diff --git a/packages/beaconing/changelog.yml b/packages/beaconing/changelog.yml index 2264a7d1711..b8b89aa2a63 100644 --- a/packages/beaconing/changelog.yml +++ b/packages/beaconing/changelog.yml @@ -1,3 +1,8 @@ +- version: "1.5.4" + changes: + - description: Readme improvement + type: enhancement + link: https://github.com/elastic/integrations/pull/17626 - version: "1.5.3" changes: - description: Update documentation for blogs diff --git a/packages/beaconing/docs/README.md b/packages/beaconing/docs/README.md index fac74c2f0bb..27d7a17ba81 100644 --- a/packages/beaconing/docs/README.md +++ b/packages/beaconing/docs/README.md @@ -32,9 +32,9 @@ The following blog provides additional context. For the most current installatio To inspect the installed assets, you can navigate to **Stack Management > Data > Transforms**. -| Transform name | Purpose | Source index | Destination index | Alias | Supported Platforms | -|---------------------------|----------------------------------------------|--------------|-------------------------|------------------|-----------------------| -| beaconing.pivot_transform | Flags beaconing activity in your environment | logs-* | ml_beaconing-[version] | ml_beaconing.all | Linux, macOS, Windows | +| Transform name | Purpose | Source index | Destination index | Alias | Supported Platform | Event Category | +|---------------------------|----------------------------------------------|--------------|------------------------|------------------|-----------------------|----------------| +| beaconing.pivot_transform | Flags beaconing activity in your environment | logs-* | ml_beaconing-[version] | ml_beaconing.all | Linux, macOS, Windows | network | When querying the destination index to enquire about beaconing activities, we advise using the alias for the destination index (`ml_beaconing.all`). In the event that the underlying package is upgraded, the alias will aid in maintaining the previous findings. 
diff --git a/packages/beaconing/elasticsearch/transform/pivot_transform/transform.yml b/packages/beaconing/elasticsearch/transform/pivot_transform/transform.yml
index 8e45bffa588..c381ef0f566 100644
--- a/packages/beaconing/elasticsearch/transform/pivot_transform/transform.yml
+++ b/packages/beaconing/elasticsearch/transform/pivot_transform/transform.yml
@@ -1,6 +1,6 @@
 dest:
-  index: ml_beaconing-1.5.3
-  pipeline: 1.5.3-ml_beaconing_ingest_pipeline
+  index: ml_beaconing-1.5.4
+  pipeline: 1.5.4-ml_beaconing_ingest_pipeline
   aliases:
     - alias: ml_beaconing.latest
       move_on_creation: true
@@ -394,5 +394,5 @@ sync:
   delay: 120s
   field: "@timestamp"
 _meta:
-  fleet_transform_version: 1.5.3
+  fleet_transform_version: 1.5.4
 run_as_kibana_system: false
diff --git a/packages/beaconing/manifest.yml b/packages/beaconing/manifest.yml
index 6666e4bff5b..cc792732bc6 100644
--- a/packages/beaconing/manifest.yml
+++ b/packages/beaconing/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.0
 name: beaconing
 title: "Network Beaconing Identification"
-version: 1.5.3
+version: 1.5.4
 source:
   license: "Elastic-2.0"
 description: "Package to identify beaconing activity in your network events."
diff --git a/packages/ded/changelog.yml b/packages/ded/changelog.yml
index b2fafdd0d35..d6d5e02cea4 100644
--- a/packages/ded/changelog.yml
+++ b/packages/ded/changelog.yml
@@ -1,3 +1,8 @@
+- version: "3.0.0"
+  changes:
+    - description: Adds new fields for entity resolution with Entity Analytics in Elastic Stack 9.4. Includes new ML jobs, transforms, and dashboards.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/17626
 - version: "2.4.2"
   changes:
     - description: Update documentation for blogs/data views
diff --git a/packages/ded/docs/README.md b/packages/ded/docs/README.md
index 4a79d69ea29..f3719259f72 100644
--- a/packages/ded/docs/README.md
+++ b/packages/ded/docs/README.md
@@ -10,15 +10,15 @@ The following blog provides additional context. For the most current installatio - [Detect data exfiltration activity with Kibana’s new integration](https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration) ## Installation -1. **Upgrading**: If upgrading from a version below v2.0.0, see the section v2.0.0 and beyond. +1. **Upgrading**: If upgrading from a version below v3.0.0, see the section v3.0.0 and beyond. 1. **Add the Integration Package**: Install the package via **Management > Integrations > Add Data Exfiltration Detection**. Configure the integration name and agent policy. Click Save and Continue. (Note that this integration does not rely on an agent, and can be assigned to a policy without an agent.) 1. **Install assets**: Install the assets by clicking **Settings > Install Data Exfiltration Detection assets**. -1. **Check the health of the transform**: The transform is scheduled to run every 30 minutes. This transform creates the index `ml_network_ded-`. To check the health of the transform go to **Management > Stack Management > Data > Transforms** under `logs-ded.pivot_transform-default-`. Follow the instructions under the header `Customize Data Exfiltration Detection Transform` below to adjust filters based on your environment's needs. -1. **Create data views for anomaly detection jobs**: This package contains anomaly detection jobs that work on network events (e.g. `logs-endpoint.events.network-*`) and file events (`logs-endpoint.events.file-*`) respectively. See the _Anomaly Detection Jobs_ section below for more details. _Tip: If you only have one of the above data sources (network or file), you can only follow the steps pertaining to that index._ A separate designated index (`ml_network_ded.all`) collects network logs from a transform. Before enabling the anomaly detection jobs, create a data view with both index patterns. +1. 
**Check the health of the transform**: The transform is scheduled to run every 30 minutes. This transform creates the index `ml_network_ded_ea-`. To check the health of the transform go to **Management > Stack Management > Data > Transforms** under `logs-ded.pivot_transform_ea-default-`. Follow the instructions under the header `Customize Data Exfiltration Detection Transform` below to adjust filters based on your environment's needs. +1. **Create data views for anomaly detection jobs**: This package contains anomaly detection jobs that work on network events (e.g. `logs-endpoint.events.network-*`) and file events (`logs-endpoint.events.file-*`) respectively. See the _Anomaly Detection Jobs_ section below for more details. _Tip: If you only have one of the above data sources (network or file), you can only follow the steps pertaining to that index._ A separate designated index (`ml_network_ded_ea.all`) collects network logs from a transform. Before enabling the anomaly detection jobs, create a data view with both index patterns. 1. Go to **Stack Management > Kibana > Data Views** and click **Create data view**. - 1. Enter the name of your respective index patterns in the **Index pattern** box, i.e., `logs-endpoint.events.file-*`, `logs-endpoint.events.network-*` (depending which one(s) you have), `ml_network_ded.all`, and copy the same in the **Name** field. + 1. Enter the name of your respective index patterns in the **Index pattern** box, i.e., `logs-endpoint.events.file-*`, `logs-endpoint.events.network-*` (depending on which one(s) you have), `ml_network_ded_ea.all`, and copy the same in the **Name** field. 1. Select `@timestamp` under the **Timestamp** field and click on **Save data view to Kibana**. - 1. Use the new data view (`logs-endpoint.events.network-*`, `logs-endpoint.events.file-*`, `ml_network_ded.all`) to create anomaly detection jobs for this package. + 1. 
Use the new data view (`logs-endpoint.events.network-*`, `logs-endpoint.events.file-*`, `ml_network_ded_ea.all`) to create anomaly detection jobs for this package. 1. **Add preconfigured anomaly detection jobs**: In **Stack Management -> Anomaly Detection Jobs**, you will see **Select data view or saved search**. Select the data view created in the previous step. Then under `Use preconfigured jobs` you will see **Data Exfiltration Detection**. If you do not see this card, events must be ingested from a source that matches the query specified in the [ded-ml file](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json#L10), such as Elastic Defend. When you select the card, you will see pre-configured anomaly detection jobs that you can create depending on what makes the most sense for your environment. If you are using Elastic Defend to collect events, file events are in `logs-endpoint.events.file-*` and network events in `logs-endpoint.events.network-*`. If you are only collecting file or network events, select only the relevant jobs at this step. 1. **Data view configuration for Dashboards**: For the dashboard to work as expected, the following settings need to be configured in Kibana. 1. You have started the above anomaly detection jobs. 
@@ -31,7 +31,10 @@ The following blog provides additional context. For the most current installatio _**Warning**_: When creating the data views for the dashboards, ensure that the `Custom data view ID` is set to the value specified above and is not left empty. Omitting or misconfiguring this field may result in broken visualizations, as illustrated by the error message below. ![Dashboard Error](../img/dashboard-ded-error.png) -1. **Enable detection rules**: You can also enable detection rules to alert on Data Exfiltration activity in your environment, based on anomalies flagged by the above ML jobs. As of version 2.0.0 of this package, these rules are available as part of the Detection Engine, and can be found using the tag `Use Case: Data Exfiltration Detection`. See this [documentation](https://www.elastic.co/guide/en/security/current/prebuilt-rules-management.html#load-prebuilt-rules) for more information on importing and enabling the rules. + +### Enable detection rules + +You can also enable detection rules to alert on Data Exfiltration activity in your environment, based on anomalies flagged by the above ML jobs. As of version 2.0.0 of this package, these rules are available as part of the Detection Engine, and can be found using the tag `Use Case: Data Exfiltration Detection`. See this [documentation](https://www.elastic.co/guide/en/security/current/prebuilt-rules-management.html#load-prebuilt-rules) for more information on importing and enabling the rules. ![Data Exfiltration Detection Rules](../img/dedrules.png) *In Security > Rules, filtering with the “Use Case: Data Exfiltration Detection” tag* 
@@ -40,20 +43,20 @@ The following blog provides additional context. For the most current installatio To inspect the installed assets, you can navigate to **Stack Management > Data > Transforms**. -| Transform name | Purpose | Source index | Destination index | Alias | -| ------------------- | ------------------------------------------- | ------------ | ------------------------ | ------------------ | -| ded.pivot_transform | Collects network logs from your environment | logs-* | ml_network_ded-[version] | ml_network_ded.all | +| Transform name | Purpose | Source index | Destination index | Alias | Supported Platform | Event Category | +|------------------------|---------------------------------------------|--------------|-----------------------------|-----------------------|--------------------|----------------| +| ded.pivot_transform_ea | Collects network logs from your environment | logs-* | ml_network_ded_ea-[version] | ml_network_ded_ea.all | Linux, Windows | network | **Note**: The transform applies only to network data and does not currently support macOS network logs. -When querying the destination index (`ml_network_ded-`) for network logs, we advise using the alias for the destination index (`ml_network_ded.all`). In the event that the underlying package is upgraded, the alias will aid in maintaining the previous findings. +When querying the destination index (`ml_network_ded_ea-`) for network logs, we advise using the alias for the destination index (`ml_network_ded_ea.all`). In the event that the underlying package is upgraded, the alias will aid in maintaining the previous findings. ## Customize Data Exfiltration Detection Transform To customize filters in the Data Exfiltration Detection transform, follow the below steps. You can use these instructions to update basic settings or to update filters for fields such as `process.name`, `source.ip`, `destination.ip`, and others. 1. 
To update settings such as retention policy, frequency, or destination configuration, stop the transform, click **Edit** from the **Actions** bar, make the required changes, and start the transform again. ![Data Exfiltration Detection transform](../img/ded_transform_update.png) -1. To update the query filters, go to **Stack Management > Data > Transforms > `logs-ded.pivot_transform-default-`**. +1. To update the query filters, go to **Stack Management > Data > Transforms > `logs-ded.pivot_transform_ea-default-`**. 1. Click on the **Actions** bar at the far right of the transform and select the **Clone** option. ![Data Exfiltration Detection transform](../img/ded_transform_1.png) 1. In the new **Clone transform** window, go to the **Search filter** and update any field values you want to add or remove. Click on the **Apply changes** button on the right side to save these changes. **Note:** The image below shows an example of filtering a new `process.name` as `explorer.exe`. You can follow a similar example and update the field value list based on your environment to help reduce noise and potential false positives. 
@@ -69,15 +72,15 @@ After the data view for the dashboard is configured, the **Data Exfiltration Det ### Anomaly Detection Jobs -| Job | Description | Supported Platform | Event Category | -| ---------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ | ------------------ | ----- | -| ded_high_sent_bytes_destination_geo_country_iso_code | Detects data exfiltration to an unusual geo-location (by country iso code). | Linux, Windows | network | -| ded_high_sent_bytes_destination_ip | Detects data exfiltration to an unusual geo-location (by IP address). | Linux, Windows | network | -| ded_high_sent_bytes_destination_port | Detects data exfiltration to an unusual destination port. | Linux, Windows | network | -| ded_high_sent_bytes_destination_region_name | Detects data exfiltration to an unusual geo-location (by region name). | Linux, Windows | network | -| ded_high_bytes_written_to_external_device | Detects data exfiltration activity by identifying high bytes written to an external device. | Windows | file | -| ded_rare_process_writing_to_external_device | Detects data exfiltration activity by identifying a writing event started by a rare process to an external device. | Windows | file | -| ded_high_bytes_written_to_external_device_airdrop | Detects data exfiltration activity by identifying high bytes written to an external device via Airdrop. | macOS | file | +| Job | Description | Supported Platform | Event Category | +|---------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------|--------------------|----------------| +| ded_high_sent_bytes_destination_geo_country_iso_code_ea | Detects data exfiltration to an unusual geo-location (by country iso code). 
| Linux, Windows | network | +| ded_high_sent_bytes_destination_ip_ea | Detects data exfiltration to an unusual geo-location (by IP address). | Linux, Windows | network | +| ded_high_sent_bytes_destination_port_ea | Detects data exfiltration to an unusual destination port. | Linux, Windows | network | +| ded_high_sent_bytes_destination_region_name_ea | Detects data exfiltration to an unusual geo-location (by region name). | Linux, Windows | network | +| ded_high_bytes_written_to_external_device_ea | Detects data exfiltration activity by identifying high bytes written to an external device. | Windows | file | +| ded_rare_process_writing_to_external_device_ea | Detects data exfiltration activity by identifying a writing event started by a rare process to an external device. | Windows | file | +| ded_high_bytes_written_to_external_device_airdrop_ea | Detects data exfiltration activity by identifying high bytes written to an external device via Airdrop. | macOS | file | ## Customize ML jobs for Data Exfiltration Detection 
@@ -96,6 +99,41 @@ To customize the datafeed query and other settings such as model memory limit, f ![Data Exfiltration Detection jobs](../img/ded_ml_job_6.png) 1. Finally, assign a new Job ID, and click on **Create job**, and start the datafeed to apply the updated settings. +## v3.0.0 and beyond + +v3.0.0 of this package requires Elastic Stack version 9.4 or later. It introduces support for Entity Analytics (EA), adding new fields for proper entity resolution. + +- This package installs new ML jobs which include `_ea` suffix in their names, as outlined below. New transforms and detection rules are also included. +- Previously installed ML jobs, transforms, and rules will continue to run, allowing time to transition to the new Entity Analytics assets. +- **Important**: We recommend installing the new ML jobs and transforms and verifying that they are properly set up, collecting data, and generating anomalies **before** deleting the old jobs and upgrading to the new version of the detection rules available in 9.4. The new detection rules reference ML job IDs with the `_ea` suffix and are not compatible with older versions of the jobs. +- The new Entity Analytics transforms write to separate destination indices postfixed with `_ea`. Create a new data view for the Entity Analytics anomaly detection jobs using the new destination indices/aliases listed below. Do not mix old and new transform destination indices in the same data view. +- New dashboards are available in this version with the suffix "(Entity Analytics)" in the title. If you are still running jobs or transforms from before this version, the original dashboards without the suffix remain available. 
+ +The new Entity Analytics ML job IDs are: +- `ded_high_sent_bytes_destination_geo_country_iso_code_ea` +- `ded_high_sent_bytes_destination_ip_ea` +- `ded_high_sent_bytes_destination_port_ea` +- `ded_high_sent_bytes_destination_region_name_ea` +- `ded_high_bytes_written_to_external_device_ea` +- `ded_rare_process_writing_to_external_device_ea` +- `ded_high_bytes_written_to_external_device_airdrop_ea` + +The new Entity Analytics transforms are: +- `ded.pivot_transform_ea` → destination index: `ml_network_ded_ea-3.0.0`, alias: `ml_network_ded_ea.latest`, `ml_network_ded_ea.all` + +After confirming the new Entity Analytics ML jobs and transforms are running correctly, you can remove the following deprecated assets that have been superseded by the new Entity Analytics versions (Elastic stack 9.4+): + +- Delete old ML jobs: Navigate to **Stack Management -> Anomaly Detection Jobs** and delete the following jobs: + - `ded_high_sent_bytes_destination_geo_country_iso_code` + - `ded_high_sent_bytes_destination_ip` + - `ded_high_sent_bytes_destination_port` + - `ded_high_sent_bytes_destination_region_name` + - `ded_high_bytes_written_to_external_device` + - `ded_rare_process_writing_to_external_device` + - `ded_high_bytes_written_to_external_device_airdrop` +- Delete old transforms: Navigate to **Stack Management -> Data -> Transforms** and delete: + - `ded.pivot_transform` + ## v2.0.0 and beyond v2.0.0 of the package introduces breaking changes, namely deprecating detection rules from the package. To continue receiving updates to Data Exfiltration Detection, we recommend upgrading to v2.0.0 after doing the following: 
diff --git a/packages/ded/elasticsearch/transform/pivot_transform/fields/fields.yml b/packages/ded/elasticsearch/transform/pivot_transform_ea/fields/fields.yml
similarity index 81%
rename from packages/ded/elasticsearch/transform/pivot_transform/fields/fields.yml
rename to packages/ded/elasticsearch/transform/pivot_transform_ea/fields/fields.yml
index 7a22b3eef3a..50e5414aef9 100644
--- a/packages/ded/elasticsearch/transform/pivot_transform/fields/fields.yml
+++ b/packages/ded/elasticsearch/transform/pivot_transform_ea/fields/fields.yml
@@ -1,7 +1,13 @@
 - external: ecs
   name: host.name
+- external: ecs
+  name: host.id
 - external: ecs
   name: user.name
+- external: ecs
+  name: user.id
+- external: ecs
+  name: event.module
 - external: ecs
   name: event.category
 - external: ecs
@@ -27,4 +33,4 @@
 - external: ecs
   name: destination.geo.region_name
 - external: ecs
-  name: destination.geo.city_name
+  name: destination.geo.city_name
\ No newline at end of file
diff --git a/packages/ded/elasticsearch/transform/pivot_transform/transform.yml b/packages/ded/elasticsearch/transform/pivot_transform_ea/transform.yml
similarity index 88%
rename from packages/ded/elasticsearch/transform/pivot_transform/transform.yml
rename to packages/ded/elasticsearch/transform/pivot_transform_ea/transform.yml
index 83c8aa4b1ea..319d8504b44 100644
--- a/packages/ded/elasticsearch/transform/pivot_transform/transform.yml
+++ b/packages/ded/elasticsearch/transform/pivot_transform_ea/transform.yml
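Review bot: The second hunk of fields.yml drops the file's trailing newline — `\ No newline at end of file` appears only on the new side, on the otherwise unchanged `name: destination.geo.city_name` line — which is a whitespace regression that YAML linters flag and that will reappear as noise in the next diff touching this file; restore the final newline so the only change in that hunk is the rename. The three new `external: ecs` entries in the first hunk (`host.id`, `user.id`, `event.module`) follow the existing pattern and need no further change.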
@@ -1,12 +1,12 @@
 dest:
-  index: ml_network_ded-2.4.2
+  index: ml_network_ded_ea-3.0.0
   aliases:
-    - alias: ml_network_ded.latest
+    - alias: ml_network_ded_ea.latest
       move_on_creation: true
-    - alias: ml_network_ded.all
+    - alias: ml_network_ded_ea.all
       move_on_creation: false
-  pipeline: 2.4.2-ml_ded_ingest_pipeline
+  pipeline: 3.0.0-ml_ded_ingest_pipeline
 description: This transform runs every 30 minutes and collects network logs to detect data exfiltration in your environment for the past month up to the runtime.
 frequency: 30m
 pivot:
@@ -21,9 +21,18 @@ pivot:
     'host.name':
       terms:
         field: host.name
+    host.id:
+      terms:
+        field: host.id
     'user.name':
       terms:
         field: user.name
+    user.id:
+      terms:
+        field: user.id
+    event.module:
+      terms:
+        field: event.module
     'network.direction':
       terms:
         field: network.direction
@@ -94,5 +103,5 @@ sync:
   delay: 120s
   field: "@timestamp"
 _meta:
-  fleet_transform_version: 2.4.2
+  fleet_transform_version: 3.0.0
 run_as_kibana_system: false
diff --git a/packages/ded/kibana/dashboard/ded-ea-c0d7f060-7a6b-11ed-9b26-4bb95b2c57a6.json b/packages/ded/kibana/dashboard/ded-ea-c0d7f060-7a6b-11ed-9b26-4bb95b2c57a6.json
new file mode 100644
index 00000000000..7cbe381ad3c
--- /dev/null
+++ b/packages/ded/kibana/dashboard/ded-ea-c0d7f060-7a6b-11ed-9b26-4bb95b2c57a6.json
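Review bot: The three new `terms` group_by entries in the second transform.yml hunk (`host.id`, `user.id`, `event.module`) will silently exclude any source document that lacks one of those fields from the pivot output, because a transform `terms` group only emits buckets for documents where the field exists unless `missing_bucket: true` is set; network events that carry `host.name` but no `user.id` (typical for system or daemon traffic) would then never reach `ml_network_ded_ea-*` or the downstream anomaly jobs, narrowing detection coverage relative to the 2.x transform. If that narrowing is intended, say so in the `description:` scalar in the first hunk; otherwise add `missing_bucket: true` under each of the three new `terms:` blocks. Key quoting is also inconsistent now — the pre-existing entries are written `'host.name':` while the added ones are bare `host.id:`; both parse identically, so pick one form for the whole `group_by` map. The `group_by` mapping starts and ends outside this hunk.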
@@ -0,0 +1,57 @@ +{ + "attributes": { + "description": "This dashboard provides an overview of anomalies found for Data Exfiltration Detection package.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"(job_id: \\\"ded_high_sent_bytes_destination_geo_country_iso_code_ea\\\" or job_id: \\\"ded_high_bytes_written_to_external_device_airdrop_ea\\\" or job_id: \\\"ded_high_bytes_written_to_external_device_ea\\\" or job_id: \\\"ded_rare_process_writing_to_external_device_ea\\\" or job_id: \\\"ded_high_sent_bytes_destination_ip_ea\\\" or job_id : \\\"ded_high_sent_bytes_destination_port_ea\\\" or job_id: \\\"ded_high_sent_bytes_destination_region_name_ea\\\") \",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"result_type\",\"field\":\"result_type\",\"type\":\"phrase\",\"params\":{\"query\":\"record\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"result_type\":\"record\"}},\"$state\":{\"store\":\"appState\"}}]}" + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": 
"[{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":15,\"y\":0,\"w\":16,\"h\":8,\"i\":\"109fb1af-bae3-45a3-8284-8206b08ca0ca\"},\"panelIndex\":\"109fb1af-bae3-45a3-8284-8206b08ca0ca\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"name\":\"indexpattern-datasource-layer-7236397d-5baf-4a72-b0ca-eb888f30103b\",\"id\":\".ml-anomalies-shared\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"7236397d-5baf-4a72-b0ca-eb888f30103b\",\"accessor\":\"6c8e42f3-f21c-4c6b-b9a1-2d855f08ee8f\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"7236397d-5baf-4a72-b0ca-eb888f30103b\":{\"columns\":{\"6c8e42f3-f21c-4c6b-b9a1-2d855f08ee8f\":{\"label\":\"Total affected hosts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"6c8e42f3-f21c-4c6b-b9a1-2d855f08ee8f\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":8,\"w\":23,\"h\":15,\"i\":\"218d787c-8b8a-4c8d-9597-89fde21e354e\"},\"panelIndex\":\"218d787c-8b8a-4c8d-9597-89fde21e354e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"name\":\"indexpattern-datasource-layer-4abb92df-6c5d-4ff8-a859-fc293ce60e70\",\"id\":\".ml-anomalies-shared\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"b04943cf-244d-4202-a241-5016f157fcf3\",\"isTransposed\":false},{\"columnId\":\"632aca7c-068e-42ca-ad9b-0533ab38d466\",\"isTransposed\":false}],\"layerId\":\"4abb92df-6c5d-4ff8-a859-fc293ce60e70\",\"layerType\":\"data\"},\"query\":{\
"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4abb92df-6c5d-4ff8-a859-fc293ce60e70\":{\"columns\":{\"b04943cf-244d-4202-a241-5016f157fcf3\":{\"label\":\"host.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"632aca7c-068e-42ca-ad9b-0533ab38d466\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"}},\"customLabel\":true},\"632aca7c-068e-42ca-ad9b-0533ab38d466\":{\"label\":\"Number of anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"b04943cf-244d-4202-a241-5016f157fcf3\",\"632aca7c-068e-42ca-ad9b-0533ab38d466\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 20 Hosts Associated with Data Exfiltration 
Activity\"},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":23,\"y\":8,\"w\":25,\"h\":15,\"i\":\"b7d80672-3c60-441e-9edb-b05fa96e88d1\"},\"panelIndex\":\"b7d80672-3c60-441e-9edb-b05fa96e88d1\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"name\":\"indexpattern-datasource-layer-daaccc7d-bf90-4a63-848e-6181389ee601\",\"id\":\".ml-anomalies-shared\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"daaccc7d-bf90-4a63-848e-6181389ee601\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"baa67605-1ebc-418d-bd21-8254b22c0faf\"},{\"columnId\":\"acf8d722-a0dd-4eb9-9fac-1d784fc668fa\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"daaccc7d-bf90-4a63-848e-6181389ee601\":{\"columns\":{\"baa67605-1ebc-418d-bd21-8254b22c0faf\":{\"label\":\"process.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.name\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"acf8d722-a0dd-4eb9-9fac-1d784fc668fa\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"}},\"customLabel\":true},\"acf8d722-a0dd-4eb9-9fac-1d784fc668fa\":{\"label\":\"Number of anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"baa67605-1ebc-418d-bd21-8254b22c0faf\",\"acf8d722-a0dd-4eb9-9fac-1d784fc668fa\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 20 Processes Associated with Data Exfiltration 
Activity\"},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":23,\"w\":23,\"h\":15,\"i\":\"ff5d0e30-1f8f-4577-bd30-8458a3d3f93c\"},\"panelIndex\":\"ff5d0e30-1f8f-4577-bd30-8458a3d3f93c\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"name\":\"indexpattern-datasource-layer-d052422b-7069-4cc7-938c-a7802f3eb8cb\",\"id\":\".ml-anomalies-shared\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"d052422b-7069-4cc7-938c-a7802f3eb8cb\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"f3be7369-746c-4e7e-b75d-c431d55783ec\"},{\"columnId\":\"524a43f5-836a-4bca-9631-de7fa1e4335d\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"d052422b-7069-4cc7-938c-a7802f3eb8cb\":{\"columns\":{\"f3be7369-746c-4e7e-b75d-c431d55783ec\":{\"label\":\"host.name > user.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"524a43f5-836a-4bca-9631-de7fa1e4335d\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"multi_terms\"},\"secondaryFields\":[\"user.name\"]},\"customLabel\":true},\"524a43f5-836a-4bca-9631-de7fa1e4335d\":{\"label\":\"Number of anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"f3be7369-746c-4e7e-b75d-c431d55783ec\",\"524a43f5-836a-4bca-9631-de7fa1e4335d\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 20 User-Host Combinations Associated with Data Exfiltration 
Activity\"},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":23,\"y\":23,\"w\":25,\"h\":15,\"i\":\"cb0d405a-f0d2-4328-a3bc-d50e842749f3\"},\"panelIndex\":\"cb0d405a-f0d2-4328-a3bc-d50e842749f3\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsChoropleth\",\"type\":\"lens\",\"references\":[{\"name\":\"indexpattern-datasource-layer-f97661af-4480-48ea-85a1-33c65e062d97\",\"id\":\".ml-anomalies-shared\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"f97661af-4480-48ea-85a1-33c65e062d97\",\"layerType\":\"data\",\"regionAccessor\":\"6fac8510-1db9-4b36-bb2a-737f6782ef33\",\"valueAccessor\":\"178e2b00-2c49-4971-bd7b-f6acc6d00cf6\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"f97661af-4480-48ea-85a1-33c65e062d97\":{\"columns\":{\"6fac8510-1db9-4b36-bb2a-737f6782ef33\":{\"label\":\" destination.geo.country_iso_code\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"destination.geo.country_iso_code\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"178e2b00-2c49-4971-bd7b-f6acc6d00cf6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"}},\"customLabel\":true},\"178e2b00-2c49-4971-bd7b-f6acc6d00cf6\":{\"label\":\"Number of anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"6fac8510-1db9-4b36-bb2a-737f6782ef33\",\"178e2b00-2c49-4971-bd7b-f6acc6d00cf6\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 20 Geo Locations Associated with Data Exfiltration Activity by ISO 
Code\"},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":38,\"w\":48,\"h\":13,\"i\":\"c2a276c9-b22f-4791-afd6-e0eee9b6cc05\"},\"panelIndex\":\"c2a276c9-b22f-4791-afd6-e0eee9b6cc05\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-11e91ade-6c94-46e8-96e7-592f5e522898\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"fa763272-957c-4ed5-a494-8ee580023bcc\",\"isTransposed\":false},{\"columnId\":\"429585bf-154f-49ec-97cd-009752a01a59\",\"isTransposed\":false}],\"layerId\":\"11e91ade-6c94-46e8-96e7-592f5e522898\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"11e91ade-6c94-46e8-96e7-592f5e522898\":{\"columns\":{\"fa763272-957c-4ed5-a494-8ee580023bcc\":{\"label\":\"File name > File path > External device type\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"file.name\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"429585bf-154f-49ec-97cd-009752a01a59\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"multi_terms\"},\"secondaryFields\":[\"file.path\",\"file.Ext.device.bus_type\"]},\"customLabel\":true},\"429585bf-154f-49ec-97cd-009752a01a59\":{\"label\":\"Number of anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"fa763272-957c-4ed5-a494-8ee580023bcc\",\"429585bf-154f-49ec-97cd-009752a01a59\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 20 File names, File paths and 
External device type Combinations Associated with Data Exfiltration Activity\"}]",
+ "timeRestore": false,
+ "title": "Data Exfiltration Detection Dashboard (Entity Analytics)",
+ "version": 2
+ },
+ "coreMigrationVersion": "8.5.1",
+ "id": "ded-ea-c0d7f060-7a6b-11ed-9b26-4bb95b2c57a6",
+ "migrationVersion": {
+ "dashboard": "8.5.0"
+ },
+ "references": [
+ {
+ "id": ".ml-anomalies-shared",
+ "name": "109fb1af-bae3-45a3-8284-8206b08ca0ca:indexpattern-datasource-layer-7236397d-5baf-4a72-b0ca-eb888f30103b",
+ "type": "index-pattern"
+ },
+ {
+ "id": ".ml-anomalies-shared",
+ "name": "218d787c-8b8a-4c8d-9597-89fde21e354e:indexpattern-datasource-layer-4abb92df-6c5d-4ff8-a859-fc293ce60e70",
+ "type": "index-pattern"
+ },
+ {
+ "id": ".ml-anomalies-shared",
+ "name": "b7d80672-3c60-441e-9edb-b05fa96e88d1:indexpattern-datasource-layer-daaccc7d-bf90-4a63-848e-6181389ee601",
+ "type": "index-pattern"
+ },
+ {
+ "id": ".ml-anomalies-shared",
+ "name": "ff5d0e30-1f8f-4577-bd30-8458a3d3f93c:indexpattern-datasource-layer-d052422b-7069-4cc7-938c-a7802f3eb8cb",
+ "type": "index-pattern"
+ },
+ {
+ "id": ".ml-anomalies-shared",
+ "name": "cb0d405a-f0d2-4328-a3bc-d50e842749f3:indexpattern-datasource-layer-f97661af-4480-48ea-85a1-33c65e062d97",
+ "type": "index-pattern"
+ },
+ {
+ "id": ".ml-anomalies-shared",
+ "name": "c2a276c9-b22f-4791-afd6-e0eee9b6cc05:indexpattern-datasource-layer-11e91ade-6c94-46e8-96e7-592f5e522898",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/ded/kibana/ml_module/ded-ml.json b/packages/ded/kibana/ml_module/ded-ml.json
index 87abed1e946..b6d7476e082 100644
--- a/packages/ded/kibana/ml_module/ded-ml.json
+++ b/packages/ded/kibana/ml_module/ded-ml.json
@@ -49,7 +49,7 @@
 },
 "jobs": [
 {
- "id": "ded_high_sent_bytes_destination_geo_country_iso_code",
+ "id": "ded_high_sent_bytes_destination_geo_country_iso_code_ea",
 "config": {
 "groups": [
 "security",
@@ -69,13 +69,17 @@
 ],
 "influencers": [
 "host.name",
+ "host.id",
 "user.name",
+ "event.module",
+ "user.id",
 "process.name",
 "source.ip",
 "destination.ip",
 "destination.geo.continent_name",
 "destination.geo.country_name",
- "destination.geo.country_iso_code"
+ "destination.geo.country_iso_code",
+ "source.bytes"
 ]
 },
 "data_description": {
@@ -88,7 +92,7 @@
 }
 },
 {
- "id": "ded_high_sent_bytes_destination_ip",
+ "id": "ded_high_sent_bytes_destination_ip_ea",
 "config": {
 "groups": [
 "security",
@@ -108,10 +112,14 @@
 ],
 "influencers": [
 "host.name",
+ "host.id",
 "user.name",
+ "event.module",
+ "user.id",
 "process.name",
 "source.ip",
- "destination.ip"
+ "destination.ip",
+ "source.bytes"
 ]
 },
 "data_description": {
@@ -124,7 +132,7 @@
 }
 },
 {
- "id": "ded_high_sent_bytes_destination_port",
+ "id": "ded_high_sent_bytes_destination_port_ea",
 "config": {
 "groups": [
 "security",
@@ -144,11 +152,15 @@
 ],
 "influencers": [
 "host.name",
+ "host.id",
 "user.name",
+ "event.module",
+ "user.id",
 "process.name",
 "source.ip",
 "destination.ip",
- "destination.port"
+ "destination.port",
+ "source.bytes"
 ]
 },
 "data_description": {
@@ -161,7 +173,7 @@
 }
 },
 {
- "id": "ded_high_sent_bytes_destination_region_name",
+ "id": "ded_high_sent_bytes_destination_region_name_ea",
 "config": {
 "groups": [
 "security",
@@ -181,12 +193,16 @@
 ],
 "influencers": [
 "host.name",
+ "host.id",
 "user.name",
+ "event.module",
+ "user.id",
 "process.name",
 "source.ip",
 "destination.ip",
 "destination.geo.city_name",
- "destination.geo.region_name"
+ "destination.geo.region_name",
+ "source.bytes"
 ]
 },
 "data_description": {
@@ -199,7 +215,7 @@
 }
 },
 {
- "id": "ded_high_bytes_written_to_external_device",
+ "id": "ded_high_bytes_written_to_external_device_ea",
 "config": {
 "groups": [
 "security",
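Review bot: `source.bytes` is added to the influencers list in the `@@ -69,13 +69,17 @@` hunk, the same pattern recurs in the `-108`, `-144` and `-181` hunks on this line and as `file.size` in the `-219` and `-293` hunks on the next, yet these are continuous byte-count fields rather than entity fields. Influencers are meant to name the entity that contributed to an anomaly (the `host.id` and `user.id` additions do exactly that), whereas a near-unique numeric value per event adds model memory and produces influencer results whose value is just the raw number, with little investigative use. If the byte volume is already the detector's `field_name` (the detector block is outside these hunks — confirm), I would drop the `"source.bytes"` and `"file.size"` influencer entries; if the choice is deliberate, a sentence in the package README explaining why is worth adding. Each job definition begins before and ends after its hunk.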
@@ -219,11 +235,15 @@
 ],
 "influencers": [
 "host.name",
+ "host.id",
 "user.name",
+ "event.module",
+ "user.id",
 "file.name",
 "file.path",
 "file.Ext.device.bus_type",
- "process.name"
+ "process.name",
+ "file.size"
 ]
 },
 "data_description": {
@@ -236,7 +256,7 @@
 }
 },
 {
- "id": "ded_rare_process_writing_to_external_device",
+ "id": "ded_rare_process_writing_to_external_device_ea",
 "config": {
 "groups": [
 "security",
@@ -256,7 +276,10 @@
 ],
 "influencers": [
 "host.name",
+ "host.id",
 "user.name",
+ "event.module",
+ "user.id",
 "file.name",
 "file.path",
 "file.Ext.device.bus_type",
@@ -273,7 +296,7 @@
 }
 },
 {
- "id": "ded_high_bytes_written_to_external_device_airdrop",
+ "id": "ded_high_bytes_written_to_external_device_airdrop_ea",
 "config": {
 "groups": [
 "security",
@@ -293,10 +316,14 @@
 ],
 "influencers": [
 "host.name",
+ "host.id",
 "user.name",
+ "event.module",
+ "user.id",
 "file.name",
 "file.path",
- "process.name"
+ "process.name",
+ "file.size"
 ]
 },
 "data_description": {
@@ -311,13 +338,13 @@
 ],
 "datafeeds": [
 {
- "id": "datafeed-ded_high_sent_bytes_destination_geo_country_iso_code",
- "job_id": "ded_high_sent_bytes_destination_geo_country_iso_code",
+ "id": "datafeed-ded_high_sent_bytes_destination_geo_country_iso_code_ea",
+ "job_id": "ded_high_sent_bytes_destination_geo_country_iso_code_ea",
 "config": {
 "indices": [
 "INDEX_PATTERN_NAME"
 ],
- "job_id": "ded_high_sent_bytes_destination_geo_country_iso_code",
+ "job_id": "ded_high_sent_bytes_destination_geo_country_iso_code_ea",
 "query": {
 "bool": {
 "filter": [
@@ -342,13 +369,13 @@
 }
 },
 {
- "id": "datafeed-ded_high_sent_bytes_destination_ip",
- "job_id": "ded_high_sent_bytes_destination_ip",
+ "id": "datafeed-ded_high_sent_bytes_destination_ip_ea",
+ "job_id": "ded_high_sent_bytes_destination_ip_ea",
 "config": {
 "indices": [
 "INDEX_PATTERN_NAME"
 ],
- "job_id": "ded_high_sent_bytes_destination_ip",
+ "job_id": "ded_high_sent_bytes_destination_ip_ea",
 "query": {
 "bool": {
 "filter": [
@@ -373,13 +400,13 @@
 }
 },
 {
- "id": "datafeed-ded_high_sent_bytes_destination_port",
- "job_id": "ded_high_sent_bytes_destination_port",
+ "id": "datafeed-ded_high_sent_bytes_destination_port_ea",
+ "job_id": "ded_high_sent_bytes_destination_port_ea",
 "config": {
 "indices": [
 "INDEX_PATTERN_NAME"
 ],
- "job_id": "ded_high_sent_bytes_destination_port",
+ "job_id": "ded_high_sent_bytes_destination_port_ea",
 "query": {
 "bool": {
 "filter": [
@@ -404,13 +431,13 @@
 }
 },
 {
- "id": "datafeed-ded_high_sent_bytes_destination_region_name",
- "job_id": "ded_high_sent_bytes_destination_region_name",
+ "id": "datafeed-ded_high_sent_bytes_destination_region_name_ea",
+ "job_id": "ded_high_sent_bytes_destination_region_name_ea",
 "config": {
 "indices": [
 "INDEX_PATTERN_NAME"
 ],
- "job_id": "ded_high_sent_bytes_destination_region_name",
+ "job_id": "ded_high_sent_bytes_destination_region_name_ea",
 "query": {
 "bool": {
 "filter": [
@@ -435,13 +462,13 @@
 }
 },
 {
- "id": "datafeed-ded_high_bytes_written_to_external_device",
- "job_id": "ded_high_bytes_written_to_external_device",
+ "id": "datafeed-ded_high_bytes_written_to_external_device_ea",
+ "job_id": "ded_high_bytes_written_to_external_device_ea",
 "config": {
 "indices": [
 "INDEX_PATTERN_NAME"
 ],
- "job_id": "ded_high_bytes_written_to_external_device",
+ "job_id": "ded_high_bytes_written_to_external_device_ea",
 "query": {
 "bool": {
 "filter": [
@@ -475,13 +502,13 @@
 }
 },
 {
- "id": "datafeed-ded_rare_process_writing_to_external_device",
- "job_id": "ded_rare_process_writing_to_external_device",
+ "id": "datafeed-ded_rare_process_writing_to_external_device_ea",
+ "job_id": "ded_rare_process_writing_to_external_device_ea",
 "config": {
 "indices": [
 "INDEX_PATTERN_NAME"
 ],
- "job_id": "ded_rare_process_writing_to_external_device",
+ "job_id": "ded_rare_process_writing_to_external_device_ea",
 "query": {
 "bool": {
 "filter": [
@@ -515,13 +542,13 @@
 }
 },
 {
- "id": "datafeed-ded_high_bytes_written_to_external_device_airdrop",
- "job_id": "ded_high_bytes_written_to_external_device_airdrop",
+ "id": "datafeed-ded_high_bytes_written_to_external_device_airdrop_ea",
+ "job_id": "ded_high_bytes_written_to_external_device_airdrop_ea",
 "config": {
 "indices": [
 "INDEX_PATTERN_NAME"
 ],
- "job_id": "ded_high_bytes_written_to_external_device_airdrop",
+ "job_id": "ded_high_bytes_written_to_external_device_airdrop_ea",
 "query": {
 "bool": {
 "filter": [
diff --git a/packages/ded/manifest.yml b/packages/ded/manifest.yml
index d6603623ef0..eb740a5c3ff 100644
--- a/packages/ded/manifest.yml
+++ b/packages/ded/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.0
 name: ded
 title: "Data Exfiltration Detection"
-version: 2.4.2
+version: 3.0.0
 source:
 license: "Elastic-2.0"
 description: "ML package to detect data exfiltration in your network and file data."
@@ -12,7 +12,7 @@ categories:
 - advanced_analytics_ueba
 conditions:
 kibana:
- version: "^8.10.1 || ^9.0.0"
+ version: "^9.4.0"
 elastic:
 subscription: platinum
 capabilities:
diff --git a/packages/dga/changelog.yml b/packages/dga/changelog.yml
index aaa2818eb6b..b922a4c29f6 100644
--- a/packages/dga/changelog.yml
+++ b/packages/dga/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.0.0"
+ changes:
+ - description: Adds new fields for entity resolution with Entity Analytics in Elastic Stack 9.4. Includes a new ML job.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/17626
 - version: "2.3.7"
 changes:
 - description: Infer dns.question.registered_domain from dns.question.name when missing, preventing false positive DGA detections on events without registered_domain.
diff --git a/packages/dga/docs/README.md b/packages/dga/docs/README.md
index d49d259b181..672a3e521ad 100644
--- a/packages/dga/docs/README.md
+++ b/packages/dga/docs/README.md
@@ -2,7 +2,7 @@ The Domain Generation Algorithm (DGA) Detection package contains assets to detect DGA activity in your network data. This package requires a Platinum subscription. Please ensure that you have a Trial or Platinum level subscription installed on your cluster before proceeding. This package is licensed under [Elastic License 2.0](https://www.elastic.co/licensing/elastic-license). -This package leverages event logs on Linux, macOS, and Windows. Prior to using this integration, you must have Elastic Endpoint via Elastic Defend, or have equivalent tools/endpoints set up. If using Elastic Defend, Elastic Defend should be installed through Elastic Agent and collecting data from hosts. See [Configure endpoint protection with Elastic Defend](https://www.elastic.co/docs/solutions/security/configure-elastic-defend) for more information. +This package supports data from Elastic Endpoint via Elastic Defend or Packetbeat on Linux, macOS, and Windows, although Elastic Defend is recommended. Prior to using this integration, Elastic Defend should be installed through Elastic Agent (or Packetbeat should be enrolled) and collecting data from hosts. See [Configure endpoint protection with Elastic Defend](https://www.elastic.co/docs/solutions/security/configure-elastic-defend) for more information. **Note**: In versions 2.0.1 and later, this package ignores data in cold and frozen data tiers to reduce heap memory usage, avoid running on outdated data, and to follow best practices. 
@@ -12,7 +12,7 @@ The following blogs provide additional context. For the most current installatio ## Installation -1. **Upgrading**: If upgrading from a version below v2.0.0, see the section v2.0.0 and beyond. +1. **Upgrading**: If upgrading from a version below v3.0.0, see the section v3.0.0 and beyond. 1. **Add the Integration Package**: Install the package via **Management > Integrations > Add Domain Generation Algorithm Detection**. Configure the integration name and agent policy. Click Save and Continue. (Note that this integration does not rely on an agent, and can be assigned to a policy without an agent.) 1. **Install assets**: Install the assets by clicking **Settings > Install Domain Generation Algorithm Detection assets**. 1. **Configure the pipeline**: To configure the pipeline you can use one of the following steps: 
@@ -77,16 +77,18 @@ The following blogs provide additional context. For the most current installatio ``` 1. **(Optional) [Create a data view](https://www.elastic.co/guide/en/kibana/current/data-views.html)** for your network logs. 1. **Add preconfigured anomaly detection jobs**: In **Stack Management -> Anomaly Detection Jobs**, you will see **Select data view or saved search**. Select the data view created in the previous step. Then under `Use preconfigured jobs` you will see `DGA`. When you select the card, you will see a pre-configured anomaly detection job that you can create. Note this job is only useful for indices that have been enriched by the ingest pipeline. -1. **Enable detection rules**: You can also enable detection rules to alert on DGA activity in your environment, based on anomalies flagged by the above ML jobs. As of version 2.0.0 of this package, these rules are available as part of the Detection Engine in **Security > Rules**, and can be found using the tag `Use Case: Domain Generated Algorithm Detection`. See this [documentation](https://www.elastic.co/guide/en/security/current/prebuilt-rules-management.html#load-prebuilt-rules) for more information on importing and enabling the rules. **Warning**: if the ingest pipeline hasn't run for some reason, such as no eligible data has come in yet, or the required mapping has not been added, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any predictions have been populated yet. +### Enable detection rules + +You can also enable detection rules to alert on DGA activity in your environment, based on anomalies flagged by the above ML jobs. As of version 2.0.0 of this package, these rules are available as part of the Detection Engine in **Security > Rules**, and can be found using the tag `Use Case: Domain Generated Algorithm Detection`. 
See this [documentation](https://www.elastic.co/guide/en/security/current/prebuilt-rules-management.html#load-prebuilt-rules) for more information on importing and enabling the rules. **Warning**: if the ingest pipeline hasn't run for some reason, such as no eligible data has come in yet, or the required mapping has not been added, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any predictions have been populated yet. ![Domain Generation Detection Detection Rules](../img/dgarules.png) *In **Security > Rules**, filtering with the “Use Case: Domain Generation Algorithm Detection” tag* ## Anomaly Detection Jobs -| Job | Description | -|---|---| -| dga_high_sum_probability | Detects potential DGA (domain generation algorithm) activity that is often used by malware command and control (C2) channels. Looks for a source IP address making DNS requests that have an aggregate high probability of being DGA activity.| +| Job | Description | Supported Platform | Network Protocol | +|-----------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|------------------| +| dga_high_sum_probability_ea | Detects potential DGA (domain generation algorithm) activity that is often used by malware command and control (C2) channels. Looks for a source IP address making DNS requests that have an aggregate high probability of being DGA activity. | Linux, macOS, Windows | dns | ## Customize ML jobs for Domain Generation Algorithm Detection 
@@ -105,6 +107,22 @@ To customize the datafeed query and other settings such as model memory limit, f ![Domain Generation Algorithm Detection jobs](../img/dga_ml_job_6.png) 1. Finally, assign a new Job ID, and click on **Create job**, and start the datafeed to apply the updated settings. +## v3.0.0 and beyond + +v3.0.0 of this package requires Elastic Stack version 9.4 or later. It introduces support for Entity Analytics (EA), adding new fields for proper entity resolution. + +- This package installs new ML jobs which include `_ea` suffix in their names, as outlined below. New detection rules are also included. +- Previously installed ML jobs and rules will continue to run, allowing time to transition to the new Entity Analytics assets. +- **Important**: We recommend installing the new ML jobs and verifying that they are properly set up, collecting data, and generating anomalies **before** deleting the old jobs and upgrading to the new version of the detection rules available in 9.4. The new detection rules reference ML job IDs with the `_ea` suffix and are not compatible with older versions of the jobs. + +The new Entity Analytics ML job IDs are: +- `dga_high_sum_probability_ea` + +After confirming the new Entity Analytics ML jobs are running correctly, you can remove the following deprecated assets that have been superseded by the new Entity Analytics versions (Elastic stack 9.4+): + +- Delete old ML jobs: Navigate to **Stack Management -> Anomaly Detection Jobs** and delete the following jobs: + - `dga_high_sum_probability` + ## v2.0.0 and beyond v2.0.0 of the package introduces breaking changes, namely deprecating detection rules from the package. To continue receiving updates to DGA Detection, we recommend upgrading to v2.0.0 after doing the following: diff --git a/packages/dga/kibana/ml_module/dga-ml.json b/packages/dga/kibana/ml_module/dga-ml.json index d964bfa283c..5628ef1216c 100644 --- a/packages/dga/kibana/ml_module/dga-ml.json 
+++ b/packages/dga/kibana/ml_module/dga-ml.json
@@ -28,7 +28,7 @@
 },
 "jobs": [
 {
- "id": "dga_high_sum_probability",
+ "id": "dga_high_sum_probability_ea",
 "config": {
 "groups": [
 "security",
@@ -48,7 +48,8 @@
 ],
 "influencers": [
 "source.ip",
- "host.name"
+ "host.name",
+ "host.id"
 ]
 },
 "data_description": {
@@ -63,13 +64,13 @@
 ],
 "datafeeds": [
 {
- "id": "datafeed-dga_high_sum_probability",
- "job_id": "dga_high_sum_probability",
+ "id": "datafeed-dga_high_sum_probability_ea",
+ "job_id": "dga_high_sum_probability_ea",
 "config": {
 "indices": [
 "INDEX_PATTERN_NAME"
 ],
- "job_id": "dga_high_sum_probability",
+ "job_id": "dga_high_sum_probability_ea",
 "query": {
 "bool": {
 "filter": [
@@ -111,4 +112,4 @@
 },
 "references": [],
 "type": "ml-module"
-}
\ No newline at end of file
+}
diff --git a/packages/dga/manifest.yml b/packages/dga/manifest.yml
index ee685dbb9b6..2825f46caff 100644
--- a/packages/dga/manifest.yml
+++ b/packages/dga/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.4
 name: dga
 title: "Domain Generation Algorithm Detection"
-version: 2.3.7
+version: 3.0.0
 source:
 license: "Elastic-2.0"
 description: "ML solution package to detect domain generation algorithm (DGA) activity in your network data."
@@ -12,7 +12,7 @@ categories:
 - advanced_analytics_ueba
 conditions:
 kibana:
- version: "^8.9.0 || ^9.0.0"
+ version: "^9.4.0"
 elastic:
 subscription: platinum
 screenshots:
diff --git a/packages/hta/changelog.yml b/packages/hta/changelog.yml
index 847dd9e93f4..29cccd68a7b 100644
--- a/packages/hta/changelog.yml
+++ b/packages/hta/changelog.yml
@@ -1,3 +1,8 @@
+- version: "2.0.0"
+ changes:
+ - description: Adds new fields for entity resolution with Entity Analytics in Elastic Stack 9.4. Includes new ML jobs and a dashboard.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/17626
 - version: "1.0.2"
 changes:
 - description: Update documentation for data views
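Review bot: The influencer list in the `@@ -48,7 +48,8 @@` hunk gains `host.id` but not `event.module`, which the ded jobs renamed in this same change do add alongside `host.id` and `user.id`. With the package README now stating that both Elastic Defend and Packetbeat DNS data are supported, `event.module` would tell an analyst which data source produced an anomalous DNS pattern, so consider adding `"event.module"` after `"host.id"` unless DNS records from these sources are known to lack it. `user.id` is presumably not populated on DNS events, so its omission looks intentional. The job definition begins before and ends after the hunk.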
diff --git a/packages/hta/docs/README.md b/packages/hta/docs/README.md
index dbffaf4e393..a29c763338b 100644
--- a/packages/hta/docs/README.md
+++ b/packages/hta/docs/README.md
@@ -14,4 +14,23 @@ The Host Traffic Anomalies package includes a dashboard that offers a high-level - Custom data view ID: `.ml-anomalies-shared` _**Warning**_: When creating the data views for the dashboards, ensure that the `Custom data view ID` is set to the value specified above and is not left empty. Omitting or misconfiguring this field may result in broken visualizations, as illustrated by the error message below. - ![Dashboard Error](../img/dashboard-hta-error.png) \ No newline at end of file + ![Dashboard Error](../img/dashboard-hta-error.png) + +## v2.0.0 and beyond + +v2.0.0 of this package requires Elastic Stack version 9.4 or later. It introduces support for Entity Analytics (EA), adding new fields for proper entity resolution. + +- This package installs new ML jobs which include `_ea` suffix in their names, as outlined below. These jobs are available through the `Security: Host` module in Kibana. To install them, go to **Machine Learning** -> **Anomaly Detection** -> **Jobs** -> **Create anomaly detection job** -> select your data view -> select **Security: Host** -> **Create jobs**. +- Previously installed `Security: Host` ML jobs will continue to run, allowing time to transition to the new Entity Analytics jobs. +- **Important**: We recommend installing the new ML jobs and verifying that they are properly set up, collecting data, and generating anomalies **before** deleting the old jobs and upgrading to the new version of the detection rules available in 9.4. The new detection rules reference ML job IDs with the `_ea` suffix and are not compatible with older versions of the jobs. +- A new dashboard is available in this version with the suffix "(Entity Analytics)" in the title. If you are still running jobs from before this version, the original dashboard without the suffix remains available. 
+
+The new Entity Analytics ML job IDs for this dashboard are:
+- `high_count_events_for_a_host_name_ea`
+- `low_count_events_for_a_host_name_ea`
+
+After confirming the new Entity Analytics ML jobs are running correctly, you can remove the following deprecated assets that have been superseded by the new Entity Analytics versions (Elastic stack 9.4+):
+
+- Delete old ML jobs: Navigate to **Stack Management -> Anomaly Detection Jobs** and delete the following jobs:
+ - `high_count_events_for_a_host_name`
+ - `low_count_events_for_a_host_name`
\ No newline at end of file
diff --git a/packages/hta/kibana/dashboard/hta-ea-c3773b23-471c-4168-bb02-90489161ce51.json b/packages/hta/kibana/dashboard/hta-ea-c3773b23-471c-4168-bb02-90489161ce51.json
new file mode 100644
index 00000000000..3ff74c250a6
--- /dev/null
+++ b/packages/hta/kibana/dashboard/hta-ea-c3773b23-471c-4168-bb02-90489161ce51.json
@@ -0,0 +1,122 @@ +{ + "id": "hta-ea-c3773b23-471c-4168-bb02-90489161ce51", + "type": "dashboard", + "coreMigrationVersion": "8.8.0", + "migrationVersion": { + "dashboard": "8.9.0" + }, + "attributes": { + "version": 1, + "controlGroupInput": { + "controlStyle": "oneLine", + "chainingSystem": "HIERARCHICAL", + "panelsJSON": "{\"9c3b118a-6b55-43c2-8f8a-7905debfeaf1\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":false,\"width\":\"medium\",\"explicitInput\":{\"id\":\"9c3b118a-6b55-43c2-8f8a-7905debfeaf1\",\"fieldName\":\"host.name\",\"title\":\"host.name\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{},\"existsSelected\":true,\"selectedOptions\":[]}},\"62d77b7e-89ca-4cd9-8528-8102395c7beb\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":false,\"width\":\"medium\",\"explicitInput\":{\"id\":\"62d77b7e-89ca-4cd9-8528-8102395c7beb\",\"fieldName\":\"event.dataset\",\"title\":\"event.dataset\",\"grow\":false,\"width\":\"medium\",\"enhancements\":{}}}}", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}" + }, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "description": "This dashboard helps detect and understand traffic anomalies from hosts, such as sudden spikes or drops, which may indicate threats or system issues.", + "timeRestore": false, + "optionsJSON": "{\"useMargins\":true,\"syncColors\":true,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}", + "panelsJSON": "[{\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":15,\"h\":20,\"i\":\"2189938b-ac38-4a01-85a2-d05ef370375f\"},\"panelIndex\":\"2189938b-ac38-4a01-85a2-d05ef370375f\",\"embeddableConfig\":{\"savedVis\":{\"id\":\"\",\"title\":\"\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"### Description\\nThis dashboard helps detect and 
understand traffic anomalies from hosts, such as sudden spikes or drops, which may indicate threats or system issues.\\n\\n### Instructions\\nEnable the following jobs in order to detect host traffic anomalies:\\n- high_count_events_for_a_host_name_ea\\n- low_count_events_for_a_host_name_ea\\n\\n### How to enable jobs\\nGo to **Machine Learning** **->** Under Anomaly Detection, select **Jobs** **->** Click **Create anomaly detection job** button **->** Select your data view (ex: \\\"logs-*\\\") **->** Select **Security: Host** **->** Click **Create jobs**\\n\\n[Documentation link \ud83d\udd17](https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html#security-host)\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"enhancements\":{},\"hidePanelTitles\":true},\"title\":\"Description\"},{\"type\":\"lens\",\"gridData\":{\"x\":15,\"y\":0,\"w\":10,\"h\":7,\"i\":\"d5406e02-23be-4706-b754-6c98322988f0\"},\"panelIndex\":\"d5406e02-23be-4706-b754-6c98322988f0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0878cf0f-9248-4259-9fde-be7d100dd7da\"}],\"state\":{\"visualization\":{\"layerId\":\"0878cf0f-9248-4259-9fde-be7d100dd7da\",\"layerType\":\"data\",\"metricAccessor\":\"0c941069-ccc2-461e-8a74-3e635d691757\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"0878cf0f-9248-4259-9fde-be7d100dd7da\":{\"columns\":{\"0c941069-ccc2-461e-8a74-3e635d691757X0\":{\"label\":\"Part of Total Hosts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"filter\":{\"query\":\"event.category:* AND host.name:* AND event.dataset:* AND event.outcome: 
\\\"success\\\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"0c941069-ccc2-461e-8a74-3e635d691757\":{\"label\":\"Total Hosts\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"unique_count(host.name)\",\"isFormulaBroken\":false},\"references\":[\"0c941069-ccc2-461e-8a74-3e635d691757X0\"],\"filter\":{\"query\":\"event.category:* AND host.name:* AND event.dataset:* AND event.outcome: \\\"success\\\"\",\"language\":\"kuery\"},\"customLabel\":true}},\"columnOrder\":[\"0c941069-ccc2-461e-8a74-3e635d691757\",\"0c941069-ccc2-461e-8a74-3e635d691757X0\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\"logs-*\"}},\"currentIndexPatternId\":\"logs-*\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"lens\",\"gridData\":{\"x\":25,\"y\":0,\"w\":12,\"h\":7,\"i\":\"095364c8-b16f-4a65-bc20-7e3d6434a7c5\"},\"panelIndex\":\"095364c8-b16f-4a65-bc20-7e3d6434a7c5\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-f4e80a32-b042-4b35-a6f1-e63ca1f73810\"}],\"state\":{\"visualization\":{\"layerId\":\"f4e80a32-b042-4b35-a6f1-e63ca1f73810\",\"layerType\":\"data\",\"metricAccessor\":\"a3bbfd29-c023-41ce-8ebe-14fb165e36cc\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"f4e80a32-b042-4b35-a6f1-e63ca1f73810\":{\"columns\":{\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX0\":{\"label\":\"Part of Average traffic data\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"event.category:* AND host.name:* AND 
event.dataset:* AND event.outcome: \\\"success\\\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX1\":{\"label\":\"Part of Average traffic data\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"filter\":{\"query\":\"event.category:* AND host.name:* AND event.dataset:* AND event.outcome: \\\"success\\\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX2\":{\"label\":\"Part of Average traffic data\",\"dataType\":\"number\",\"operationType\":\"math\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"tinymathAst\":{\"type\":\"function\",\"name\":\"divide\",\"args\":[{\"type\":\"function\",\"name\":\"divide\",\"args\":[\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX0\",\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX1\"],\"location\":{\"min\":1,\"max\":32},\"text\":\"count()/unique_count(host.name)\"},1000000],\"location\":{\"min\":0,\"max\":41},\"text\":\"(count()/unique_count(host.name))/1000000\"}},\"references\":[\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX0\",\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX1\"],\"customLabel\":true},\"a3bbfd29-c023-41ce-8ebe-14fb165e36cc\":{\"label\":\"Average traffic data\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"(count()/unique_count(host.name))/1000000\",\"isFormulaBroken\":false,\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2,\"suffix\":\"mbps\"}}},\"references\":[\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX2\"],\"filter\":{\"query\":\"event.category:* AND host.name:* AND event.dataset:* AND event.outcome: 
\\\"success\\\"\",\"language\":\"kuery\"},\"customLabel\":true}},\"columnOrder\":[\"a3bbfd29-c023-41ce-8ebe-14fb165e36cc\",\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX0\",\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX1\",\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX2\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\"logs-*\"}},\"currentIndexPatternId\":\"logs-*\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"lens\",\"gridData\":{\"x\":37,\"y\":0,\"w\":11,\"h\":7,\"i\":\"17cbd05f-fe7c-409e-97ae-780476124c04\"},\"panelIndex\":\"17cbd05f-fe7c-409e-97ae-780476124c04\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-5c67ed52-f853-4732-bdc0-8f6f26cff79d\"}],\"state\":{\"visualization\":{\"layerId\":\"5c67ed52-f853-4732-bdc0-8f6f26cff79d\",\"layerType\":\"data\",\"metricAccessor\":\"fb2439f6-2fdf-4d84-98c1-74d38902671c\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"5c67ed52-f853-4732-bdc0-8f6f26cff79d\":{\"columns\":{\"fb2439f6-2fdf-4d84-98c1-74d38902671c\":{\"label\":\"Hosts with unusual traffic\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true,\"filter\":{\"query\":\"job_id : (\\\"high_count_events_for_a_host_name_ea\\\" or \\\"low_count_events_for_a_host_name_ea\\\" ) and result_type :\\\"record\\\" 
\",\"language\":\"kuery\"}}},\"columnOrder\":[\"fb2439f6-2fdf-4d84-98c1-74d38902671c\"],\"incompleteColumns\":{}}}},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":true}},{\"type\":\"lens\",\"gridData\":{\"x\":15,\"y\":7,\"w\":10,\"h\":13,\"i\":\"d7840b4a-1b5d-444c-86b8-eebf0434709a\"},\"panelIndex\":\"d7840b4a-1b5d-444c-86b8-eebf0434709a\",\"embeddableConfig\":{\"hidePanelTitles\":true,\"enhancements\":{},\"attributes\":{\"title\":\"Total anomalies detected\",\"visualizationType\":\"lnsMetric\",\"state\":{\"visualization\":{\"layerId\":\"6dc48429-d618-4e6a-a307-9944d2ee13b7\",\"layerType\":\"data\",\"metricAccessor\":\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\",\"color\":\"#AA6556\",\"icon\":\"sortUp\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"6dc48429-d618-4e6a-a307-9944d2ee13b7\":{\"columns\":{\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\":{\"label\":\"Total anomalies detected\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":false},\"filter\":{\"query\":\"job_id : (\\\"high_count_events_for_a_host_name_ea\\\" or \\\"low_count_events_for_a_host_name_ea\\\" ) and result_type : 
\\\"record\\\"\",\"language\":\"kuery\"},\"customLabel\":true}},\"columnOrder\":[\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}},\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-6dc48429-d618-4e6a-a307-9944d2ee13b7\"}],\"type\":\"lens\",\"savedObjectId\":\"fca78426-ea3d-4902-b761-2928d23a1191\"}}},{\"type\":\"lens\",\"gridData\":{\"x\":37,\"y\":7,\"w\":11,\"h\":13,\"i\":\"ff1b9e2c-5eda-4562-988c-081ed5cf6e73\"},\"panelIndex\":\"ff1b9e2c-5eda-4562-988c-081ed5cf6e73\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-6dc48429-d618-4e6a-a307-9944d2ee13b7\"}],\"state\":{\"visualization\":{\"layerId\":\"6dc48429-d618-4e6a-a307-9944d2ee13b7\",\"layerType\":\"data\",\"metricAccessor\":\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\",\"breakdownByAccessor\":\"ef522b68-f45e-43dd-9db4-aaccfc594e35\",\"maxCols\":1,\"color\":\"#6092C0\",\"icon\":\"sortDown\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"6dc48429-d618-4e6a-a307-9944d2ee13b7\":{\"columns\":{\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"filter\":{\"query\":\"job_id : ( \\\"low_count_events_for_a_host_name_ea\\\" ) and result_type :\\\"record\\\" 
\",\"language\":\"kuery\"}},\"ef522b68-f45e-43dd-9db4-aaccfc594e35\":{\"label\":\"Filters\",\"dataType\":\"string\",\"operationType\":\"filters\",\"scale\":\"ordinal\",\"isBucketed\":true,\"params\":{\"filters\":[{\"label\":\"Low Traffic Anomalies\",\"input\":{\"query\":\"\\\"job_id\\\" : \\\"low_count_events_for_a_host_name_ea\\\" \",\"language\":\"kuery\"}}]}}},\"columnOrder\":[\"ef522b68-f45e-43dd-9db4-aaccfc594e35\",\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"lens\",\"gridData\":{\"x\":25,\"y\":7,\"w\":12,\"h\":13,\"i\":\"1a35a792-12de-4450-a129-ace659dabd01\"},\"panelIndex\":\"1a35a792-12de-4450-a129-ace659dabd01\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-6dc48429-d618-4e6a-a307-9944d2ee13b7\"}],\"state\":{\"visualization\":{\"layerId\":\"6dc48429-d618-4e6a-a307-9944d2ee13b7\",\"layerType\":\"data\",\"metricAccessor\":\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\",\"color\":\"#E7664C\",\"icon\":\"sortUp\",\"breakdownByAccessor\":\"25a19bc8-91e1-4861-92ff-9e18f1432d3f\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"6dc48429-d618-4e6a-a307-9944d2ee13b7\":{\"columns\":{\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":false},\"filter\":{\"query\":\"job_id : \\\"high_count_events_for_a_host_name_ea\\\" and result_type : \\\"record\\\" 
\",\"language\":\"kuery\"}},\"25a19bc8-91e1-4861-92ff-9e18f1432d3f\":{\"label\":\"Filters\",\"dataType\":\"string\",\"operationType\":\"filters\",\"scale\":\"ordinal\",\"isBucketed\":true,\"params\":{\"filters\":[{\"input\":{\"query\":\"job_id : (\\\"high_count_events_for_a_host_name_ea\\\" )\",\"language\":\"kuery\"},\"label\":\"High Traffic Anomalies\"}]}}},\"columnOrder\":[\"25a19bc8-91e1-4861-92ff-9e18f1432d3f\",\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"ml_anomaly_swimlane\",\"gridData\":{\"x\":0,\"y\":20,\"w\":48,\"h\":17,\"i\":\"2459f8bb-d57f-49ec-b472-aa1328baebd8\"},\"panelIndex\":\"2459f8bb-d57f-49ec-b472-aa1328baebd8\",\"embeddableConfig\":{\"jobIds\":[\"low_count_events_for_a_host_name_ea\",\"high_count_events_for_a_host_name_ea\"],\"panelTitle\":\"Anomalies detected per host\",\"swimlaneType\":\"viewBy\",\"viewBy\":\"host.name\",\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Hosts with unusual traffic 
patterns\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":37,\"w\":24,\"h\":15,\"i\":\"6ca0394b-fa7b-4efe-b17d-e0823e8087b3\"},\"panelIndex\":\"6ca0394b-fa7b-4efe-b17d-e0823e8087b3\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-914f81de-6cbc-4863-9e44-b69d323d41d2\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":false,\"position\":\"bottom\",\"isInside\":false,\"showSingleSeries\":false},\"valueLabels\":\"show\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal_stacked\",\"layers\":[{\"layerId\":\"914f81de-6cbc-4863-9e44-b69d323d41d2\",\"accessors\":[\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\"],\"position\":\"top\",\"seriesType\":\"bar_horizontal_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"splitAccessor\":\"f6970021-0d2e-4c33-9a26-9e15030a157a\",\"xAccessor\":\"e7bc81ec-8882-4d97-816e-053c19412845\",\"palette\":{\"type\":\"palette\",\"name\":\"complimentary\"}}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"914f81de-6cbc-4863-9e44-b69d323d41d2\":{\"columns\":{\"f6970021-0d2e-4c33-9a26-9e15030a157a\":{\"label\":\"Filters\",\"dataType\":\"string\",\"operationType\":\"filters\",\"scale\":\"ordinal\",\"isBucketed\":true,\"params\":{\"filters\":[{\"label\":\"\",\"input\":{\"query\":\"job_id : \\\"low_count_events_for_a_host_name_ea\\\" and result_type : \\\"record\\\" \",\"language\":\"kuery\"}}]}},\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"e7bc81ec-8882-4d97-816e-053c19412845\":{\"label\":\"Top 5 values of host.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"f6970021-0d2e-4c33-9a26-9e15030a157a\",\"e7bc81ec-8882-4d97-816e-053c19412845\",\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 5 low traffic 
hosts\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":37,\"w\":24,\"h\":15,\"i\":\"271e0000-4a5f-44fc-a346-f18b7642affb\"},\"panelIndex\":\"271e0000-4a5f-44fc-a346-f18b7642affb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-914f81de-6cbc-4863-9e44-b69d323d41d2\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":false,\"position\":\"bottom\",\"shouldTruncate\":true,\"showSingleSeries\":false},\"valueLabels\":\"show\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal_stacked\",\"layers\":[{\"layerId\":\"914f81de-6cbc-4863-9e44-b69d323d41d2\",\"accessors\":[\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\"],\"position\":\"top\",\"seriesType\":\"bar_horizontal_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"splitAccessor\":\"f6970021-0d2e-4c33-9a26-9e15030a157a\",\"xAccessor\":\"e7bc81ec-8882-4d97-816e-053c19412845\",\"palette\":{\"type\":\"palette\",\"name\":\"warm\"}}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"914f81de-6cbc-4863-9e44-b69d323d41d2\":{\"columns\":{\"f6970021-0d2e-4c33-9a26-9e15030a157a\":{\"label\":\"Filters\",\"dataType\":\"string\",\"operationType\":\"filters\",\"scale\":\"ordinal\",\"isBucketed\":true,\"params\":{\"filters\":[{\"label\":\"\",\"input\":{\"query\":\"job_id : \\\"high_count_events_for_a_host_name_ea\\\" and result_type : \\\"record\\\" \",\"language\":\"kuery\"}}]}},\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"e7bc81ec-8882-4d97-816e-053c19412845\":{\"label\":\"Top 5 values of host.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"f6970021-0d2e-4c33-9a26-9e15030a157a\",\"e7bc81ec-8882-4d97-816e-053c19412845\",\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 5 high traffic 
hosts\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":52,\"w\":48,\"h\":16,\"i\":\"a4b62995-53a2-4172-baa7-dd1bd915ac7d\"},\"panelIndex\":\"a4b62995-53a2-4172-baa7-dd1bd915ac7d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-d437f4ff-74ee-4331-801b-be6e5c990de0\"},{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-230b3abd-6bbd-4a50-8e51-14524532ad06\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"Linear\",\"curveType\":\"CURVE_MONOTONE_X\",\"showCurrentTimeMarker\":false,\"valuesInLegend\":true,\"yLeftScale\":\"sqrt\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"d437f4ff-74ee-4331-801b-be6e5c990de0\",\"accessors\":[\"e984c84e-806f-46a4-8ab1-0b0aa4a23fd6\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"05c80e04-0870-4876-a665-b4844ed36eb1\",\"splitAccessor\":\"206e9fca-0d44-41c6-9451-c7ed6d532d67\"},{\"layerId\":\"230b3abd-6bbd-4a50-8e51-14524532ad06\",\"layerType\":\"data\",\"accessors\":[\"34af8905-9648-4963-8c6e-f36fa638a8e1\"],\"seriesType\":\"line\",\"xAccessor\":\"3a80d472-891e-4958-a27c-822d5d561b64\",\"yConfig\":[{\"forAccessor\":\"34af8905-9648-4963-8c6e-f36fa638a8e1\",\"color\":\"#e7664c\"}],\"splitAccessor\":\"6d21d26b-7857-408f-917a-51dc7468fe9d\"}],\"endValue\":\"Zero\"},\"query\":{\"query\":\"job_id: (\\\"high_count_events_for_a_host_name_ea\\\" ) and host.name : * and result_type : 
\\\"record\\\" \",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"result_type\",\"params\":{\"query\":\"influencer\"},\"index\":\"1acb5707-28a3-4440-800c-70da0d87725f\"},\"query\":{\"match_phrase\":{\"result_type\":\"influencer\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d437f4ff-74ee-4331-801b-be6e5c990de0\":{\"columns\":{\"05c80e04-0870-4876-a665-b4844ed36eb1\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":false,\"dropPartials\":true}},\"e984c84e-806f-46a4-8ab1-0b0aa4a23fd6\":{\"label\":\"Average of actual\",\"dataType\":\"number\",\"operationType\":\"average\",\"sourceField\":\"actual\",\"isBucketed\":false,\"scale\":\"ratio\",\"filter\":{\"query\":\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true}},\"206e9fca-0d44-41c6-9451-c7ed6d532d67\":{\"label\":\"Top 300 values of 
host.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":300,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e984c84e-806f-46a4-8ab1-0b0aa4a23fd6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"05c80e04-0870-4876-a665-b4844ed36eb1\",\"206e9fca-0d44-41c6-9451-c7ed6d532d67\",\"e984c84e-806f-46a4-8ab1-0b0aa4a23fd6\"],\"incompleteColumns\":{},\"sampling\":1},\"230b3abd-6bbd-4a50-8e51-14524532ad06\":{\"linkToLayers\":[],\"columns\":{\"3a80d472-891e-4958-a27c-822d5d561b64\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":true}},\"34af8905-9648-4963-8c6e-f36fa638a8e1\":{\"label\":\"Average of typical\",\"dataType\":\"number\",\"operationType\":\"average\",\"sourceField\":\"typical\",\"isBucketed\":false,\"scale\":\"ratio\",\"filter\":{\"query\":\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true}},\"6d21d26b-7857-408f-917a-51dc7468fe9d\":{\"label\":\"Top 300 values of 
host.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":300,\"orderBy\":{\"type\":\"column\",\"columnId\":\"34af8905-9648-4963-8c6e-f36fa638a8e1\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"6d21d26b-7857-408f-917a-51dc7468fe9d\",\"3a80d472-891e-4958-a27c-822d5d561b64\",\"34af8905-9648-4963-8c6e-f36fa638a8e1\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}}}},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Hosts with spikes in traffic\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":68,\"w\":48,\"h\":13,\"i\":\"c56c231d-ca87-4311-9827-50562563cf34\"},\"panelIndex\":\"c56c231d-ca87-4311-9827-50562563cf34\",\"embeddableConfig\":{\"enhancements\":{},\"attributes\":{\"title\":\"Anomalies detected over 
time\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-c79ffa3c-754a-48ab-ba60-46afd0d7ff3c\"},{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-a4a449ad-43c4-4d81-bb00-92ce098247a6\"},{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-b36bcefe-42ed-4e91-b487-4b2c8652f4f5\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\",\"legendSize\":\"large\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"c79ffa3c-754a-48ab-ba60-46afd0d7ff3c\",\"accessors\":[\"5a7ea0d2-b833-43a0-b2ee-760491aa7c20\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"palette\":{\"type\":\"palette\",\"name\":\"temperature\"},\"xAccessor\":\"3fc83bd9-2314-436e-8b61-4a8f5694e509\",\"splitAccessor\":\"afcd1239-1670-4b38-97c6-60dd18720834\"},{\"layerId\":\"a4a449ad-43c4-4d81-bb00-92ce098247a6\",\"layerType\":\"data\",\"accessors\":[\"16dbf6a1-9df7-46e0-bb21-f1968227cfb0\"],\"seriesType\":\"line\",\"xAccessor\":\"a5ac8da2-140e-4b67-9685-08424ee93fc3\"},{\"layerId\":\"b36bcefe-42ed-4e91-b487-4b2c8652f4f5\",\"layerType\":\"data\",\"accessors\":[\"4ac4ae30-2b63-4f92-926b-a3367c126709\"],\"seriesType\":\"line\",\"xAccessor\":\"d6a8746c-e875-4e90-b370-16d03e0d0cec\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"c79ffa3c-754a-48ab-ba60-46afd0d7ff3c\":{\"columns\":{\"3fc83bd9-2314-436e-8b61-4a8f
5694e509\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"d\",\"includeEmptyRows\":false,\"dropPartials\":true}},\"afcd1239-1670-4b38-97c6-60dd18720834\":{\"label\":\"Filters\",\"dataType\":\"string\",\"operationType\":\"filters\",\"scale\":\"ordinal\",\"isBucketed\":true,\"params\":{\"filters\":[{\"input\":{\"query\":\"job_id: \\\"low_count_events_for_a_host_name_ea\\\" and result_type : \\\"record\\\" \",\"language\":\"kuery\"},\"label\":\"Low Traffic Anomalies\"},{\"input\":{\"query\":\"job_id: \\\"high_count_events_for_a_host_name_ea\\\" and result_type : \\\"record\\\" \",\"language\":\"kuery\"},\"label\":\"High Traffic Anomalis\"}]}},\"5a7ea0d2-b833-43a0-b2ee-760491aa7c20\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3fc83bd9-2314-436e-8b61-4a8f5694e509\",\"afcd1239-1670-4b38-97c6-60dd18720834\",\"5a7ea0d2-b833-43a0-b2ee-760491aa7c20\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}},\"a4a449ad-43c4-4d81-bb00-92ce098247a6\":{\"linkToLayers\":[],\"columns\":{\"a5ac8da2-140e-4b67-9685-08424ee93fc3\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"d\",\"includeEmptyRows\":false,\"dropPartials\":true}},\"16dbf6a1-9df7-46e0-bb21-f1968227cfb0\":{\"label\":\"Average of actual\",\"dataType\":\"number\",\"operationType\":\"average\",\"sourceField\":\"actual\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true,\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"filter\":{\"query\":\"job_id : 
(\\\"high_count_events_for_a_host_name_ea\\\" or \\\"low_count_events_for_a_host_name_ea\\\" ) and result_type : \\\"record\\\"\",\"language\":\"kuery\"}}},\"columnOrder\":[\"a5ac8da2-140e-4b67-9685-08424ee93fc3\",\"16dbf6a1-9df7-46e0-bb21-f1968227cfb0\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}},\"b36bcefe-42ed-4e91-b487-4b2c8652f4f5\":{\"linkToLayers\":[],\"columns\":{\"d6a8746c-e875-4e90-b370-16d03e0d0cec\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"d\",\"includeEmptyRows\":false,\"dropPartials\":true}},\"4ac4ae30-2b63-4f92-926b-a3367c126709\":{\"label\":\"Average of typical\",\"dataType\":\"number\",\"operationType\":\"average\",\"sourceField\":\"typical\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true,\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"filter\":{\"query\":\"job_id : (\\\"high_count_events_for_a_host_name_ea\\\" or \\\"low_count_events_for_a_host_name_ea\\\" ) and result_type : 
\\\"record\\\"\",\"language\":\"kuery\"}}},\"columnOrder\":[\"d6a8746c-e875-4e90-b370-16d03e0d0cec\",\"4ac4ae30-2b63-4f92-926b-a3367c126709\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}}}},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}}}},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":81,\"w\":24,\"h\":15,\"i\":\"7730f065-9101-453b-886c-addc2f2fa726\"},\"panelIndex\":\"7730f065-9101-453b-886c-addc2f2fa726\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-c7ce8741-3831-487f-8227-1d97a4bf565a\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"b17e458f-5564-4c49-b5b0-4f26bd3737bc\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"a9a3a723-ad58-495c-b744-84990d1a7fb1\",\"isTransposed\":false,\"isMetric\":true,\"hidden\":true}],\"layerId\":\"c7ce8741-3831-487f-8227-1d97a4bf565a\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"c7ce8741-3831-487f-8227-1d97a4bf565a\":{\"columns\":{\"b17e458f-5564-4c49-b5b0-4f26bd3737bc\":{\"label\":\"Host name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a9a3a723-ad58-495c-b744-84990d1a7fb1\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"a9a3a723-ad58-495c-b744-84990d1a7fb1\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"job_id : (\\\"low_count_events_for_a_host_name_ea\\\" ) and result_type : \\\"record\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"b17e458f-5564-4c49-b5b0-4f26bd3737bc\",\"a9a3a723-ad58-495c-b744-84990d1a7fb1\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}}}},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 5 hosts with low traffic anomalies\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":81,\"w\":24,\"h\":15,\"i\":\"694ec862-3b9b-4c2d-9856-6dbec333774d\"},\"panelIndex\":\"694ec862-3b9b-4c2d-9856-6dbec333774d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-1f385df7-2895-46aa-acd1-fb65378dbe61\"}],\"state\":{\"visualization\":{\"layerId\":\"1f385df7-2895-46aa-acd1-fb65378dbe61\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"bfc1fa28-d585-44a7-9dc6-1a89a2ac076a\"},{\"columnId\":\"f305e930-2710-45aa-9fbb-1cd06722e1ce\",\"isTransposed\":false,\"isMetric\":true,\"hidden\":true}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"1f385df7-2895-46aa-acd1-fb65378dbe61\":{\"columns\":{\"bfc1fa28-d585-44a7-9dc6-1a89a2ac076a\":{\"label\":\"Host 
name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f305e930-2710-45aa-9fbb-1cd06722e1ce\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"f305e930-2710-45aa-9fbb-1cd06722e1ce\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"job_id : (\\\"high_count_events_for_a_host_name_ea\\\" ) and result_type : \\\"record\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false}}},\"columnOrder\":[\"bfc1fa28-d585-44a7-9dc6-1a89a2ac076a\",\"f305e930-2710-45aa-9fbb-1cd06722e1ce\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}}}},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 5 hosts with high traffic anomalies\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":96,\"w\":24,\"h\":15,\"i\":\"0ddae9ae-f243-4fe9-9f02-0692c89e597e\"},\"panelIndex\":\"0ddae9ae-f243-4fe9-9f02-0692c89e597e\",\"embeddableConfig\":{\"enhancements\":{},\"attributes\":{\"title\":\"Top 5 host names with zero traffic 
count\",\"visualizationType\":\"lnsDatatable\",\"state\":{\"visualization\":{\"layerId\":\"ccb0e613-5210-466d-b06c-dd551d3d2c3d\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"4e6985ee-e7c1-436e-92b9-8533edbde0d0\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"fb904bf7-140d-448d-94e8-b4f99b363eba\",\"isTransposed\":false,\"isMetric\":true,\"hidden\":true}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"ccb0e613-5210-466d-b06c-dd551d3d2c3d\":{\"columns\":{\"4e6985ee-e7c1-436e-92b9-8533edbde0d0\":{\"label\":\"Host name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"fb904bf7-140d-448d-94e8-b4f99b363eba\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"fb904bf7-140d-448d-94e8-b4f99b363eba\":{\"label\":\"Median of actual\",\"dataType\":\"number\",\"operationType\":\"median\",\"sourceField\":\"actual\",\"isBucketed\":false,\"scale\":\"ratio\",\"filter\":{\"query\":\"job_id : (\\\"high_count_events_for_a_host_name_ea\\\" or \\\"low_count_events_for_a_host_name_ea\\\" ) and result_type : \\\"record\\\" and 
actual:0\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"4e6985ee-e7c1-436e-92b9-8533edbde0d0\",\"fb904bf7-140d-448d-94e8-b4f99b363eba\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}},\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-ccb0e613-5210-466d-b06c-dd551d3d2c3d\"}],\"type\":\"lens\",\"savedObjectId\":\"0c768d12-300d-4b07-aff5-dffbf394e1f5\"}}}]", + "title": "Host Traffic Anomalies (Entity Analytics)" + }, + "references": [ + { + "type": "index-pattern", + "id": "logs-*", + "name": "d5406e02-23be-4706-b754-6c98322988f0:indexpattern-datasource-layer-0878cf0f-9248-4259-9fde-be7d100dd7da" + }, + { + "type": "index-pattern", + "id": "logs-*", + "name": "095364c8-b16f-4a65-bc20-7e3d6434a7c5:indexpattern-datasource-layer-f4e80a32-b042-4b35-a6f1-e63ca1f73810" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "17cbd05f-fe7c-409e-97ae-780476124c04:indexpattern-datasource-layer-5c67ed52-f853-4732-bdc0-8f6f26cff79d" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "d7840b4a-1b5d-444c-86b8-eebf0434709a:indexpattern-datasource-layer-6dc48429-d618-4e6a-a307-9944d2ee13b7" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "ff1b9e2c-5eda-4562-988c-081ed5cf6e73:indexpattern-datasource-layer-6dc48429-d618-4e6a-a307-9944d2ee13b7" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "1a35a792-12de-4450-a129-ace659dabd01:indexpattern-datasource-layer-6dc48429-d618-4e6a-a307-9944d2ee13b7" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "6ca0394b-fa7b-4efe-b17d-e0823e8087b3:indexpattern-datasource-layer-914f81de-6cbc-4863-9e44-b69d323d41d2" + 
}, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "271e0000-4a5f-44fc-a346-f18b7642affb:indexpattern-datasource-layer-914f81de-6cbc-4863-9e44-b69d323d41d2" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "a4b62995-53a2-4172-baa7-dd1bd915ac7d:indexpattern-datasource-layer-d437f4ff-74ee-4331-801b-be6e5c990de0" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "a4b62995-53a2-4172-baa7-dd1bd915ac7d:indexpattern-datasource-layer-230b3abd-6bbd-4a50-8e51-14524532ad06" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "c56c231d-ca87-4311-9827-50562563cf34:indexpattern-datasource-layer-c79ffa3c-754a-48ab-ba60-46afd0d7ff3c" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "c56c231d-ca87-4311-9827-50562563cf34:indexpattern-datasource-layer-a4a449ad-43c4-4d81-bb00-92ce098247a6" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "c56c231d-ca87-4311-9827-50562563cf34:indexpattern-datasource-layer-b36bcefe-42ed-4e91-b487-4b2c8652f4f5" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "7730f065-9101-453b-886c-addc2f2fa726:indexpattern-datasource-layer-c7ce8741-3831-487f-8227-1d97a4bf565a" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "694ec862-3b9b-4c2d-9856-6dbec333774d:indexpattern-datasource-layer-1f385df7-2895-46aa-acd1-fb65378dbe61" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "0ddae9ae-f243-4fe9-9f02-0692c89e597e:indexpattern-datasource-layer-ccb0e613-5210-466d-b06c-dd551d3d2c3d" + }, + { + "name": "controlGroup_9c3b118a-6b55-43c2-8f8a-7905debfeaf1:optionsListDataView", + "type": "index-pattern", + "id": "logs-*" + }, + { + "name": "controlGroup_62d77b7e-89ca-4cd9-8528-8102395c7beb:optionsListDataView", + "type": "index-pattern", + "id": "logs-*" + }, + { + "type": "tag", + "id": 
"hta-192d4418-0096-4ebd-9699-d961b8c8f6f7", + "name": "tag-hta-192d4418-0096-4ebd-9699-d961b8c8f6f7" + } + ] +} \ No newline at end of file
diff --git a/packages/hta/manifest.yml b/packages/hta/manifest.yml
index e3ee8455255..ef32d368994 100644
--- a/packages/hta/manifest.yml
+++ b/packages/hta/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.0
 name: hta
 title: "Host Traffic Anomalies"
-version: 1.0.2
+version: 2.0.0
 source:
   license: "Elastic-2.0"
 description: "Prebuilt dashboard for Machine Learning module Security: Host."
@@ -10,7 +10,7 @@ categories:
   - security
 conditions:
   kibana:
-    version: "^8.18.0 || ^9.0.0"
+    version: "^9.4.0"
   elastic:
     subscription: platinum
 capabilities:
diff --git a/packages/lmd/changelog.yml b/packages/lmd/changelog.yml
index 0ef4d08965c..2805a3de50b 100644
--- a/packages/lmd/changelog.yml
+++ b/packages/lmd/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.0.0"
+  changes:
+    - description: Adds new fields for entity resolution with Entity Analytics in Elastic Stack 9.4. Includes new ML jobs, transforms, and dashboards.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/17626
 - version: "2.6.3"
   changes:
     - description: Update documentation for blogs/data views
diff --git a/packages/lmd/docs/README.md b/packages/lmd/docs/README.md
index 98cf9784b92..08842daa4a3 100644
--- a/packages/lmd/docs/README.md
+++ b/packages/lmd/docs/README.md
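Review bot: The second packages/hta/manifest.yml hunk on this line narrows `conditions.kibana.version` from `"^8.18.0 || ^9.0.0"` to `"^9.4.0"`, which makes the package uninstallable on every 8.x and 9.0–9.3 deployment that could previously run it, and nothing in the manifest records why 9.4 is the floor. The sibling ded and lmd changelog entries tie their 3.0.0 releases to entity-resolution fields introduced with Entity Analytics in Stack 9.4, and the new dashboard queries `*_ea` job IDs, so the same dependency presumably applies to hta — but that is inferred, not stated here. Keeping the reason next to the value would help the next person tempted to relax it, e.g. a comment above the constraint: `# Entity Analytics entity-resolution fields and the *_ea ML assets require Stack 9.4+; do not widen without re-testing on older stacks.` The hta changelog is not in this chunk; confirm its 2.0.0 entry calls out the raised minimum Kibana version as the breaking change, since operators on 8.18/9.0 will otherwise see the upgrade silently disappear from Fleet.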
@@ -16,14 +16,14 @@ If you are running version 8.18+, the Defend integration only collects a [subset ## Installation -1. **Upgrading**: If upgrading from a version below v2.0.0, see the section v2.0.0 and beyond. +1. **Upgrading**: If upgrading from a version below v3.0.0, see the section v3.0.0 and beyond. 1. **Add the Integration Package**: Install the package via **Management > Integrations > Add Lateral Movement Detection**. Configure the integration name and agent policy. Click **Save and Continue**. (Note that this integration does not rely on an agent, and can be assigned to a policy without an agent.) -1. **Check the health of the transform**: The transform is scheduled to run every hour. This transform creates the index `ml-rdp-lmd`. To check the health of the transform go to **Management > Stack Management > Data > Transforms** under `logs-lmd.pivot_transform-default-`. -1. **Create data views for anomaly detection jobs**: The anomaly detection jobs under this package rely on two indices. One has file transfer events (`logs-*`), and the other index (`ml-rdp-lmd`) collects RDP session information from a transform. Before enabling the anomaly detection jobs, create a data view with both index patterns. +1. **Check the health of the transform**: The transform is scheduled to run every hour. This transform creates the index `ml-rdp-lmd_ea`. To check the health of the transform go to **Management > Stack Management > Data > Transforms** under `logs-lmd.pivot_transform_ea-default-`. +1. **Create data views for anomaly detection jobs**: The anomaly detection jobs under this package rely on two indices. One has file transfer events (`logs-*`), and the other index (`ml-rdp-lmd_ea`) collects RDP session information from a transform. Before enabling the anomaly detection jobs, create a data view with both index patterns. 1. Go to **Stack Management > Kibana > Data Views** and click **Create data view**. - 1. 
Enter the name of your respective index patterns in the **Index pattern** box, i.e., `logs-*, ml-rdp-lmd`, and copy the same in the **Name** field. + 1. Enter the name of your respective index patterns in the **Index pattern** box, i.e., `logs-*, ml-rdp-lmd_ea`, and copy the same in the **Name** field. 1. Select `@timestamp` under the **Timestamp** field and click on **Save data view to Kibana**. - 1. Use the new data view (`logs-*, ml-rdp-lmd`) to create anomaly detection jobs for this package. + 1. Use the new data view (`logs-*, ml-rdp-lmd_ea`) to create anomaly detection jobs for this package. 1. **Add preconfigured anomaly detection jobs**: In **Stack Management -> Anomaly Detection Jobs**, you will see **Supplied configurations**. 1. Select **Lateral Movement Detection** and click **Run data recognizer**. 1. Next to the data view name you created in the previous step, click the link to "create jobs." 
@@ -37,14 +37,28 @@ If you are running version 8.18+, the Defend integration only collects a [subset - Index pattern : `.ml-anomalies-shared*` - Select **Show Advanced settings** enable **Allow hidden and system indices** - Custom data view ID: `.ml-anomalies-shared` - + _**Warning**_: When creating the data views for the dashboards, ensure that the `Custom data view ID` is set to the value specified above and is not left empty. Omitting or misconfiguring this field may result in broken visualizations, as illustrated by the error message below. ![Dashboard Error](../img/dashboard-lmd-error.png) -1. **Enabling detection rules**: You can also enable detection rules to alert on Lateral Movement activity in your environment, based on anomalies flagged by the above ML jobs. As of version 2.0.0 of this package, these rules are available as part of the Detection Engine, and can be found using the tag `Use Case: Lateral Movement Detection`. See this [documentation](https://www.elastic.co/guide/en/security/current/prebuilt-rules-management.html#load-prebuilt-rules) for more information on importing and enabling the rules. + +### Enabling detection rules + +You can also enable detection rules to alert on Lateral Movement activity in your environment, based on anomalies flagged by the above ML jobs. As of version 2.0.0 of this package, these rules are available as part of the Detection Engine, and can be found using the tag `Use Case: Lateral Movement Detection`. See this [documentation](https://www.elastic.co/guide/en/security/current/prebuilt-rules-management.html#load-prebuilt-rules) for more information on importing and enabling the rules. + 1. **Use with Living off the Land Detection**: This integration package can be used along with Living off the Land detection, see the section Install Living off the Land package to detect malicious processes. 
![Data Exfiltration Detection Rules](../img/lmdrules.png) -*In Security > Rules, filtering with the “Use Case: Lateral Movement Detection” tag* +*In Security > Rules, filtering with the "Use Case: Lateral Movement Detection" tag* + +## Transform + +To inspect the installed assets, you can navigate to **Stack Management > Data > Transforms**. + +| Transform name | Purpose | Source index | Destination index | Alias | Supported Platform | Event Category | +|------------------------|--------------------------------------------------------|--------------|-------------------|-------|--------------------|----------------| +| lmd.pivot_transform_ea | Collects RDP session information from your environment | logs-* | ml-rdp-lmd_ea | | Windows | process | + +When querying the destination index (`ml-rdp-lmd_ea`) for RDP session logs, we advise using the destination index directly. In the event that the underlying package is upgraded, it will aid in maintaining the previous findings. ## Dashboard 
@@ -55,7 +69,7 @@ After the anomaly detectors and the data views for the dashboard are configured, To customize filters in the Lateral Movement Detection transform, follow the below steps. You can use these instructions to update basic settings or to update filters for fields such as `process.name`, `@timestamp`, and others. 1. To update settings such as retention policy, frequency, or destination configuration, stop the transform, click **Edit** from the **Actions** bar, make the required changes, and start the transform again. ![Lateral Movement Detection transform](../img/lmd_transform_update.png) -1. To update the query filters, go to **Stack Management > Data > Transforms > `logs-lmd.pivot_transform-default-`**. +1. To update the query filters, go to **Stack Management > Data > Transforms > `logs-lmd.pivot_transform_ea-default-`**. 1. Click on the **Actions** bar at the far right of the transform and select the **Clone** option. ![Lateral Movement Detection transform](../img/lmd_transform_1.png) 1. In the new **Clone transform** window, go to the **Search filter** and update any field values you want to add or remove. Click on the **Apply changes** button on the right side to save these changes. **Note:** The image below shows an example of filtering a new `process.name` as `explorer.exe`. You can follow a similar example and update the field value list based on your environment to help reduce noise and potential false positives. 
@@ -67,7 +81,7 @@ To customize filters in the Lateral Movement Detection transform, follow the bel ### Install ProblemChild package to detect malicious processes -To detect malicious RDP processes started in a session, install the [Living off the Land Attack (LotL) Detection package](https://docs.elastic.co/integrations/problemchild). Follow the steps under the package [overview](https://docs.elastic.co/integrations/problemchild) to install the related assets. Use the below filter query to examine model predictions on RDP events only. +To detect malicious RDP processes started in a session, install the [Living off the Land Attack (LotL) Detection package](https://docs.elastic.co/integrations/problemchild). Follow the steps under the package [overview](https://docs.elastic.co/integrations/problemchild) to install the related assets. Use the below filter query to examine model predictions on RDP events only. Clone the anomaly detection jobs available under the Living off the Land Attack (LotL) Detection package and follow the below steps to customize them only to process Windows RDP events in the datafeed: 1. Click on the **Actions** panel at the right-most corner of the anomaly detection job and then select the **Edit job** option. 
@@ -128,23 +142,23 @@ Clone the anomaly detection jobs available under the Living off the Land Attack } ```` -## Anomaly Detection Jobs +## Anomaly Detection Jobs Detects potential lateral movement activity by identifying malicious file transfers and RDP sessions in an environment. -| Job | Description | Supported Platform | -|-------------------------------------------------------|-------------------------------------------------------------------------------------------------| --------------------- | -| lmd_high_count_remote_file_transfer | Detects unusually high file transfers to a remote host in the network. | Linux, macOS, Windows | -| lmd_high_file_size_remote_file_transfer | Detects unusually high size of files shared with a remote host in the network. | Linux, macOS, Windows | -| lmd_rare_file_extension_remote_transfer | Detects rare file extensions shared with a remote host in the network. | macOS, Windows | -| lmd_rare_file_path_remote_transfer | Detects unusual folders and directories on which a file is transferred (by a host). | macOS, Windows | -| lmd_high_mean_rdp_session_duration | Detects unusually high mean of RDP session duration. | Windows | -| lmd_high_var_rdp_session_duration | Detects unusually high variance in RDP session duration. | Windows | -| lmd_high_sum_rdp_number_of_processes | Detects unusually high number of processes started in a single RDP session. | Windows | -| lmd_unusual_time_weekday_rdp_session_start | Detects an RDP session started at an usual time or weekday. | Windows | -| lmd_high_rdp_distinct_count_source_ip_for_destination | Detects a high count of source IPs making an RDP connection with a single destination IP. | Windows | -| lmd_high_rdp_distinct_count_destination_ip_for_source | Detects a high count of destination IPs establishing an RDP connection with a single source IP. | Windows | -| lmd_high_mean_rdp_process_args | Detects unusually high number of process arguments in an RDP session. 
| Windows | +| Job | Description | Supported Platform | Filter Field | +|----------------------------------------------------------|-------------------------------------------------------------------------------------------------|-----------------------|-----------------------------| +| lmd_high_count_remote_file_transfer_ea | Detects unusually high file transfers to a remote host in the network. | Linux, macOS, Windows | `event.category: file` | +| lmd_high_file_size_remote_file_transfer_ea | Detects unusually high size of files shared with a remote host in the network. | Linux, macOS, Windows | `event.category: file` | +| lmd_rare_file_extension_remote_transfer_ea | Detects rare file extensions shared with a remote host in the network. | macOS, Windows | `event.category: file` | +| lmd_rare_file_path_remote_transfer_ea | Detects unusual folders and directories on which a file is transferred (by a host). | macOS, Windows | `event.category: file` | +| lmd_high_mean_rdp_session_duration_ea | Detects unusually high mean of RDP session duration. | Windows | `session.start_time` exists | +| lmd_high_var_rdp_session_duration_ea | Detects unusually high variance in RDP session duration. | Windows | `session.start_time` exists | +| lmd_high_sum_rdp_number_of_processes_ea | Detects unusually high number of processes started in a single RDP session. | Windows | `session.start_time` exists | +| lmd_unusual_time_weekday_rdp_session_start_ea | Detects an RDP session started at an unusual time or weekday. | Windows | `session.start_time` exists | +| lmd_high_rdp_distinct_count_source_ip_for_destination_ea | Detects a high count of source IPs making an RDP connection with a single destination IP. | Windows | `session.start_time` exists | +| lmd_high_rdp_distinct_count_destination_ip_for_source_ea | Detects a high count of destination IPs establishing an RDP connection with a single source IP. 
| Windows | `session.start_time` exists | +| lmd_high_mean_rdp_process_args_ea | Detects unusually high number of process arguments in an RDP session. | Windows | `session.start_time` exists | ## Customize ML jobs for Lateral Movement Detection 
@@ -159,10 +173,53 @@ To customize the datafeed query and other settings such as model memory limit, f ![Lateral Movement Detection jobs](../img/lmd_ml_job_4.png) 1. In the cloned job, you can update datafeed settings such as **Frequency** and **Query delay**, which help control how often data is analyzed and account for ingestion delays. ![Lateral Movement Detection jobs](../img/lmd_ml_job_5.png) -1. You can also modify the job configuration by adjusting the **Bucket span** and by adding or removing **Influencers** to improve anomaly attribution. +1. You can also modify the job configuration by adjusting the **Bucket span** and by adding or removing **Influencers** to improve anomaly attribution. ![Lateral Movement Detection jobs](../img/lmd_ml_job_6.png) 1. Finally, assign a new Job ID, and click on **Create job**, and start the datafeed to apply the updated settings. +## v3.0.0 and beyond + +v3.0.0 of this package requires Elastic Stack version 9.4 or later. It introduces support for Entity Analytics (EA), adding new fields for proper entity resolution. + +- This package installs new ML jobs which include `_ea` suffix in their names, as outlined below. New transforms and detection rules are also included. +- Previously installed ML jobs, transforms, and rules will continue to run, allowing time to transition to the new Entity Analytics assets. +- **Important**: We recommend installing the new ML jobs and transforms and verifying that they are properly set up, collecting data, and generating anomalies **before** deleting the old jobs and upgrading to the new version of the detection rules available in 9.4. The new detection rules reference ML job IDs with the `_ea` suffix and are not compatible with older versions of the jobs. +- The new Entity Analytics transforms write to separate destination indices postfixed with `_ea`. Create a new data view for the Entity Analytics anomaly detection jobs using the new destination indices/aliases listed below. 
Do not mix old and new transform destination indices in the same data view. +- New dashboards are available in this version with the suffix "(Entity Analytics)" in the title. If you are still running jobs or transforms from before this version, the original dashboards without the suffix remain available. + +The new Entity Analytics ML job IDs are: +- `lmd_high_count_remote_file_transfer_ea` +- `lmd_high_file_size_remote_file_transfer_ea` +- `lmd_rare_file_extension_remote_transfer_ea` +- `lmd_rare_file_path_remote_transfer_ea` +- `lmd_high_mean_rdp_session_duration_ea` +- `lmd_high_var_rdp_session_duration_ea` +- `lmd_high_sum_rdp_number_of_processes_ea` +- `lmd_unusual_time_weekday_rdp_session_start_ea` +- `lmd_high_rdp_distinct_count_source_ip_for_destination_ea` +- `lmd_high_rdp_distinct_count_destination_ip_for_source_ea` +- `lmd_high_mean_rdp_process_args_ea` + +The new Entity Analytics transforms are: +- `lmd.pivot_transform_ea` → destination index: `ml-rdp-lmd_ea` + +After confirming the new Entity Analytics ML jobs and transforms are running correctly, you can remove the following deprecated assets that have been superseded by the new Entity Analytics versions (Elastic stack v9.4+): + +- Delete old ML jobs: Navigate to **Stack Management -> Anomaly Detection Jobs** and delete the following jobs: + - `lmd_high_count_remote_file_transfer` + - `lmd_high_file_size_remote_file_transfer` + - `lmd_rare_file_extension_remote_transfer` + - `lmd_rare_file_path_remote_transfer` + - `lmd_high_mean_rdp_session_duration` + - `lmd_high_var_rdp_session_duration` + - `lmd_high_sum_rdp_number_of_processes` + - `lmd_unusual_time_weekday_rdp_session_start` + - `lmd_high_rdp_distinct_count_source_ip_for_destination` + - `lmd_high_rdp_distinct_count_destination_ip_for_source` + - `lmd_high_mean_rdp_process_args` +- Delete old transforms: Navigate to **Stack Management -> Data -> Transforms** and delete: + - `lmd.pivot_transform` + ## v2.0.0 and beyond v2.0.0 of the package 
introduces breaking changes, namely deprecating detection rules from the package. To continue receiving updates to Lateral Movement Detection, we recommend upgrading to v2.0.0 after doing the following: @@ -193,7 +250,7 @@ Depending on the version of the package you're using, you might also be able to - Unusually high number of process arguments in an RDP session - Spike in number of connections made to a source IP - Spike in number of connections made to a destination IP - - Unusual time or day for an RDP session start + - Unusual time or day for an RDP session start Depending on the version of the package you're using, you might also be able to search for the above rules using the tag `Lateral Movement`. - Upgrade the Lateral Movement Detection package to v2.0.0 using the steps [here](https://www.elastic.co/guide/en/fleet/current/upgrade-integration.html) diff --git a/packages/lmd/elasticsearch/transform/pivot_transform/fields/fields.yml b/packages/lmd/elasticsearch/transform/pivot_transform_ea/fields/fields.yml similarity index 80% rename from packages/lmd/elasticsearch/transform/pivot_transform/fields/fields.yml rename to packages/lmd/elasticsearch/transform/pivot_transform_ea/fields/fields.yml index b9902f5cfe8..665050391f0 100644 --- a/packages/lmd/elasticsearch/transform/pivot_transform/fields/fields.yml +++ b/packages/lmd/elasticsearch/transform/pivot_transform_ea/fields/fields.yml @@ -1,7 +1,13 @@ - external: ecs name: host.name +- external: ecs + name: host.id - external: ecs name: user.name +- external: ecs + name: user.id +- external: ecs + name: event.module - name: process.Ext.authentication_id type: keyword - external: ecs 
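Review bot: Because this file arrives by rename (`pivot_transform` → `pivot_transform_ea`, similarity 80%) instead of as a sibling of the old definition, the package stops declaring the old transform entirely, which sits uneasily with the README text in this same commit promising that previously installed transforms keep running; whether Fleet leaves an undeclared transform in place after an upgrade is not visible here and should be confirmed before 3.0.0 makes that promise. If the old transform is removed on upgrade, `ml-rdp-lmd` stops being refreshed and the pre-`_ea` RDP jobs go quietly stale — a detection gap with no error to notice. The three new ECS entries would also benefit from a one-line comment stating why they exist, e.g. `# host.id / user.id / event.module: entity-resolution keys for Entity Analytics (Stack 9.4+)`, so a later cleanup does not treat them as optional.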
diff --git a/packages/lmd/elasticsearch/transform/pivot_transform/transform.yml b/packages/lmd/elasticsearch/transform/pivot_transform_ea/transform.yml
similarity index 91%
rename from packages/lmd/elasticsearch/transform/pivot_transform/transform.yml
rename to packages/lmd/elasticsearch/transform/pivot_transform_ea/transform.yml
index 29bd9a71776..1eb0cf4a308 100644
--- a/packages/lmd/elasticsearch/transform/pivot_transform/transform.yml
+++ b/packages/lmd/elasticsearch/transform/pivot_transform_ea/transform.yml
@@ -29,7 +29,7 @@ source:
script:
source: "if (doc['host.ip'].size() != 0){emit(doc['host.ip'][0]);}"
dest:
- index: "ml-rdp-lmd"
+ index: "ml-rdp-lmd_ea"
description: This transform runs hourly and collects windows RDP session information for Lateral Movement Detection package.
frequency: 1h
pivot:
@@ -56,12 +56,21 @@ pivot:
'host.name':
terms:
field: host.name
+ host.id:
+ terms:
+ field: host.id
'destination.ip':
terms:
field: destination.ip
'user.name':
terms:
field: user.name
+ user.id:
+ terms:
+ field: user.id
+ event.module:
+ terms:
+ field: event.module
'source.ip':
terms:
field: process.Ext.session_info.client_address
@@ -77,5 +86,5 @@ sync:
delay: 60s
field: '@timestamp'
_meta:
- fleet_transform_version: 2.6.3
+ fleet_transform_version: 3.0.0
run_as_kibana_system: false
diff --git a/packages/lmd/kibana/dashboard/lmd-ea-17fea180-8c4c-11ed-bb03-41a73f349362.json b/packages/lmd/kibana/dashboard/lmd-ea-17fea180-8c4c-11ed-bb03-41a73f349362.json
new file mode 100644
index 00000000000..9c6de2ce45f
--- /dev/null
+++ b/packages/lmd/kibana/dashboard/lmd-ea-17fea180-8c4c-11ed-bb03-41a73f349362.json
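Review bot: The three new `terms` group_by entries (`host.id`, `user.id`, `event.module`) in the `@@ -56,12 +56,21 @@` hunk change which documents reach `ml-rdp-lmd_ea`: a pivot excludes any document that lacks a group_by field unless that group sets `missing_bucket: true`, so RDP sessions from sources that do not populate `user.id` or `host.id` silently drop out of the destination index and out of every `_ea` job fed by it, with no error to alert on. If requiring these fields is intentional for entity resolution, say so in the `description` value touched by the `@@ -29,7 +29,7 @@` hunk; otherwise add `missing_bucket: true` under each of the three new groups so coverage stays on par with the old `ml-rdp-lmd` index. The new keys are also left unquoted next to the single-quoted `'host.name'` and `'user.name'`; use one form for the whole `group_by` mapping. The enclosing `pivot:` block starts above this hunk.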
@@ -0,0 +1,52 @@ +{ + "attributes": { + "description": "This dashboard provides an overview of anomalies found for Lateral Movement Detection package.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"(job_id:\\\"lmd_high_count_remote_file_transfer_ea\\\" or job_id:\\\"lmd_high_file_size_remote_file_transfer_ea\\\" or job_id:\\\"lmd_rare_file_extension_remote_transfer_ea\\\" or job_id :\\\"lmd_rare_file_path_remote_transfer_ea\\\" or job_id :\\\"lmd_high_mean_rdp_session_duration_ea\\\" or job_id :\\\"lmd_high_var_rdp_session_duration_ea\\\" or job_id :\\\"lmd_high_sum_rdp_number_of_processes_ea\\\" or job_id :\\\"lmd_high_rdp_distinct_count_source_ip_for_destination_ea\\\" or job_id :\\\"lmd_high_rdp_distinct_count_destination_ip_for_source_ea\\\" or job_id :\\\"lmd_unusual_time_weekday_rdp_session_start_ea\\\" or job_id :\\\"lmd_high_mean_rdp_process_args_ea\\\") \",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"result_type\",\"field\":\"result_type\",\"type\":\"phrase\",\"params\":{\"query\":\"record\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"result_type\":\"record\"}},\"$state\":{\"store\":\"appState\"}}]}" + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": 
"[{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":18,\"h\":10,\"i\":\"ddb33c4a-9eff-4d40-92c9-297d76d91eea\"},\"panelIndex\":\"ddb33c4a-9eff-4d40-92c9-297d76d91eea\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-fb918fff-0676-4792-9732-8fbe6db41443\"}],\"state\":{\"visualization\":{\"layerId\":\"fb918fff-0676-4792-9732-8fbe6db41443\",\"accessor\":\"3e03ad31-53f7-4def-b8e4-4192da864d19\",\"layerType\":\"data\",\"colorMode\":\"None\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"fb918fff-0676-4792-9732-8fbe6db41443\":{\"columns\":{\"3e03ad31-53f7-4def-b8e4-4192da864d19\":{\"label\":\"Total affected hosts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3e03ad31-53f7-4def-b8e4-4192da864d19\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":18,\"y\":0,\"w\":30,\"h\":10,\"i\":\"70033600-0e2e-4208-a258-a0b47e5a4e1b\"},\"panelIndex\":\"70033600-0e2e-4208-a258-a0b47e5a4e1b\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-0312c5ad-bc06-4396-bd16-5481b1c48bf1\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY 
chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"0312c5ad-bc06-4396-bd16-5481b1c48bf1\",\"accessors\":[\"51f5a7e6-3766-4c2f-94ce-fe624bf8db04\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"ae59c27c-f534-49cd-aab7-d7af4593bc8d\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0312c5ad-bc06-4396-bd16-5481b1c48bf1\":{\"columns\":{\"ae59c27c-f534-49cd-aab7-d7af4593bc8d\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"d\",\"includeEmptyRows\":true,\"dropPartials\":true}},\"51f5a7e6-3766-4c2f-94ce-fe624bf8db04\":{\"label\":\"Count of anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"record_score\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"ae59c27c-f534-49cd-aab7-d7af4593bc8d\",\"51f5a7e6-3766-4c2f-94ce-fe624bf8db04\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Total anomalies associated with lateral movement activity per 
day\"},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":10,\"w\":24,\"h\":15,\"i\":\"c0ee749a-576c-4da0-b51d-2ef364085fb5\"},\"panelIndex\":\"c0ee749a-576c-4da0-b51d-2ef364085fb5\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-6c1a1848-2234-42b9-b1fe-e41fca887639\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"909d15b9-b715-43ef-81ba-0dcf9701ff85\",\"isTransposed\":false},{\"columnId\":\"320f61a2-071f-4023-b51f-fc744c040995\",\"isTransposed\":false}],\"layerId\":\"6c1a1848-2234-42b9-b1fe-e41fca887639\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"6c1a1848-2234-42b9-b1fe-e41fca887639\":{\"columns\":{\"909d15b9-b715-43ef-81ba-0dcf9701ff85\":{\"label\":\"Host name > User name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"320f61a2-071f-4023-b51f-fc744c040995\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"multi_terms\"},\"secondaryFields\":[\"user.name\"]},\"customLabel\":true},\"320f61a2-071f-4023-b51f-fc744c040995\":{\"label\":\"Number of anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"record_score\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"909d15b9-b715-43ef-81ba-0dcf9701ff85\",\"320f61a2-071f-4023-b51f-fc744c040995\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 20 host and user names associated with lateral movement 
activity\"},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":10,\"w\":24,\"h\":15,\"i\":\"636abb14-59a8-4a1e-a426-5db922669b22\"},\"panelIndex\":\"636abb14-59a8-4a1e-a426-5db922669b22\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-188c9419-9baa-4af7-846c-d2fe2c838eb1\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"2ea20970-94b6-42d3-bded-af75d15d6708\",\"isTransposed\":false},{\"columnId\":\"4ccfc545-539c-43f5-ac35-cf6800bcd970\",\"isTransposed\":false}],\"layerId\":\"188c9419-9baa-4af7-846c-d2fe2c838eb1\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"188c9419-9baa-4af7-846c-d2fe2c838eb1\":{\"columns\":{\"2ea20970-94b6-42d3-bded-af75d15d6708\":{\"label\":\"Process name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.name\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4ccfc545-539c-43f5-ac35-cf6800bcd970\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"}},\"customLabel\":true},\"4ccfc545-539c-43f5-ac35-cf6800bcd970\":{\"label\":\"Number of anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"record_score\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"2ea20970-94b6-42d3-bded-af75d15d6708\",\"4ccfc545-539c-43f5-ac35-cf6800bcd970\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 20 process names associated with lateral movement 
activity\"},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":25,\"w\":48,\"h\":12,\"i\":\"d38dee87-a80a-4613-ae67-455886f1097e\"},\"panelIndex\":\"d38dee87-a80a-4613-ae67-455886f1097e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-3df1d709-471b-4308-afd9-1d49fa0d5dc1\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"3df1d709-471b-4308-afd9-1d49fa0d5dc1\",\"accessors\":[\"e336ebd1-d880-44e5-94bc-0dac4c006ee7\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"35a981cf-6ab8-438c-b73d-a399a35b9c4a\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3df1d709-471b-4308-afd9-1d49fa0d5dc1\":{\"columns\":{\"35a981cf-6ab8-438c-b73d-a399a35b9c4a\":{\"label\":\"File name > File directory\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"file.name\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e336ebd1-d880-44e5-94bc-0dac4c006ee7\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"multi_terms\"},\"secondaryFields\":[\"file_directory\"]},\"customLabel\":true},\"e336ebd1-d880-44e5-94bc-0dac4c006ee7\":{\"label\":\"Number of 
anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"record_score\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"35a981cf-6ab8-438c-b73d-a399a35b9c4a\",\"e336ebd1-d880-44e5-94bc-0dac4c006ee7\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 20 combination of file names and directories affected by lateral movement activity\"}]", + "timeRestore": false, + "title": "Lateral Movement Detection Dashboard (Entity Analytics)", + "version": 2 + }, + "coreMigrationVersion": "8.5.1", + "id": "lmd-ea-17fea180-8c4c-11ed-bb03-41a73f349362", + "migrationVersion": { + "dashboard": "8.5.0" + }, + "references": [ + { + "id": ".ml-anomalies-shared", + "name": "ddb33c4a-9eff-4d40-92c9-297d76d91eea:indexpattern-datasource-layer-fb918fff-0676-4792-9732-8fbe6db41443", + "type": "index-pattern" + }, + { + "id": ".ml-anomalies-shared", + "name": "70033600-0e2e-4208-a258-a0b47e5a4e1b:indexpattern-datasource-layer-0312c5ad-bc06-4396-bd16-5481b1c48bf1", + "type": "index-pattern" + }, + { + "id": ".ml-anomalies-shared", + "name": "c0ee749a-576c-4da0-b51d-2ef364085fb5:indexpattern-datasource-layer-6c1a1848-2234-42b9-b1fe-e41fca887639", + "type": "index-pattern" + }, + { + "id": ".ml-anomalies-shared", + "name": "636abb14-59a8-4a1e-a426-5db922669b22:indexpattern-datasource-layer-188c9419-9baa-4af7-846c-d2fe2c838eb1", + "type": "index-pattern" + }, + { + "id": ".ml-anomalies-shared", + "name": "d38dee87-a80a-4613-ae67-455886f1097e:indexpattern-datasource-layer-3df1d709-471b-4308-afd9-1d49fa0d5dc1", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/lmd/kibana/ml_module/lmd-ml.json b/packages/lmd/kibana/ml_module/lmd-ml.json index 5cd9f2b19b0..3562dbf5cd3 100644 --- a/packages/lmd/kibana/ml_module/lmd-ml.json 
+++ b/packages/lmd/kibana/ml_module/lmd-ml.json
@@ -39,7 +39,7 @@
},
"jobs": [
{
- "id": "lmd_high_count_remote_file_transfer",
+ "id": "lmd_high_count_remote_file_transfer_ea",
"config": {
"groups": [
"security",
@@ -59,7 +59,11 @@
],
"influencers": [
"host.name",
+ "host.id",
"user.name",
+ "event.module",
+ "user.id",
+ "event.action",
"process.name"
]
},
@@ -73,7 +77,7 @@
}
},
{
- "id": "lmd_high_file_size_remote_file_transfer",
+ "id": "lmd_high_file_size_remote_file_transfer_ea",
"config": {
"groups": [
"security",
@@ -93,8 +97,12 @@
],
"influencers": [
"host.name",
+ "host.id",
"user.name",
- "process.name"
+ "event.module",
+ "user.id",
+ "process.name",
+ "file.size"
]
},
"data_description": {
@@ -107,7 +115,7 @@
}
},
{
- "id": "lmd_rare_file_extension_remote_transfer",
+ "id": "lmd_rare_file_extension_remote_transfer_ea",
"config": {
"groups": [
"security",
@@ -127,7 +135,11 @@
],
"influencers": [
"host.name",
+ "host.id",
"user.name",
+ "event.module",
+ "user.id",
+ "file.extension",
"file.name"
]
},
@@ -141,7 +153,7 @@
}
},
{
- "id": "lmd_rare_file_path_remote_transfer",
+ "id": "lmd_rare_file_path_remote_transfer_ea",
"config": {
"groups": [
"security",
@@ -161,7 +173,11 @@
],
"influencers": [
"host.name",
+ "host.id",
"user.name",
+ "event.module",
+ "user.id",
+ "file_directory",
"file.path"
]
},
@@ -175,7 +191,7 @@
}
},
{
- "id": "lmd_high_mean_rdp_session_duration",
+ "id": "lmd_high_mean_rdp_session_duration_ea",
"config": {
"groups": [
"security",
@@ -202,9 +218,13 @@
],
"influencers": [
"host.name",
+ "host.id",
"user.name",
+ "event.module",
+ "user.id",
"source.ip",
- "destination.ip"
+ "destination.ip",
+ "session.duration"
]
},
"data_description": {
@@ -217,7 +237,7 @@
}
},
{
- "id": "lmd_high_var_rdp_session_duration",
+ "id": "lmd_high_var_rdp_session_duration_ea",
"config": {
"groups": [
"security",
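Review bot: Several rewritten `influencers` lists add the job's own numeric analysis field as an influencer — `file.size` in `@@ -93,8 +97,12 @@` here, and `session.duration` in `@@ -202,9 +218,13 @@` and `@@ -244,9 +264,13 @@`, `number_processes_per_session` in `@@ -286,9 +310,13 @@`, and `total_length_process_args` in `@@ -430,9 +469,13 @@` on the following lines. Influencers are meant to be categorical entities that can be blamed for an anomaly (host, user, IP); a continuous metric as influencer yields one value per document, is likely to inflate model memory, and adds no triage value because the anomaly record already carries that field's actual and typical values, so these five additions should be dropped or their purpose explained in the README job table. `event.action` is added only to `lmd_high_count_remote_file_transfer_ea` in `@@ -59,7 +59,11 @@` and to none of the other file-transfer jobs; either apply it consistently or remove it. The `host.id`/`user.id`/`event.module` trio is presumably the Entity Analytics resolution key set — confirm, since JSON cannot carry a comment saying so.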
@@ -244,9 +264,13 @@
 ],
 "influencers": [
 "host.name",
+ "host.id",
 "user.name",
+ "event.module",
+ "user.id",
 "source.ip",
- "destination.ip"
+ "destination.ip",
+ "session.duration"
 ]
 },
 "data_description": {
@@ -259,7 +283,7 @@
 }
 },
 {
- "id": "lmd_high_sum_rdp_number_of_processes",
+ "id": "lmd_high_sum_rdp_number_of_processes_ea",
 "config": {
 "groups": [
 "security",
@@ -286,9 +310,13 @@
 ],
 "influencers": [
 "host.name",
+ "host.id",
 "user.name",
+ "event.module",
+ "user.id",
 "source.ip",
- "destination.ip"
+ "destination.ip",
+ "number_processes_per_session"
 ]
 },
 "data_description": {
@@ -301,7 +329,7 @@
 }
 },
 {
- "id": "lmd_unusual_time_weekday_rdp_session_start",
+ "id": "lmd_unusual_time_weekday_rdp_session_start_ea",
 "config": {
 "groups": [
 "security",
@@ -320,7 +348,10 @@
 ],
 "influencers": [
 "host.name",
+ "host.id",
 "user.name",
+ "event.module",
+ "user.id",
 "destination.ip",
 "source.ip"
 ]
@@ -335,7 +366,7 @@
 }
 },
 {
- "id": "lmd_high_rdp_distinct_count_source_ip_for_destination",
+ "id": "lmd_high_rdp_distinct_count_source_ip_for_destination_ea",
 "config": {
 "groups": [
 "security",
@@ -355,8 +386,12 @@
 ],
 "influencers": [
 "host.name",
+ "host.id",
 "user.name",
- "destination.ip"
+ "event.module",
+ "user.id",
+ "destination.ip",
+ "source.ip"
 ]
 },
 "data_description": {
@@ -369,7 +404,7 @@
 }
 },
 {
- "id": "lmd_high_rdp_distinct_count_destination_ip_for_source",
+ "id": "lmd_high_rdp_distinct_count_destination_ip_for_source_ea",
 "config": {
 "groups": [
 "security",
@@ -389,8 +424,12 @@
 ],
 "influencers": [
 "host.name",
+ "host.id",
 "user.name",
- "source.ip"
+ "event.module",
+ "user.id",
+ "source.ip",
+ "destination.ip"
 ]
 },
 "data_description": {
@@ -403,7 +442,7 @@
 }
 },
 {
- "id": "lmd_high_mean_rdp_process_args",
+ "id": "lmd_high_mean_rdp_process_args_ea",
 "config": {
 "groups": [
 "security",
@@ -430,9 +469,13 @@
 ],
 "influencers": [
 "host.name",
+ "host.id",
 "user.name",
+ "event.module",
+ "user.id",
 "source.ip",
- "destination.ip"
+ "destination.ip",
+ "total_length_process_args"
 ]
 },
 "data_description": {
@@ -447,13 +490,13 @@
 ],
 "datafeeds": [
 {
- "id": "datafeed-lmd_high_count_remote_file_transfer",
- "job_id": "lmd_high_count_remote_file_transfer",
+ "id": "datafeed-lmd_high_count_remote_file_transfer_ea",
+ "job_id": "lmd_high_count_remote_file_transfer_ea",
 "config": {
 "indices": [
 "INDEX_PATTERN_NAME"
 ],
- "job_id": "lmd_high_count_remote_file_transfer",
+ "job_id": "lmd_high_count_remote_file_transfer_ea",
 "query": {
 "bool": {
 "must_not": [
@@ -505,13 +548,13 @@
 }
 },
 {
- "id": "datafeed-lmd_high_file_size_remote_file_transfer",
- "job_id": "lmd_high_file_size_remote_file_transfer",
+ "id": "datafeed-lmd_high_file_size_remote_file_transfer_ea",
+ "job_id": "lmd_high_file_size_remote_file_transfer_ea",
 "config": {
 "indices": [
 "INDEX_PATTERN_NAME"
 ],
- "job_id": "lmd_high_file_size_remote_file_transfer",
+ "job_id": "lmd_high_file_size_remote_file_transfer_ea",
 "query": {
 "bool": {
 "must_not": [
@@ -563,13 +606,13 @@
 }
 },
 {
- "id": "datafeed-lmd_rare_file_extension_remote_transfer",
- "job_id": "lmd_rare_file_extension_remote_transfer",
+ "id": "datafeed-lmd_rare_file_extension_remote_transfer_ea",
+ "job_id": "lmd_rare_file_extension_remote_transfer_ea",
 "config": {
 "indices": [
 "INDEX_PATTERN_NAME"
 ],
- "job_id": "lmd_rare_file_extension_remote_transfer",
+ "job_id": "lmd_rare_file_extension_remote_transfer_ea",
 "query": {
 "bool": {
 "must_not": [
@@ -621,13 +664,13 @@
 }
 },
 {
- "id": "datafeed-lmd_high_mean_rdp_session_duration",
- "job_id": "lmd_high_mean_rdp_session_duration",
+ "id": "datafeed-lmd_high_mean_rdp_session_duration_ea",
+ "job_id": "lmd_high_mean_rdp_session_duration_ea",
 "config": {
 "indices": [
 "INDEX_PATTERN_NAME"
 ],
- "job_id": "lmd_high_mean_rdp_session_duration",
+ "job_id": "lmd_high_mean_rdp_session_duration_ea",
 "query": {
 "bool": {
 "filter": [
@@ -652,13 +695,13 @@
 }
 },
 {
- "id": "datafeed-lmd_high_var_rdp_session_duration",
- "job_id": "lmd_high_var_rdp_session_duration",
+ "id": "datafeed-lmd_high_var_rdp_session_duration_ea",
+ "job_id": "lmd_high_var_rdp_session_duration_ea",
 "config": {
 "indices": [
 "INDEX_PATTERN_NAME"
 ],
- "job_id": "lmd_high_var_rdp_session_duration",
+ "job_id": "lmd_high_var_rdp_session_duration_ea",
 "query": {
 "bool": {
 "filter": [
@@ -683,13 +726,13 @@
 }
 },
 {
- "id": "datafeed-lmd_high_sum_rdp_number_of_processes",
- "job_id": "lmd_high_sum_rdp_number_of_processes",
+ "id": "datafeed-lmd_high_sum_rdp_number_of_processes_ea",
+ "job_id": "lmd_high_sum_rdp_number_of_processes_ea",
 "config": {
 "indices": [
 "INDEX_PATTERN_NAME"
 ],
- "job_id": "lmd_high_sum_rdp_number_of_processes",
+ "job_id": "lmd_high_sum_rdp_number_of_processes_ea",
 "query": {
 "bool": {
 "filter": [
@@ -714,13 +757,13 @@
 }
 },
 {
- "id": "datafeed-lmd_unusual_time_weekday_rdp_session_start",
- "job_id": "lmd_unusual_time_weekday_rdp_session_start",
+ "id": "datafeed-lmd_unusual_time_weekday_rdp_session_start_ea",
+ "job_id": "lmd_unusual_time_weekday_rdp_session_start_ea",
 "config": {
 "indices": [
 "INDEX_PATTERN_NAME"
 ],
- "job_id": "lmd_unusual_time_weekday_rdp_session_start",
+ "job_id": "lmd_unusual_time_weekday_rdp_session_start_ea",
 "query": {
 "bool": {
 "filter": [
@@ -745,13 +788,13 @@
 }
 },
 {
- "id": "datafeed-lmd_high_rdp_distinct_count_source_ip_for_destination",
- "job_id": "lmd_high_rdp_distinct_count_source_ip_for_destination",
+ "id": "datafeed-lmd_high_rdp_distinct_count_source_ip_for_destination_ea",
+ "job_id": "lmd_high_rdp_distinct_count_source_ip_for_destination_ea",
 "config": {
 "indices": [
 "INDEX_PATTERN_NAME"
 ],
- "job_id": "lmd_high_rdp_distinct_count_source_ip_for_destination",
+ "job_id": "lmd_high_rdp_distinct_count_source_ip_for_destination_ea",
 "query": {
 "bool": {
 "filter": [
@@ -776,13 +819,13 @@
 }
 },
 {
- "id": "datafeed-lmd_high_rdp_distinct_count_destination_ip_for_source",
- "job_id": "lmd_high_rdp_distinct_count_destination_ip_for_source",
+ "id": "datafeed-lmd_high_rdp_distinct_count_destination_ip_for_source_ea",
+ "job_id": "lmd_high_rdp_distinct_count_destination_ip_for_source_ea",
 "config": {
 "indices": [
 "INDEX_PATTERN_NAME"
 ],
- "job_id": "lmd_high_rdp_distinct_count_destination_ip_for_source",
+ "job_id": "lmd_high_rdp_distinct_count_destination_ip_for_source_ea",
 "query": {
 "bool": {
 "filter": [
@@ -807,13 +850,13 @@
 }
 },
 {
- "id": "datafeed-lmd_high_mean_rdp_process_args",
- "job_id": "lmd_high_mean_rdp_process_args",
+ "id": "datafeed-lmd_high_mean_rdp_process_args_ea",
+ "job_id": "lmd_high_mean_rdp_process_args_ea",
 "config": {
 "indices": [
 "INDEX_PATTERN_NAME"
 ],
- "job_id": "lmd_high_mean_rdp_process_args",
+ "job_id": "lmd_high_mean_rdp_process_args_ea",
 "query": {
 "bool": {
 "filter": [
@@ -838,13 +881,13 @@
 }
 },
 {
- "id": "datafeed-lmd_rare_file_path_remote_transfer",
- "job_id": "lmd_rare_file_path_remote_transfer",
+ "id": "datafeed-lmd_rare_file_path_remote_transfer_ea",
+ "job_id": "lmd_rare_file_path_remote_transfer_ea",
 "config": {
 "indices": [
 "INDEX_PATTERN_NAME"
 ],
- "job_id": "lmd_rare_file_path_remote_transfer",
+ "job_id": "lmd_rare_file_path_remote_transfer_ea",
 "query": {
 "bool": {
 "must_not": [
@@ -911,4 +954,4 @@
 },
 "references": [],
 "type": "ml-module"
-}
\ No newline at end of file
+}
diff --git a/packages/lmd/manifest.yml b/packages/lmd/manifest.yml
index a255abc0acd..4a4eab02480 100644
--- a/packages/lmd/manifest.yml
+++ b/packages/lmd/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.0
 name: lmd
 title: "Lateral Movement Detection"
-version: 2.6.3
+version: 3.0.0
 source:
 license: "Elastic-2.0"
 description: "ML package to detect lateral movement based on file transfer activity and Windows RDP events."
@@ -11,7 +11,7 @@ categories:
 - advanced_analytics_ueba
 conditions:
 kibana:
- version: "^8.9.0 || ^9.0.0"
+ version: "^9.4.0"
 elastic:
 subscription: platinum
 capabilities:
diff --git a/packages/pad/changelog.yml b/packages/pad/changelog.yml
index 0ef2e058e41..5c986095893 100644
--- a/packages/pad/changelog.yml
+++ b/packages/pad/changelog.yml
@@ -1,3 +1,8 @@
+- version: "2.0.0"
+ changes:
+ - description: Adds new fields for entity resolution with Entity Analytics in Elastic Stack 9.4. Includes new ML jobs, transforms, and dashboards.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/17626
 - version: "1.1.2"
 changes:
 - description: Update documentation for data views
diff --git a/packages/pad/docs/README.md b/packages/pad/docs/README.md
index 0016f65405c..94bf0b48565 100644
--- a/packages/pad/docs/README.md
+++ b/packages/pad/docs/README.md
@@ -7,6 +7,7 @@ The package transform supports data from Elastic Endpoint via Elastic Defend and ## Installation +1. **Upgrading**: If upgrading from a version below v2.0.0, see the section v2.0.0 and beyond. 1. **Add the Integration Package**: Install the package via **Management > Integrations > Add Privileged Access Detection**. Configure the integration name and agent policy. Click **Save and Continue**. 1. **Configure the pipeline**: To configure the pipeline you can use one of the following steps: - If using Elastic Defend, add a custom pipeline to the data stream. Go to **Stack Management > Ingest Pipelines**, and check if the pipeline `logs-endpoint.events.process@custom` exists. 
@@ -62,12 +63,12 @@ The package transform supports data from Elastic Endpoint via Elastic Defend and ``` POST INDEX_NAME/_rollover ``` -1. **Check the health of the transforms**: The transforms are scheduled to run every hour. These transforms create two indices: `ml_windows_privilege_type_pad.all` and `ml_okta_multiple_user_sessions_pad.all`. To check the health of the transforms go to **Management > Stack Management > Data > Transforms** under `logs-pad.pivot_transform_okta_multiple_sessions-default-` and `logs-pad.pivot_transform_windows_privilege_list-default-`. -1. **Create data views for anomaly detection jobs**: The anomaly detection jobs under this package rely on three indices. One index contains logs for Windows, Linux, and Okta (logs-*), while the second and third indices store Okta user session information and details about special Windows privileges assigned to a user, respectively, collected through two transforms (`ml_okta_multiple_user_sessions_pad.all` and `ml_windows_privilege_type_pad.all`). Before enabling the anomaly detection jobs, create a data view with both index patterns. +1. **Check the health of the transforms**: The transforms are scheduled to run every hour. These transforms create two indices: `ml_windows_privilege_type_pad_ea.all` and `ml_okta_multiple_user_sessions_pad_ea.all`. To check the health of the transforms go to **Management > Stack Management > Data > Transforms** under `logs-pad.pivot_transform_okta_sessions_ea-default-` and `logs-pad.pivot_transform_win_privilege_list_ea-default-`. +1. **Create data views for anomaly detection jobs**: The anomaly detection jobs under this package rely on three indices. 
One index contains logs for Windows, Linux, and Okta (logs-*), while the second and third indices store Okta user session information and details about special Windows privileges assigned to a user, respectively, collected through two transforms (`ml_okta_multiple_user_sessions_pad_ea.all` and `ml_windows_privilege_type_pad_ea.all`). Before enabling the anomaly detection jobs, create a data view with both index patterns. 1. Go to **Stack Management > Kibana > Data Views** and click **Create data view**. - 1. Enter the name of your respective index patterns in the **Index pattern** box, i.e., `logs-*, ml_okta_multiple_user_sessions_pad.all, ml_windows_privilege_type_pad.all`, and copy the same in the **Name** field. + 1. Enter the name of your respective index patterns in the **Index pattern** box, i.e., `logs-*, ml_okta_multiple_user_sessions_pad_ea.all, ml_windows_privilege_type_pad_ea.all`, and copy the same in the **Name** field. 1. Select `@timestamp` under the **Timestamp** field and click on **Save data view to Kibana**. - 1. Use the new data view (`logs-*, ml_okta_multiple_user_sessions_pad.all, ml_windows_privilege_type_pad.all`) to create anomaly detection jobs for this package. + 1. Use the new data view (`logs-*, ml_okta_multiple_user_sessions_pad_ea.all, ml_windows_privilege_type_pad_ea.all`) to create anomaly detection jobs for this package. 1. **Add preconfigured anomaly detection jobs**: In **Stack Management -> Anomaly Detection Jobs**, you will see **Select data view or saved search**. Select the data view created in the previous step. Then under `Use preconfigured jobs` you will see **Privileged Access Detection**. When you select the card, you will see pre-configured anomaly detection jobs that you can create depending on what makes the most sense for your environment. 
**_Note_**: In the Machine Learning app, these configurations are available only when data exists that matches the query specified in the [pad-ml file](https://github.com/elastic/integrations/blob/main/packages/pad/kibana/ml_module/pad-ml.json#L10). Additionally, we recommend backdating the datafeed for these anomaly detection jobs to a specific timeframe, as some datafeed queries are resource-intensive and may lead to query delays. We advise you to start the datafeed with 2-3 months' worth of data. 1. **Data view configuration for Dashboards**: For the dashboard to work as expected, the following settings need to be configured in Kibana. 
@@ -87,19 +88,19 @@ The package transform supports data from Elastic Endpoint via Elastic Defend and To inspect the installed assets, you can navigate to **Stack Management > Data > Transforms**. -| Transform name | Purpose | Source index | Destination index | Alias | Supported Platform | -|--------------------------------------------|--------------------------------------------------------------------|---------------|------------------------------------------------|--------------------------------------- | ------------------ | -| pad.pivot_transform_okta_multiple_sessions | Collects user session information for Okta events | logs-* | ml_okta_multiple_user_sessions_pad-[version] | ml_okta_multiple_user_sessions_pad.all | Okta | -| pad.pivot_transform_windows_privilege_type | Collects special privileges assigned to a user for Windows events | logs-* | ml_windows_privilege_type_pad-[version] | ml_windows_privilege_type_pad.all | Windows | +| Transform name | Purpose | Source index | Destination index | Alias | Supported Platform | +|-------------------------------------------|-------------------------------------------------------------------|--------------|-------------------------------------------------|-------------------------------------------|--------------------| +| pad.pivot_transform_okta_sessions_ea | Collects user session information for Okta events | logs-* | ml_okta_multiple_user_sessions_pad_ea-[version] | ml_okta_multiple_user_sessions_pad_ea.all | Okta | +| pad.pivot_transform_win_privilege_list_ea | Collects special privileges assigned to a user for Windows events | logs-* | ml_windows_privilege_type_pad_ea-[version] | ml_windows_privilege_type_pad_ea.all | Windows | -When querying the destination indices for Okta and Windows logs, we advise using the alias for the destination index (`ml_okta_multiple_user_sessions_pad.all` and `ml_windows_privilege_type_pad.all`). 
In the event that the underlying package is upgraded, the alias will aid in maintaining the previous findings. +When querying the destination indices for Okta and Windows logs, we advise using the alias for the destination index (`ml_okta_multiple_user_sessions_pad_ea.all` and `ml_windows_privilege_type_pad_ea.all`). In the event that the underlying package is upgraded, the alias will aid in maintaining the previous findings. ## Customize Privileged Access Detection Transform To customize filters in the Privileged Access Detection transform, follow the below steps. You can use these instructions to update basic settings or to update filters for fields such as `process.name`, `@timestamp` and others. 1. To update settings such as retention policy, frequency, or destination configuration, stop the transform, click **Edit** from the **Actions** bar, make the required changes, and start the transform again. ![Privileged Access Detection transform](../img/pad_transform_update.png) -1. To update the query filters, go to **Stack Management > Data > Transforms > `logs-pad.pivot_transform_windows_privilege_list-default-`**. +1. To update the query filters, go to **Stack Management > Data > Transforms > `logs-pad.pivot_transform_win_privilege_list_ea-default-`**. 1. Click on the **Actions** bar at the far right of the transform and select the **Clone** option. ![Privileged Access Detection transform](../img/pad_transform_1.png) 1. In the new **Clone transform** window, go to the **Search filter** and update any field values you want to add or remove. Click on the **Apply changes** button on the right side to save these changes. **Note:** The image below shows an example of filtering a new `process.name` as `explorer.exe`. You can follow a similar example and update the field value list based on your environment to help reduce noise and potential false positives. 
@@ -111,29 +112,29 @@ To customize filters in the Privileged Access Detection transform, follow the be ### Anomaly Detection Jobs -| Job | Description | Supported Platform | -|------------------------------------------------------------|------------------------------------------------------------------------------------------------|----------------------| -| pad_windows_high_count_special_logon_events | Detects unusually high special logon events initiated by a user. | Windows | -| pad_windows_high_count_special_privilege_use_events | Detects unusually high special privilege use events initiated by a user. | Windows | -| pad_windows_high_count_group_management_events | Detects unusually high security group management events initiated by a user. | Windows | -| pad_windows_high_count_user_account_management_events | Detects unusually high security user account management events initiated by a user. | Windows | -| pad_windows_rare_privilege_assigned_to_user | Detects an unusual privilege type assigned to a user. | Windows | -| pad_windows_rare_group_name_by_user | Detects an unusual group name accessed by a user. | Windows | -| pad_windows_rare_device_by_user | Detects an unusual device accessed by a user. | Windows | -| pad_windows_rare_source_ip_by_user | Detects an unusual source IP address accessed by a user. | Windows | -| pad_windows_rare_region_name_by_user | Detects an unusual region name for a user. | Windows | -| pad_linux_high_count_privileged_process_events_by_user | Detects a spike in privileged commands executed by a user. | Linux | -| pad_linux_rare_process_executed_by_user | Detects a rare process executed by a user. | Linux | -| pad_linux_high_median_process_command_line_entropy_by_user | Detects process command lines executed by a user with an abnormally high median entropy value. | Okta Integration | -| pad_okta_spike_in_group_membership_changes | Detects spike in group membership change events by a user. 
| Okta Integration | -| pad_okta_spike_in_user_lifecycle_management_changes | Detects spike in user lifecycle management change events by a user. | Okta Integration | -| pad_okta_spike_in_group_privilege_changes | Detects spike in group privilege change events by a user. | Okta Integration | -| pad_okta_spike_in_group_application_assignment_change | Detects spike in group application assignment change events by a user. | Okta Integration | -| pad_okta_spike_in_group_lifecycle_changes | Detects spike in group lifecycle change events by a user. | Okta Integration | -| pad_okta_high_sum_concurrent_sessions_by_user | Detects an unusual sum of active sessions started by a user. | Okta Integration | -| pad_okta_rare_source_ip_by_user | Detects an unusual source IP address accessed by a user. | Okta Integration | -| pad_okta_rare_region_name_by_user | Detects an unusual region name for a user. | Okta Integration | -| pad_okta_rare_host_name_by_user | Detects an unusual host name for a user. | Okta Integration | +| Job | Description | Supported Platform | Filter Field | +|---------------------------------------------------------------|------------------------------------------------------------------------------------------------|--------------------|-------------------------------------| +| pad_windows_high_count_special_logon_events_ea | Detects unusually high special logon events initiated by a user. | Windows | `host.os.type: windows` | +| pad_windows_high_count_special_privilege_use_events_ea | Detects unusually high special privilege use events initiated by a user. | Windows | `host.os.type: windows` | +| pad_windows_high_count_group_management_events_ea | Detects unusually high security group management events initiated by a user. | Windows | `host.os.type: windows` | +| pad_windows_high_count_user_account_management_events_ea | Detects unusually high security user account management events initiated by a user. 
| Windows | `host.os.type: windows` | +| pad_windows_rare_privilege_assigned_to_user_ea | Detects an unusual privilege type assigned to a user. | Windows | `host.os.type: windows` | +| pad_windows_rare_group_name_by_user_ea | Detects an unusual group name accessed by a user. | Windows | `host.os.type: windows` | +| pad_windows_rare_device_by_user_ea | Detects an unusual device accessed by a user. | Windows | `host.os.type: windows` | +| pad_windows_rare_source_ip_by_user_ea | Detects an unusual source IP address accessed by a user. | Windows | `host.os.type: windows` | +| pad_windows_rare_region_name_by_user_ea | Detects an unusual region name for a user. | Windows | `host.os.type: windows` | +| pad_linux_high_count_privileged_process_events_by_user_ea | Detects a spike in privileged commands executed by a user. | Linux | `host.os.type: linux` | +| pad_linux_rare_process_executed_by_user_ea | Detects a rare process executed by a user. | Linux | `host.os.type: linux` | +| pad_linux_high_median_process_command_line_entropy_by_user_ea | Detects process command lines executed by a user with an abnormally high median entropy value. | Linux | `host.os.type: linux` | +| pad_okta_spike_in_group_membership_changes_ea | Detects spike in group membership change events by a user. | Okta Integration | `data_stream.dataset: okta.system` | +| pad_okta_spike_in_user_lifecycle_management_changes_ea | Detects spike in user lifecycle management change events by a user. | Okta Integration | `data_stream.dataset: okta.system` | +| pad_okta_spike_in_group_privilege_changes_ea | Detects spike in group privilege change events by a user. | Okta Integration | `data_stream.dataset: okta.system` | +| pad_okta_spike_in_group_application_assignment_changes_ea | Detects spike in group application assignment change events by a user. | Okta Integration | `data_stream.dataset: okta.system` | +| pad_okta_spike_in_group_lifecycle_changes_ea | Detects spike in group lifecycle change events by a user. 
| Okta Integration | `data_stream.dataset: okta.system` | +| pad_okta_high_sum_concurrent_sessions_by_user_ea | Detects an unusual sum of active sessions started by a user. | Okta Integration | `data_stream.dataset: okta.system` | +| pad_okta_rare_source_ip_by_user_ea | Detects an unusual source IP address accessed by a user. | Okta Integration | `data_stream.dataset: okta.system` | +| pad_okta_rare_region_name_by_user_ea | Detects an unusual region name for a user. | Okta Integration | `data_stream.dataset: okta.system` | +| pad_okta_rare_host_name_by_user_ea | Detects an unusual host name for a user. | Okta Integration | `data_stream.dataset: okta.system` | ## Customize ML jobs for Privileged Access Detection 
@@ -152,6 +153,71 @@ To customize the datafeed query and other settings such as model memory limit, f ![Privileged Access Detection jobs](../img/pad_ml_job_6.png) 1. Finally, assign a new Job ID, and click on **Create job**, and start the datafeed to apply the updated settings. +## v2.0.0 and beyond + +v2.0.0 of this package requires Elastic Stack version 9.4 or later. It introduces support for Entity Analytics (EA), adding new fields for proper entity resolution. + +- This package installs new ML jobs which include `_ea` suffix in their names, as outlined below. New transforms and detection rules are also included. +- Previously installed ML jobs, transforms, and rules will continue to run, allowing time to transition to the new Entity Analytics assets. +- **Important**: We recommend installing the new ML jobs and transforms and verifying that they are properly set up, collecting data, and generating anomalies **before** deleting the old jobs and upgrading to the new version of the detection rules available in 9.4. The new detection rules reference ML job IDs with the `_ea` suffix and are not compatible with older versions of the jobs. +- The new Entity Analytics transforms write to separate destination indices postfixed with `_ea`. Create a new data view for the Entity Analytics anomaly detection jobs using the new destination indices/aliases listed below. Do not mix old and new transform destination indices in the same data view. +- New dashboards are available in this version with the suffix "(Entity Analytics)" in the title. If you are still running jobs or transforms from before this version, the original dashboards without the suffix remain available. 
+ +The new Entity Analytics ML job IDs are: +- `pad_windows_high_count_special_logon_events_ea` +- `pad_windows_high_count_special_privilege_use_events_ea` +- `pad_windows_high_count_group_management_events_ea` +- `pad_windows_high_count_user_account_management_events_ea` +- `pad_windows_rare_privilege_assigned_to_user_ea` +- `pad_windows_rare_group_name_by_user_ea` +- `pad_windows_rare_device_by_user_ea` +- `pad_windows_rare_source_ip_by_user_ea` +- `pad_windows_rare_region_name_by_user_ea` +- `pad_linux_high_count_privileged_process_events_by_user_ea` +- `pad_linux_rare_process_executed_by_user_ea` +- `pad_linux_high_median_process_command_line_entropy_by_user_ea` +- `pad_okta_spike_in_group_membership_changes_ea` +- `pad_okta_spike_in_user_lifecycle_management_changes_ea` +- `pad_okta_spike_in_group_privilege_changes_ea` +- `pad_okta_spike_in_group_application_assignment_changes_ea` +- `pad_okta_spike_in_group_lifecycle_changes_ea` +- `pad_okta_high_sum_concurrent_sessions_by_user_ea` +- `pad_okta_rare_source_ip_by_user_ea` +- `pad_okta_rare_region_name_by_user_ea` +- `pad_okta_rare_host_name_by_user_ea` + +The new Entity Analytics transforms are: +- `pad.pivot_transform_okta_sessions_ea` → destination index: `ml_okta_multiple_user_sessions_pad_ea-2.0.0`, alias: `ml_okta_multiple_user_sessions_pad_ea.latest`, `ml_okta_multiple_user_sessions_pad_ea.all` +- `pad.pivot_transform_win_privilege_list_ea` → destination index: `ml_windows_privilege_type_pad_ea-2.0.0`, alias: `ml_windows_privilege_type_pad_ea.latest`, `ml_windows_privilege_type_pad_ea.all` + +After confirming the new Entity Analytics ML jobs and transforms are running correctly, you can remove the following deprecated assets that have been superseded by the new Entity Analytics versions (Elastic stack 9.4+): + +- Delete old ML jobs: Navigate to **Stack Management -> Anomaly Detection Jobs** and delete the following jobs: + - `pad_windows_high_count_special_logon_events` + - 
`pad_windows_high_count_special_privilege_use_events` + - `pad_windows_high_count_group_management_events` + - `pad_windows_high_count_user_account_management_events` + - `pad_windows_rare_privilege_assigned_to_user` + - `pad_windows_rare_group_name_by_user` + - `pad_windows_rare_device_by_user` + - `pad_windows_rare_source_ip_by_user` + - `pad_windows_rare_region_name_by_user` + - `pad_linux_high_count_privileged_process_events_by_user` + - `pad_linux_rare_process_executed_by_user` + - `pad_linux_high_median_process_command_line_entropy_by_user` + - `pad_okta_spike_in_group_membership_changes` + - `pad_okta_spike_in_user_lifecycle_management_changes` + - `pad_okta_spike_in_group_privilege_changes` + - `pad_okta_spike_in_group_application_assignment_changes` + - `pad_okta_spike_in_group_lifecycle_changes` + - `pad_okta_high_sum_concurrent_sessions_by_user` + - `pad_okta_rare_source_ip_by_user` + - `pad_okta_rare_region_name_by_user` + - `pad_okta_rare_host_name_by_user` +- Delete old transforms: Navigate to **Stack Management -> Data -> Transforms** and delete: + - `pad.pivot_transform_okta_multiple_sessions` + - `pad.pivot_transform_windows_privilege_list` + ## Licensing Usage in production requires that you have a license key that permits use of machine learning features. \ No newline at end of file diff --git a/packages/pad/elasticsearch/transform/pivot_transform_okta_multiple_sessions/fields/fields.yml b/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/fields/fields.yml similarity index 68% rename from packages/pad/elasticsearch/transform/pivot_transform_okta_multiple_sessions/fields/fields.yml rename to packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/fields/fields.yml index b483e7269cc..b55ab249b6e 100644 --- a/packages/pad/elasticsearch/transform/pivot_transform_okta_multiple_sessions/fields/fields.yml +++ b/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/fields/fields.yml 
@@ -1,5 +1,9 @@
 - external: ecs
- name: source.user.name
+ name: user.name
+- external: ecs
+ name: user.email
+- external: ecs
+ name: event.module
 - external: ecs
 name: source.user.full_name
 - name: okta_distinct_ips
@@ -10,5 +14,7 @@
 type: long
 - external: ecs
 name: agent.name
+- external: ecs
+ name: host.name
 - external: ecs
 name: '@timestamp'
diff --git a/packages/pad/elasticsearch/transform/pivot_transform_okta_multiple_sessions/transform.yml b/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/transform.yml
similarity index 78%
rename from packages/pad/elasticsearch/transform/pivot_transform_okta_multiple_sessions/transform.yml
rename to packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/transform.yml
index 12b72966229..14ce72db8fc 100644
--- a/packages/pad/elasticsearch/transform/pivot_transform_okta_multiple_sessions/transform.yml
+++ b/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/transform.yml
@@ -18,11 +18,11 @@ source:
 - terms:
 '_tier': [ "data_cold", "data_frozen" ]
 dest:
- index: ml_okta_multiple_user_sessions_pad-1.1.2
+ index: ml_okta_multiple_user_sessions_pad_ea-2.0.0
 aliases:
- - alias: ml_okta_multiple_user_sessions_pad.latest
+ - alias: ml_okta_multiple_user_sessions_pad_ea.latest
 move_on_creation: true
- - alias: ml_okta_multiple_user_sessions_pad.all
+ - alias: ml_okta_multiple_user_sessions_pad_ea.all
 move_on_creation: false
 description: This transform runs hourly and collects user session information for Okta events for the Privileged Access Detection package.
 frequency: 1h
@@ -39,9 +39,18 @@ pivot:
 term:
 'okta.event_type': "user.session.end"
 group_by:
- 'source.user.name':
+ 'user.name':
 terms:
- field: source.user.name
+ field: user.name
+ 'user.email':
+ terms:
+ field: user.email
+ event.module:
+ terms:
+ field: event.module
+ 'host.name':
+ terms:
+ field: host.name
 'agent.name':
 terms:
 field: agent.name
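Review bot: The new `terms` group_by entries in `@@ -39,9 +39,18 @@` (`user.email`, `event.module`, `host.name`) exclude any `user.session.end` document that lacks the field, because a pivot `terms` group only emits a bucket for documents that carry a value unless `missing_bucket: true` is set. For Okta system logs `host.name` and `user.email` are not obviously populated on every event, so affected sessions would silently drop out of `ml_okta_multiple_user_sessions_pad_ea.all` and out of every anomaly job that reads it — a detection coverage gap rather than a visible failure. Adding `missing_bucket: true` beneath each optional `field:` (e.g. `field: host.name` followed by `missing_bucket: true`) keeps those sessions with a null key; the same question applies to `host.id`, `user.id` and `event.module` in the Windows transform hunk `@@ -37,9 +37,18 @@` further down, though those fields are more reliably present. Separately, the fields.yml hunk at `@@ -1,5 +1,9 @@` swaps `source.user.name` for `user.name` but keeps `source.user.full_name`, so the destination mapping now mixes `user.*` and `source.user.*` for the same actor; if the pivot still groups on `source.user.full_name` (not visible here) it may be worth aligning it too. The `pivot.group_by` mapping continues past the end of the hunk.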
@@ -61,5 +70,5 @@ sync:
 delay: 60s
 field: '@timestamp'
 _meta:
- fleet_transform_version: 1.1.2
+ fleet_transform_version: 2.0.0
 run_as_kibana_system: false
\ No newline at end of file
diff --git a/packages/pad/elasticsearch/transform/pivot_transform_windows_privilege_list/fields/fields.yml b/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_ea/fields/fields.yml
similarity index 71%
rename from packages/pad/elasticsearch/transform/pivot_transform_windows_privilege_list/fields/fields.yml
rename to packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_ea/fields/fields.yml
index ca19fa4519a..b4d9ac8018f 100644
--- a/packages/pad/elasticsearch/transform/pivot_transform_windows_privilege_list/fields/fields.yml
+++ b/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_ea/fields/fields.yml
@@ -1,7 +1,13 @@
 - external: ecs
 name: host.name
+- external: ecs
+ name: host.id
 - external: ecs
 name: user.name
+- external: ecs
+ name: user.id
+- external: ecs
+ name: event.module
 - name: privilege_type
 type: keyword
 - external: ecs
diff --git a/packages/pad/elasticsearch/transform/pivot_transform_windows_privilege_list/transform.yml b/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_ea/transform.yml
similarity index 84%
rename from packages/pad/elasticsearch/transform/pivot_transform_windows_privilege_list/transform.yml
rename to packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_ea/transform.yml
index 57b6adb6fbe..f9490fcf66a 100644
--- a/packages/pad/elasticsearch/transform/pivot_transform_windows_privilege_list/transform.yml
+++ b/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_ea/transform.yml
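Review bot: `run_as_kibana_system: false` in `@@ -61,5 +70,5 @@` still ends with `\ No newline at end of file` after the rename, and the Windows `transform.yml` further down has the same marker; this PR adds the trailing newline to `lmd-ml.json` but leaves both transform files without one. Adding the final newline now keeps the next `fleet_transform_version` bump from showing up as a two-line diff and satisfies yamllint's `new-line-at-end-of-file` rule.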
@@ -20,11 +20,11 @@ source: - terms: '_tier': [ "data_cold", "data_frozen" ] dest: - index: ml_windows_privilege_type_pad-1.1.2 + index: ml_windows_privilege_type_pad_ea-2.0.0 aliases: - - alias: ml_windows_privilege_type_pad.latest + - alias: ml_windows_privilege_type_pad_ea.latest move_on_creation: true - - alias: ml_windows_privilege_type_pad.all + - alias: ml_windows_privilege_type_pad_ea.all move_on_creation: false description: This transform runs hourly and collects special privileges assigned to a user in the Windows events for the Privileged Access Detection package. frequency: 1h @@ -37,9 +37,18 @@ pivot: 'host.name': terms: field: host.name + host.id: + terms: + field: host.id 'user.name': terms: field: user.name + user.id: + terms: + field: user.id + event.module: + terms: + field: event.module 'privilege_type': terms: field: winlog.event_data.PrivilegeList @@ -61,5 +70,5 @@ sync: delay: 60s field: '@timestamp' _meta: - fleet_transform_version: 1.1.2 + fleet_transform_version: 2.0.0 run_as_kibana_system: false \ No newline at end of file diff --git a/packages/pad/kibana/dashboard/pad-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09.json b/packages/pad/kibana/dashboard/pad-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09.json index b65abbbed28..c3c6b293b23 100644 --- a/packages/pad/kibana/dashboard/pad-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09.json +++ b/packages/pad/kibana/dashboard/pad-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09.json 
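Review bot: `host.id` and `user.id` join `host.name`, `user.name` and `privilege_type` as group_by keys without `missing_bucket`, so a special-privilege event whose collector did not populate `host.id` (presumably added by agent host metadata rather than by the event itself) or `user.id` is dropped from `ml_windows_privilege_type_pad_ea-2.0.0` rather than bucketed under the name alone, whereas before this change it was counted. If the identifiers are only there to enrich entity resolution, add `missing_bucket: true` under their `terms` (`field: host.id` / `missing_bucket: true`) so the name-keyed behaviour is preserved. Note also that `user.id` on Windows is presumably the SID, so one `user.name` can now fan out into several rows across domains or re-created accounts — fine for entity resolution, but worth a one-line comment above the key. The `pivot:` section begins before this hunk; its aggregations and the `_meta` version bump sit elsewhere.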
@@ -3,7 +3,7 @@
 "description": "This dashboard offers an overview of anomalies identified in Windows logs by the Privileged Access Detection package.",
 "hits": 0,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"query\":{\"query\":\"job_id: (\\\"pad_windows_high_count_group_management_events\\\" or \\\"pad_windows_high_count_special_logon_events\\\" or \\\"pad_windows_high_count_special_privilege_use_events\\\" or \\\"pad_windows_high_count_user_account_management_events\\\" or \\\"pad_windows_rare_device_by_user\\\" or \\\"pad_windows_rare_group_name_by_user\\\" or \\\"pad_windows_rare_source_ip_by_user\\\" or \\\"pad_windows_rare_privilege_assigned_to_user\\\" ) \\n\\n\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"type\":\"custom\",\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"query\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"bool\":{\"filter\":[{\"term\":{\"result_type\":{\"value\":\"record\"}}}]}}}]}"
+ "searchSourceJSON": "{\"query\":{\"query\":\"job_id: (\\\"pad_windows_high_count_group_management_events\\\" or \\\"pad_windows_high_count_special_logon_events\\\" or \\\"pad_windows_high_count_special_privilege_use_events\\\" or \\\"pad_windows_high_count_user_account_management_events\\\" or \\\"pad_windows_rare_device_by_user\\\" or \\\"pad_windows_rare_group_name_by_user\\\" or \\\"pad_windows_rare_source_ip_by_user\\\" or \\\"pad_windows_rare_privilege_assigned_to_user\\\" or \\\"pad_windows_rare_region_name_by_user\\\" ) \\n\\n\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"type\":\"custom\",\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"query\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"bool\":{\"filter\":[{\"term\":{\"result_type\":{\"value\":\"record\"}}}]}}}]}"
 },
 "optionsJSON": {
 "hidePanelTitles": false,
@@ -11,7 +11,7 @@ "syncTooltips": false, "useMargins": true }, - "panelsJSON": "[{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":11,\"h\":8,\"i\":\"c969fd47-15df-4011-8fa3-2a27825ad0f6\"},\"panelIndex\":\"c969fd47-15df-4011-8fa3-2a27825ad0f6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-4a3eb6a5-00f0-40bb-a514-4624c8ecf975\"}],\"state\":{\"visualization\":{\"layerId\":\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\",\"accessor\":\"38c1895e-f712-49ad-b793-1468d2fd02dc\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\":{\"columns\":{\"38c1895e-f712-49ad-b793-1468d2fd02dc\":{\"label\":\"Anomalous host names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"38c1895e-f712-49ad-b793-1468d2fd02dc\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"Number of hosts 
affected\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":0,\"w\":11,\"h\":8,\"i\":\"16a69c4e-a9e3-4ec0-aa9a-11ba40d873bd\"},\"panelIndex\":\"16a69c4e-a9e3-4ec0-aa9a-11ba40d873bd\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-4a3eb6a5-00f0-40bb-a514-4624c8ecf975\"}],\"state\":{\"visualization\":{\"layerId\":\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\",\"accessor\":\"38c1895e-f712-49ad-b793-1468d2fd02dc\",\"layerType\":\"data\",\"size\":\"l\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"9b5b5af7-b12d-4f9e-98e4-eb78ca6a3de3\",\"type\":\"exists\",\"key\":\"host.name\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{\"exists\":{\"field\":\"host.name\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\":{\"columns\":{\"38c1895e-f712-49ad-b793-1468d2fd02dc\":{\"label\":\"Anomalous user names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"user.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"38c1895e-f712-49ad-b793-1468d2fd02dc\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"Number of users 
affected\"},{\"type\":\"ml_anomaly_swimlane\",\"gridData\":{\"x\":22,\"y\":0,\"w\":26,\"h\":19,\"i\":\"dce1e8da-3b99-4852-a222-3e0f276dee0e\"},\"panelIndex\":\"dce1e8da-3b99-4852-a222-3e0f276dee0e\",\"embeddableConfig\":{\"jobIds\":[\"pad_windows_high_count_group_management_events\",\"pad_windows_high_count_special_logon_events\",\"pad_windows_high_count_special_privilege_use_events\",\"pad_windows_high_count_user_account_management_events\",\"pad_windows_rare_device_by_user\",\"pad_windows_rare_group_name_by_user\",\"pad_windows_rare_privilege_assigned_to_user\",\"pad_windows_rare_region_name_by_user\",\"pad_windows_rare_source_ip_by_user\"],\"panelTitle\":\"ML anomaly swim lane for pad_linux_high_count_privileged_process_events_by_user, pad_linux_high_sum_process_command_line_entropy_by_user, pad_linux_rare_process_executed_by_user\",\"swimlaneType\":\"viewBy\",\"viewBy\":\"job ID\",\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected by their Job ID and Severity\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":8,\"w\":11,\"h\":11,\"i\":\"26531c0e-a776-4e6f-badd-8766f77d9134\"},\"panelIndex\":\"26531c0e-a776-4e6f-badd-8766f77d9134\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-390b338f-2020-4d73-95ae-3934bae7f6b6\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"isTransposed\":false,\"isMetric\":false,\"hidden\":false,\"alignment\":\"left\"},{\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"390b338f-2020-4d73-95ae-3934bae7f6b6\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"390b338f-2020-4d73-95ae-3934b
ae7f6b6\":{\"columns\":{\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\":{\"label\":\"User names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"user.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"05043aa4-cc1e-429b-8046-fbcdd4092879\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"05043aa4-cc1e-429b-8046-fbcdd4092879\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 User 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":8,\"w\":11,\"h\":11,\"i\":\"271a8d58-3d1b-44d9-93da-338c9f91867a\"},\"panelIndex\":\"271a8d58-3d1b-44d9-93da-338c9f91867a\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-390b338f-2020-4d73-95ae-3934bae7f6b6\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"isTransposed\":false,\"isMetric\":false,\"hidden\":false},{\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"390b338f-2020-4d73-95ae-3934bae7f6b6\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"390b338f-2020-4d73-95ae-3934bae7f6b6\":{\"columns\":{\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\":{\"label\":\"Host names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"05043aa4-cc1e-429b-8046-fbcdd4092879\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"05043aa4-cc1e-429b-8046-fbcdd4092879\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Host names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":19,\"w\":48,\"h\":10,\"i\":\"502e0249-fc8c-4d26-8f1e-d8f434d8e7c7\"},\"panelIndex\":\"502e0249-fc8c-4d26-8f1e-d8f434d8e7c7\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-633758dc-f315-45ef-8ff3-055ba6778160\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"633758dc-f315-45ef-8ff3-055ba6778160\",\"accessors\":[\"e0821c61-d9f8-46af-9b64-9b70c3353106\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"2e4087b8-5e9b-4040-8c21-231649fdaf27\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"633758dc-f315-45ef-8ff3-055ba6778160\":{\"columns\":{\"2e4087
b8-5e9b-4040-8c21-231649fdaf27\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":false,\"dropPartials\":false}},\"e0821c61-d9f8-46af-9b64-9b70c3353106\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"2e4087b8-5e9b-4040-8c21-231649fdaf27\",\"e0821c61-d9f8-46af-9b64-9b70c3353106\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected over time\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":29,\"w\":12,\"h\":12,\"i\":\"920f2dd3-3628-4298-866a-da34c82431c2\"},\"panelIndex\":\"920f2dd3-3628-4298-866a-da34c82431c2\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Event 
types\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"event.action\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Event 
types\"},{\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":29,\"w\":12,\"h\":12,\"i\":\"02255922-d40f-4757-92c2-b53596a73f5e\"},\"panelIndex\":\"02255922-d40f-4757-92c2-b53596a73f5e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Privilege types\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"privilege_type\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Privilege types\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":29,\"w\":24,\"h\":12,\"i\":\"5318144f-ddf3-4f86-919f-0192feec779f\"},\"panelIndex\":\"5318144f-ddf3-4f86-919f-0192feec779f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-d4fef95e-d937-4dd8-9a7f-783e5142c701\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"d4fef95e-d937-4dd8-9a7f-783e5142c701\",\"accessors\":[\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d4fef95e-d937-4dd8-9a7f-783e5142c701\":{\"columns\":{\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\":{\"label\":\"Top 10 process names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\",\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Process 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":41,\"w\":12,\"h\":12,\"i\":\"0d20b661-2d10-4b29-8c22-74411dd468cb\"},\"panelIndex\":\"0d20b661-2d10-4b29-8c22-74411dd468cb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Source IPs\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.ip\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Source IPs\"},{\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":41,\"w\":12,\"h\":12,\"i\":\"8c0e0fe0-dbe3-4444-a341-b57559b4a7c0\"},\"panelIndex\":\"8c0e0fe0-dbe3-4444-a341-b57559b4a7c0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Group 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"group.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Group 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":41,\"w\":24,\"h\":12,\"i\":\"2762a942-0d53-4420-82c2-72bd991e7e7d\"},\"panelIndex\":\"2762a942-0d53-4420-82c2-72bd991e7e7d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-18a81053-4dec-4f8f-97b9-2cfbb5150300\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal\",\"layers\":[{\"layerId\":\"18a81053-4dec-4f8f-97b9-2cfbb5150300\",\"seriesType\":\"bar_horizontal\",\"xAccessor\":\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\",\"accessors\":[\"70751b16-f471-4176-b754-1680309d4477\"],\"yConfig\":[{\"forAccessor\":\"70751b16-f471-4176-b754-1680309d4477\",\"color\":\"#6092c0\"}],\"layerType\":\"data\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"18a81053-4dec-4f8f-97b9-2cfbb5150300\":{\"columns\":{\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\":{\"label\":\"Top 10 region 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.geo.region_name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"70751b16-f471-4176-b754-1680309d4477\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"70751b16-f471-4176-b754-1680309d4477\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\",\"70751b16-f471-4176-b754-1680309d4477\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Geo-regions\"}]", + "panelsJSON": 
"[{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":11,\"h\":8,\"i\":\"c969fd47-15df-4011-8fa3-2a27825ad0f6\"},\"panelIndex\":\"c969fd47-15df-4011-8fa3-2a27825ad0f6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-4a3eb6a5-00f0-40bb-a514-4624c8ecf975\"}],\"state\":{\"visualization\":{\"layerId\":\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\",\"accessor\":\"38c1895e-f712-49ad-b793-1468d2fd02dc\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\":{\"columns\":{\"38c1895e-f712-49ad-b793-1468d2fd02dc\":{\"label\":\"Anomalous host names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"38c1895e-f712-49ad-b793-1468d2fd02dc\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"Number of hosts 
affected\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":0,\"w\":11,\"h\":8,\"i\":\"16a69c4e-a9e3-4ec0-aa9a-11ba40d873bd\"},\"panelIndex\":\"16a69c4e-a9e3-4ec0-aa9a-11ba40d873bd\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-4a3eb6a5-00f0-40bb-a514-4624c8ecf975\"}],\"state\":{\"visualization\":{\"layerId\":\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\",\"accessor\":\"38c1895e-f712-49ad-b793-1468d2fd02dc\",\"layerType\":\"data\",\"size\":\"l\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"9b5b5af7-b12d-4f9e-98e4-eb78ca6a3de3\",\"type\":\"exists\",\"key\":\"host.name\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{\"exists\":{\"field\":\"host.name\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\":{\"columns\":{\"38c1895e-f712-49ad-b793-1468d2fd02dc\":{\"label\":\"Anomalous user names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"user.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"38c1895e-f712-49ad-b793-1468d2fd02dc\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"Number of users 
affected\"},{\"type\":\"ml_anomaly_swimlane\",\"gridData\":{\"x\":22,\"y\":0,\"w\":26,\"h\":19,\"i\":\"dce1e8da-3b99-4852-a222-3e0f276dee0e\"},\"panelIndex\":\"dce1e8da-3b99-4852-a222-3e0f276dee0e\",\"embeddableConfig\":{\"jobIds\":[\"pad_windows_high_count_group_management_events\",\"pad_windows_high_count_special_logon_events\",\"pad_windows_high_count_special_privilege_use_events\",\"pad_windows_high_count_user_account_management_events\",\"pad_windows_rare_device_by_user\",\"pad_windows_rare_group_name_by_user\",\"pad_windows_rare_privilege_assigned_to_user\",\"pad_windows_rare_region_name_by_user\",\"pad_windows_rare_source_ip_by_user\"],\"panelTitle\":\"ML anomaly swim lane for pad_windows_high_count_group_management_events, pad_windows_high_count_special_logon_events, pad_windows_high_count_special_privilege_use_events, pad_windows_high_count_user_account_management_events, pad_windows_rare_device_by_user, pad_windows_rare_group_name_by_user, pad_windows_rare_privilege_assigned_to_user, pad_windows_rare_region_name_by_user, pad_windows_rare_source_ip_by_user\",\"swimlaneType\":\"viewBy\",\"viewBy\":\"job ID\",\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected by their Job ID and 
Severity\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":8,\"w\":11,\"h\":11,\"i\":\"26531c0e-a776-4e6f-badd-8766f77d9134\"},\"panelIndex\":\"26531c0e-a776-4e6f-badd-8766f77d9134\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-390b338f-2020-4d73-95ae-3934bae7f6b6\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"isTransposed\":false,\"isMetric\":false,\"hidden\":false,\"alignment\":\"left\"},{\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"390b338f-2020-4d73-95ae-3934bae7f6b6\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"390b338f-2020-4d73-95ae-3934bae7f6b6\":{\"columns\":{\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\":{\"label\":\"User names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"user.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"05043aa4-cc1e-429b-8046-fbcdd4092879\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"05043aa4-cc1e-429b-8046-fbcdd4092879\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 User names\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":8,\"w\":11,\"h\":11,\"i\":\"271a8d58-3d1b-44d9-93da-338c9f91867a\"},\"panelIndex\":\"271a8d58-3d1b-44d9-93da-338c9f91867a\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-390b338f-2020-4d73-95ae-3934bae7f6b6\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"isTransposed\":false,\"isMetric\":false,\"hidden\":false},{\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"390b338f-2020-4d73-95ae-3934bae7f6b6\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"390b338f-2020-4d73-95ae-3934bae7f6b6\":{\"columns\":{\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\":{\"label\":\"Host 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"05043aa4-cc1e-429b-8046-fbcdd4092879\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"05043aa4-cc1e-429b-8046-fbcdd4092879\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Host 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":19,\"w\":48,\"h\":10,\"i\":\"502e0249-fc8c-4d26-8f1e-d8f434d8e7c7\"},\"panelIndex\":\"502e0249-fc8c-4d26-8f1e-d8f434d8e7c7\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-633758dc-f315-45ef-8ff3-055ba6778160\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"633758dc-f315-45ef-8ff3-055ba6778160\",\"accessors\":[\"e0821c61-d9f8-46af-9b64-9b70c3353106\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"2e4087b8-5e9b-4040-8c21-231649fdaf27\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"633758dc-f315-45ef-8ff3-055ba6778160\":{\"columns\":{\"2e4087b8-5e9b-4040-8c21-231649fdaf27\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":false,\"dropPartials\":false}},\"e0821c61-d9f8-46af-9b64-9b70c3353106\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"2e4087b8-5e9b-4040-8c21-231649fdaf27\",\"e0821c61-d9f8-46af-9b64-9b70c3353106\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected over time\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":29,\"w\":12,\"h\":12,\"i\":\"920f2dd3-3628-4298-866a-da34c82431c2\"},\"panelIndex\":\"920f2dd3-3628-4298-866a-da34c82431c2\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Event 
types\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"event.action\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Event 
types\"},{\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":29,\"w\":12,\"h\":12,\"i\":\"02255922-d40f-4757-92c2-b53596a73f5e\"},\"panelIndex\":\"02255922-d40f-4757-92c2-b53596a73f5e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Privilege types\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"privilege_type\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Privilege types\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":29,\"w\":24,\"h\":12,\"i\":\"5318144f-ddf3-4f86-919f-0192feec779f\"},\"panelIndex\":\"5318144f-ddf3-4f86-919f-0192feec779f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-d4fef95e-d937-4dd8-9a7f-783e5142c701\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"d4fef95e-d937-4dd8-9a7f-783e5142c701\",\"accessors\":[\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d4fef95e-d937-4dd8-9a7f-783e5142c701\":{\"columns\":{\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\":{\"label\":\"Top 10 process names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\",\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Process 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":41,\"w\":12,\"h\":12,\"i\":\"0d20b661-2d10-4b29-8c22-74411dd468cb\"},\"panelIndex\":\"0d20b661-2d10-4b29-8c22-74411dd468cb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Source IPs\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.ip\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Source IPs\"},{\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":41,\"w\":12,\"h\":12,\"i\":\"8c0e0fe0-dbe3-4444-a341-b57559b4a7c0\"},\"panelIndex\":\"8c0e0fe0-dbe3-4444-a341-b57559b4a7c0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Group 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"group.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Group 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":41,\"w\":24,\"h\":12,\"i\":\"2762a942-0d53-4420-82c2-72bd991e7e7d\"},\"panelIndex\":\"2762a942-0d53-4420-82c2-72bd991e7e7d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-18a81053-4dec-4f8f-97b9-2cfbb5150300\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal\",\"layers\":[{\"layerId\":\"18a81053-4dec-4f8f-97b9-2cfbb5150300\",\"seriesType\":\"bar_horizontal\",\"xAccessor\":\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\",\"accessors\":[\"70751b16-f471-4176-b754-1680309d4477\"],\"yConfig\":[{\"forAccessor\":\"70751b16-f471-4176-b754-1680309d4477\",\"color\":\"#6092c0\"}],\"layerType\":\"data\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"18a81053-4dec-4f8f-97b9-2cfbb5150300\":{\"columns\":{\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\":{\"label\":\"Top 10 region 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.geo.region_name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"70751b16-f471-4176-b754-1680309d4477\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"70751b16-f471-4176-b754-1680309d4477\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\",\"70751b16-f471-4176-b754-1680309d4477\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Geo-regions\"}]", "timeRestore": false, "title": "Privileged Access Detection Dashboard [Windows]", "version": 1
diff --git a/packages/pad/kibana/dashboard/pad-ea-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09.json b/packages/pad/kibana/dashboard/pad-ea-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09.json
new file mode 100644
index 00000000000..f3e76cd3dd3
--- /dev/null
+++ b/packages/pad/kibana/dashboard/pad-ea-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09.json
@@ -0,0 +1,87 @@
+{
+ "attributes": {
+ "description": "This dashboard offers an overview of anomalies identified in Windows logs by the Privileged Access Detection package.",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"job_id: (\\\"pad_windows_high_count_group_management_events_ea\\\" or \\\"pad_windows_high_count_special_logon_events_ea\\\" or \\\"pad_windows_high_count_special_privilege_use_events_ea\\\" or \\\"pad_windows_high_count_user_account_management_events_ea\\\" or \\\"pad_windows_rare_device_by_user_ea\\\" or \\\"pad_windows_rare_group_name_by_user_ea\\\" or \\\"pad_windows_rare_source_ip_by_user_ea\\\" or \\\"pad_windows_rare_privilege_assigned_to_user_ea\\\" or \\\"pad_windows_rare_region_name_by_user_ea\\\" ) \\n\\n\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"type\":\"custom\",\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"query\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"bool\":{\"filter\":[{\"term\":{\"result_type\":{\"value\":\"record\"}}}]}}}]}"
+ },
+ "optionsJSON": {
+ "hidePanelTitles": false,
+ "syncColors": false,
+ "syncTooltips": false,
+ "useMargins": true
+ },
+ "panelsJSON": 
"[{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":11,\"h\":8,\"i\":\"c969fd47-15df-4011-8fa3-2a27825ad0f6\"},\"panelIndex\":\"c969fd47-15df-4011-8fa3-2a27825ad0f6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-4a3eb6a5-00f0-40bb-a514-4624c8ecf975\"}],\"state\":{\"visualization\":{\"layerId\":\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\",\"accessor\":\"38c1895e-f712-49ad-b793-1468d2fd02dc\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\":{\"columns\":{\"38c1895e-f712-49ad-b793-1468d2fd02dc\":{\"label\":\"Anomalous host names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"38c1895e-f712-49ad-b793-1468d2fd02dc\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"Number of hosts 
affected\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":0,\"w\":11,\"h\":8,\"i\":\"16a69c4e-a9e3-4ec0-aa9a-11ba40d873bd\"},\"panelIndex\":\"16a69c4e-a9e3-4ec0-aa9a-11ba40d873bd\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-4a3eb6a5-00f0-40bb-a514-4624c8ecf975\"}],\"state\":{\"visualization\":{\"layerId\":\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\",\"accessor\":\"38c1895e-f712-49ad-b793-1468d2fd02dc\",\"layerType\":\"data\",\"size\":\"l\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"9b5b5af7-b12d-4f9e-98e4-eb78ca6a3de3\",\"type\":\"exists\",\"key\":\"host.name\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{\"exists\":{\"field\":\"host.name\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\":{\"columns\":{\"38c1895e-f712-49ad-b793-1468d2fd02dc\":{\"label\":\"Anomalous user names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"user.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"38c1895e-f712-49ad-b793-1468d2fd02dc\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"Number of users 
affected\"},{\"type\":\"ml_anomaly_swimlane\",\"gridData\":{\"x\":22,\"y\":0,\"w\":26,\"h\":19,\"i\":\"dce1e8da-3b99-4852-a222-3e0f276dee0e\"},\"panelIndex\":\"dce1e8da-3b99-4852-a222-3e0f276dee0e\",\"embeddableConfig\":{\"jobIds\":[\"pad_windows_high_count_group_management_events_ea\",\"pad_windows_high_count_special_logon_events_ea\",\"pad_windows_high_count_special_privilege_use_events_ea\",\"pad_windows_high_count_user_account_management_events_ea\",\"pad_windows_rare_device_by_user_ea\",\"pad_windows_rare_group_name_by_user_ea\",\"pad_windows_rare_privilege_assigned_to_user_ea\",\"pad_windows_rare_region_name_by_user_ea\",\"pad_windows_rare_source_ip_by_user_ea\"],\"panelTitle\":\"ML anomaly swim lane for pad_windows_high_count_group_management_events_ea, pad_windows_high_count_special_logon_events_ea, pad_windows_high_count_special_privilege_use_events_ea, pad_windows_high_count_user_account_management_events_ea, pad_windows_rare_device_by_user_ea, pad_windows_rare_group_name_by_user_ea, pad_windows_rare_privilege_assigned_to_user_ea, pad_windows_rare_region_name_by_user_ea, pad_windows_rare_source_ip_by_user_ea\",\"swimlaneType\":\"viewBy\",\"viewBy\":\"job ID\",\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected by their Job ID and 
Severity\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":8,\"w\":11,\"h\":11,\"i\":\"26531c0e-a776-4e6f-badd-8766f77d9134\"},\"panelIndex\":\"26531c0e-a776-4e6f-badd-8766f77d9134\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-390b338f-2020-4d73-95ae-3934bae7f6b6\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"isTransposed\":false,\"isMetric\":false,\"hidden\":false,\"alignment\":\"left\"},{\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"390b338f-2020-4d73-95ae-3934bae7f6b6\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"390b338f-2020-4d73-95ae-3934bae7f6b6\":{\"columns\":{\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\":{\"label\":\"User names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"user.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"05043aa4-cc1e-429b-8046-fbcdd4092879\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"05043aa4-cc1e-429b-8046-fbcdd4092879\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 User names\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":8,\"w\":11,\"h\":11,\"i\":\"271a8d58-3d1b-44d9-93da-338c9f91867a\"},\"panelIndex\":\"271a8d58-3d1b-44d9-93da-338c9f91867a\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-390b338f-2020-4d73-95ae-3934bae7f6b6\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"isTransposed\":false,\"isMetric\":false,\"hidden\":false},{\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"390b338f-2020-4d73-95ae-3934bae7f6b6\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"390b338f-2020-4d73-95ae-3934bae7f6b6\":{\"columns\":{\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\":{\"label\":\"Host 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"05043aa4-cc1e-429b-8046-fbcdd4092879\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"05043aa4-cc1e-429b-8046-fbcdd4092879\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Host 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":19,\"w\":48,\"h\":10,\"i\":\"502e0249-fc8c-4d26-8f1e-d8f434d8e7c7\"},\"panelIndex\":\"502e0249-fc8c-4d26-8f1e-d8f434d8e7c7\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-633758dc-f315-45ef-8ff3-055ba6778160\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"633758dc-f315-45ef-8ff3-055ba6778160\",\"accessors\":[\"e0821c61-d9f8-46af-9b64-9b70c3353106\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"2e4087b8-5e9b-4040-8c21-231649fdaf27\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"633758dc-f315-45ef-8ff3-055ba6778160\":{\"columns\":{\"2e4087b8-5e9b-4040-8c21-231649fdaf27\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":false,\"dropPartials\":false}},\"e0821c61-d9f8-46af-9b64-9b70c3353106\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"2e4087b8-5e9b-4040-8c21-231649fdaf27\",\"e0821c61-d9f8-46af-9b64-9b70c3353106\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected over time\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":29,\"w\":12,\"h\":12,\"i\":\"920f2dd3-3628-4298-866a-da34c82431c2\"},\"panelIndex\":\"920f2dd3-3628-4298-866a-da34c82431c2\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Event 
types\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"event.action\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Event 
types\"},{\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":29,\"w\":12,\"h\":12,\"i\":\"02255922-d40f-4757-92c2-b53596a73f5e\"},\"panelIndex\":\"02255922-d40f-4757-92c2-b53596a73f5e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Privilege types\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"privilege_type\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Privilege types\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":29,\"w\":24,\"h\":12,\"i\":\"5318144f-ddf3-4f86-919f-0192feec779f\"},\"panelIndex\":\"5318144f-ddf3-4f86-919f-0192feec779f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-d4fef95e-d937-4dd8-9a7f-783e5142c701\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"d4fef95e-d937-4dd8-9a7f-783e5142c701\",\"accessors\":[\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d4fef95e-d937-4dd8-9a7f-783e5142c701\":{\"columns\":{\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\":{\"label\":\"Top 10 process names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\",\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Process 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":41,\"w\":12,\"h\":12,\"i\":\"0d20b661-2d10-4b29-8c22-74411dd468cb\"},\"panelIndex\":\"0d20b661-2d10-4b29-8c22-74411dd468cb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Source IPs\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.ip\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Source IPs\"},{\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":41,\"w\":12,\"h\":12,\"i\":\"8c0e0fe0-dbe3-4444-a341-b57559b4a7c0\"},\"panelIndex\":\"8c0e0fe0-dbe3-4444-a341-b57559b4a7c0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Group 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"group.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Group 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":41,\"w\":24,\"h\":12,\"i\":\"2762a942-0d53-4420-82c2-72bd991e7e7d\"},\"panelIndex\":\"2762a942-0d53-4420-82c2-72bd991e7e7d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-18a81053-4dec-4f8f-97b9-2cfbb5150300\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal\",\"layers\":[{\"layerId\":\"18a81053-4dec-4f8f-97b9-2cfbb5150300\",\"seriesType\":\"bar_horizontal\",\"xAccessor\":\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\",\"accessors\":[\"70751b16-f471-4176-b754-1680309d4477\"],\"yConfig\":[{\"forAccessor\":\"70751b16-f471-4176-b754-1680309d4477\",\"color\":\"#6092c0\"}],\"layerType\":\"data\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"18a81053-4dec-4f8f-97b9-2cfbb5150300\":{\"columns\":{\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\":{\"label\":\"Top 10 region 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.geo.region_name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"70751b16-f471-4176-b754-1680309d4477\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"70751b16-f471-4176-b754-1680309d4477\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\",\"70751b16-f471-4176-b754-1680309d4477\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Geo-regions\"}]", + "timeRestore": false, + "title": "Privileged Access Detection Dashboard [Windows] (Entity Analytics)", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "id": "pad-ea-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09", + "migrationVersion": { + "dashboard": "8.9.0" + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern", + "id": ".ml-anomalies-shared" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "c969fd47-15df-4011-8fa3-2a27825ad0f6:indexpattern-datasource-layer-4a3eb6a5-00f0-40bb-a514-4624c8ecf975" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": 
"16a69c4e-a9e3-4ec0-aa9a-11ba40d873bd:indexpattern-datasource-layer-4a3eb6a5-00f0-40bb-a514-4624c8ecf975" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "26531c0e-a776-4e6f-badd-8766f77d9134:indexpattern-datasource-layer-390b338f-2020-4d73-95ae-3934bae7f6b6" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "271a8d58-3d1b-44d9-93da-338c9f91867a:indexpattern-datasource-layer-390b338f-2020-4d73-95ae-3934bae7f6b6" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "502e0249-fc8c-4d26-8f1e-d8f434d8e7c7:indexpattern-datasource-layer-633758dc-f315-45ef-8ff3-055ba6778160" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "920f2dd3-3628-4298-866a-da34c82431c2:indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "02255922-d40f-4757-92c2-b53596a73f5e:indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "5318144f-ddf3-4f86-919f-0192feec779f:indexpattern-datasource-layer-d4fef95e-d937-4dd8-9a7f-783e5142c701" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "0d20b661-2d10-4b29-8c22-74411dd468cb:indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "8c0e0fe0-dbe3-4444-a341-b57559b4a7c0:indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "2762a942-0d53-4420-82c2-72bd991e7e7d:indexpattern-datasource-layer-18a81053-4dec-4f8f-97b9-2cfbb5150300" + } + ], + "type": "dashboard" +} \ No newline at end of file 
diff --git a/packages/pad/kibana/dashboard/pad-ea-71c4cb79-3d39-4f27-9bbf-1b273c9c37cc.json b/packages/pad/kibana/dashboard/pad-ea-71c4cb79-3d39-4f27-9bbf-1b273c9c37cc.json
new file mode 100644
index 00000000000..70d88610984
--- /dev/null
+++ b/packages/pad/kibana/dashboard/pad-ea-71c4cb79-3d39-4f27-9bbf-1b273c9c37cc.json
@@ -0,0 +1,67 @@ +{ + "attributes": { + "description": "This dashboard offers an overview of anomalies identified in Linux logs by the Privileged Access Detection package.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"job_id : (\\\"pad_linux_high_count_privileged_process_events_by_user_ea\\\" or \\\"pad_linux_rare_process_executed_by_user_ea\\\" or \\\"pad_linux_high_median_process_command_line_entropy_by_user_ea\\\")\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"type\":\"custom\",\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"query\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"bool\":{\"filter\":[{\"term\":{\"result_type\":{\"value\":\"record\"}}}]}}}]}" + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": "[{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":11,\"h\":8,\"i\":\"5f659483-b424-415f-aea1-c36bd1f65b0a\"},\"panelIndex\":\"5f659483-b424-415f-aea1-c36bd1f65b0a\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-00897d5d-df2a-4a94-b918-82f2625dfb2a\"}],\"state\":{\"visualization\":{\"layerId\":\"00897d5d-df2a-4a94-b918-82f2625dfb2a\",\"accessor\":\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"00897d5d-df2a-4a94-b918-82f2625dfb2a\":{\"columns\":{\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\":{\"label\":\"Anomalous host names 
detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":0,\"w\":11,\"h\":8,\"i\":\"5183abf0-ed13-455e-9f43-4f03c1d8738f\"},\"panelIndex\":\"5183abf0-ed13-455e-9f43-4f03c1d8738f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-00897d5d-df2a-4a94-b918-82f2625dfb2a\"}],\"state\":{\"visualization\":{\"layerId\":\"00897d5d-df2a-4a94-b918-82f2625dfb2a\",\"accessor\":\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"00897d5d-df2a-4a94-b918-82f2625dfb2a\":{\"columns\":{\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\":{\"label\":\"Anomalous user names 
detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"user.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"ml_anomaly_swimlane\",\"gridData\":{\"x\":22,\"y\":0,\"w\":26,\"h\":18,\"i\":\"74fa9f56-104a-4efa-aec3-844420c0350d\"},\"panelIndex\":\"74fa9f56-104a-4efa-aec3-844420c0350d\",\"embeddableConfig\":{\"jobIds\":[\"pad_linux_high_count_privileged_process_events_by_user_ea\",\"pad_linux_high_median_process_command_line_entropy_by_user_ea\",\"pad_linux_rare_process_executed_by_user_ea\"],\"panelTitle\":\"ML anomaly swim lane for pad_linux_high_count_privileged_process_events_by_user_ea, pad_linux_high_median_process_command_line_entropy_by_user_ea, pad_linux_rare_process_executed_by_user_ea\",\"swimlaneType\":\"viewBy\",\"viewBy\":\"job ID\",\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected by their Job ID and 
Severity\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":8,\"w\":11,\"h\":10,\"i\":\"69788132-8446-4d88-baef-81dbb0c34bbb\"},\"panelIndex\":\"69788132-8446-4d88-baef-81dbb0c34bbb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\":{\"columns\":{\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\":{\"label\":\"User names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"user.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\",\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 User names\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":8,\"w\":11,\"h\":10,\"i\":\"fa9be72f-18d4-4054-85a1-6c35f3a44406\"},\"panelIndex\":\"fa9be72f-18d4-4054-85a1-6c35f3a44406\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\":{\"columns\":{\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\":{\"label\":\"Host 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\",\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Host names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":18,\"w\":48,\"h\":9,\"i\":\"437c12af-ddd9-4ffa-a43f-df5693028ae3\"},\"panelIndex\":\"437c12af-ddd9-4ffa-a43f-df5693028ae3\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-a25cc1d0-4da8-4e42-9d93-7800fd4573bf\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY 
chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"a25cc1d0-4da8-4e42-9d93-7800fd4573bf\",\"accessors\":[\"7bf6b54c-a978-44a5-a882-3e3398a9a49d\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"6e60ffb4-8f27-4d05-b120-699ffa51c46c\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"a25cc1d0-4da8-4e42-9d93-7800fd4573bf\":{\"columns\":{\"6e60ffb4-8f27-4d05-b120-699ffa51c46c\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":false,\"dropPartials\":false}},\"7bf6b54c-a978-44a5-a882-3e3398a9a49d\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"6e60ffb4-8f27-4d05-b120-699ffa51c46c\",\"7bf6b54c-a978-44a5-a882-3e3398a9a49d\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected over 
time\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":27,\"w\":21,\"h\":12,\"i\":\"a86a0e06-7e5c-4cf5-9e52-884a1b83f00d\"},\"panelIndex\":\"a86a0e06-7e5c-4cf5-9e52-884a1b83f00d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-bb8cc50c-32fa-4f4e-846d-f8128bc9cbd5\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal\",\"layers\":[{\"layerId\":\"bb8cc50c-32fa-4f4e-846d-f8128bc9cbd5\",\"accessors\":[\"f99b8911-2434-488c-92e3-208a71fa6abd\"],\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"d1ed4962-15bf-4a35-a43f-d68f3d9f269e\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"bb8cc50c-32fa-4f4e-846d-f8128bc9cbd5\":{\"columns\":{\"d1ed4962-15bf-4a35-a43f-d68f3d9f269e\":{\"label\":\"Top 10 process names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f99b8911-2434-488c-92e3-208a71fa6abd\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"f99b8911-2434-488c-92e3-208a71fa6abd\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"d1ed4962-15bf-4a35-a43f-d68f3d9f269e\",\"f99b8911-2434-488c-92e3-208a71fa6abd\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Process names\"},{\"type\":\"lens\",\"gridData\":{\"x\":21,\"y\":27,\"w\":27,\"h\":12,\"i\":\"ef4641fe-8802-4ca1-aae2-e4a7fdf80c25\"},\"panelIndex\":\"ef4641fe-8802-4ca1-aae2-e4a7fdf80c25\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-adf86fac-24b5-464e-83c0-0353583f7769\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"3723924b-14a6-414d-b1a9-0704cd57703e\",\"isTransposed\":false,\"isMetric\":false,\"oneClickFilter\":false},{\"columnId\":\"01945a54-9581-4d1a-8bbf-8ffb641b8f32\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"adf86fac-24b5-464e-83c0-0353583f7769\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"adf86fac-24b5-464e-83c0-0353583f7769\":{\"columns\":{\"3723924b-14a6-414d-b1a9-0704cd57703e\":{\"label\":\"Command 
lines\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.command_line\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"01945a54-9581-4d1a-8bbf-8ffb641b8f32\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"01945a54-9581-4d1a-8bbf-8ffb641b8f32\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3723924b-14a6-414d-b1a9-0704cd57703e\",\"01945a54-9581-4d1a-8bbf-8ffb641b8f32\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Command lines\"}]", + "timeRestore": false, + "title": "Privileged Access Detection Dashboard [Linux] (Entity Analytics)", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "id": "pad-ea-71c4cb79-3d39-4f27-9bbf-1b273c9c37cc", + "migrationVersion": { + "dashboard": "8.9.0" + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern", + "id": ".ml-anomalies-shared" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "5f659483-b424-415f-aea1-c36bd1f65b0a:indexpattern-datasource-layer-00897d5d-df2a-4a94-b918-82f2625dfb2a" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "5183abf0-ed13-455e-9f43-4f03c1d8738f:indexpattern-datasource-layer-00897d5d-df2a-4a94-b918-82f2625dfb2a" + }, + { + "type": 
"index-pattern", + "id": ".ml-anomalies-shared", + "name": "69788132-8446-4d88-baef-81dbb0c34bbb:indexpattern-datasource-layer-dc9c0b23-4e22-4d75-a8e0-8b29ad67f016" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "fa9be72f-18d4-4054-85a1-6c35f3a44406:indexpattern-datasource-layer-dc9c0b23-4e22-4d75-a8e0-8b29ad67f016" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "437c12af-ddd9-4ffa-a43f-df5693028ae3:indexpattern-datasource-layer-a25cc1d0-4da8-4e42-9d93-7800fd4573bf" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "a86a0e06-7e5c-4cf5-9e52-884a1b83f00d:indexpattern-datasource-layer-bb8cc50c-32fa-4f4e-846d-f8128bc9cbd5" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "ef4641fe-8802-4ca1-aae2-e4a7fdf80c25:indexpattern-datasource-layer-adf86fac-24b5-464e-83c0-0353583f7769" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/pad/kibana/dashboard/pad-ea-aea2c9d3-c841-4466-8c61-c0ffbf6ac976.json b/packages/pad/kibana/dashboard/pad-ea-aea2c9d3-c841-4466-8c61-c0ffbf6ac976.json new file mode 100644 index 00000000000..03f2e2535a5 --- /dev/null +++ b/packages/pad/kibana/dashboard/pad-ea-aea2c9d3-c841-4466-8c61-c0ffbf6ac976.json 
@@ -0,0 +1,72 @@ +{ + "attributes": { + "description": "This dashboard offers an overview of anomalies identified in Okta system logs by the Privileged Access Detection package.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"job_id : (\\\"pad_okta_spike_in_group_membership_changes_ea\\\" or \\\"pad_okta_spike_in_user_lifecycle_management_changes_ea\\\" or \\\"pad_okta_spike_in_group_privilege_changes_ea\\\" or \\\"pad_okta_spike_in_group_application_assignment_changes_ea\\\" or \\\"pad_okta_spike_in_group_lifecycle_changes_ea\\\" or \\\"pad_okta_high_sum_concurrent_sessions_by_user_ea\\\" or \\\"pad_okta_rare_source_ip_by_user_ea\\\" or \\\"pad_okta_rare_region_name_by_user_ea\\\" or \\\"pad_okta_rare_host_name_by_user_ea\\\")\\n\\n\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"type\":\"custom\",\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"query\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"bool\":{\"filter\":[{\"term\":{\"result_type\":{\"value\":\"record\"}}}]}}}]}" + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": 
"[{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":11,\"h\":8,\"i\":\"9102c38b-a4e9-4219-97f8-b2e000bd3af6\"},\"panelIndex\":\"9102c38b-a4e9-4219-97f8-b2e000bd3af6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\"}],\"state\":{\"visualization\":{\"layerId\":\"606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\",\"accessor\":\"aec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\":{\"columns\":{\"aec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\":{\"label\":\"Anomalous host names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"agent.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"aec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":0,\"w\":11,\"h\":8,\"i\":\"c2594a80-809a-4db9-949f-c23de974e903\"},\"panelIndex\":\"c2594a80-809a-4db9-949f-c23de974e903\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\"}],\"state\":{\"visualization\":{\"layerId\":\"606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\",\"accessor\":\"a
ec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\":{\"columns\":{\"aec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\":{\"label\":\"Anomalous user names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"source.user.full_name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"aec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"ml_anomaly_swimlane\",\"gridData\":{\"x\":22,\"y\":0,\"w\":26,\"h\":19,\"i\":\"8a24b8ca-19da-4eb9-9ac3-d09bb362abb2\"},\"panelIndex\":\"8a24b8ca-19da-4eb9-9ac3-d09bb362abb2\",\"embeddableConfig\":{\"jobIds\":[\"pad_okta_high_sum_concurrent_sessions_by_user_ea\",\"pad_okta_rare_host_name_by_user_ea\",\"pad_okta_rare_region_name_by_user_ea\",\"pad_okta_rare_source_ip_by_user_ea\",\"pad_okta_spike_in_group_application_assignment_changes_ea\",\"pad_okta_spike_in_group_lifecycle_changes_ea\",\"pad_okta_spike_in_group_membership_changes_ea\",\"pad_okta_spike_in_group_privilege_changes_ea\",\"pad_okta_spike_in_user_lifecycle_management_changes_ea\"],\"panelTitle\":\"ML anomaly swim lane for pad_okta_high_sum_concurrent_sessions_by_user_ea, pad_okta_rare_host_name_by_user_ea, pad_okta_rare_region_name_by_user_ea, pad_okta_rare_source_ip_by_user_ea, pad_okta_spike_in_group_application_assignment_changes_ea, pad_okta_spike_in_group_lifecycle_changes_ea, pad_okta_spike_in_group_membership_changes_ea, pad_okta_spike_in_group_privilege_changes_ea, 
pad_okta_spike_in_user_lifecycle_management_changes_ea\",\"swimlaneType\":\"viewBy\",\"viewBy\":\"job ID\",\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected by their Job ID and Severity\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":8,\"w\":11,\"h\":11,\"i\":\"fe8ca082-0cbb-4e64-87c0-71b580b22776\"},\"panelIndex\":\"fe8ca082-0cbb-4e64-87c0-71b580b22776\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"471aae81-d83d-4ef6-942b-c92f9fe26435\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\":{\"columns\":{\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\":{\"label\":\"User names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.user.full_name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"471aae81-d83d-4ef6-942b-c92f9fe26435\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"471aae81-d83d-4ef6-942b-c92f9fe26435\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\",\"471aae81-d83d-4ef6-942b-c92f9fe26435\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 User names\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":8,\"w\":11,\"h\":11,\"i\":\"87db855a-4b1c-43b0-92f7-23d991abc98d\"},\"panelIndex\":\"87db855a-4b1c-43b0-92f7-23d991abc98d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"471aae81-d83d-4ef6-942b-c92f9fe26435\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"single\",\"rowHeightLines\":1},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\":{\"columns\":{\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\":{\"label\":\"Host 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"471aae81-d83d-4ef6-942b-c92f9fe26435\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"471aae81-d83d-4ef6-942b-c92f9fe26435\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\",\"471aae81-d83d-4ef6-942b-c92f9fe26435\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Host names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":19,\"w\":48,\"h\":9,\"i\":\"64a3d12e-87fc-4161-86bf-d10e47cb2131\"},\"panelIndex\":\"64a3d12e-87fc-4161-86bf-d10e47cb2131\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-d53a6d5d-0747-4aff-a8e0-bf3678f0f192\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY 
chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"d53a6d5d-0747-4aff-a8e0-bf3678f0f192\",\"accessors\":[\"8e064c56-fb74-40b3-851d-e3bb934f3224\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"9276778a-5402-4477-825f-bdfec4c9c712\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d53a6d5d-0747-4aff-a8e0-bf3678f0f192\":{\"columns\":{\"8e064c56-fb74-40b3-851d-e3bb934f3224\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"9276778a-5402-4477-825f-bdfec4c9c712\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":false,\"dropPartials\":false}}},\"columnOrder\":[\"9276778a-5402-4477-825f-bdfec4c9c712\",\"8e064c56-fb74-40b3-851d-e3bb934f3224\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected over 
time\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":28,\"w\":12,\"h\":12,\"i\":\"27b2661e-490f-4f5c-80b5-7021b64528da\"},\"panelIndex\":\"27b2661e-490f-4f5c-80b5-7021b64528da\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-aca96b75-931d-4c8d-bcf2-03b37727f51e\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"b9958cde-7f21-4133-9264-e2167b1636ab\",\"isTransposed\":false,\"isMetric\":true},{\"columnId\":\"91d2626d-1b61-4783-ac7b-705b8610f29b\",\"isTransposed\":false,\"isMetric\":false}],\"layerId\":\"aca96b75-931d-4c8d-bcf2-03b37727f51e\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"aca96b75-931d-4c8d-bcf2-03b37727f51e\":{\"columns\":{\"b9958cde-7f21-4133-9264-e2167b1636ab\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"91d2626d-1b61-4783-ac7b-705b8610f29b\":{\"label\":\"Okta event 
types\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"okta.event_type\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"b9958cde-7f21-4133-9264-e2167b1636ab\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"91d2626d-1b61-4783-ac7b-705b8610f29b\",\"b9958cde-7f21-4133-9264-e2167b1636ab\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Okta event types\"},{\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":28,\"w\":12,\"h\":12,\"i\":\"1f7cd6af-eee1-4456-a555-e257acb9dbae\"},\"panelIndex\":\"1f7cd6af-eee1-4456-a555-e257acb9dbae\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-aca96b75-931d-4c8d-bcf2-03b37727f51e\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"b9958cde-7f21-4133-9264-e2167b1636ab\",\"isTransposed\":false,\"isMetric\":true},{\"columnId\":\"91d2626d-1b61-4783-ac7b-705b8610f29b\",\"isTransposed\":false,\"isMetric\":false}],\"layerId\":\"aca96b75-931d-4c8d-bcf2-03b37727f51e\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"aca96b75-931d-4c8d-bcf2-03b37727f51e\":{\"columns\":{\"b9958cde-7f21-4133-9264-e2167b1636ab\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"91d2626d-1b61-4783-ac7b-705b8610f29b\":{\"label\":\"Source IPs\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.ip\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"b9958cde-7f21-4133-9264-e2167b1636ab\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true}},\"columnOrder\":[\"91d2626d-1b61-4783-ac7b-705b8610f29b\",\"b9958cde-7f21-4133-9264-e2167b1636ab\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Source 
IPs\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":28,\"w\":24,\"h\":12,\"i\":\"151ae1ee-f82f-4233-8901-4b54548fa92f\"},\"panelIndex\":\"151ae1ee-f82f-4233-8901-4b54548fa92f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-ca9ed90b-110a-4dec-a680-bd615c54f318\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal\",\"layers\":[{\"layerId\":\"ca9ed90b-110a-4dec-a680-bd615c54f318\",\"seriesType\":\"bar_horizontal\",\"xAccessor\":\"e789ceb8-c70c-43af-9126-bd9d7958f77b\",\"accessors\":[\"3f708596-2ad5-4a79-818d-4054db051bd4\"],\"yConfig\":[{\"forAccessor\":\"3f708596-2ad5-4a79-818d-4054db051bd4\",\"color\":\"#6092c0\"}],\"layerType\":\"data\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"ca9ed90b-110a-4dec-a680-bd615c54f318\":{\"columns\":{\"3f708596-2ad5-4a79-818d-4054db051bd4\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"e789ceb8-c70c-43af-9126-bd9d7958f77b\":{\"label\":\"Top 10 region 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"client.geo.region_name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"3f708596-2ad5-4a79-818d-4054db051bd4\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true}},\"columnOrder\":[\"e789ceb8-c70c-43af-9126-bd9d7958f77b\",\"3f708596-2ad5-4a79-818d-4054db051bd4\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Geo-regions\"}]", + "timeRestore": false, + "title": "Privileged Access Detection Dashboard [Okta] (Entity Analytics)", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "id": "pad-ea-aea2c9d3-c841-4466-8c61-c0ffbf6ac976", + "migrationVersion": { + "dashboard": "8.9.0" + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern", + "id": ".ml-anomalies-shared" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "9102c38b-a4e9-4219-97f8-b2e000bd3af6:indexpattern-datasource-layer-606e98ee-80ad-4ef6-b5dd-d72ca603cf3d" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "c2594a80-809a-4db9-949f-c23de974e903:indexpattern-datasource-layer-606e98ee-80ad-4ef6-b5dd-d72ca603cf3d" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "fe8ca082-0cbb-4e64-87c0-71b580b22776:indexpattern-datasource-layer-1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + 
"name": "87db855a-4b1c-43b0-92f7-23d991abc98d:indexpattern-datasource-layer-1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "64a3d12e-87fc-4161-86bf-d10e47cb2131:indexpattern-datasource-layer-d53a6d5d-0747-4aff-a8e0-bf3678f0f192" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "27b2661e-490f-4f5c-80b5-7021b64528da:indexpattern-datasource-layer-aca96b75-931d-4c8d-bcf2-03b37727f51e" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "1f7cd6af-eee1-4456-a555-e257acb9dbae:indexpattern-datasource-layer-aca96b75-931d-4c8d-bcf2-03b37727f51e" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "151ae1ee-f82f-4233-8901-4b54548fa92f:indexpattern-datasource-layer-ca9ed90b-110a-4dec-a680-bd615c54f318" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/pad/kibana/ml_module/pad-ml.json b/packages/pad/kibana/ml_module/pad-ml.json index c91ab105138..0471bb99eb0 100644 --- a/packages/pad/kibana/ml_module/pad-ml.json +++ b/packages/pad/kibana/ml_module/pad-ml.json @@ -76,7 +76,7 @@ }, "jobs": [ { - "id": "pad_windows_high_count_special_logon_events", + "id": "pad_windows_high_count_special_logon_events_ea", "config": { "groups": [ "security", @@ -97,7 +97,11 @@ ], "influencers": [ "host.name", + "host.id", "user.name", + "event.module", + "user.id", + "event.action", "winlog.event_data.SubjectUserName", "winlog.event_data.PrivilegeList", "winlog.event_data.TargetUserName", @@ -114,7 +118,7 @@ } }, { - "id": "pad_windows_high_count_special_privilege_use_events", + "id": "pad_windows_high_count_special_privilege_use_events_ea", "config": { "groups": [ "security", @@ -135,7 +139,11 @@ ], "influencers": [ "host.name", + "host.id", "user.name", + "event.module", + "user.id", + "event.action", "winlog.event_data.SubjectUserName", "winlog.event_data.PrivilegeList", "process.name" 
@@ -151,7 +159,7 @@ } }, { - "id": "pad_windows_high_count_group_management_events", + "id": "pad_windows_high_count_group_management_events_ea", "config": { "groups": [ "security", @@ -172,7 +180,11 @@ ], "influencers": [ "host.name", + "host.id", "user.name", + "event.module", + "user.id", + "event.action", "winlog.event_data.SubjectUserName", "group.name", "winlog.event_data.TargetUserName" @@ -188,7 +200,7 @@ } }, { - "id": "pad_windows_high_count_user_account_management_events", + "id": "pad_windows_high_count_user_account_management_events_ea", "config": { "groups": [ "security", @@ -209,7 +221,11 @@ ], "influencers": [ "host.name", + "host.id", "user.name", + "event.module", + "user.id", + "event.action", "winlog.event_data.SubjectUserName", "winlog.event_data.TargetUserName" ] @@ -224,7 +240,7 @@ } }, { - "id": "pad_windows_rare_privilege_assigned_to_user", + "id": "pad_windows_rare_privilege_assigned_to_user_ea", "config": { "groups": [ "security", @@ -245,7 +261,10 @@ ], "influencers": [ "host.name", + "host.id", "user.name", + "event.module", + "user.id", "privilege_type", "event.action" ] @@ -260,7 +279,7 @@ } }, { - "id": "pad_windows_rare_group_name_by_user", + "id": "pad_windows_rare_group_name_by_user_ea", "config": { "groups": [ "security", @@ -281,7 +300,10 @@ ], "influencers": [ "host.name", + "host.id", "user.name", + "event.module", + "user.id", "group.name", "winlog.event_data.TargetUserName", "event.action" @@ -297,7 +319,7 @@ } }, { - "id": "pad_windows_rare_device_by_user", + "id": "pad_windows_rare_device_by_user_ea", "config": { "groups": [ "security", @@ -318,7 +340,10 @@ ], "influencers": [ "host.name", + "host.id", "user.name", + "event.module", + "user.id", "group.name", "winlog.event_data.PrivilegeList", "event.action" @@ -334,7 +359,7 @@ } }, { - "id": "pad_windows_rare_source_ip_by_user", + "id": "pad_windows_rare_source_ip_by_user_ea", "config": { "groups": [ "security", 
@@ -355,7 +380,10 @@ ], "influencers": [ "host.name", + "host.id", "user.name", + "event.module", + "user.id", "source.ip", "winlog.event_data.PrivilegeList", "event.action" @@ -371,7 +399,7 @@ } }, { - "id": "pad_windows_rare_region_name_by_user", + "id": "pad_windows_rare_region_name_by_user_ea", "config": { "groups": [ "security", @@ -392,7 +420,11 @@ ], "influencers": [ "host.name", + "host.id", "user.name", + "event.module", + "user.id", + "source.geo.region_name", "source.geo.city_name", "source.geo.country_name", "winlog.event_data.PrivilegeList", @@ -409,7 +441,7 @@ } }, { - "id": "pad_linux_high_count_privileged_process_events_by_user", + "id": "pad_linux_high_count_privileged_process_events_by_user_ea", "config": { "groups": [ "security", @@ -429,7 +461,10 @@ ], "influencers": [ "host.name", + "host.id", "user.name", + "event.module", + "user.id", "process.name", "process.command_line" ] @@ -444,7 +479,7 @@ } }, { - "id": "pad_linux_rare_process_executed_by_user", + "id": "pad_linux_rare_process_executed_by_user_ea", "config": { "groups": [ "security", @@ -465,7 +500,10 @@ ], "influencers": [ "host.name", + "host.id", "user.name", + "event.module", + "user.id", "process.name" ] }, @@ -479,7 +517,7 @@ } }, { - "id": "pad_linux_high_median_process_command_line_entropy_by_user", + "id": "pad_linux_high_median_process_command_line_entropy_by_user_ea", "config": { "groups": [ "security", @@ -500,8 +538,12 @@ ], "influencers": [ "host.name", + "host.id", "user.name", - "process.command_line" + "event.module", + "user.id", + "process.command_line", + "process.command_line_entropy" ] }, "data_description": { @@ -514,7 +556,7 @@ } }, { - "id": "pad_okta_spike_in_group_membership_changes", + "id": "pad_okta_spike_in_group_membership_changes_ea", "config": { "groups": [ "security", 
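Review bot: `process.command_line_entropy` is added as an influencer in the `@@ -500,8 +538,12 @@` hunk, but judging by the job name it is the continuous numeric field the `high_median` detector analyses (the detector itself is outside the hunk); influencers are meant to be categorical fields, so a floating-point value yields one distinct influencer per score rather than an entity to pivot on, and needlessly grows the model. The same applies to `okta_distinct_ips` added in the `@@ -714,14 +776,18 @@` hunk ending at L186, where the visible `"field_name": "okta_distinct_ips"` confirms it is that detector's metric field. Unless there is a deliberate reason to surface these values in anomaly records, drop the two lines `"process.command_line_entropy"` and `"okta_distinct_ips"` from the influencer lists.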
@@ -529,13 +571,17 @@ "detector_description": "High count of group membership okta events by user name", "function": "high_non_zero_count", "by_field_name": "okta.event_type", - "partition_field_name": "source.user.name", + "partition_field_name": "user.name", "detector_index": 0 } ], "influencers": [ + "host.name", "agent.name", - "source.user.name", + "user.name", + "user.email", + "event.module", + "okta.event_type", "source.user.full_name", "user.target.full_name", "user.target.group.name" @@ -551,7 +597,7 @@ } }, { - "id": "pad_okta_spike_in_user_lifecycle_management_changes", + "id": "pad_okta_spike_in_user_lifecycle_management_changes_ea", "config": { "groups": [ "security", @@ -566,13 +612,17 @@ "detector_description": "High count of user lifecycle management okta events by user name", "function": "high_non_zero_count", "by_field_name": "okta.event_type", - "partition_field_name": "source.user.name", + "partition_field_name": "user.name", "detector_index": 0 } ], "influencers": [ + "host.name", "agent.name", - "source.user.name", + "user.name", + "user.email", + "event.module", + "okta.event_type", "source.user.full_name", "user.target.full_name", "user.target.group.name" @@ -588,7 +638,7 @@ } }, { - "id": "pad_okta_spike_in_group_privilege_changes", + "id": "pad_okta_spike_in_group_privilege_changes_ea", "config": { "groups": [ "security", @@ -603,13 +653,17 @@ "detector_description": "High count of group privilege okta events by user name", "function": "high_non_zero_count", "by_field_name": "okta.event_type", - "partition_field_name": "source.user.name", + "partition_field_name": "user.name", "detector_index": 0 } ], "influencers": [ + "host.name", "agent.name", - "source.user.name", + "user.name", + "user.email", + "event.module", + "okta.event_type", "source.user.full_name", "user.target.full_name", "user.target.group.name", 
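Review bot: `partition_field_name` moves from `source.user.name` to `user.name` in all three hunks here and in the Okta hunks ending at L186 and L187, and `user.email` joins the influencers, but nothing in the diff shows that the Okta data stream actually populates ECS `user.name` and `user.email` — the previous field choice suggests the integration kept the actor under `source.user.*`, and `source.user.full_name` is still listed as an influencer beside the new field. If `user.name` is missing from the events a partition-field job silently produces no results rather than failing, so this needs a check against a real Okta document or the integration's field mapping before release. The datafeed queries for these Okta jobs lie beyond L190; they should be confirmed not to still filter on `source.user.name`.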
@@ -627,7 +681,7 @@ } }, { - "id": "pad_okta_spike_in_group_application_assignment_changes", + "id": "pad_okta_spike_in_group_application_assignment_changes_ea", "config": { "groups": [ "security", @@ -642,13 +696,17 @@ "detector_description": "High count of group application assignment okta events by user name", "function": "high_non_zero_count", "by_field_name": "okta.event_type", - "partition_field_name": "source.user.name", + "partition_field_name": "user.name", "detector_index": 0 } ], "influencers": [ + "host.name", "agent.name", - "source.user.name", + "user.name", + "user.email", + "event.module", + "okta.event_type", "source.user.full_name", "user.target.group.name" ] @@ -663,7 +721,7 @@ } }, { - "id": "pad_okta_spike_in_group_lifecycle_changes", + "id": "pad_okta_spike_in_group_lifecycle_changes_ea", "config": { "groups": [ "security", @@ -678,13 +736,17 @@ "detector_description": "High count of group lifecycle okta events by user name", "function": "high_non_zero_count", "by_field_name": "okta.event_type", - "partition_field_name": "source.user.name", + "partition_field_name": "user.name", "detector_index": 0 } ], "influencers": [ + "host.name", "agent.name", - "source.user.name", + "user.name", + "user.email", + "event.module", + "okta.event_type", "source.user.full_name", "user.target.group.name" ] @@ -699,7 +761,7 @@ } }, { - "id": "pad_okta_high_sum_concurrent_sessions_by_user", + "id": "pad_okta_high_sum_concurrent_sessions_by_user_ea", "config": { "groups": [ "security", @@ -714,14 +776,18 @@ "detector_description": "High sum of distinct source ips by user name", "function": "high_sum", "field_name": "okta_distinct_ips", - "partition_field_name": "source.user.name", + "partition_field_name": "user.name", "detector_index": 0 } ], "influencers": [ - "source.user.name", + "user.name", + "user.email", + "event.module", + "host.name", "agent.name", - "source.user.full_name" + "source.user.full_name", + "okta_distinct_ips" ] }, "data_description": { 
@@ -734,7 +800,7 @@ } }, { - "id": "pad_okta_rare_source_ip_by_user", + "id": "pad_okta_rare_source_ip_by_user_ea", "config": { "groups": [ "security", @@ -749,12 +815,16 @@ "detector_description": "Rare source ip by user name", "function": "rare", "by_field_name": "source.ip", - "partition_field_name": "source.user.name", + "partition_field_name": "user.name", "detector_index": 0 } ], "influencers": [ + "host.name", "agent.name", + "user.name", + "user.email", + "source.ip", "source.user.full_name", "user.target.group.name", "okta.event_type" @@ -770,7 +840,7 @@ } }, { - "id": "pad_okta_rare_region_name_by_user", + "id": "pad_okta_rare_region_name_by_user_ea", "config": { "groups": [ "security", @@ -785,12 +855,16 @@ "detector_description": "Rare region name by user name", "function": "rare", "by_field_name": "client.geo.region_name", - "partition_field_name": "source.user.name", + "partition_field_name": "user.name", "detector_index": 0 } ], "influencers": [ + "host.name", "agent.name", + "user.name", + "user.email", + "client.geo.region_name", "source.user.full_name", "user.target.group.name", "okta.event_type", @@ -807,7 +881,7 @@ } }, { - "id": "pad_okta_rare_host_name_by_user", + "id": "pad_okta_rare_host_name_by_user_ea", "config": { "groups": [ "security", @@ -821,13 +895,16 @@ { "detector_description": "Rare host name by user name", "function": "rare", - "by_field_name": "agent.name", - "partition_field_name": "source.user.name", + "by_field_name": "host.name", + "partition_field_name": "user.name", "detector_index": 0 } ], "influencers": [ + "host.name", "agent.name", + "user.name", + "user.email", "source.user.full_name", "user.target.group.name", "okta.event_type" 
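Review bot: The `@@ -821,13 +895,16 @@` hunk changes `by_field_name` of `pad_okta_rare_host_name_by_user_ea` from `agent.name` to `host.name`, but the new Okta dashboard added by this commit (hunk ending at L182) still builds its "Anomalous host names detected" metric and "Top 10 Host names" table on `\"sourceField\":\"agent.name\"` (L171, L175). Because `agent.name` stays in the influencer list the panels still render, yet they no longer show the value the detector keys on, so a rare host would appear in the swim lane but not in the table unless the two fields happen to coincide. Either switch both panels to `\"sourceField\":\"host.name\"` or keep the detector on `agent.name`; the dashboard and the job should agree on the field.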
@@ -845,13 +922,13 @@ ], "datafeeds": [ { - "id": "datafeed-pad_windows_high_count_special_logon_events", - "job_id": "pad_windows_high_count_special_logon_events", + "id": "datafeed-pad_windows_high_count_special_logon_events_ea", + "job_id": "pad_windows_high_count_special_logon_events_ea", "config": { "indices": [ "INDEX_PATTERN_NAME" ], - "job_id": "pad_windows_high_count_special_logon_events", + "job_id": "pad_windows_high_count_special_logon_events_ea", "query": { "bool": { "filter": [ @@ -902,13 +979,13 @@ } }, { - "id": "datafeed-pad_windows_high_count_special_privilege_use_events", - "job_id": "pad_windows_high_count_special_privilege_use_events", + "id": "datafeed-pad_windows_high_count_special_privilege_use_events_ea", + "job_id": "pad_windows_high_count_special_privilege_use_events_ea", "config": { "indices": [ "INDEX_PATTERN_NAME" ], - "job_id": "pad_windows_high_count_special_privilege_use_events", + "job_id": "pad_windows_high_count_special_privilege_use_events_ea", "query": { "bool": { "filter": [ @@ -959,13 +1036,13 @@ } }, { - "id": "datafeed-pad_windows_high_count_group_management_events", - "job_id": "pad_windows_high_count_group_management_events", + "id": "datafeed-pad_windows_high_count_group_management_events_ea", + "job_id": "pad_windows_high_count_group_management_events_ea", "config": { "indices": [ "INDEX_PATTERN_NAME" ], - "job_id": "pad_windows_high_count_group_management_events", + "job_id": "pad_windows_high_count_group_management_events_ea", "query": { "bool": { "filter": [ 
@@ -1019,13 +1096,13 @@ } }, { - "id": "datafeed-pad_windows_high_count_user_account_management_events", - "job_id": "pad_windows_high_count_user_account_management_events", + "id": "datafeed-pad_windows_high_count_user_account_management_events_ea", + "job_id": "pad_windows_high_count_user_account_management_events_ea", "config": { "indices": [ "INDEX_PATTERN_NAME" ], - "job_id": "pad_windows_high_count_user_account_management_events", + "job_id": "pad_windows_high_count_user_account_management_events_ea", "query": { "bool": { "filter": [ @@ -1080,13 +1157,13 @@ } }, { - "id": "datafeed-pad_windows_rare_privilege_assigned_to_user", - "job_id": "pad_windows_rare_privilege_assigned_to_user", + "id": "datafeed-pad_windows_rare_privilege_assigned_to_user_ea", + "job_id": "pad_windows_rare_privilege_assigned_to_user_ea", "config": { "indices": [ "INDEX_PATTERN_NAME" ], - "job_id": "pad_windows_rare_privilege_assigned_to_user", + "job_id": "pad_windows_rare_privilege_assigned_to_user_ea", "query": { "bool": { "filter": [ @@ -1101,13 +1178,13 @@ } }, { - "id": "datafeed-pad_windows_rare_group_name_by_user", - "job_id": "pad_windows_rare_group_name_by_user", + "id": "datafeed-pad_windows_rare_group_name_by_user_ea", + "job_id": "pad_windows_rare_group_name_by_user_ea", "config": { "indices": [ "INDEX_PATTERN_NAME" ], - "job_id": "pad_windows_rare_group_name_by_user", + "job_id": "pad_windows_rare_group_name_by_user_ea", "query": { "bool": { "filter": [ @@ -1161,13 +1238,13 @@ } }, { - "id": "datafeed-pad_windows_rare_device_by_user", - "job_id": "pad_windows_rare_device_by_user", + "id": "datafeed-pad_windows_rare_device_by_user_ea", + "job_id": "pad_windows_rare_device_by_user_ea", "config": { "indices": [ "INDEX_PATTERN_NAME" ], - "job_id": "pad_windows_rare_device_by_user", + "job_id": "pad_windows_rare_device_by_user_ea", "query": { "bool": { "filter": [ 
@@ -1250,13 +1327,13 @@ } }, { - "id": "datafeed-pad_windows_rare_source_ip_by_user", - "job_id": "pad_windows_rare_source_ip_by_user", + "id": "datafeed-pad_windows_rare_source_ip_by_user_ea", + "job_id": "pad_windows_rare_source_ip_by_user_ea", "config": { "indices": [ "INDEX_PATTERN_NAME" ], - "job_id": "pad_windows_rare_source_ip_by_user", + "job_id": "pad_windows_rare_source_ip_by_user_ea", "query": { "bool": { "filter": [ @@ -1339,13 +1416,13 @@ } }, { - "id": "datafeed-pad_windows_rare_region_name_by_user", - "job_id": "pad_windows_rare_region_name_by_user", + "id": "datafeed-pad_windows_rare_region_name_by_user_ea", + "job_id": "pad_windows_rare_region_name_by_user_ea", "config": { "indices": [ "INDEX_PATTERN_NAME" ], - "job_id": "pad_windows_rare_region_name_by_user", + "job_id": "pad_windows_rare_region_name_by_user_ea", "query": { "bool": { "filter": [ @@ -1428,13 +1505,13 @@ } }, { - "id": "datafeed-pad_linux_high_count_privileged_process_events_by_user", - "job_id": "pad_linux_high_count_privileged_process_events_by_user", + "id": "datafeed-pad_linux_high_count_privileged_process_events_by_user_ea", + "job_id": "pad_linux_high_count_privileged_process_events_by_user_ea", "config": { "indices": [ "INDEX_PATTERN_NAME" ], - "job_id": "pad_linux_high_count_privileged_process_events_by_user", + "job_id": "pad_linux_high_count_privileged_process_events_by_user_ea", "query": { "bool": { "must": [ @@ -1638,13 +1715,13 @@ } }, { - "id": "datafeed-pad_linux_rare_process_executed_by_user", - "job_id": "pad_linux_rare_process_executed_by_user", + "id": "datafeed-pad_linux_rare_process_executed_by_user_ea", + "job_id": "pad_linux_rare_process_executed_by_user_ea", "config": { "indices": [ "INDEX_PATTERN_NAME" ], - "job_id": "pad_linux_rare_process_executed_by_user", + "job_id": "pad_linux_rare_process_executed_by_user_ea", "query": { "bool": { "must": [ 
@@ -1848,13 +1925,13 @@ } }, { - "id": "datafeed-pad_linux_high_median_process_command_line_entropy_by_user", - "job_id": "pad_linux_high_median_process_command_line_entropy_by_user", + "id": "datafeed-pad_linux_high_median_process_command_line_entropy_by_user_ea", + "job_id": "pad_linux_high_median_process_command_line_entropy_by_user_ea", "config": { "indices": [ "INDEX_PATTERN_NAME" ], - "job_id": "pad_linux_high_median_process_command_line_entropy_by_user", + "job_id": "pad_linux_high_median_process_command_line_entropy_by_user_ea", "query": { "bool": { "must": [ @@ -2058,13 +2135,13 @@ } }, { - "id": "datafeed-pad_okta_spike_in_group_membership_changes", - "job_id": "pad_okta_spike_in_group_membership_changes", + "id": "datafeed-pad_okta_spike_in_group_membership_changes_ea", + "job_id": "pad_okta_spike_in_group_membership_changes_ea", "config": { "indices": [ "INDEX_PATTERN_NAME" ], - "job_id": "pad_okta_spike_in_group_membership_changes", + "job_id": "pad_okta_spike_in_group_membership_changes_ea", "query": { "bool": { "filter": [ @@ -2084,13 +2161,13 @@ } }, { - "id": "datafeed-pad_okta_spike_in_user_lifecycle_management_changes", - "job_id": "pad_okta_spike_in_user_lifecycle_management_changes", + "id": "datafeed-pad_okta_spike_in_user_lifecycle_management_changes_ea", + "job_id": "pad_okta_spike_in_user_lifecycle_management_changes_ea", "config": { "indices": [ "INDEX_PATTERN_NAME" ], - "job_id": "pad_okta_spike_in_user_lifecycle_management_changes", + "job_id": "pad_okta_spike_in_user_lifecycle_management_changes_ea", "query": { "bool": { "filter": [ 
@@ -2117,13 +2194,13 @@ } }, { - "id": "datafeed-pad_okta_spike_in_group_privilege_changes", - "job_id": "pad_okta_spike_in_group_privilege_changes", + "id": "datafeed-pad_okta_spike_in_group_privilege_changes_ea", + "job_id": "pad_okta_spike_in_group_privilege_changes_ea", "config": { "indices": [ "INDEX_PATTERN_NAME" ], - "job_id": "pad_okta_spike_in_group_privilege_changes", + "job_id": "pad_okta_spike_in_group_privilege_changes_ea", "query": { "bool": { "filter": [ @@ -2143,13 +2220,13 @@ } }, { - "id": "datafeed-pad_okta_spike_in_group_application_assignment_changes", - "job_id": "pad_okta_spike_in_group_application_assignment_changes", + "id": "datafeed-pad_okta_spike_in_group_application_assignment_changes_ea", + "job_id": "pad_okta_spike_in_group_application_assignment_changes_ea", "config": { "indices": [ "INDEX_PATTERN_NAME" ], - "job_id": "pad_okta_spike_in_group_application_assignment_changes", + "job_id": "pad_okta_spike_in_group_application_assignment_changes_ea", "query": { "bool": { "filter": [ @@ -2169,13 +2246,13 @@ } }, { - "id": "datafeed-pad_okta_spike_in_group_lifecycle_changes", - "job_id": "pad_okta_spike_in_group_lifecycle_changes", + "id": "datafeed-pad_okta_spike_in_group_lifecycle_changes_ea", + "job_id": "pad_okta_spike_in_group_lifecycle_changes_ea", "config": { "indices": [ "INDEX_PATTERN_NAME" ], - "job_id": "pad_okta_spike_in_group_lifecycle_changes", + "job_id": "pad_okta_spike_in_group_lifecycle_changes_ea", "query": { "bool": { "filter": [ 
@@ -2195,19 +2272,19 @@ } }, { - "id": "datafeed-pad_okta_high_sum_concurrent_sessions_by_user", - "job_id": "pad_okta_high_sum_concurrent_sessions_by_user", + "id": "datafeed-pad_okta_high_sum_concurrent_sessions_by_user_ea", + "job_id": "pad_okta_high_sum_concurrent_sessions_by_user_ea", "config": { "indices": [ "INDEX_PATTERN_NAME" ], - "job_id": "pad_okta_high_sum_concurrent_sessions_by_user", + "job_id": "pad_okta_high_sum_concurrent_sessions_by_user_ea", "query": { "bool": { "filter": [ { "exists": { - "field": "source.user.name" + "field": "user.name" } }, { @@ -2240,13 +2317,13 @@ } }, { - "id": "datafeed-pad_okta_rare_source_ip_by_user", - "job_id": "pad_okta_rare_source_ip_by_user", + "id": "datafeed-pad_okta_rare_source_ip_by_user_ea", + "job_id": "pad_okta_rare_source_ip_by_user_ea", "config": { "indices": [ "INDEX_PATTERN_NAME" ], - "job_id": "pad_okta_rare_source_ip_by_user", + "job_id": "pad_okta_rare_source_ip_by_user_ea", "query": { "bool": { "filter": [ @@ -2285,13 +2362,13 @@ } }, { - "id": "datafeed-pad_okta_rare_region_name_by_user", - "job_id": "pad_okta_rare_region_name_by_user", + "id": "datafeed-pad_okta_rare_region_name_by_user_ea", + "job_id": "pad_okta_rare_region_name_by_user_ea", "config": { "indices": [ "INDEX_PATTERN_NAME" ], - "job_id": "pad_okta_rare_region_name_by_user", + "job_id": "pad_okta_rare_region_name_by_user_ea", "query": { "bool": { "filter": [ @@ -2330,13 +2407,13 @@ } }, { - "id": "datafeed-pad_okta_rare_host_name_by_user", - "job_id": "pad_okta_rare_host_name_by_user", + "id": "datafeed-pad_okta_rare_host_name_by_user_ea", + "job_id": "pad_okta_rare_host_name_by_user_ea", "config": { "indices": [ "INDEX_PATTERN_NAME" ], - "job_id": "pad_okta_rare_host_name_by_user", + "job_id": "pad_okta_rare_host_name_by_user_ea", "query": { "bool": { "filter": [ @@ -2347,7 +2424,7 @@ }, { "exists": { - "field": "agent.name" + "field": "host.name" } }, { 
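Review bot: Only two of the Okta datafeeds here show their filter block updated — `high_sum_concurrent_sessions_by_user_ea` now requires `user.name` to exist and `rare_host_name_by_user_ea` now requires `host.name` (hunk `@@ -2347,7 +2424,7 @@`) — while the `rare_source_ip_by_user_ea` and `rare_region_name_by_user_ea` hunks show only the id rename, with their `exists` filters outside the visible lines. If those filters still gate on `source.user.name`, documents that carry `user.name` but not `source.user.name` are dropped before the job sees them, and documents with `source.user.name` but no `user.name` reach a job whose partition field is now `user.name` and are silently skipped as missing-field; please verify they were changed to `{"exists": {"field": "user.name"}}` to match the job definitions at the top of the module. Each datafeed's `config` object continues past its hunk.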
diff --git a/packages/pad/manifest.yml b/packages/pad/manifest.yml index a71f93f3bdf..156ff2404bf 100644 --- a/packages/pad/manifest.yml +++ b/packages/pad/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.0 name: pad title: "Privileged Access Detection" -version: 1.1.2 +version: 2.0.0 source: license: "Elastic-2.0" description: "ML package to detect anomalous privileged access activity in Windows, Linux and Okta logs" @@ -11,7 +11,7 @@ categories: - advanced_analytics_ueba conditions: kibana: - version: "^8.18.0 || ^9.0.0" + version: "^9.4.0" elastic: subscription: platinum capabilities: diff --git a/packages/problemchild/changelog.yml b/packages/problemchild/changelog.yml index 6b570308034..5290c6c7856 100644 --- a/packages/problemchild/changelog.yml +++ b/packages/problemchild/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "3.0.0" + changes: + - description: Adds new fields for entity resolution with Entity Analytics in Elastic Stack 9.4. Includes new ML jobs. + type: enhancement + link: https://github.com/elastic/integrations/pull/17626 - version: "2.4.6" changes: - description: Update documentation for blogs diff --git a/packages/problemchild/docs/README.md b/packages/problemchild/docs/README.md index be8ea727960..9ca1920c936 100644 --- a/packages/problemchild/docs/README.md +++ b/packages/problemchild/docs/README.md 
@@ -13,7 +13,7 @@ The following blogs and webinar provide additional context. For the most current - [Webinar: ProblemChild: Detecting living-off-the-land attacks using the Elastic Stack](https://www.elastic.co/webinars/problemchild) ## Installation -1. **Upgrading**: If upgrading from a version below v2.0.0, see the section v2.0.0 and beyond. +1. **Upgrading**: If upgrading from a version below v3.0.0, see the section v3.0.0 and beyond. 1. **Add the Integration Package**: Install the package via **Management > Integrations > Add Living off the Land Detection**. Configure the integration name and agent policy. Click Save and Continue. (Note that this integration does not rely on an agent, and can be assigned to a policy without an agent.) 1. **Install assets**: Install the assets by clicking **Settings > Install Living off the Land Detection assets**. 1. **Configure the pipeline**: To configure the pipeline you can use one of the following steps: 
@@ -119,7 +119,9 @@ The following blogs and webinar provide additional context. For the most current ``` 1. **(Optional) [Create a data view](https://www.elastic.co/guide/en/kibana/current/data-views.html) specificially for your windows process logs (index pattern or data stream name)** 1. **Add preconfigured anomaly detection jobs**: In **Stack Management -> Anomaly Detection Jobs**, you will see **Select data view or saved search**. Select the data view created in the previous step. Then under `Use preconfigured jobs` you will see `Living off the Land Attack Detection`. When you select the card, you will see several pre-configured anomaly detection jobs that you can create depending on what makes the most sense for your environment. **Warning**: if the ingest pipeline hasn't run for some reason, such as no eligible data has come in yet, or the required mapping has not been added, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any predictions have been populated yet. -1. **Enable detection rules**: You can also enable detection rules to alert on LotL activity in your environment, based on anomalies flagged by the above ML jobs. As of version 2.0.0 of this package, these rules are available as part of the Detection Engine, and can be found using the tag `Use Case: Living off the Land Attack Detection`. See this [documentation](https://www.elastic.co/guide/en/security/current/prebuilt-rules-management.html#load-prebuilt-rules) for more information on importing and enabling the rules. +### Enable detection rules + +You can also enable detection rules to alert on LotL activity in your environment, based on anomalies flagged by the above ML jobs. As of version 2.0.0 of this package, these rules are available as part of the Detection Engine, and can be found using the tag `Use Case: Living off the Land Attack Detection`. 
See this [documentation](https://www.elastic.co/guide/en/security/current/prebuilt-rules-management.html#load-prebuilt-rules) for more information on importing and enabling the rules. ![Domain Generation Detection Detection Rules](../img/lotlrules.png) *In **Security > Rules**, filtering with the “Use Case: Living off the Land Attack Detection” tag* 
@@ -128,14 +130,14 @@ The following blogs and webinar provide additional context. For the most current Detects potential LotL activity by identifying malicious processes. -| Job | Description | -|---|---| -| problem_child_rare_process_by_host | Looks for a process that has been classified as malicious on a host that does not commonly manifest malicious process activity. | -| problem_child_high_sum_by_host | Looks for a set of one or more malicious child processes on a single host. | -| problem_child_rare_process_by_user | Looks for a process that has been classified as malicious where the user context is unusual and does not commonly manifest malicious process activity. | -| problem_child_rare_process_by_parent | Looks for rare malicious child processes spawned by a parent process. | -| problem_child_high_sum_by_user | Looks for a set of one or more malicious processes, started by the same user. | -| problem_child_high_sum_by_parent | Looks for a set of one or more malicious child processes spawned by the same parent process. | +| Job | Description | Supported Platform | Event Category | +|-----------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------|----------------| +| problem_child_rare_process_by_host_ea | Looks for a process that has been classified as malicious on a host that does not commonly manifest malicious process activity. | Windows | process | +| problem_child_high_sum_by_host_ea | Looks for a set of one or more malicious child processes on a single host. | Windows | process | +| problem_child_rare_process_by_user_ea | Looks for a process that has been classified as malicious where the user context is unusual and does not commonly manifest malicious process activity. 
| Windows | process | +| problem_child_rare_process_by_parent_ea | Looks for rare malicious child processes spawned by a parent process. | Windows | process | +| problem_child_high_sum_by_user_ea | Looks for a set of one or more malicious processes, started by the same user. | Windows | process | +| problem_child_high_sum_by_parent_ea | Looks for a set of one or more malicious child processes spawned by the same parent process. | Windows | process | ## Customize ML jobs for Living off the Land Attack Detection 
@@ -154,6 +156,32 @@ To customize the datafeed query and other settings such as model memory limit, f ![Living off the Land Attack Detection jobs](../img/problemchild_ml_job_6.png) 1. Finally, assign a new Job ID, and click on **Create job**, and start the datafeed to apply the updated settings. +## v3.0.0 and beyond + +v3.0.0 of this package requires Elastic Stack version 9.4 or later. It introduces support for Entity Analytics (EA), adding new fields for proper entity resolution. + +- This package installs new ML jobs which include `_ea` suffix in their names, as outlined below. New detection rules are also included. +- Previously installed ML jobs and rules will continue to run, allowing time to transition to the new Entity Analytics assets. +- **Important**: We recommend installing the new ML jobs and verifying that they are properly set up, collecting data, and generating anomalies **before** deleting the old jobs and upgrading to the new version of the detection rules available in 9.4. The new detection rules reference ML job IDs with the `_ea` suffix and are not compatible with older versions of the jobs. 
+ +The new Entity Analytics ML job IDs are: +- `problem_child_rare_process_by_host_ea` +- `problem_child_high_sum_by_host_ea` +- `problem_child_rare_process_by_user_ea` +- `problem_child_rare_process_by_parent_ea` +- `problem_child_high_sum_by_user_ea` +- `problem_child_high_sum_by_parent_ea` + +After confirming the new Entity Analytics ML jobs are running correctly, you can remove the following deprecated assets that have been superseded by the new Entity Analytics versions (Elastic stack 9.4+): + +- Delete old ML jobs: Navigate to **Stack Management -> Anomaly Detection Jobs** and delete the following jobs: + - `problem_child_rare_process_by_host` + - `problem_child_high_sum_by_host` + - `problem_child_rare_process_by_user` + - `problem_child_rare_process_by_parent` + - `problem_child_high_sum_by_user` + - `problem_child_high_sum_by_parent` + ## v2.0.0 and beyond v2.0.0 of the package introduces breaking changes, namely deprecating detection rules from the package. To continue receiving updates to LotL Detection, we recommend upgrading to v2.0.0 after doing the following: diff --git a/packages/problemchild/elasticsearch/ingest_pipeline/problem_child_inference_pipeline.yml b/packages/problemchild/elasticsearch/ingest_pipeline/problem_child_inference_pipeline.yml index 4ec4ba8a1dc..dfb7baa713b 100644 --- a/packages/problemchild/elasticsearch/ingest_pipeline/problem_child_inference_pipeline.yml +++ b/packages/problemchild/elasticsearch/ingest_pipeline/problem_child_inference_pipeline.yml @@ -394,7 +394,7 @@ processors: lang: painless source: ctx.entrySet().removeIf(field -> field.getKey() =~ /feature_.*/);ctx['problemchild'].remove('prediction_score');ctx['problemchild'].remove('model_id'); on_failure: - - append: + - set: field: event.kind value: pipeline_error - append: 
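Review bot: Replacing `append` with `set` on `event.kind` changes downstream behaviour, not only the field's shape: with `append`, a document whose inference failed ended up with `event.kind: ["event", "pipeline_error"]` and still matched any `event.kind: event` term filter, whereas `set` (default `override: true`) replaces the value so such documents now drop out of those filters. That is the right fix for an ECS keyword field, but it is not mentioned in the 3.0.0 changelog entry and the processor carries no explanation; I would add `description: "Replace (not append) event.kind so failed documents are excluded by event.kind:event filters"` to the `set` processor and a matching changelog line. Separately, the visible remove script uses the Painless find operator, `field.getKey() =~ /feature_.*/`, which strips any key containing `feature_` anywhere rather than only keys beginning with it; `field.getKey().startsWith('feature_')` states the intent exactly. The surrounding `on_failure` list continues past the hunk.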
diff --git a/packages/problemchild/elasticsearch/ingest_pipeline/problem_child_ingest_pipeline.yml b/packages/problemchild/elasticsearch/ingest_pipeline/problem_child_ingest_pipeline.yml index 8aafe21a93d..e5d59f9c221 100644 --- a/packages/problemchild/elasticsearch/ingest_pipeline/problem_child_ingest_pipeline.yml +++ b/packages/problemchild/elasticsearch/ingest_pipeline/problem_child_ingest_pipeline.yml @@ -5,7 +5,7 @@ processors: if: ctx.event?.kind == 'event' && ctx.event?.category?.contains('process') && (ctx.host?.os?.type?.toLowerCase() == 'windows' || ctx.host?.os?.family?.toLowerCase() == 'windows' || ctx.host?.os?.platform?.toLowerCase() == 'windows') name: '{{ IngestPipeline "problem_child_inference_pipeline" }}' on_failure: - - append: + - set: field: event.kind value: pipeline_error - append: diff --git a/packages/problemchild/kibana/ml_module/problemchild-ml.json b/packages/problemchild/kibana/ml_module/problemchild-ml.json index f78cd91dcb6..111fefc2d5f 100644 --- a/packages/problemchild/kibana/ml_module/problemchild-ml.json +++ b/packages/problemchild/kibana/ml_module/problemchild-ml.json @@ -34,7 +34,7 @@ }, "jobs": [ { - "id": "problem_child_rare_process_by_host", + "id": "problem_child_rare_process_by_host_ea", "config": { "groups": [ "living_off_the_land", @@ -55,7 +55,10 @@ "influencers": [ "process.name", "host.name", + "host.id", "user.name", + "event.module", + "user.id", "process.command_line" ] }, @@ -69,7 +72,7 @@ } }, { - "id": "problem_child_high_sum_by_host", + "id": "problem_child_high_sum_by_host_ea", "config": { "groups": [ "living_off_the_land", @@ -97,8 +100,12 @@ "influencers": [ "process.name", "host.name", + "host.id", "user.name", - "process.command_line" + "event.module", + "user.id", + "process.command_line", + "blocklist_label" ] }, "data_description": { @@ -111,7 +118,7 @@ } }, { - "id": "problem_child_rare_process_by_user", + "id": "problem_child_rare_process_by_user_ea", "config": { "groups": [ "living_off_the_land", 
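Review bot: The outer `pipeline` processor only runs inference when `ctx.event?.kind == 'event'`, so a document that this `on_failure` handler stamps with `event.kind: pipeline_error` is permanently skipped if it is later re-run through the pipeline, for example a reindex after the model or mapping is fixed. That is a sensible outcome for a detection feed, but it is the kind of thing the next operator will trip over, so I would record it on the processor: `description: "Failed documents are tagged pipeline_error and are not re-scored by this pipeline until event.kind is reset to 'event'"`. With both of the package's `on_failure` handlers now using `set`, `event.kind` stays a single keyword as ECS expects, which is worth one line in the 3.0.0 changelog. The `on_failure` list continues past the hunk.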
@@ -132,7 +139,10 @@ "influencers": [ "process.name", "user.name", + "event.module", + "user.id", "host.name", + "host.id", "process.command_line" ] }, @@ -146,7 +156,7 @@ } }, { - "id": "problem_child_rare_process_by_parent", + "id": "problem_child_rare_process_by_parent_ea", "config": { "groups": [ "living_off_the_land", @@ -169,7 +179,10 @@ "process.parent.name", "process.command_line", "host.name", - "user.name" + "host.id", + "user.name", + "event.module", + "user.id" ] }, "data_description": { @@ -182,7 +195,7 @@ } }, { - "id": "problem_child_high_sum_by_user", + "id": "problem_child_high_sum_by_user_ea", "config": { "groups": [ "living_off_the_land", @@ -210,8 +223,12 @@ "influencers": [ "process.name", "user.name", + "event.module", + "user.id", "host.name", - "process.command_line" + "host.id", + "process.command_line", + "blocklist_label" ] }, "data_description": { @@ -224,7 +241,7 @@ } }, { - "id": "problem_child_high_sum_by_parent", + "id": "problem_child_high_sum_by_parent_ea", "config": { "groups": [ "living_off_the_land", @@ -254,7 +271,11 @@ "process.parent.name", "process.command_line", "host.name", - "user.name" + "host.id", + "user.name", + "event.module", + "user.id", + "blocklist_label" ] }, "data_description": { @@ -269,13 +290,13 @@ ], "datafeeds": [ { - "id": "datafeed-problem_child_rare_process_by_host", - "job_id": "problem_child_rare_process_by_host", + "id": "datafeed-problem_child_rare_process_by_host_ea", + "job_id": "problem_child_rare_process_by_host_ea", "config": { "indices": [ "INDEX_PATTERN_NAME" ], - "job_id": "problem_child_rare_process_by_host", + "job_id": "problem_child_rare_process_by_host_ea", "query": { "bool": { "minimum_should_match": 1, 
@@ -316,13 +337,13 @@ } }, { - "id": "datafeed-problem_child_high_sum_by_host", - "job_id": "problem_child_high_sum_by_host", + "id": "datafeed-problem_child_high_sum_by_host_ea", + "job_id": "problem_child_high_sum_by_host_ea", "config": { "indices": [ "INDEX_PATTERN_NAME" ], - "job_id": "problem_child_high_sum_by_host", + "job_id": "problem_child_high_sum_by_host_ea", "query": { "bool": { "minimum_should_match": 1, @@ -363,13 +384,13 @@ } }, { - "id": "datafeed-problem_child_rare_process_by_user", - "job_id": "problem_child_rare_process_by_user", + "id": "datafeed-problem_child_rare_process_by_user_ea", + "job_id": "problem_child_rare_process_by_user_ea", "config": { "indices": [ "INDEX_PATTERN_NAME" ], - "job_id": "problem_child_rare_process_by_user", + "job_id": "problem_child_rare_process_by_user_ea", "query": { "bool": { "minimum_should_match": 1, @@ -410,13 +431,13 @@ } }, { - "id": "datafeed-problem_child_rare_process_by_parent", - "job_id": "problem_child_rare_process_by_parent", + "id": "datafeed-problem_child_rare_process_by_parent_ea", + "job_id": "problem_child_rare_process_by_parent_ea", "config": { "indices": [ "INDEX_PATTERN_NAME" ], - "job_id": "problem_child_rare_process_by_parent", + "job_id": "problem_child_rare_process_by_parent_ea", "query": { "bool": { "minimum_should_match": 1, @@ -457,13 +478,13 @@ } }, { - "id": "datafeed-problem_child_high_sum_by_user", - "job_id": "problem_child_high_sum_by_user", + "id": "datafeed-problem_child_high_sum_by_user_ea", + "job_id": "problem_child_high_sum_by_user_ea", "config": { "indices": [ "INDEX_PATTERN_NAME" ], - "job_id": "problem_child_high_sum_by_user", + "job_id": "problem_child_high_sum_by_user_ea", "query": { "bool": { "minimum_should_match": 1, 
@@ -504,13 +525,13 @@ } }, { - "id": "datafeed-problem_child_high_sum_by_parent", - "job_id": "problem_child_high_sum_by_parent", + "id": "datafeed-problem_child_high_sum_by_parent_ea", + "job_id": "problem_child_high_sum_by_parent_ea", "config": { "indices": [ "INDEX_PATTERN_NAME" ], - "job_id": "problem_child_high_sum_by_parent", + "job_id": "problem_child_high_sum_by_parent_ea", "query": { "bool": { "minimum_should_match": 1, @@ -558,4 +579,4 @@ }, "references": [], "type": "ml-module" -} \ No newline at end of file +} diff --git a/packages/problemchild/manifest.yml b/packages/problemchild/manifest.yml index 02b71b9b57f..28e9995a702 100644 --- a/packages/problemchild/manifest.yml +++ b/packages/problemchild/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.0 name: problemchild title: "Living off the Land Attack Detection" -version: 2.4.6 +version: 3.0.0 source: license: "Elastic-2.0" description: "ML solution package to detect Living off the Land (LotL) attacks in your environment. Requires a Platinum subscription." @@ -11,7 +11,7 @@ categories: - advanced_analytics_ueba conditions: kibana: - version: "^8.9.0 || ^9.0.0" + version: "^9.4.0" elastic: subscription: platinum capabilities: