025-04-18T01:00:00Z" + ], + "error": "metadata replication seems fine", + "ip_address": "81.2.69.142", + "luid": "w4ftj0a8", + "name": "XDR Sensor", + "serial_number": "V423ef386550fb2f9a959fa3f52aee", + "status": "OK" + } + ] + }, + "cpu": { + "idle_percent": 43.9, + "nice_percent": 0, + "system_percent": 24.9, + "updated_at": "2025-04-18T07:17:35.000Z", + "user_percent": 30 + }, + "detection": { + "detection_type": "AWS", + "message": "This is detection message", + "name": "Detection 1", + "status": "OK", + "updated_at": "2025-04-18T07:17:33.000Z" + }, + "disk": { + "degraded_raid_volume": { + "error": "error", + "output": "output", + "status": "OK" + }, + "disk_raid": { + "error": "error", + "output": "output", + "status": "OK" + }, + "disk_utilization": { + "free_bytes": 10000109, + "total_bytes": 67444477952, + "usage_percent": 47, + "used_bytes": 33078743040 + }, + "raid_disks_missing": { + "error": "error", + "output": "output", + "status": "OK" + }, + "updated_at": "2025-04-18T07:17:34.000Z" + }, + "event_timestamp": "2025-04-15T09:39:45.146Z", + "hostid": { + "artifact_counts": { + "TestEDR": 0, + "arsenic": 0, + "carbon_black": 0, + "cb_cloud": 0, + "clear_state": 0, + "cookie": 0, + "crowdstrike": 0, + "cybereason": 0, + "dhcp": 6606, + "dns": 27818, + "end_time": 0, + "fireeye": 0, + "generic_edr": 0, + "idle_end": 27818, + "idle_start": 27936, + "invalid": 0, + "kerberos": 209, + "kerberos_user": 0, + "mdns": 18575, + "netbios": 15596, + "proxy_ip": 0, + "rdns": 0, + "sentinelone": 0, + "split": 0, + "src_port": 0, + "static_ip": 0, + "total": 134681, + "uagent": 10122, + "vmachine_info": 0, + "windows_defender": 1, + "zpa_user": 0 + }, + "ip_always_percent": 18.52, + "ip_never_percent": 2.47, + "ip_sometimes_percent": 79.01, + "updated_at": 
"2025-04-18T07:17:35.000Z" + }, + "memory": { + "free_bytes": 5597118464, + "total_bytes": 67444477952, + "updated_at": "2025-04-18T07:17:35.000Z", + "usage_percent": 47, + "used_bytes": 33078743040 + }, + "network": { + "updated_at": "2025-04-18T07:17:34.000Z", + "vlans": { + "count": 1, + "vlan_ids": [ + "7", + "8" + ] + } + }, + "power": { + "error": "Power check for this device is not supported", + "status": "SKIP", + "updated_at": "2025-04-18T07:17:35.000Z" + }, + "sensors": [ + { + "headend_ip": "175.16.199.24", + "id": "3", + "location": "hyp-2-37", + "luid": "w4ftj0a8", + "mode": "sensor", + "name": "EDR Sensor", + "original_version": "7.9.0-17-38", + "product_name": "DCS", + "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1y0zv2goBjkol/8TggJJ\nMgP03tIZ6B6w9PVpF/bK8KTT0/hinX8PHP/MdDS58sVE6DuAqAkkELqN55f35AhB\nOqztY9xWDH8bO7Y0P0kbBIQ9+/abyfNpaxbiQe5Yk8oClyEgtXH4GKJCNxkGgbIb\n-----END PUBLIC KEY-----\n", + "serial_number": "V421353ef386550fb2f9a959fa3f52aee", + "ssh_tunnel_port": "38113", + "status": "paired", + "update_count": 0, + "version": "9.0.3-1-62" + }, + { + "headend_ip": "175.16.199.24", + "id": "2", + "location": "hyp-2-35", + "luid": "w4ftj0a8", + "mode": "sensor", + "name": "XDR Sensor", + "original_version": "7.9.0-17-38", + "product_name": "DCS", + "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1y0zv2goBjkol/8TggJJ\nMgP03tIZ6B6w9PVpF/bK8KTT0/hinX8PHP/MdDS58sVE6DuAqAkkELqN55f35AhB\nOqztY9xWDH8bO7Y0P0kbBIQ9+/abyfNpaxbiQe5Yk8oClyEgtXH4GKJCNxkGgbIb\n-----END PUBLIC KEY-----\n", + "serial_number": "12421353ef386550fb2f9a959fa3f52aee", + "ssh_tunnel_port": "38113", + "status": "paired", + "update_count": 0, + "version": "9.0.3-1-62" + }, + { + "headend_url": "http://headend_uri/", + "id": "1", + "location": "hyp-2-30", + "luid": "w4ftj0a8", + "mode": "sensor", + "name": "DR Sensor", + "original_version": "7.9.0-17-38", + "product_name": "DCS", + "public_key": "-----BEGIN 
PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1y0zv2goBjkol/8TggJJ\nMgP03tIZ6B6w9PVpF/bK8KTT0/hinX8PHP/MdDS58sVE6DuAqAkkELqN55f35AhB\nOqztY9xWDH8bO7Y0P0kbBIQ9+/abyfNpaxbiQe5Yk8oClyEgtXH4GKJCNxkGgbIb\n-----END PUBLIC KEY-----\n", + "serial_number": "V4121353ef386550fb2f9a959fa3f52aee", + "ssh_tunnel_port": "38113", + "status": "paired", + "update_count": 0, + "version": "9.0.3-1-62" + } + ], + "system": { + "serial_number": "VHE66258a5e8dafe76d9a5dd741abd94ee8", + "updated_at": "2025-04-18T07:17:33.000Z", + "uptime": "261 days, 13 hours, 33 minutes", + "version": { + "cloud_bridge": true, + "gmt": "2025-04-18T07:14:09.593Z", + "last_update": "2025-04-09T02:03:16.000Z", + "last_update_utc": "2025-04-09T02:03:16.000Z", + "mode": "brain", + "model": "VHE", + "vectra_instance_type": "medium", + "vectra_version": "9.0.3-2-62", + "vm_type": "vmware" + } + }, + "trafficdrop": { + "sensors": [ + { + "error": "All interfaces have traffic volume within range", + "ip_address": "1.128.0.0", + "luid": "w4ftj0a8", + "name": "EDR Sensor", + "serial_number": "V421353ef386550fb2f9a959fa3f52aee", + "status": "OK" + }, + { + "error": "Interface have traffic volume within range", + "ip_address": "1.128.0.11", + "luid": "w4ftj0a8", + "name": "XDR Sensor", + "serial_number": "1421353ef386550fb2f9a959fa3f52aee", + "status": "OK" + } + ], + "updated_at": "2025-04-18T07:17:35.000Z" + } + } + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| event.dataset | Event dataset. | constant_keyword | +| event.module | Event module. | constant_keyword | +| input.type | Type of Filebeat input. | keyword | +| log.offset | Log offset. 
| long | +| observer.vendor | | constant_keyword | +| vectra_rux.health.connectivity.sensors.affected_metadata_hours | Field not present if status is 'OK'. | keyword | +| vectra_rux.health.connectivity.sensors.error | | keyword | +| vectra_rux.health.connectivity.sensors.ip_address | | ip | +| vectra_rux.health.connectivity.sensors.luid | | keyword | +| vectra_rux.health.connectivity.sensors.name | | keyword | +| vectra_rux.health.connectivity.sensors.output | | flattened | +| vectra_rux.health.connectivity.sensors.serial_number | | keyword | +| vectra_rux.health.connectivity.sensors.status | Status can be OK, WARNING, CRITICAL, or UNKNOWN. | keyword | +| vectra_rux.health.cpu.idle_percent | Percentage of CPU idle. | double | +| vectra_rux.health.cpu.nice_percent | Percentage of CPU processing higher prioritized tasks. | double | +| vectra_rux.health.cpu.system_percent | Percentage of CPU processing system specific tasks. | double | +| vectra_rux.health.cpu.updated_at | | date | +| vectra_rux.health.cpu.user_percent | Percentage of CPU processing tasks. | double | +| vectra_rux.health.detection.check_results | One entry per failing detection model, or exactly one entry if all detection models are healthy. | flattened | +| vectra_rux.health.detection.detection_type | | keyword | +| vectra_rux.health.detection.message | | keyword | +| vectra_rux.health.detection.name | | keyword | +| vectra_rux.health.detection.status | Status can be OK or CRITICAL. 
| keyword | +| vectra_rux.health.detection.updated_at | | date | +| vectra_rux.health.disk.degraded_raid_volume.error | | keyword | +| vectra_rux.health.disk.degraded_raid_volume.output | | keyword | +| vectra_rux.health.disk.degraded_raid_volume.status | | keyword | +| vectra_rux.health.disk.disk_raid.error | | keyword | +| vectra_rux.health.disk.disk_raid.output | | keyword | +| vectra_rux.health.disk.disk_raid.status | | keyword | +| vectra_rux.health.disk.disk_utilization.free_bytes | | long | +| vectra_rux.health.disk.disk_utilization.total_bytes | | long | +| vectra_rux.health.disk.disk_utilization.usage_percent | | double | +| vectra_rux.health.disk.disk_utilization.used_bytes | | long | +| vectra_rux.health.disk.raid_disks_missing.error | | keyword | +| vectra_rux.health.disk.raid_disks_missing.output | | keyword | +| vectra_rux.health.disk.raid_disks_missing.status | | keyword | +| vectra_rux.health.disk.updated_at | | date | +| vectra_rux.health.event_timestamp | | date | +| vectra_rux.health.hostid.artifact_counts | | object | +| vectra_rux.health.hostid.ip_always_percent | | double | +| vectra_rux.health.hostid.ip_never_percent | | double | +| vectra_rux.health.hostid.ip_sometimes_percent | | double | +| vectra_rux.health.hostid.updated_at | | date | +| vectra_rux.health.memory.free_bytes | | long | +| vectra_rux.health.memory.total_bytes | | long | +| vectra_rux.health.memory.updated_at | | date | +| vectra_rux.health.memory.usage_percent | | double | +| vectra_rux.health.memory.used_bytes | | long | +| vectra_rux.health.network.interfaces | | flattened | +| vectra_rux.health.network.traffic | | flattened | +| vectra_rux.health.network.updated_at | | date | +| vectra_rux.health.network.vlans.count | | long | +| vectra_rux.health.network.vlans.vlan_ids | | keyword | +| vectra_rux.health.power.error | | keyword | +| vectra_rux.health.power.power_supplies | | flattened | +| vectra_rux.health.power.status | | keyword | +| vectra_rux.health.power.updated_at 
| | date | +| vectra_rux.health.sensors.headend_ip | | ip | +| vectra_rux.health.sensors.headend_url | | keyword | +| vectra_rux.health.sensors.id | | keyword | +| vectra_rux.health.sensors.ip_address | | ip | +| vectra_rux.health.sensors.last_seen | | date | +| vectra_rux.health.sensors.location | | keyword | +| vectra_rux.health.sensors.luid | | keyword | +| vectra_rux.health.sensors.mode | | keyword | +| vectra_rux.health.sensors.name | | keyword | +| vectra_rux.health.sensors.original_version | | keyword | +| vectra_rux.health.sensors.product_name | | keyword | +| vectra_rux.health.sensors.public_key | | keyword | +| vectra_rux.health.sensors.serial_number | | keyword | +| vectra_rux.health.sensors.ssh_tunnel_port | | keyword | +| vectra_rux.health.sensors.status | | keyword | +| vectra_rux.health.sensors.update_count | | long | +| vectra_rux.health.sensors.version | | keyword | +| vectra_rux.health.system.serial_number | | keyword | +| vectra_rux.health.system.updated_at | | date | +| vectra_rux.health.system.uptime | | keyword | +| vectra_rux.health.system.version.cloud_bridge | | boolean | +| vectra_rux.health.system.version.gmt | | date | +| vectra_rux.health.system.version.last_update | | date | +| vectra_rux.health.system.version.last_update_utc | | date | +| vectra_rux.health.system.version.mode | | keyword | +| vectra_rux.health.system.version.model | | keyword | +| vectra_rux.health.system.version.vectra_instance_type | | keyword | +| vectra_rux.health.system.version.vectra_version | | keyword | +| vectra_rux.health.system.version.vm_type | | keyword | +| vectra_rux.health.trafficdrop.sensors.error | | keyword | +| vectra_rux.health.trafficdrop.sensors.ip_address | | ip | +| vectra_rux.health.trafficdrop.sensors.luid | | keyword | +| vectra_rux.health.trafficdrop.sensors.name | | keyword | +| vectra_rux.health.trafficdrop.sensors.output | | flattened | +| vectra_rux.health.trafficdrop.sensors.serial_number | | keyword | +| 
vectra_rux.health.trafficdrop.sensors.status | Status can be OK, WARNING, UNKNOWN, or SKIP. | keyword | +| vectra_rux.health.trafficdrop.updated_at | | date | + + +### Lockdown + +This is the `Lockdown` dataset. + +#### Example + +An example event for `lockdown` looks as following: + +```json +{ + "@timestamp": "2023-03-06T22:30:06.000Z", + "agent": { + "ephemeral_id": "37d3c565-b736-4b82-a0ad-be1e92db36ed", + "id": "03e0c104-ccc5-42d7-ac56-8d19b25af6ac", + "name": "elastic-agent-31520", + "type": "filebeat", + "version": "8.18.0" + }, + "data_stream": { + "dataset": "vectra_rux.lockdown", + "namespace": "46084", + "type": "logs" + }, + "ecs": { + "version": "8.17.0" + }, + "elastic_agent": { + "id": "03e0c104-ccc5-42d7-ac56-8d19b25af6ac", + "snapshot": false, + "version": "8.18.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "host" + ], + "dataset": "vectra_rux.lockdown", + "end": "2023-04-07T23:50:00.000Z", + "ingested": "2025-05-08T05:14:19Z", + "kind": "event", + "original": "{\"certainty\":0,\"entity_id\":1184,\"entity_name\":\"Windows10_Jump\",\"id\":1,\"lock_event_timestamp\":\"2023-03-06T22:30:06Z\",\"locked_by\":\"vadmin\",\"type\":\"host\",\"unlock_event_timestamp\":\"2023-04-07T23:50:00Z\"}", + "start": "2023-03-06T22:30:06.000Z", + "type": [ + "info" + ] + }, + "host": { + "id": "1184", + "name": "Windows10_Jump" + }, + "input": { + "type": "cel" + }, + "observer": { + "product": "Vectra RUX" + }, + "related": { + "hosts": [ + "1184", + "Windows10_Jump" + ], + "user": [ + "vadmin" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "vectra_rux-lockdown" + ], + "user": { + "name": "vadmin" + }, + "vectra_rux": { + "lockdown": { + "certainty": 0, + "entity_id": "1184", + "entity_name": "Windows10_Jump", + "id": "1", + "lock_event_timestamp": "2023-03-06T22:30:06.000Z", + "locked_by": "vadmin", + "type": "host", + "unlock_event_timestamp": "2023-04-07T23:50:00.000Z" + } + } +} 
+``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| event.dataset | Event dataset. | constant_keyword | +| event.module | Event module. | constant_keyword | +| input.type | Type of Filebeat input. | keyword | +| log.offset | Log offset. | long | +| observer.vendor | | constant_keyword | +| vectra_rux.lockdown.certainty | | long | +| vectra_rux.lockdown.entity_id | ID of the related entity. | keyword | +| vectra_rux.lockdown.entity_name | Name of the related entity. | keyword | +| vectra_rux.lockdown.id | Autoincrementing ID. | keyword | +| vectra_rux.lockdown.lock_event_timestamp | Time when the lockdown occurred. | date | +| vectra_rux.lockdown.locked_by | User who issued the lockdown. | keyword | +| vectra_rux.lockdown.type | Type of the related entity. | keyword | +| vectra_rux.lockdown.unlock_event_timestamp | Time when the lockdown expires. | date | diff --git a/packages/vectra_rux/img/audit-dashboard.png b/packages/vectra_rux/img/audit-dashboard.png new file mode 100644 index 00000000000..e953eed93a0 Binary files /dev/null and b/packages/vectra_rux/img/audit-dashboard.png differ diff --git a/packages/vectra_rux/img/detection-event-dashboard.png b/packages/vectra_rux/img/detection-event-dashboard.png new file mode 100644 index 00000000000..f5272f2a573 Binary files /dev/null and b/packages/vectra_rux/img/detection-event-dashboard.png differ diff --git a/packages/vectra_rux/img/entity-event-dashboard.png b/packages/vectra_rux/img/entity-event-dashboard.png new file mode 100644 index 00000000000..7f78bfdd6ab Binary files /dev/null and b/packages/vectra_rux/img/entity-event-dashboard.png differ 
diff --git a/packages/vectra_rux/img/health-dashboard.png b/packages/vectra_rux/img/health-dashboard.png new file mode 100644 index 00000000000..43871d09edc Binary files /dev/null and b/packages/vectra_rux/img/health-dashboard.png differ diff --git a/packages/vectra_rux/img/lockdown-dashboard.png b/packages/vectra_rux/img/lockdown-dashboard.png new file mode 100644 index 00000000000..0b9aca00e64 Binary files /dev/null and b/packages/vectra_rux/img/lockdown-dashboard.png differ diff --git a/packages/vectra_rux/img/vectra_rux-logo.svg b/packages/vectra_rux/img/vectra_rux-logo.svg new file mode 100644 index 00000000000..2bfef920897 --- /dev/null +++ b/packages/vectra_rux/img/vectra_rux-logo.svg @@ -0,0 +1,33 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/packages/vectra_rux/kibana/dashboard/vectra_rux-36228434-8783-49ab-ac0d-82cc651c0e7d.json b/packages/vectra_rux/kibana/dashboard/vectra_rux-36228434-8783-49ab-ac0d-82cc651c0e7d.json new file mode 100644 index 00000000000..a8973788a62 --- /dev/null +++ b/packages/vectra_rux/kibana/dashboard/vectra_rux-36228434-8783-49ab-ac0d-82cc651c0e7d.json 
@@ -0,0 +1,1397 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": {}, + "showApplySelections": false + }, + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "vectra_rux.health" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "vectra_rux.health" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4a618339-51c5-4580-9823-b7c1a60a35a4", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "4a618339-51c5-4580-9823-b7c1a60a35a4": { + "columnOrder": [ + "095c417f-db24-4edd-ab32-8962f067320e" + ], + "columns": { + "095c417f-db24-4edd-ab32-8962f067320e": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"host.cpu.usage\": *" + }, + "isBucketed": false, + "label": "User - CPU usage (%)", + "operationType": "last_value", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 2, + "suffix": "%" + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "host.cpu.usage" + } + }, + 
"ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "4a618339-51c5-4580-9823-b7c1a60a35a4", + "layerType": "data", + "metricAccessor": "095c417f-db24-4edd-ab32-8962f067320e" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 5, + "i": "8b3b6c46-5cdb-4af1-a629-d7c6552a8ba4", + "w": 8, + "x": 8, + "y": 0 + }, + "panelIndex": "8b3b6c46-5cdb-4af1-a629-d7c6552a8ba4", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-5123deb2-4cab-45d4-b3c6-fcdf58572a04", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "5123deb2-4cab-45d4-b3c6-fcdf58572a04": { + "columnOrder": [ + "ccde8ad8-61cf-4f54-bf30-8d8c9dc21325", + "5a89ed66-6492-4c1a-bd5b-feb2e94f30b1", + "0f6d421c-f032-4eef-a5be-75c9c85c4e27" + ], + "columns": { + "0f6d421c-f032-4eef-a5be-75c9c85c4e27": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"vectra_rux.health.memory.used_bytes\": *" + }, + "isBucketed": false, + "label": "Memory Used Bytes", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 0 + } + }, + 
"sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "vectra_rux.health.memory.used_bytes" + }, + "5a89ed66-6492-4c1a-bd5b-feb2e94f30b1": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"vectra_rux.health.memory.free_bytes\": *" + }, + "isBucketed": false, + "label": "Memory Free Bytes", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 0 + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "vectra_rux.health.memory.free_bytes" + }, + "ccde8ad8-61cf-4f54-bf30-8d8c9dc21325": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "5a89ed66-6492-4c1a-bd5b-feb2e94f30b1", + "0f6d421c-f032-4eef-a5be-75c9c85c4e27" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "5123deb2-4cab-45d4-b3c6-fcdf58572a04", + "layerType": "data", + "position": "top", + "seriesType": "area_stacked", + "showGridlines": false, + "xAccessor": 
"ccde8ad8-61cf-4f54-bf30-8d8c9dc21325" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": true + }, + "preferredSeriesType": "area_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "yTitle": "Memory Usage" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 19, + "i": "b3ce1777-77ca-42be-a02a-2edfbffa198b", + "w": 20, + "x": 8, + "y": 5 + }, + "panelIndex": "b3ce1777-77ca-42be-a02a-2edfbffa198b", + "title": "Memory Utilization Over Time [Logs Vectra RUX]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f69a7fbd-0615-4f7a-9563-73310629ec3f", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "f69a7fbd-0615-4f7a-9563-73310629ec3f": { + "columnOrder": [ + "fe266c89-5fad-4092-a5e7-704370dc1a14", + "c9d2ddd6-7376-4f74-b89b-717f7733d77c", + "31f3f151-83c2-4c25-9466-6e1ca835c0aa" + ], + "columns": { + "31f3f151-83c2-4c25-9466-6e1ca835c0aa": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"vectra_rux.health.disk.disk_utilization.used_bytes\": *" + }, + "isBucketed": false, + "label": "Disk Utilization Used Bytes", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 0 + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "vectra_rux.health.disk.disk_utilization.used_bytes" + }, + "c9d2ddd6-7376-4f74-b89b-717f7733d77c": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": 
"kuery", + "query": "\"vectra_rux.health.disk.disk_utilization.free_bytes\": *" + }, + "isBucketed": false, + "label": "Disk Utilization Free Bytes", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 0 + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "vectra_rux.health.disk.disk_utilization.free_bytes" + }, + "fe266c89-5fad-4092-a5e7-704370dc1a14": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "c9d2ddd6-7376-4f74-b89b-717f7733d77c", + "31f3f151-83c2-4c25-9466-6e1ca835c0aa" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "f69a7fbd-0615-4f7a-9563-73310629ec3f", + "layerType": "data", + "position": "top", + "seriesType": "area_stacked", + "showGridlines": false, + "xAccessor": "fe266c89-5fad-4092-a5e7-704370dc1a14" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": true + }, + "preferredSeriesType": 
"area_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "yTitle": "Disk Usage" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 19, + "i": "eba6f2bc-4bfa-4009-910f-4c858e0abd63", + "w": 20, + "x": 28, + "y": 5 + }, + "panelIndex": "eba6f2bc-4bfa-4009-910f-4c858e0abd63", + "title": "Disk Utilization Over Time [Logs Vectra RUX]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-94158cb1-3cbd-4392-8260-135bb26c33e8", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "94158cb1-3cbd-4392-8260-135bb26c33e8": { + "columnOrder": [ + "789e69d5-ddb9-436f-980f-6b0d64c82e11" + ], + "columns": { + "789e69d5-ddb9-436f-980f-6b0d64c82e11": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"vectra_rux.health.cpu.system_percent\": *" + }, + "isBucketed": false, + "label": "System - CPU usage (%)", + "operationType": "last_value", + "params": { + "format": { + "id": "number", + "params": { + "compact": false, + "decimals": 2, + "suffix": "%" + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "vectra_rux.health.cpu.system_percent" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + 
"query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "94158cb1-3cbd-4392-8260-135bb26c33e8", + "layerType": "data", + "metricAccessor": "789e69d5-ddb9-436f-980f-6b0d64c82e11" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 5, + "i": "54236cd4-328c-4b65-875f-0acdb3d6ff78", + "w": 8, + "x": 16, + "y": 0 + }, + "panelIndex": "54236cd4-328c-4b65-875f-0acdb3d6ff78", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-75129c53-63ac-4a20-a187-93accebe18ef", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "75129c53-63ac-4a20-a187-93accebe18ef": { + "columnOrder": [ + "2400ff29-5096-44a6-8bc0-dca0ecc0fb1d" + ], + "columns": { + "2400ff29-5096-44a6-8bc0-dca0ecc0fb1d": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"vectra_rux.health.disk.disk_utilization.usage_percent\": *" + }, + "isBucketed": false, + "label": "Total Disk usage (%)", + "operationType": "last_value", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 2, + "suffix": "%" + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "vectra_rux.health.disk.disk_utilization.usage_percent" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": 
"logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "75129c53-63ac-4a20-a187-93accebe18ef", + "layerType": "data", + "metricAccessor": "2400ff29-5096-44a6-8bc0-dca0ecc0fb1d" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 5, + "i": "3ad7675b-8914-4796-9c16-9dd23cf87d18", + "w": 8, + "x": 32, + "y": 0 + }, + "panelIndex": "3ad7675b-8914-4796-9c16-9dd23cf87d18", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d6c28f08-6050-474a-8ab5-3273342e1875", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "d6c28f08-6050-474a-8ab5-3273342e1875": { + "columnOrder": [ + "d97385da-7d10-42d4-a68d-1741a5be6d92" + ], + "columns": { + "d97385da-7d10-42d4-a68d-1741a5be6d92": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"vectra_rux.health.cpu.idle_percent\": *" + }, + "isBucketed": false, + "label": "Idle - CPU usage (%)", + "operationType": "last_value", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 2, + "suffix": "%" + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "vectra_rux.health.cpu.idle_percent" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": 
"logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "d6c28f08-6050-474a-8ab5-3273342e1875", + "layerType": "data", + "metricAccessor": "d97385da-7d10-42d4-a68d-1741a5be6d92" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 5, + "i": "bea3ca4f-0a9e-43fa-981c-2e8bc2331e8c", + "w": 8, + "x": 24, + "y": 0 + }, + "panelIndex": "bea3ca4f-0a9e-43fa-981c-2e8bc2331e8c", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f7c28d12-e986-498c-a3e5-8ae34239295c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "f7c28d12-e986-498c-a3e5-8ae34239295c": { + "columnOrder": [ + "27a848c7-8b60-4936-bf97-ce81681405a9" + ], + "columns": { + "27a848c7-8b60-4936-bf97-ce81681405a9": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"vectra_rux.health.memory.usage_percent\": *" + }, + "isBucketed": false, + "label": "Total Memory Usage (%)", + "operationType": "last_value", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 2, + "suffix": "%" + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "vectra_rux.health.memory.usage_percent" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": 
{} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "f7c28d12-e986-498c-a3e5-8ae34239295c", + "layerType": "data", + "metricAccessor": "27a848c7-8b60-4936-bf97-ce81681405a9" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 5, + "i": "e8cf1ba5-5f1d-4b25-b693-840577d3b30a", + "w": 8, + "x": 40, + "y": 0 + }, + "panelIndex": "e8cf1ba5-5f1d-4b25-b693-840577d3b30a", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d804b148-4681-480a-9901-6700a4fc885d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "d804b148-4681-480a-9901-6700a4fc885d": { + "columnOrder": [ + "cc18d22b-3986-460e-a66d-2219b2647641", + "fcb2e787-e0d4-4f8e-9f63-8fe245469746", + "eb710ecb-d8e6-40b0-834e-272f6667e1b0" + ], + "columns": { + "cc18d22b-3986-460e-a66d-2219b2647641": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Power Status", + "operationType": "terms", + "params": { + "accuracyMode": true, + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "eb710ecb-d8e6-40b0-834e-272f6667e1b0", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": 
"vectra_rux.health.power.status" + }, + "eb710ecb-d8e6-40b0-834e-272f6667e1b0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "fcb2e787-e0d4-4f8e-9f63-8fe245469746": { + "customLabel": true, + "dataType": "string", + "filter": { + "language": "kuery", + "query": "\"vectra_rux.health.power.error\": *" + }, + "isBucketed": false, + "label": "Power Error", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ordinal", + "sourceField": "vectra_rux.health.power.error" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "center", + "columnId": "fcb2e787-e0d4-4f8e-9f63-8fe245469746", + "isMetric": true, + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "cc18d22b-3986-460e-a66d-2219b2647641", + "isMetric": false, + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "eb710ecb-d8e6-40b0-834e-272f6667e1b0", + "isMetric": true, + "isTransposed": false + } + ], + "layerId": "d804b148-4681-480a-9901-6700a4fc885d", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "6bae0631-885b-4007-a88e-f1d83cec5ba5", + "w": 20, + "x": 28, + "y": 24 + }, + "panelIndex": "6bae0631-885b-4007-a88e-f1d83cec5ba5", + "title": "Top 10 Power Status [Logs Vectra RUX]", + "type": 
"lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-46bd0820-cbad-4277-8f2f-43b6bb8ef30d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "46bd0820-cbad-4277-8f2f-43b6bb8ef30d": { + "columnOrder": [ + "7a92fcc9-c8cc-46fc-aaec-18336777c712", + "a36854cb-163f-46d3-81db-abe9975b4999" + ], + "columns": { + "7a92fcc9-c8cc-46fc-aaec-18336777c712": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Network Vlan ID", + "operationType": "terms", + "params": { + "accuracyMode": true, + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "a36854cb-163f-46d3-81db-abe9975b4999", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "network.vlan.id" + }, + "a36854cb-163f-46d3-81db-abe9975b4999": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "center", + "columnId": "7a92fcc9-c8cc-46fc-aaec-18336777c712", + "isMetric": false, + "isTransposed": false + }, + { + "alignment": 
"center", + "columnId": "a36854cb-163f-46d3-81db-abe9975b4999", + "isMetric": true, + "isTransposed": false + } + ], + "layerId": "46bd0820-cbad-4277-8f2f-43b6bb8ef30d", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "3d975a48-87c8-41aa-8613-4c7bd41093a1", + "w": 20, + "x": 8, + "y": 24 + }, + "panelIndex": "3d975a48-87c8-41aa-8613-4c7bd41093a1", + "title": "Top 10 Network Vlan ID [Logs Vectra RUX]", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "### Navigation\n\n#### Vectra RUX\n\n[Audit](#/dashboard/vectra_rux-ccfcc72d-78f4-4337-b542-de333bef5cf8) \n[Detection Events](#/dashboard/vectra_rux-6ddf7197-c2e5-4472-a814-05bfe2caa3eb) \n[Entity Events](#/dashboard/vectra_rux-9a7d587d-e61a-40dc-886b-25aa6da16717) \n**Health** \n[Lockdown](#/dashboard/vectra_rux-55983c57-df67-41ea-8292-08c3c0357d05) \n\n#### Description\n\nThis dashboard is designed to provide comprehensive visibility into system health metrics using the Health data stream within the Vectra RUX platform.\n\nIt offers an overview of key system performance indicators such as CPU usage (User, System, and Idle), Total Memory and Disk usage percentage, as well as Memory and Disk Utilization trends over time. 
The dashboard also highlights the Top 10 Network VLAN IDs and Power Statuses to help identify potential networking or hardware-related issues, and provides detailed insights into sensor metrics including connectivity and traffic status.\n\n**[Integration Page](/app/integrations/detail/vectra_rux/overview)**", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 39, + "i": "ae0d552c-1bf3-49c4-a04b-afcab456e360", + "w": 8, + "x": 0, + "y": 0 + }, + "panelIndex": "ae0d552c-1bf3-49c4-a04b-afcab456e360", + "type": "visualization" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + } + }, + "gridData": { + "h": 19, + "i": "a5de98fa-bff2-493b-b8c2-4634476e89d4", + "w": 48, + "x": 0, + "y": 39 + }, + "panelIndex": "a5de98fa-bff2-493b-b8c2-4634476e89d4", + "panelRefName": "panel_a5de98fa-bff2-493b-b8c2-4634476e89d4", + "title": "Sensors Essential Details [Logs Vectra RUX]", + "type": "search" + } + ], + "timeRestore": false, + "title": "[Logs Vectra RUX] Health", + "version": 3 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-04-22T09:28:55.444Z", + "id": "vectra_rux-36228434-8783-49ab-ac0d-82cc651c0e7d", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "vectra_rux-3160e56b-1190-4e05-be6d-5beb3b5bf8a5", + "name": "a5de98fa-bff2-493b-b8c2-4634476e89d4:panel_a5de98fa-bff2-493b-b8c2-4634476e89d4", + "type": "search" + }, + { + "id": "logs-*", + "name": "8b3b6c46-5cdb-4af1-a629-d7c6552a8ba4:indexpattern-datasource-layer-4a618339-51c5-4580-9823-b7c1a60a35a4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b3ce1777-77ca-42be-a02a-2edfbffa198b:indexpattern-datasource-layer-5123deb2-4cab-45d4-b3c6-fcdf58572a04", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"eba6f2bc-4bfa-4009-910f-4c858e0abd63:indexpattern-datasource-layer-f69a7fbd-0615-4f7a-9563-73310629ec3f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "54236cd4-328c-4b65-875f-0acdb3d6ff78:indexpattern-datasource-layer-94158cb1-3cbd-4392-8260-135bb26c33e8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3ad7675b-8914-4796-9c16-9dd23cf87d18:indexpattern-datasource-layer-75129c53-63ac-4a20-a187-93accebe18ef", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "bea3ca4f-0a9e-43fa-981c-2e8bc2331e8c:indexpattern-datasource-layer-d6c28f08-6050-474a-8ab5-3273342e1875", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e8cf1ba5-5f1d-4b25-b693-840577d3b30a:indexpattern-datasource-layer-f7c28d12-e986-498c-a3e5-8ae34239295c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6bae0631-885b-4007-a88e-f1d83cec5ba5:indexpattern-datasource-layer-d804b148-4681-480a-9901-6700a4fc885d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3d975a48-87c8-41aa-8613-4c7bd41093a1:indexpattern-datasource-layer-46bd0820-cbad-4277-8f2f-43b6bb8ef30d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "10.2.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} \ No newline at end of file diff --git a/packages/vectra_rux/kibana/dashboard/vectra_rux-55983c57-df67-41ea-8292-08c3c0357d05.json b/packages/vectra_rux/kibana/dashboard/vectra_rux-55983c57-df67-41ea-8292-08c3c0357d05.json new file mode 100644 index 00000000000..25850f60628 --- /dev/null +++ b/packages/vectra_rux/kibana/dashboard/vectra_rux-55983c57-df67-41ea-8292-08c3c0357d05.json 
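Review bot: the `references` array of the Health dashboard (`vectra_rux-36228434-8783-49ab-ac0d-82cc651c0e7d`) lists `kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index` twice (first and last entry, both pointing at `logs-*`); one entry is enough to resolve the filter's `indexRefName`, so drop the duplicate. Two smaller points in the same file: it ends without a trailing newline (`\ No newline at end of file`), and it commits the exporter's opaque `"updated_by": "u_mGBROF_..."` user id, which carries no meaning inside a package; if elastic-package does not strip that field on build, remove it by hand so the asset does not churn whenever a different user re-exports it.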
@@ -0,0 +1,531 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "8b2393ea-c020-45c9-b167-98e8cab9085d": { + "explicitInput": { + "dataViewId": "logs-*", + "exclude": null, + "existsSelected": null, + "fieldName": "vectra_rux.lockdown.type", + "hideActionBar": null, + "hideExclude": null, + "hideExists": null, + "hideSort": null, + "placeholder": null, + "runPastTimeout": null, + "searchTechnique": "prefix", + "selectedOptions": [], + "singleSelect": null, + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Entity Type" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "medium" + } + }, + "showApplySelections": false + }, + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "vectra_rux.lockdown" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "vectra_rux.lockdown" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-9d01e3e4-03cd-4c70-b100-78aec29a6b90", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "9d01e3e4-03cd-4c70-b100-78aec29a6b90": { + 
"columnOrder": [ + "b9ba3da2-d4d3-4727-ab03-edf49b31b6a6", + "ae18fd10-7af5-4e1e-a6f2-c9997dbde3fd" + ], + "columns": { + "ae18fd10-7af5-4e1e-a6f2-c9997dbde3fd": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "b9ba3da2-d4d3-4727-ab03-edf49b31b6a6": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "ae18fd10-7af5-4e1e-a6f2-c9997dbde3fd", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "vectra_rux.lockdown.type" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "9d01e3e4-03cd-4c70-b100-78aec29a6b90", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "ae18fd10-7af5-4e1e-a6f2-c9997dbde3fd" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "b9ba3da2-d4d3-4727-ab03-edf49b31b6a6" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": 
"lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 16, + "i": "3b90902c-a2b7-4497-9032-755b776e1b96", + "w": 19, + "x": 29, + "y": 0 + }, + "panelIndex": "3b90902c-a2b7-4497-9032-755b776e1b96", + "title": "Lockdown by Type [Logs Vectra RUX]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-895ddd7e-cdc3-42b8-bc70-3c9f3be12eac", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "895ddd7e-cdc3-42b8-bc70-3c9f3be12eac": { + "columnOrder": [ + "c41ba4d6-cce9-468c-ae78-fc164597ec8d", + "86fb395b-ad38-495e-a787-69697c045c2a", + "06c03e29-e403-42f0-9ce3-052d4585f781" + ], + "columns": { + "06c03e29-e403-42f0-9ce3-052d4585f781": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "86fb395b-ad38-495e-a787-69697c045c2a": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "c41ba4d6-cce9-468c-ae78-fc164597ec8d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "User Name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "06c03e29-e403-42f0-9ce3-052d4585f781", + "type": "column" + }, + 
"orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "user.name" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "06c03e29-e403-42f0-9ce3-052d4585f781" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "895ddd7e-cdc3-42b8-bc70-3c9f3be12eac", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "c41ba4d6-cce9-468c-ae78-fc164597ec8d", + "xAccessor": "86fb395b-ad38-495e-a787-69697c045c2a" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": true + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 16, + "i": "b27e8fcc-7e29-48c9-96cd-87c8994c675b", + "w": 19, + "x": 10, + "y": 0 + }, + "panelIndex": 
"b27e8fcc-7e29-48c9-96cd-87c8994c675b", + "title": "Lockdown by User Over Time [Logs Vectra RUX]", + "type": "lens" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + } + }, + "gridData": { + "h": 14, + "i": "e9b25a6f-8dc9-4faa-9009-58fc526c6153", + "w": 38, + "x": 10, + "y": 16 + }, + "panelIndex": "e9b25a6f-8dc9-4faa-9009-58fc526c6153", + "panelRefName": "panel_e9b25a6f-8dc9-4faa-9009-58fc526c6153", + "title": "Lockdown Essential Details [Logs Vectra RUX]", + "type": "search" + }, + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "### Navigation\n\n#### Vectra RUX\n\n[Audit](#/dashboard/vectra_rux-ccfcc72d-78f4-4337-b542-de333bef5cf8) \n[Detection Events](#/dashboard/vectra_rux-6ddf7197-c2e5-4472-a814-05bfe2caa3eb) \n[Entity Events](#/dashboard/vectra_rux-9a7d587d-e61a-40dc-886b-25aa6da16717) \n[Health](#/dashboard/vectra_rux-36228434-8783-49ab-ac0d-82cc651c0e7d) \n**Lockdown**\n\n#### Description\n\nThis dashboard track and summarize entity lockdown activities. 
They include overviews by entity type, breakdowns by lockdown type, user activity over time, and essential details like who locked or unlocked an entity and when.\n\n**[Integration Page](/app/integrations/detail/vectra_rux/overview)**", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 30, + "i": "57b83a01-ea8e-4f1b-b6c9-42af04b28838", + "w": 10, + "x": 0, + "y": 0 + }, + "panelIndex": "57b83a01-ea8e-4f1b-b6c9-42af04b28838", + "type": "visualization" + } + ], + "timeRestore": false, + "title": "[Logs Vectra RUX] Lockdown", + "version": 3 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-04-21T10:05:01.424Z", + "id": "vectra_rux-55983c57-df67-41ea-8292-08c3c0357d05", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "vectra_rux-7180cae3-1a55-4e7a-a010-e7987dbdbd67", + "name": "e9b25a6f-8dc9-4faa-9009-58fc526c6153:panel_e9b25a6f-8dc9-4faa-9009-58fc526c6153", + "type": "search" + }, + { + "id": "logs-*", + "name": "3b90902c-a2b7-4497-9032-755b776e1b96:indexpattern-datasource-layer-9d01e3e4-03cd-4c70-b100-78aec29a6b90", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b27e8fcc-7e29-48c9-96cd-87c8994c675b:indexpattern-datasource-layer-895ddd7e-cdc3-42b8-bc70-3c9f3be12eac", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_8b2393ea-c020-45c9-b167-98e8cab9085d:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "10.2.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} \ No newline at end of file 
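Review bot: the navigation panel's `markdown` text reads "This dashboard track and summarize entity lockdown activities."; subject and verb do not agree, so change it to "This dashboard tracks and summarizes entity lockdown activities." As in the Health dashboard, the `references` array repeats the `kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index` entry (first and last item) and the file lacks a trailing newline. Also, the "Entity Type" options-list control here serialises every optional key as `null` (`"exclude": null`, `"existsSelected": null`, `"hideActionBar": null`, and so on), whereas the other dashboards in this PR either set them to `false` or omit them; exporting all dashboards from the same Kibana version would keep the control JSON consistent across the package.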
diff --git a/packages/vectra_rux/kibana/dashboard/vectra_rux-6ddf7197-c2e5-4472-a814-05bfe2caa3eb.json b/packages/vectra_rux/kibana/dashboard/vectra_rux-6ddf7197-c2e5-4472-a814-05bfe2caa3eb.json new file mode 100644 index 00000000000..52b2572247b --- /dev/null +++ b/packages/vectra_rux/kibana/dashboard/vectra_rux-6ddf7197-c2e5-4472-a814-05bfe2caa3eb.json 
@@ -0,0 +1,2019 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "06efe577-8146-4059-8597-6b0f4be0371e": { + "explicitInput": { + "dataViewId": "logs-*", + "exclude": false, + "existsSelected": false, + "fieldName": "vectra_rux.detection_event.detection.type", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Detection Type" + }, + "grow": true, + "order": 1, + "type": "optionsListControl", + "width": "medium" + }, + "4562b53a-c40d-45d0-b47a-61373a8e3cd0": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "vectra_rux.detection_event.category", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Category" + }, + "grow": true, + "order": 2, + "type": "optionsListControl", + "width": "medium" + }, + "e5dd009c-25af-4690-bca6-d83860f482fc": { + "explicitInput": { + "dataViewId": "logs-*", + "exclude": false, + "existsSelected": false, + "fieldName": "vectra_rux.detection_event.type", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Entity Type" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "medium" + } + }, + "showApplySelections": false + }, + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "vectra_rux.detection_event" + }, + "type": "phrase" + }, + "query": { + 
"match_phrase": { + "data_stream.dataset": "vectra_rux.detection_event" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-5c5fea0c-cd7d-48c5-92a6-ee60afef69e9", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "5c5fea0c-cd7d-48c5-92a6-ee60afef69e9": { + "columnOrder": [ + "8f6dbc44-7f0a-4025-8ac6-abc8ec113d86" + ], + "columns": { + "8f6dbc44-7f0a-4025-8ac6-abc8ec113d86": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Detection Events", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "initialContext": null, + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "5c5fea0c-cd7d-48c5-92a6-ee60afef69e9", + "layerType": "data", + "metricAccessor": "8f6dbc44-7f0a-4025-8ac6-abc8ec113d86" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": true, + "query": { + "language": "kuery", + 
"query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 7, + "i": "98edab62-7f29-4a96-a2e7-27c32a1b0d98", + "w": 8, + "x": 8, + "y": 0 + }, + "panelIndex": "98edab62-7f29-4a96-a2e7-27c32a1b0d98", + "title": "Total Detection Events [Logs Vectra RUX] ", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-5c5fea0c-cd7d-48c5-92a6-ee60afef69e9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "dc20e940-a507-4a72-b2ae-ecaee2b5d971", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "5c5fea0c-cd7d-48c5-92a6-ee60afef69e9": { + "columnOrder": [ + "8f6dbc44-7f0a-4025-8ac6-abc8ec113d86" + ], + "columns": { + "8f6dbc44-7f0a-4025-8ac6-abc8ec113d86": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Account Events", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "vectra_rux.detection_event.type", + "index": "dc20e940-a507-4a72-b2ae-ecaee2b5d971", + "key": "vectra_rux.detection_event.type", + "negate": false, + "params": { + "query": "account" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "vectra_rux.detection_event.type": "account" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "5c5fea0c-cd7d-48c5-92a6-ee60afef69e9", + "layerType": "data", 
+ "metricAccessor": "8f6dbc44-7f0a-4025-8ac6-abc8ec113d86" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "vectra_rux.detection_event.type", + "index": "logs-*", + "key": "vectra_rux.detection_event.type", + "negate": false, + "params": { + "query": "account" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "vectra_rux.detection_event.type": "account" + } + } + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 7, + "i": "fef0d8a4-7260-4f86-8f7b-713a60e087a9", + "w": 8, + "x": 24, + "y": 0 + }, + "panelIndex": "fef0d8a4-7260-4f86-8f7b-713a60e087a9", + "title": "Account Events [Logs Vectra RUX]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-5c5fea0c-cd7d-48c5-92a6-ee60afef69e9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6debe352-032a-4395-842c-b1f2b691767e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "5c5fea0c-cd7d-48c5-92a6-ee60afef69e9": { + "columnOrder": [ + "8f6dbc44-7f0a-4025-8ac6-abc8ec113d86" + ], + "columns": { + "8f6dbc44-7f0a-4025-8ac6-abc8ec113d86": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Host Events", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + 
"textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "vectra_rux.detection_event.type", + "index": "6debe352-032a-4395-842c-b1f2b691767e", + "key": "vectra_rux.detection_event.type", + "negate": false, + "params": { + "query": "host" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "vectra_rux.detection_event.type": "host" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "5c5fea0c-cd7d-48c5-92a6-ee60afef69e9", + "layerType": "data", + "metricAccessor": "8f6dbc44-7f0a-4025-8ac6-abc8ec113d86" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "vectra_rux.detection_event.type", + "index": "logs-*", + "key": "vectra_rux.detection_event.type", + "negate": false, + "params": { + "query": "host" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "vectra_rux.detection_event.type": "host" + } + } + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 7, + "i": "b77ea5ea-d63b-4145-90e6-faa35d9a6fe9", + "w": 8, + "x": 16, + "y": 0 + }, + "panelIndex": "b77ea5ea-d63b-4145-90e6-faa35d9a6fe9", + "title": "Host Events [Logs Vectra RUX]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-5c5fea0c-cd7d-48c5-92a6-ee60afef69e9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "bce8e7aa-afce-4558-a85e-a61683da80c2", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + 
"datasourceStates": { + "formBased": { + "layers": { + "5c5fea0c-cd7d-48c5-92a6-ee60afef69e9": { + "columnOrder": [ + "8f6dbc44-7f0a-4025-8ac6-abc8ec113d86" + ], + "columns": { + "8f6dbc44-7f0a-4025-8ac6-abc8ec113d86": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Triaged", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "vectra_rux.detection_event.triaged", + "index": "bce8e7aa-afce-4558-a85e-a61683da80c2", + "key": "vectra_rux.detection_event.triaged", + "negate": false, + "params": { + "query": true + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "vectra_rux.detection_event.triaged": true + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "5c5fea0c-cd7d-48c5-92a6-ee60afef69e9", + "layerType": "data", + "metricAccessor": "8f6dbc44-7f0a-4025-8ac6-abc8ec113d86" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "vectra_rux.detection_event.triaged", + "index": "logs-*", + "key": "vectra_rux.detection_event.triaged", + "negate": false, + "params": { + "query": true + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "vectra_rux.detection_event.triaged": true + } + } + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": 
"" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 7, + "i": "8a824609-cd5d-4c01-af69-39da309ca7d0", + "w": 8, + "x": 32, + "y": 0 + }, + "panelIndex": "8a824609-cd5d-4c01-af69-39da309ca7d0", + "title": "Triaged [Logs Vectra RUX]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-5c5fea0c-cd7d-48c5-92a6-ee60afef69e9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f4c664b9-1d09-43f8-80c0-ded461cc0a8c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "5c5fea0c-cd7d-48c5-92a6-ee60afef69e9": { + "columnOrder": [ + "8f6dbc44-7f0a-4025-8ac6-abc8ec113d86" + ], + "columns": { + "8f6dbc44-7f0a-4025-8ac6-abc8ec113d86": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Not Triaged", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "vectra_rux.detection_event.triaged", + "index": "f4c664b9-1d09-43f8-80c0-ded461cc0a8c", + "key": "vectra_rux.detection_event.triaged", + "negate": false, + "params": { + "query": false + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "vectra_rux.detection_event.triaged": false + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "5c5fea0c-cd7d-48c5-92a6-ee60afef69e9", + "layerType": "data", + "metricAccessor": 
"8f6dbc44-7f0a-4025-8ac6-abc8ec113d86" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "vectra_rux.detection_event.triaged", + "index": "logs-*", + "key": "vectra_rux.detection_event.triaged", + "negate": false, + "params": { + "query": false + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "vectra_rux.detection_event.triaged": false + } + } + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 7, + "i": "9b747dfe-3c96-4a47-92af-a22b3d6e83a5", + "w": 8, + "x": 40, + "y": 0 + }, + "panelIndex": "9b747dfe-3c96-4a47-92af-a22b3d6e83a5", + "title": "Not Triaged [Logs Vectra RUX]", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "### Navigation\n\n#### Vectra RUX\n\n[Audit](#/dashboard/vectra_rux-ccfcc72d-78f4-4337-b542-de333bef5cf8) \n**Detection Events** \n[Entity Events](#/dashboard/vectra_rux-9a7d587d-e61a-40dc-886b-25aa6da16717) \n[Health](#/dashboard/vectra_rux-36228434-8783-49ab-ac0d-82cc651c0e7d) \n[Lockdown](#/dashboard/vectra_rux-55983c57-df67-41ea-8292-08c3c0357d05) \n\n#### Description\n\nThis dashboard offers a concise overview of detection events from Vectra RUX, enabling users to monitor and assess detection activity across hosts and accounts. 
It includes filters for entity type, detection type, and category, supported by visualizations such as pie charts, bar graphs, and key metrics to illustrate detection distribution, MITRE alignment, triage status, and event trends over time. Additionally, tables highlight the top threat and certainty events, while a detailed event view provides essential attributes for deeper analysis and investigation.\n\n\n**[Integration Page](/app/integrations/detail/vectra_rux/overview)**\n\n\n\n\n\n\n", + "openLinksInNewTab": false + }, + "title": "Table of Contents", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 34, + "i": "d15db1e3-d034-4bb8-914c-00c306f575a3", + "w": 8, + "x": 0, + "y": 0 + }, + "panelIndex": "d15db1e3-d034-4bb8-914c-00c306f575a3", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-13c6156f-5bdc-47d9-9cf8-c6ea56a1a5cc", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "13c6156f-5bdc-47d9-9cf8-c6ea56a1a5cc": { + "columnOrder": [ + "b31c523a-74fc-4191-bcf4-a95cfeeb8eef", + "5c611b22-4bc3-4771-b431-3db59f6ac093", + "5a59f20e-5c57-48c8-b50d-a03e357bff2c" + ], + "columns": { + "5a59f20e-5c57-48c8-b50d-a03e357bff2c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Events", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "5c611b22-4bc3-4771-b431-3db59f6ac093": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + 
"b31c523a-74fc-4191-bcf4-a95cfeeb8eef": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Event Type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "5a59f20e-5c57-48c8-b50d-a03e357bff2c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 + }, + "scale": "ordinal", + "sourceField": "vectra_rux.detection_event.type" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "5a59f20e-5c57-48c8-b50d-a03e357bff2c" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "13c6156f-5bdc-47d9-9cf8-c6ea56a1a5cc", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "b31c523a-74fc-4191-bcf4-a95cfeeb8eef", + "xAccessor": "5c611b22-4bc3-4771-b431-3db59f6ac093" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": true + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + 
"events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 12, + "i": "fc31c573-be54-43fc-a8e8-761b6a89c41c", + "w": 40, + "x": 8, + "y": 7 + }, + "panelIndex": "fc31c573-be54-43fc-a8e8-761b6a89c41c", + "title": "Events Over Time [Logs Vectra RUX] ", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f2c755b6-d33e-4db7-aaec-6dbd9f6aacb2", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "f2c755b6-d33e-4db7-aaec-6dbd9f6aacb2": { + "columnOrder": [ + "78b3934d-ab7a-4a26-8f83-5d7972ba8dda", + "7fc4806b-3a06-4c4e-824e-b4f9e4c508d6" + ], + "columns": { + "78b3934d-ab7a-4a26-8f83-5d7972ba8dda": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Detection Type", + "operationType": "terms", + "params": { + "accuracyMode": false, + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "7fc4806b-3a06-4c4e-824e-b4f9e4c508d6", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "vectra_rux.detection_event.detection.type" + }, + "7fc4806b-3a06-4c4e-824e-b4f9e4c508d6": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + 
"layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "7fc4806b-3a06-4c4e-824e-b4f9e4c508d6" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "f2c755b6-d33e-4db7-aaec-6dbd9f6aacb2", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "78b3934d-ab7a-4a26-8f83-5d7972ba8dda" + } + ], + "legend": { + "isVisible": true, + "legendSize": "xlarge", + "position": "right", + "shouldTruncate": false, + "showSingleSeries": false + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "38a6ea5c-9785-4d98-9bc5-d29d0ef5616d", + "w": 40, + "x": 8, + "y": 19 + }, + "panelIndex": "38a6ea5c-9785-4d98-9bc5-d29d0ef5616d", + "title": "Events by Detection Types [Logs Vectra RUX] ", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + 
"references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-93de4b89-0422-4e45-9374-f356d1a7b7df", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "93de4b89-0422-4e45-9374-f356d1a7b7df": { + "columnOrder": [ + "9738d288-00b4-4265-b4a1-0d69d9332d40", + "66795ecf-6c99-46a9-b26f-33ddbcc6e046" + ], + "columns": { + "66795ecf-6c99-46a9-b26f-33ddbcc6e046": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "9738d288-00b4-4265-b4a1-0d69d9332d40": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Mitre", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "66795ecf-6c99-46a9-b26f-33ddbcc6e046", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 + }, + "scale": "ordinal", + "sourceField": "threat.technique.id" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + 
"specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "93de4b89-0422-4e45-9374-f356d1a7b7df", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "66795ecf-6c99-46a9-b26f-33ddbcc6e046" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "9738d288-00b4-4265-b4a1-0d69d9332d40" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 14, + "i": "30d46983-45f5-426d-82d5-953323ac918c", + "w": 23, + "x": 25, + "y": 34 + }, + "panelIndex": "30d46983-45f5-426d-82d5-953323ac918c", + "title": "Events by Mitre [Logs Vectra RUX] ", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-06201800-eafb-4c53-8d86-16af82f584d9", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "06201800-eafb-4c53-8d86-16af82f584d9": { + "columnOrder": [ + "26fa09b9-9406-4d85-9381-4e947d243a51", + "d7b4b9ed-1c34-4df4-83b4-db7eed0bbc71" + ], + "columns": { + "26fa09b9-9406-4d85-9381-4e947d243a51": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Category", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "d7b4b9ed-1c34-4df4-83b4-db7eed0bbc71", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + 
"size": 5 + }, + "scale": "ordinal", + "sourceField": "threat.tactic.name" + }, + "d7b4b9ed-1c34-4df4-83b4-db7eed0bbc71": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "06201800-eafb-4c53-8d86-16af82f584d9", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "d7b4b9ed-1c34-4df4-83b4-db7eed0bbc71" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "26fa09b9-9406-4d85-9381-4e947d243a51" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 14, + "i": "b8629f92-6f9d-4113-9223-39bb0c1baf76", + "w": 25, + "x": 0, + "y": 34 + }, + "panelIndex": "b8629f92-6f9d-4113-9223-39bb0c1baf76", + "title": "Events by Category [Logs Vectra 
RUX] ", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-e31b9e13-4255-4427-b7db-7c1c3e12596e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "e31b9e13-4255-4427-b7db-7c1c3e12596e": { + "columnOrder": [ + "2383c2ab-d02a-474f-b8dc-07221e3952c9", + "fbca3046-6066-48ab-9800-d2a596319cdb", + "73cafea4-657d-45db-84bb-1b88a514fcc3" + ], + "columns": { + "2383c2ab-d02a-474f-b8dc-07221e3952c9": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Detection Type", + "operationType": "terms", + "params": { + "accuracyMode": true, + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "fbca3046-6066-48ab-9800-d2a596319cdb", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "vectra_rux.detection_event.detection.type" + }, + "73cafea4-657d-45db-84bb-1b88a514fcc3": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "fbca3046-6066-48ab-9800-d2a596319cdb": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"vectra_rux.detection_event.threat\": *" + }, + "isBucketed": false, + "label": "Threat", + "operationType": "last_value", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 0 + } + }, + "showArrayValues": null, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": 
"vectra_rux.detection_event.threat" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "initialContext": null, + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "center", + "columnId": "2383c2ab-d02a-474f-b8dc-07221e3952c9", + "width": 343 + }, + { + "alignment": "center", + "columnId": "73cafea4-657d-45db-84bb-1b88a514fcc3", + "isMetric": true, + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "fbca3046-6066-48ab-9800-d2a596319cdb", + "isMetric": true, + "isTransposed": false + } + ], + "layerId": "e31b9e13-4255-4427-b7db-7c1c3e12596e", + "layerType": "data", + "sorting": { + "columnId": "73cafea4-657d-45db-84bb-1b88a514fcc3", + "direction": "desc" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 16, + "i": "75ca8dd8-70f6-451c-9465-0105b9a121ef", + "w": 25, + "x": 0, + "y": 48 + }, + "panelIndex": "75ca8dd8-70f6-451c-9465-0105b9a121ef", + "title": "Top 10 Threat Events [Logs Vectra RUX]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-e31b9e13-4255-4427-b7db-7c1c3e12596e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "e31b9e13-4255-4427-b7db-7c1c3e12596e": 
{ + "columnOrder": [ + "2383c2ab-d02a-474f-b8dc-07221e3952c9", + "6580f43f-621b-4df4-ab3a-799d39dca542", + "73cafea4-657d-45db-84bb-1b88a514fcc3" + ], + "columns": { + "2383c2ab-d02a-474f-b8dc-07221e3952c9": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Detection Type", + "operationType": "terms", + "params": { + "accuracyMode": true, + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "6580f43f-621b-4df4-ab3a-799d39dca542", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "vectra_rux.detection_event.detection.type" + }, + "6580f43f-621b-4df4-ab3a-799d39dca542": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"vectra_rux.detection_event.certainty\": *" + }, + "isBucketed": false, + "label": "Certainty", + "operationType": "last_value", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 0 + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "vectra_rux.detection_event.certainty" + }, + "73cafea4-657d-45db-84bb-1b88a514fcc3": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "center", + "columnId": "2383c2ab-d02a-474f-b8dc-07221e3952c9", + "width": 343 + }, + { + "alignment": "center", + "columnId": 
"73cafea4-657d-45db-84bb-1b88a514fcc3", + "isMetric": true, + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "6580f43f-621b-4df4-ab3a-799d39dca542", + "isMetric": true, + "isTransposed": false + } + ], + "layerId": "e31b9e13-4255-4427-b7db-7c1c3e12596e", + "layerType": "data", + "sorting": { + "columnId": "73cafea4-657d-45db-84bb-1b88a514fcc3", + "direction": "desc" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 16, + "i": "19800ecf-9bd0-4671-a108-5acf4c013923", + "w": 23, + "x": 25, + "y": 48 + }, + "panelIndex": "19800ecf-9bd0-4671-a108-5acf4c013923", + "title": "Top 10 Certainty Events [Logs Vectra RUX] ", + "type": "lens" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + } + }, + "gridData": { + "h": 17, + "i": "34fd4fcc-7a7e-48aa-8c5f-cbee48c085af", + "w": 48, + "x": 0, + "y": 64 + }, + "panelIndex": "34fd4fcc-7a7e-48aa-8c5f-cbee48c085af", + "panelRefName": "panel_34fd4fcc-7a7e-48aa-8c5f-cbee48c085af", + "title": "Detection Event Essential Details [Logs Vectra RUX]", + "type": "search" + } + ], + "timeRestore": false, + "title": "[Logs Vectra RUX] Detection Events", + "version": 3 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-04-22T08:03:51.196Z", + "id": "vectra_rux-6ddf7197-c2e5-4472-a814-05bfe2caa3eb", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "vectra_rux-7ba8318c-2c41-4c43-af81-c35d599b6c74", + "name": "34fd4fcc-7a7e-48aa-8c5f-cbee48c085af:panel_34fd4fcc-7a7e-48aa-8c5f-cbee48c085af", + "type": "search" + }, + { + "id": "logs-*", + "name": 
"98edab62-7f29-4a96-a2e7-27c32a1b0d98:indexpattern-datasource-layer-5c5fea0c-cd7d-48c5-92a6-ee60afef69e9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fef0d8a4-7260-4f86-8f7b-713a60e087a9:indexpattern-datasource-layer-5c5fea0c-cd7d-48c5-92a6-ee60afef69e9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fef0d8a4-7260-4f86-8f7b-713a60e087a9:dc20e940-a507-4a72-b2ae-ecaee2b5d971", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b77ea5ea-d63b-4145-90e6-faa35d9a6fe9:indexpattern-datasource-layer-5c5fea0c-cd7d-48c5-92a6-ee60afef69e9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b77ea5ea-d63b-4145-90e6-faa35d9a6fe9:6debe352-032a-4395-842c-b1f2b691767e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8a824609-cd5d-4c01-af69-39da309ca7d0:indexpattern-datasource-layer-5c5fea0c-cd7d-48c5-92a6-ee60afef69e9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8a824609-cd5d-4c01-af69-39da309ca7d0:bce8e7aa-afce-4558-a85e-a61683da80c2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9b747dfe-3c96-4a47-92af-a22b3d6e83a5:indexpattern-datasource-layer-5c5fea0c-cd7d-48c5-92a6-ee60afef69e9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9b747dfe-3c96-4a47-92af-a22b3d6e83a5:f4c664b9-1d09-43f8-80c0-ded461cc0a8c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fc31c573-be54-43fc-a8e8-761b6a89c41c:indexpattern-datasource-layer-13c6156f-5bdc-47d9-9cf8-c6ea56a1a5cc", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "38a6ea5c-9785-4d98-9bc5-d29d0ef5616d:indexpattern-datasource-layer-f2c755b6-d33e-4db7-aaec-6dbd9f6aacb2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "30d46983-45f5-426d-82d5-953323ac918c:indexpattern-datasource-layer-93de4b89-0422-4e45-9374-f356d1a7b7df", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"b8629f92-6f9d-4113-9223-39bb0c1baf76:indexpattern-datasource-layer-06201800-eafb-4c53-8d86-16af82f584d9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "75ca8dd8-70f6-451c-9465-0105b9a121ef:indexpattern-datasource-layer-e31b9e13-4255-4427-b7db-7c1c3e12596e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "19800ecf-9bd0-4671-a108-5acf4c013923:indexpattern-datasource-layer-e31b9e13-4255-4427-b7db-7c1c3e12596e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_e5dd009c-25af-4690-bca6-d83860f482fc:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_06efe577-8146-4059-8597-6b0f4be0371e:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_4562b53a-c40d-45d0-b47a-61373a8e3cd0:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "10.2.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} \ No newline at end of file diff --git a/packages/vectra_rux/kibana/dashboard/vectra_rux-9a7d587d-e61a-40dc-886b-25aa6da16717.json b/packages/vectra_rux/kibana/dashboard/vectra_rux-9a7d587d-e61a-40dc-886b-25aa6da16717.json new file mode 100644 index 00000000000..895545bd74c --- /dev/null +++ b/packages/vectra_rux/kibana/dashboard/vectra_rux-9a7d587d-e61a-40dc-886b-25aa6da16717.json 
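Review bot: the `references` array of the Detection Events dashboard (the `vectra_rux-6ddf7197-...` file ending above) lists `kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index` twice, once as the first entry and again as the last; the duplicate should be dropped so the saved object carries one reference per filter. Two further points in the same file: the "Top 10 Threat Events" and "Top 10 Certainty Events" tables pick their ten rows via the terms `orderBy` on the Threat or Certainty column (`"columnId": "fbca3046-..."` and `"6580f43f-..."`) but set `"sorting": { "columnId": "73cafea4-...", "direction": "desc" }`, so the rendered order is by Total Count rather than by the score the title advertises; either sort on the score column or rename the panels. Several panel titles keep a trailing space (`"Events Over Time [Logs Vectra RUX] "`, `"Events by Mitre [Logs Vectra RUX] "`, `"Events by Category [Logs Vectra RUX] "`, `"Top 10 Certainty Events [Logs Vectra RUX] "`) while the others do not, "Mitre" should be spelled "MITRE" in both the pie title and its `"label"`, the Events Over Time Lens state still carries the editor default `"title": "Empty XY chart"`, and the file ends without a trailing newline (`\ No newline at end of file`). Also confirm whether the packaging tooling expects the exporter-specific `updated_by` user-profile id to be stripped, since it carries no meaning inside the package.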
@@ -0,0 +1,1578 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "7bbfcd1c-6be4-45e8-ad38-5a85e3848ed9": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "vectra_rux.entity_event.type", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Entity Type" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "medium" + }, + "e2dac7e3-5c6b-4211-8fa7-574fa5cd12c8": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "event.severity", + "searchTechnique": "exact", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Severity" + }, + "grow": true, + "order": 2, + "type": "optionsListControl", + "width": "medium" + }, + "ef76e218-d7c7-46dc-b2d5-361a0c3ae741": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "vectra_rux.entity_event.category", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Event Category" + }, + "grow": true, + "order": 1, + "type": "optionsListControl", + "width": "medium" + } + }, + "showApplySelections": false + }, + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "vectra_rux.entity_event" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "vectra_rux.entity_event" + } + } + } + ], + "query": { + "language": "kuery", + 
"query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-5c5fea0c-cd7d-48c5-92a6-ee60afef69e9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f6e91253-5177-4fc2-86bf-6fb7d6b06627", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "5c5fea0c-cd7d-48c5-92a6-ee60afef69e9": { + "columnOrder": [ + "8f6dbc44-7f0a-4025-8ac6-abc8ec113d86" + ], + "columns": { + "8f6dbc44-7f0a-4025-8ac6-abc8ec113d86": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Account Events", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "vectra_rux.entity_event.type", + "index": "f6e91253-5177-4fc2-86bf-6fb7d6b06627", + "key": "vectra_rux.entity_event.type", + "negate": false, + "params": { + "query": "account" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "vectra_rux.entity_event.type": "account" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "5c5fea0c-cd7d-48c5-92a6-ee60afef69e9", + "layerType": "data", + "metricAccessor": "8f6dbc44-7f0a-4025-8ac6-abc8ec113d86" + } + }, + "title": "Matrix Example", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + 
"filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "vectra_rux.entity_event.type", + "index": "logs-*", + "key": "vectra_rux.entity_event.type", + "negate": false, + "params": { + "query": "account" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "vectra_rux.entity_event.type": "account" + } + } + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 7, + "i": "ac0b1ef5-01a2-4221-bd46-2fb4d0623acd", + "w": 8, + "x": 16, + "y": 0 + }, + "panelIndex": "ac0b1ef5-01a2-4221-bd46-2fb4d0623acd", + "title": "Account Events [Logs Vectra RUX]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-5c5fea0c-cd7d-48c5-92a6-ee60afef69e9", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "5c5fea0c-cd7d-48c5-92a6-ee60afef69e9": { + "columnOrder": [ + "8f6dbc44-7f0a-4025-8ac6-abc8ec113d86" + ], + "columns": { + "8f6dbc44-7f0a-4025-8ac6-abc8ec113d86": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Host Events", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "vectra_rux.entity_event.type", + "index": "logs-*", + "key": "vectra_rux.entity_event.type", + "negate": false, + "params": { + "query": "host" + }, + "type": "phrase" + }, + 
"query": { + "match_phrase": { + "vectra_rux.entity_event.type": "host" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "5c5fea0c-cd7d-48c5-92a6-ee60afef69e9", + "layerType": "data", + "metricAccessor": "8f6dbc44-7f0a-4025-8ac6-abc8ec113d86" + } + }, + "title": "Matrix Example", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "vectra_rux.entity_event.type", + "index": "logs-*", + "key": "vectra_rux.entity_event.type", + "negate": false, + "params": { + "query": "host" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "vectra_rux.entity_event.type": "host" + } + } + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 7, + "i": "04ee68fe-e407-4f71-bfae-63ba605b0cea", + "w": 8, + "x": 24, + "y": 0 + }, + "panelIndex": "04ee68fe-e407-4f71-bfae-63ba605b0cea", + "title": "Host Events [Logs Vectra RUX]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-5c5fea0c-cd7d-48c5-92a6-ee60afef69e9", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "5c5fea0c-cd7d-48c5-92a6-ee60afef69e9": { + "columnOrder": [ + "8f6dbc44-7f0a-4025-8ac6-abc8ec113d86" + ], + "columns": { + "8f6dbc44-7f0a-4025-8ac6-abc8ec113d86": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Prioritized ", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + 
"decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "vectra_rux.entity_event.is_prioritized", + "index": "logs-*", + "key": "vectra_rux.entity_event.is_prioritized", + "negate": false, + "params": { + "query": true + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "vectra_rux.entity_event.is_prioritized": true + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "5c5fea0c-cd7d-48c5-92a6-ee60afef69e9", + "layerType": "data", + "metricAccessor": "8f6dbc44-7f0a-4025-8ac6-abc8ec113d86" + } + }, + "title": "Matrix Example", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "vectra_rux.entity_event.is_prioritized", + "index": "logs-*", + "key": "vectra_rux.entity_event.is_prioritized", + "negate": false, + "params": { + "query": true + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "vectra_rux.entity_event.is_prioritized": true + } + } + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 7, + "i": "4dec571a-8b0b-44a0-b1f5-000e1fe93dfc", + "w": 8, + "x": 32, + "y": 0 + }, + "panelIndex": "4dec571a-8b0b-44a0-b1f5-000e1fe93dfc", + "title": "Prioritized [Logs Vectra RUX]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-a4c70f08-bd55-4cd5-9bc9-7edcd2856a3d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "a4c70f08-bd55-4cd5-9bc9-7edcd2856a3d": { + "columnOrder": [ + "dac14a73-a63b-465d-8f9a-9b9f5817bddd", + "fa3cf056-f0ae-43ac-a799-eb6a13763620" + ], + "columns": { + "dac14a73-a63b-465d-8f9a-9b9f5817bddd": { + "customLabel": true, + "dataType": "number", + "isBucketed": true, + "label": "Urgency Score ", + "operationType": "range", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 0 + } + }, + "includeEmptyRows": false, + "maxBars": "auto", + "ranges": [ + { + "from": 0, + "label": "", + "to": 1000 + } + ], + "type": "histogram" + }, + "scale": "interval", + "sourceField": "vectra_rux.entity_event.urgency.score" + }, + "fa3cf056-f0ae-43ac-a799-eb6a13763620": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "fa3cf056-f0ae-43ac-a799-eb6a13763620" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + 
"touched": false + } + ] + }, + "layerId": "a4c70f08-bd55-4cd5-9bc9-7edcd2856a3d", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "dac14a73-a63b-465d-8f9a-9b9f5817bddd" + } + ], + "legend": { + "isVisible": true, + "legendSize": "small", + "position": "right", + "shouldTruncate": false, + "showSingleSeries": false + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "b7ec0b5c-ba97-4515-a002-f4bc48e62be9", + "w": 23, + "x": 8, + "y": 22 + }, + "panelIndex": "b7ec0b5c-ba97-4515-a002-f4bc48e62be9", + "title": "Events by Urgency Score [Logs Vectra RUX] ", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-13c6156f-5bdc-47d9-9cf8-c6ea56a1a5cc", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "13c6156f-5bdc-47d9-9cf8-c6ea56a1a5cc": { + "columnOrder": [ + "132b4e83-92f9-4e3f-b70b-70d54a87dbf7", + "5c611b22-4bc3-4771-b431-3db59f6ac093", + "5a59f20e-5c57-48c8-b50d-a03e357bff2c" + ], + "columns": { + "132b4e83-92f9-4e3f-b70b-70d54a87dbf7": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Entity Type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderAgg": null, + "orderBy": { + "columnId": "5a59f20e-5c57-48c8-b50d-a03e357bff2c", + "type": "column" + }, + "orderDirection": "desc", + 
"otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": null, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "vectra_rux.entity_event.type" + }, + "5a59f20e-5c57-48c8-b50d-a03e357bff2c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Events", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "5c611b22-4bc3-4771-b431-3db59f6ac093": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "5a59f20e-5c57-48c8-b50d-a03e357bff2c" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "13c6156f-5bdc-47d9-9cf8-c6ea56a1a5cc", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "132b4e83-92f9-4e3f-b70b-70d54a87dbf7", + "xAccessor": "5c611b22-4bc3-4771-b431-3db59f6ac093" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false, + 
"showSingleSeries": true + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "80519e43-aeca-4240-a958-ab9a1ba5075b", + "w": 23, + "x": 8, + "y": 7 + }, + "panelIndex": "80519e43-aeca-4240-a958-ab9a1ba5075b", + "title": "Events Over Time [Logs Vectra RUX] ", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-93de4b89-0422-4e45-9374-f356d1a7b7df", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "93de4b89-0422-4e45-9374-f356d1a7b7df": { + "columnOrder": [ + "488f2e1b-63af-4a8c-b38b-faed0a83640f", + "66795ecf-6c99-46a9-b26f-33ddbcc6e046" + ], + "columns": { + "488f2e1b-63af-4a8c-b38b-faed0a83640f": { + "customLabel": true, + "dataType": "number", + "isBucketed": true, + "label": "Severity", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "66795ecf-6c99-46a9-b26f-33ddbcc6e046", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "event.severity" + }, + "66795ecf-6c99-46a9-b26f-33ddbcc6e046": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + 
"sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "93de4b89-0422-4e45-9374-f356d1a7b7df", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "66795ecf-6c99-46a9-b26f-33ddbcc6e046" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "488f2e1b-63af-4a8c-b38b-faed0a83640f" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "palette": null, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "79dbc944-76e4-4a62-8591-04ac475e6feb", + "w": 17, + "x": 31, + "y": 7 + }, + "panelIndex": "79dbc944-76e4-4a62-8591-04ac475e6feb", + "title": "Events by Severity [Logs Vectra RUX] ", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-93de4b89-0422-4e45-9374-f356d1a7b7df", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { 
+ "93de4b89-0422-4e45-9374-f356d1a7b7df": { + "columnOrder": [ + "566a5602-6612-4789-896d-8a7148d5c84e", + "66795ecf-6c99-46a9-b26f-33ddbcc6e046" + ], + "columns": { + "566a5602-6612-4789-896d-8a7148d5c84e": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Category", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "66795ecf-6c99-46a9-b26f-33ddbcc6e046", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "vectra_rux.entity_event.category" + }, + "66795ecf-6c99-46a9-b26f-33ddbcc6e046": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "93de4b89-0422-4e45-9374-f356d1a7b7df", + "layerType": "data", + "legendDisplay": "show", + "legendSize": "large", + "metrics": [ + "66795ecf-6c99-46a9-b26f-33ddbcc6e046" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "566a5602-6612-4789-896d-8a7148d5c84e" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": 
"lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "palette": null, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "0b57597e-595b-48aa-b211-9919ffc74f0c", + "w": 17, + "x": 31, + "y": 22 + }, + "panelIndex": "0b57597e-595b-48aa-b211-9919ffc74f0c", + "title": "Events by Category [Logs Vectra RUX] ", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-5c5fea0c-cd7d-48c5-92a6-ee60afef69e9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c1f0d072-87e7-429e-a0d0-a5e1249d080e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "5c5fea0c-cd7d-48c5-92a6-ee60afef69e9": { + "columnOrder": [ + "8f6dbc44-7f0a-4025-8ac6-abc8ec113d86" + ], + "columns": { + "8f6dbc44-7f0a-4025-8ac6-abc8ec113d86": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Not Prioritized Events", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "vectra_rux.entity_event.is_prioritized", + "index": "c1f0d072-87e7-429e-a0d0-a5e1249d080e", + "key": "vectra_rux.entity_event.is_prioritized", + "negate": false, + "params": { + "query": false + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "vectra_rux.entity_event.is_prioritized": false + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + 
"query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "5c5fea0c-cd7d-48c5-92a6-ee60afef69e9", + "layerType": "data", + "metricAccessor": "8f6dbc44-7f0a-4025-8ac6-abc8ec113d86" + } + }, + "title": "Matrix Example", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "vectra_rux.entity_event.is_prioritized", + "index": "logs-*", + "key": "vectra_rux.entity_event.is_prioritized", + "negate": false, + "params": { + "query": false + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "vectra_rux.entity_event.is_prioritized": false + } + } + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 7, + "i": "dbb91055-ef85-478c-a436-679d31144090", + "w": 8, + "x": 40, + "y": 0 + }, + "panelIndex": "dbb91055-ef85-478c-a436-679d31144090", + "title": "Not Prioritized [Logs Vectra RUX]", + "type": "lens" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "### Navigation\n\n#### Vectra RUX\n\n[Audit](#/dashboard/vectra_rux-ccfcc72d-78f4-4337-b542-de333bef5cf8) \n[Detection Events](#/dashboard/vectra_rux-6ddf7197-c2e5-4472-a814-05bfe2caa3eb) \n**Entity Events** \n[Health](#/dashboard/vectra_rux-36228434-8783-49ab-ac0d-82cc651c0e7d) \n[Lockdown](#/dashboard/vectra_rux-55983c57-df67-41ea-8292-08c3c0357d05) \n\n#### Description\n\nThis dashboard offers a concise overview of entity events from Vectra RUX, enabling teams to monitor and analyze activities across hosts 
and accounts. It incorporates filters for entity type, event category, and severity, complemented by visualizations such as pie charts, bar charts, and key metrics to illustrate event distribution, urgency, and prioritization. Additionally, a detailed table provides granular event-level insights, supporting effective investigation and response.\n\n\n**[Integration Page](/app/integrations/detail/vectra_rux/overview)**\n", + "openLinksInNewTab": false + }, + "title": "Table of Contents", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 37, + "i": "7630ecbc-e7ff-4586-ab97-b2835ba62908", + "w": 8, + "x": 0, + "y": 0 + }, + "panelIndex": "7630ecbc-e7ff-4586-ab97-b2835ba62908", + "title": "Table of Contents", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-5c5fea0c-cd7d-48c5-92a6-ee60afef69e9", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "5c5fea0c-cd7d-48c5-92a6-ee60afef69e9": { + "columnOrder": [ + "8f6dbc44-7f0a-4025-8ac6-abc8ec113d86" + ], + "columns": { + "8f6dbc44-7f0a-4025-8ac6-abc8ec113d86": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Entity Events", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "5c5fea0c-cd7d-48c5-92a6-ee60afef69e9", + "layerType": "data", + "metricAccessor": "8f6dbc44-7f0a-4025-8ac6-abc8ec113d86" + } + }, + "title": "Matrix Example", + "type": "lens", + "visualizationType": "lnsMetric" + }, 
+ "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 7, + "i": "03461548-368b-4661-a82e-23d52bf6f85a", + "w": 8, + "x": 8, + "y": 0 + }, + "panelIndex": "03461548-368b-4661-a82e-23d52bf6f85a", + "title": "Total Entity Events [Logs Vectra RUX] (copy)", + "type": "lens" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + } + }, + "gridData": { + "h": 18, + "i": "93d979e2-4e67-41f0-ba96-1352619eb893", + "w": 48, + "x": 0, + "y": 37 + }, + "panelIndex": "93d979e2-4e67-41f0-ba96-1352619eb893", + "panelRefName": "panel_93d979e2-4e67-41f0-ba96-1352619eb893", + "title": "Entity Event Essential Details [Logs Vectra RUX]", + "type": "search" + } + ], + "timeRestore": false, + "title": "[Logs Vectra RUX] Entity Events", + "version": 3 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-04-21T10:04:59.401Z", + "id": "vectra_rux-9a7d587d-e61a-40dc-886b-25aa6da16717", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "vectra_rux-fad8d0ee-bc58-43cd-a949-b0f0cf975256", + "name": "93d979e2-4e67-41f0-ba96-1352619eb893:panel_93d979e2-4e67-41f0-ba96-1352619eb893", + "type": "search" + }, + { + "id": "logs-*", + "name": "ac0b1ef5-01a2-4221-bd46-2fb4d0623acd:indexpattern-datasource-layer-5c5fea0c-cd7d-48c5-92a6-ee60afef69e9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ac0b1ef5-01a2-4221-bd46-2fb4d0623acd:f6e91253-5177-4fc2-86bf-6fb7d6b06627", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "04ee68fe-e407-4f71-bfae-63ba605b0cea:indexpattern-datasource-layer-5c5fea0c-cd7d-48c5-92a6-ee60afef69e9", + "type": "index-pattern" + }, + { + "id": "logs-*", + 
"name": "4dec571a-8b0b-44a0-b1f5-000e1fe93dfc:indexpattern-datasource-layer-5c5fea0c-cd7d-48c5-92a6-ee60afef69e9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b7ec0b5c-ba97-4515-a002-f4bc48e62be9:indexpattern-datasource-layer-a4c70f08-bd55-4cd5-9bc9-7edcd2856a3d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "80519e43-aeca-4240-a958-ab9a1ba5075b:indexpattern-datasource-layer-13c6156f-5bdc-47d9-9cf8-c6ea56a1a5cc", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "79dbc944-76e4-4a62-8591-04ac475e6feb:indexpattern-datasource-layer-93de4b89-0422-4e45-9374-f356d1a7b7df", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0b57597e-595b-48aa-b211-9919ffc74f0c:indexpattern-datasource-layer-93de4b89-0422-4e45-9374-f356d1a7b7df", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "dbb91055-ef85-478c-a436-679d31144090:indexpattern-datasource-layer-5c5fea0c-cd7d-48c5-92a6-ee60afef69e9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "dbb91055-ef85-478c-a436-679d31144090:c1f0d072-87e7-429e-a0d0-a5e1249d080e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "03461548-368b-4661-a82e-23d52bf6f85a:indexpattern-datasource-layer-5c5fea0c-cd7d-48c5-92a6-ee60afef69e9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_7bbfcd1c-6be4-45e8-ad38-5a85e3848ed9:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_ef76e218-d7c7-46dc-b2d5-361a0c3ae741:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_e2dac7e3-5c6b-4211-8fa7-574fa5cd12c8:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "10.2.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} \ No newline at end of file 
diff --git a/packages/vectra_rux/kibana/dashboard/vectra_rux-ccfcc72d-78f4-4337-b542-de333bef5cf8.json b/packages/vectra_rux/kibana/dashboard/vectra_rux-ccfcc72d-78f4-4337-b542-de333bef5cf8.json new file mode 100644 index 00000000000..605d3e823b3 --- /dev/null +++ b/packages/vectra_rux/kibana/dashboard/vectra_rux-ccfcc72d-78f4-4337-b542-de333bef5cf8.json 
@@ -0,0 +1,1316 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "00957340-b2f6-4c03-a34c-8eb581376fd9": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "user.roles", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "User Role" + }, + "grow": true, + "order": 1, + "type": "optionsListControl", + "width": "medium" + }, + "8dabc663-c890-4fb0-b172-91c0859c1df0": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "vectra_rux.audit.user.type", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "User Type" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "medium" + } + }, + "showApplySelections": false + }, + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "vectra_rux.audit" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "vectra_rux.audit" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-fd45bbf1-3441-48f2-abdd-2c6f0f714c81", + "type": "index-pattern" + } + ], + "state": { + 
"adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "fd45bbf1-3441-48f2-abdd-2c6f0f714c81": { + "columnOrder": [ + "6123da31-5e7e-4f2d-bfa2-3947b9be1b63", + "ca53b240-b381-487c-86e0-019d6af51b4d" + ], + "columns": { + "6123da31-5e7e-4f2d-bfa2-3947b9be1b63": { + "dataType": "string", + "isBucketed": true, + "label": "Top 5 values of vectra_rux.audit.user.type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "ca53b240-b381-487c-86e0-019d6af51b4d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "vectra_rux.audit.user.type" + }, + "ca53b240-b381-487c-86e0-019d6af51b4d": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "fd45bbf1-3441-48f2-abdd-2c6f0f714c81", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "ca53b240-b381-487c-86e0-019d6af51b4d" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "6123da31-5e7e-4f2d-bfa2-3947b9be1b63" + ], + "truncateLegend": false + } + ], 
+ "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "00168d5a-ff6f-4800-adb0-4a8228d18f45", + "w": 20, + "x": 28, + "y": 15 + }, + "panelIndex": "00168d5a-ff6f-4800-adb0-4a8228d18f45", + "title": "Audit by User Type [Logs Vectra RUX]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-1a96965b-6398-4daf-a0b9-17ac28d17bd0", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "1a96965b-6398-4daf-a0b9-17ac28d17bd0": { + "columnOrder": [ + "80a715df-da29-439d-aa22-cbdf6722eacb", + "1c5af4e5-e4c1-47f8-9c50-f5f75b5a5711" + ], + "columns": { + "1c5af4e5-e4c1-47f8-9c50-f5f75b5a5711": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "80a715df-da29-439d-aa22-cbdf6722eacb": { + "dataType": "string", + "isBucketed": true, + "label": "Top 5 values of user.roles", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "1c5af4e5-e4c1-47f8-9c50-f5f75b5a5711", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 + }, + "scale": "ordinal", + "sourceField": "user.roles" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + 
}, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "1a96965b-6398-4daf-a0b9-17ac28d17bd0", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "1c5af4e5-e4c1-47f8-9c50-f5f75b5a5711" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "80a715df-da29-439d-aa22-cbdf6722eacb" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "b7da360e-3374-4920-9f61-43047c9835bd", + "w": 21, + "x": 7, + "y": 15 + }, + "panelIndex": "b7da360e-3374-4920-9f61-43047c9835bd", + "title": "Audit by User Role [Logs Vectra RUX]", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "### Navigation\n\n#### Vectra RUX\n\n**Audit** \n[Detection Events](#/dashboard/vectra_rux-6ddf7197-c2e5-4472-a814-05bfe2caa3eb) \n[Entity Events](#/dashboard/vectra_rux-9a7d587d-e61a-40dc-886b-25aa6da16717) \n[Health](#/dashboard/vectra_rux-36228434-8783-49ab-ac0d-82cc651c0e7d) \n[Lockdown](#/dashboard/vectra_rux-55983c57-df67-41ea-8292-08c3c0357d05) \n\n#### 
Description\n\nThis dashboard is designed to provide comprehensive visibility into audit activities within the Vectra RUX platform using the Audit data stream.\n\nIt provides an overview of audit activity over time and highlights the top 10 users based on audit events. The dashboard also breaks down audits by user role and user type, and presents metrics for success and failure statuses to aid in monitoring user behavior and identifying potential issues.\n\n**[Integration Page](/app/integrations/detail/vectra_rux/overview)**", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 45, + "i": "48d3f325-0ae1-46e9-8fac-f45fe16664b7", + "w": 7, + "x": 0, + "y": 0 + }, + "panelIndex": "48d3f325-0ae1-46e9-8fac-f45fe16664b7", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-7be582e8-b72d-41b4-a016-260369ebca3c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "7be582e8-b72d-41b4-a016-260369ebca3c": { + "columnOrder": [ + "bdb26b85-c3f7-4316-ab26-acb211124baa", + "89efe986-8c69-4c84-ab0e-dfbd5850ef8e" + ], + "columns": { + "89efe986-8c69-4c84-ab0e-dfbd5850ef8e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "bdb26b85-c3f7-4316-ab26-acb211124baa": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Username", + "operationType": "terms", + "params": { + "accuracyMode": true, + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "89efe986-8c69-4c84-ab0e-dfbd5850ef8e", + "type": "column" + }, + 
"orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "user.name" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "center", + "columnId": "bdb26b85-c3f7-4316-ab26-acb211124baa", + "isMetric": false, + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "89efe986-8c69-4c84-ab0e-dfbd5850ef8e", + "isMetric": true, + "isTransposed": false + } + ], + "layerId": "7be582e8-b72d-41b4-a016-260369ebca3c", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 16, + "i": "5b4af6e9-2885-4d16-b0a0-11feb9c303f1", + "w": 21, + "x": 7, + "y": 30 + }, + "panelIndex": "5b4af6e9-2885-4d16-b0a0-11feb9c303f1", + "title": "Top 10 Audit User [Logs Vectra RUX]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-8dee74b4-7c7a-42dd-a9ef-0f9ca69c76e3", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "8dee74b4-7c7a-42dd-a9ef-0f9ca69c76e3": { + "columnOrder": [ + "f6e54c69-adda-4833-ab0e-2c289b57997f", + "99506e16-3731-44c2-a579-f571400f82c8" + ], + "columns": { + 
"99506e16-3731-44c2-a579-f571400f82c8": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "f6e54c69-adda-4833-ab0e-2c289b57997f": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Action", + "operationType": "terms", + "params": { + "accuracyMode": true, + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "99506e16-3731-44c2-a579-f571400f82c8", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "event.action" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "center", + "columnId": "f6e54c69-adda-4833-ab0e-2c289b57997f", + "isMetric": false, + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "99506e16-3731-44c2-a579-f571400f82c8", + "isMetric": true, + "isTransposed": false + } + ], + "layerId": "8dee74b4-7c7a-42dd-a9ef-0f9ca69c76e3", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 16, + "i": "1a4f1689-e183-4d45-86fd-0886214823cf", + "w": 20, + "x": 28, + "y": 30 + }, + "panelIndex": "1a4f1689-e183-4d45-86fd-0886214823cf", + "title": "Top 10 Audit Action [Logs Vectra 
RUX]", + "type": "lens" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + } + }, + "gridData": { + "h": 19, + "i": "3dfe93bb-441f-4853-8c93-c86a48cf1317", + "w": 48, + "x": 0, + "y": 46 + }, + "panelIndex": "3dfe93bb-441f-4853-8c93-c86a48cf1317", + "panelRefName": "panel_3dfe93bb-441f-4853-8c93-c86a48cf1317", + "title": "Audit details [Logs Vectra RUX]", + "type": "search" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-8d4ac931-aa9c-4304-a240-664e05721fe2", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "8d4ac931-aa9c-4304-a240-664e05721fe2": { + "columnOrder": [ + "ad43b74d-6962-469b-9c68-40dc852fa5a4" + ], + "columns": { + "ad43b74d-6962-469b-9c68-40dc852fa5a4": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Audit Events", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "event.outcome" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "8d4ac931-aa9c-4304-a240-664e05721fe2", + "layerType": "data", + "metricAccessor": "ad43b74d-6962-469b-9c68-40dc852fa5a4" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", 
+ "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 5, + "i": "41e0fbc0-3f53-453c-b551-8f320a6c33c2", + "w": 10, + "x": 7, + "y": 0 + }, + "panelIndex": "41e0fbc0-3f53-453c-b551-8f320a6c33c2", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f7e92cdc-edf9-4832-9e16-96b2089d5899", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5b8ac4d6-c50e-40f9-9f9d-833ce763cca5", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "f7e92cdc-edf9-4832-9e16-96b2089d5899": { + "columnOrder": [ + "d56798a6-d5fb-4e38-85a7-7174b68760c8" + ], + "columns": { + "d56798a6-d5fb-4e38-85a7-7174b68760c8": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Audit Success", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "event.outcome" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.outcome", + "index": "5b8ac4d6-c50e-40f9-9f9d-833ce763cca5", + "key": "event.outcome", + "negate": false, + "params": { + "query": "success" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.outcome": "success" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#54B399", + "layerId": "f7e92cdc-edf9-4832-9e16-96b2089d5899", + "layerType": "data", + "metricAccessor": "d56798a6-d5fb-4e38-85a7-7174b68760c8", + "showBar": false + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": 
{ + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.outcome", + "index": "logs-*", + "key": "event.outcome", + "negate": false, + "params": { + "query": "success" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.outcome": "success" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 5, + "i": "0d95f0aa-fe8f-49dc-b57d-755350637459", + "w": 10, + "x": 7, + "y": 5 + }, + "panelIndex": "0d95f0aa-fe8f-49dc-b57d-755350637459", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-c3965904-c75a-4efb-9bb5-93286dda5ca9", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "c3965904-c75a-4efb-9bb5-93286dda5ca9": { + "columnOrder": [ + "2688d9a9-b16b-4f1c-8fce-c3ed43f536c4" + ], + "columns": { + "2688d9a9-b16b-4f1c-8fce-c3ed43f536c4": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Audit Failure", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "event.outcome" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.outcome", + "index": "logs-*", + "key": "event.outcome", + "negate": false, + "params": { + 
"query": "failure" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.outcome": "failure" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#CC5642", + "layerId": "c3965904-c75a-4efb-9bb5-93286dda5ca9", + "layerType": "data", + "metricAccessor": "2688d9a9-b16b-4f1c-8fce-c3ed43f536c4" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.outcome", + "index": "logs-*", + "key": "event.outcome", + "negate": false, + "params": { + "query": "failure" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.outcome": "failure" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 5, + "i": "4a7d9325-cf4d-4a07-9136-5acf9e2302a8", + "w": 10, + "x": 7, + "y": 10 + }, + "panelIndex": "4a7d9325-cf4d-4a07-9136-5acf9e2302a8", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-27f645bc-451d-4d33-b3a5-912bd8b81617", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "27f645bc-451d-4d33-b3a5-912bd8b81617": { + "columnOrder": [ + "27abd00e-fcc8-4f10-a870-c0963bad71f9", + "48ff8f8d-dbff-4370-b5bf-9cd07610b31a" + ], + "columns": { + "27abd00e-fcc8-4f10-a870-c0963bad71f9": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + 
"48ff8f8d-dbff-4370-b5bf-9cd07610b31a": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "Linear", + "layers": [ + { + "accessors": [ + "48ff8f8d-dbff-4370-b5bf-9cd07610b31a" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "27f645bc-451d-4d33-b3a5-912bd8b81617", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "27abd00e-fcc8-4f10-a870-c0963bad71f9" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": false + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide", + "yTitle": "Count" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "246ce9bc-4f9e-43be-9273-b6b04119bd00", + "w": 31, + "x": 17, + "y": 0 + }, + "panelIndex": "246ce9bc-4f9e-43be-9273-b6b04119bd00", + "title": "Audit Events Over Time [Logs Vectra RUX]", + "type": "lens" + } + ], + "timeRestore": 
false, + "title": "[Logs Vectra RUX] Audit", + "version": 3 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-04-22T08:03:51.086Z", + "id": "vectra_rux-ccfcc72d-78f4-4337-b542-de333bef5cf8", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "vectra_rux-648e1825-c198-4bf0-ba1d-ee1c11ebd84f", + "name": "3dfe93bb-441f-4853-8c93-c86a48cf1317:panel_3dfe93bb-441f-4853-8c93-c86a48cf1317", + "type": "search" + }, + { + "id": "logs-*", + "name": "00168d5a-ff6f-4800-adb0-4a8228d18f45:indexpattern-datasource-layer-fd45bbf1-3441-48f2-abdd-2c6f0f714c81", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b7da360e-3374-4920-9f61-43047c9835bd:indexpattern-datasource-layer-1a96965b-6398-4daf-a0b9-17ac28d17bd0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5b4af6e9-2885-4d16-b0a0-11feb9c303f1:indexpattern-datasource-layer-7be582e8-b72d-41b4-a016-260369ebca3c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1a4f1689-e183-4d45-86fd-0886214823cf:indexpattern-datasource-layer-8dee74b4-7c7a-42dd-a9ef-0f9ca69c76e3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "41e0fbc0-3f53-453c-b551-8f320a6c33c2:indexpattern-datasource-layer-8d4ac931-aa9c-4304-a240-664e05721fe2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0d95f0aa-fe8f-49dc-b57d-755350637459:indexpattern-datasource-layer-f7e92cdc-edf9-4832-9e16-96b2089d5899", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0d95f0aa-fe8f-49dc-b57d-755350637459:5b8ac4d6-c50e-40f9-9f9d-833ce763cca5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4a7d9325-cf4d-4a07-9136-5acf9e2302a8:indexpattern-datasource-layer-c3965904-c75a-4efb-9bb5-93286dda5ca9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"246ce9bc-4f9e-43be-9273-b6b04119bd00:indexpattern-datasource-layer-27f645bc-451d-4d33-b3a5-912bd8b81617", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_8dabc663-c890-4fb0-b172-91c0859c1df0:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_00957340-b2f6-4c03-a34c-8eb581376fd9:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "10.2.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} \ No newline at end of file diff --git a/packages/vectra_rux/kibana/search/vectra_rux-3160e56b-1190-4e05-be6d-5beb3b5bf8a5.json b/packages/vectra_rux/kibana/search/vectra_rux-3160e56b-1190-4e05-be6d-5beb3b5bf8a5.json new file mode 100644 index 00000000000..9cd485a10d5 --- /dev/null +++ b/packages/vectra_rux/kibana/search/vectra_rux-3160e56b-1190-4e05-be6d-5beb3b5bf8a5.json 
@@ -0,0 +1,49 @@ +{ + "attributes": { + "columns": [ + "vectra_rux.health.sensors.id", + "observer.name", + "observer.ip", + "vectra_rux.health.connectivity.sensors.status", + "observer.version", + "vectra_rux.health.connectivity.sensors.error", + "vectra_rux.health.trafficdrop.sensors.status", + "vectra_rux.health.trafficdrop.sensors.error" + ], + "description": "", + "grid": {}, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"vectra_rux.health\" " + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "timeRestore": false, + "title": "Sensors Essential Details [Logs Vectra RUX]" + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-04-22T09:23:13.920Z", + "id": "vectra_rux-3160e56b-1190-4e05-be6d-5beb3b5bf8a5", + "managed": true, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search", + "typeMigrationVersion": "10.5.0" +} \ No newline at end of file diff --git a/packages/vectra_rux/kibana/search/vectra_rux-648e1825-c198-4bf0-ba1d-ee1c11ebd84f.json b/packages/vectra_rux/kibana/search/vectra_rux-648e1825-c198-4bf0-ba1d-ee1c11ebd84f.json new file mode 100644 index 00000000000..dc966f4e722 --- /dev/null +++ b/packages/vectra_rux/kibana/search/vectra_rux-648e1825-c198-4bf0-ba1d-ee1c11ebd84f.json 
@@ -0,0 +1,67 @@ +{ + "attributes": { + "columns": [ + "user.id", + "user.name", + "user.roles", + "event.outcome", + "message" + ], + "description": "", + "grid": { + "columns": {} + }, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "fields": [ + { + "field": "*", + "include_unmapped": true + } + ], + "filter": [], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"vectra_rux.audit\" " + }, + "sort": [ + { + "@timestamp": { + "format": "strict_date_optional_time", + "order": "desc" + } + }, + { + "_doc": "desc" + } + ] + } + }, + "rowsPerPage": 10, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "timeRestore": false, + "title": "Audit details [Logs Vectra RUX]" + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-04-22T07:16:57.836Z", + "id": "vectra_rux-648e1825-c198-4bf0-ba1d-ee1c11ebd84f", + "managed": true, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search", + "typeMigrationVersion": "10.5.0" +} \ No newline at end of file diff --git a/packages/vectra_rux/kibana/search/vectra_rux-7180cae3-1a55-4e7a-a010-e7987dbdbd67.json b/packages/vectra_rux/kibana/search/vectra_rux-7180cae3-1a55-4e7a-a010-e7987dbdbd67.json new file mode 100644 index 00000000000..8a151a2bdfb --- /dev/null +++ b/packages/vectra_rux/kibana/search/vectra_rux-7180cae3-1a55-4e7a-a010-e7987dbdbd67.json 
@@ -0,0 +1,74 @@ +{ + "attributes": { + "columns": [ + "vectra_rux.lockdown.entity_name", + "vectra_rux.lockdown.type", + "user.name", + "event.start", + "event.end" + ], + "description": "", + "grid": {}, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "vectra_rux.lockdown" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "vectra_rux.lockdown" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "timeRestore": false, + "title": "Lockdown Essential Details [Logs Vectra RUX]" + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-04-21T09:58:10.644Z", + "id": "vectra_rux-7180cae3-1a55-4e7a-a010-e7987dbdbd67", + "managed": true, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "typeMigrationVersion": "10.5.0" +} \ No newline at end of file diff --git a/packages/vectra_rux/kibana/search/vectra_rux-7ba8318c-2c41-4c43-af81-c35d599b6c74.json b/packages/vectra_rux/kibana/search/vectra_rux-7ba8318c-2c41-4c43-af81-c35d599b6c74.json new file mode 100644 index 00000000000..7ba6aa13eac --- /dev/null +++ b/packages/vectra_rux/kibana/search/vectra_rux-7ba8318c-2c41-4c43-af81-c35d599b6c74.json 
@@ -0,0 +1,80 @@ +{ + "attributes": { + "columns": [ + "user.id", + "host.id", + "event.id", + "vectra_rux.detection_event.type", + "threat.tactic.name", + "vectra_rux.detection_event.detection.type", + "user.risk.calculated_score", + "host.risk.calculated_score", + "vectra_rux.detection_event.triaged", + "event.severity", + "vectra_rux.detection_event.certainty" + ], + "description": "", + "grid": {}, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "vectra_rux.detection_event" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "vectra_rux.detection_event" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "timeRestore": false, + "title": "Detection Event Essential Details [Logs Vectra RUX]" + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-04-22T07:16:57.836Z", + "id": "vectra_rux-7ba8318c-2c41-4c43-af81-c35d599b6c74", + "managed": true, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "typeMigrationVersion": "10.5.0" +} \ No newline at end of file diff --git a/packages/vectra_rux/kibana/search/vectra_rux-fad8d0ee-bc58-43cd-a949-b0f0cf975256.json b/packages/vectra_rux/kibana/search/vectra_rux-fad8d0ee-bc58-43cd-a949-b0f0cf975256.json new file mode 100644 index 00000000000..052f0bf732f 
--- /dev/null +++ b/packages/vectra_rux/kibana/search/vectra_rux-fad8d0ee-bc58-43cd-a949-b0f0cf975256.json @@ -0,0 +1,83 @@ +{ + "attributes": { + "columns": [ + "event.id", + "user.id", + "host.id", + "user.email", + "host.name", + "vectra_rux.entity_event.type", + "vectra_rux.entity_event.is_prioritized", + "event.severity", + "vectra_rux.entity_event.urgency.score", + "vectra_rux.entity_event.attack_rating", + "vectra_rux.entity_event.category", + "vectra_rux.entity_event.importance", + "vectra_rux.entity_event.last_detection.id", + "vectra_rux.entity_event.last_detection.type" + ], + "description": "", + "grid": {}, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "vectra_rux.entity_event" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "vectra_rux.entity_event" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "timeRestore": false, + "title": "Entity Event Essential Details [Logs Vectra RUX]" + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-04-21T09:58:10.644Z", + "id": "vectra_rux-fad8d0ee-bc58-43cd-a949-b0f0cf975256", + "managed": true, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "typeMigrationVersion": "10.5.0" +} \ No newline at end of file 
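Review bot: `"description": ""` is left empty on this saved search (the lockdown and detection-event searches earlier in the patch have the same empty field); give each object a one-line description of what its columns show, for example `"description": "Entity scoring events with urgency score, attack rating and last detection per user or host"`, so the objects are self-explanatory in the Kibana saved-objects list. The `references` entries point at the `logs-*` index pattern while the filter pins `data_stream.dataset` to `vectra_rux.entity_event`, which is the usual shape for a managed integration search and looks correct.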
diff --git a/packages/vectra_rux/manifest.yml b/packages/vectra_rux/manifest.yml new file mode 100644 index 00000000000..e0a6e02212f --- /dev/null +++ b/packages/vectra_rux/manifest.yml 
@@ -0,0 +1,116 @@ +format_version: 3.3.2 +name: vectra_rux +title: "Vectra RUX" +version: 0.1.0 +description: "Collect logs from Vectra RUX with Elastic Agent." +type: integration +categories: + - security + - edr_xdr +conditions: + kibana: + version: "^8.18.0 || ^9.0.0" + elastic: + subscription: "basic" +screenshots: + - src: /img/audit-dashboard.png + title: Audit Dashboard + size: 600x600 + type: image/png + - src: /img/detection-event-dashboard.png + title: Detection Event Dashboard + size: 600x600 + type: image/png + - src: /img/entity-event-dashboard.png + title: Entity Event Dashboard + size: 600x600 + type: image/png + - src: /img/health-dashboard.png + title: Health Dashboard + size: 600x600 + type: image/png + - src: /img/lockdown-dashboard.png + title: Lockdown Dashboard + size: 600x600 + type: image/png +icons: + - src: /img/vectra_rux-logo.svg + title: Vectra RUX logo + size: 32x32 + type: image/svg+xml +policy_templates: + - name: vectra_rux + title: Vectra RUX + description: Collect logs from Vectra RUX. + deployment_modes: + default: + enabled: true + agentless: + enabled: true + organization: security + division: engineering + team: security-service-integrations + inputs: + - type: cel + title: Collect Vectra RUX logs via API + description: Collecting Vectra RUX logs via API. + vars: + - name: url + type: text + title: URL + description: Base URL of the Vectra RUX API. + required: true + show_user: true + - name: client_id + type: text + title: Client ID + description: Client ID of the Vectra RUX API. + required: true + show_user: true + secret: true + - name: client_secret + type: password + title: Client Secret + description: Client Secret of the Vectra RUX API. + required: true + show_user: true + secret: true + - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http[s]://:@:. 
Please ensure your username and password are in URL encoded format. + - name: ssl + type: yaml + title: SSL Configuration + description: SSL configuration options. + multi: false + required: false + show_user: false + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # -----END CERTIFICATE----- +owner: + github: elastic/security-service-integrations + type: elastic diff --git a/packages/vectra_rux/validation.yml b/packages/vectra_rux/validation.yml new file mode 100644 index 00000000000..0d5da503363 --- /dev/null +++ b/packages/vectra_rux/validation.yml @@ -0,0 +1,4 @@ +errors: + exclude_checks: + - SVR00004 # References in dashboards. + - SVR00005 # Kibana version for saved tags.
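Review bot: the `proxy_url` description in the manifest hunk reads `URL to proxy connections in the form of http[s]://:@:.` as rendered here, i.e. the placeholder names between the separators are absent; confirm the committed text carries the usual `http[s]://<user>:<password>@<host>:<port>` form, because this field accepts embedded credentials, is hidden behind `show_user: false`, and the only hint users get is that the username and password must be URL encoded. Two smaller points on the same hunk: `client_id` is `type: text` with `secret: true` while `client_secret` is `type: password` with `secret: true`, which is acceptable but worth a short comment if the asymmetry is intentional; and the `ssl` default is a fully commented-out sample `certificate_authorities` block with no other guidance, so the description `SSL configuration options.` could say that this is where a private CA is supplied when the Vectra RUX endpoint is not signed by a public CA.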
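Review bot: in the validation.yml hunk, `exclude_checks` disables `SVR00004` and `SVR00005` with only the short labels `References in dashboards.` and `Kibana version for saved tags.`; expand each comment to say why the exclusion is needed for this package (which saved objects carry the references that trip SVR00004, and whether the saved-tag Kibana-version check is already covered by the manifest's `kibana.version: "^8.18.0 || ^9.0.0"` constraint for SVR00005), so the exclusions can be revisited when the minimum supported Kibana version moves.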