From 7c853a90ab091200f306f4d8ef40be5a4c1265fc Mon Sep 17 00:00:00 2001 
From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Mon, 2 Mar 2026 15:47:48 -0600 Subject: [PATCH 01/44] Add EUIDs --- packages/ded/changelog.yml | 5 + packages/ded/docs/README.md | 51 +- .../fields/fields.yml | 10 +- .../transform.yml | 20 +- ...-c0d7f060-7a6b-11ed-9b26-4bb95b2c57a6.json | 2 +- packages/ded/kibana/ml_module/ded-ml.json | 1134 ++-- packages/ded/manifest.yml | 4 +- packages/dga/changelog.yml | 5 + packages/dga/docs/README.md | 15 +- packages/dga/kibana/ml_module/dga-ml.json | 221 +- packages/dga/manifest.yml | 4 +- packages/lmd/changelog.yml | 5 + packages/lmd/docs/README.md | 59 +- .../fields/fields.yml | 8 +- .../transform.yml | 14 +- ...-17fea180-8c4c-11ed-bb03-41a73f349362.json | 2 +- packages/lmd/kibana/ml_module/lmd-ml.json | 1824 +++---- packages/lmd/manifest.yml | 4 +- packages/pad/changelog.yml | 5 + packages/pad/docs/README.md | 93 +- .../fields/fields.yml | 6 +- .../transform.yml | 13 +- .../fields/fields.yml | 8 +- .../transform.yml | 18 +- ...-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09.json | 4 +- ...-71c4cb79-3d39-4f27-9bbf-1b273c9c37cc.json | 4 +- ...-aea2c9d3-c841-4466-8c61-c0ffbf6ac976.json | 4 +- packages/pad/kibana/ml_module/pad-ml.json | 4728 +++++++++-------- packages/pad/manifest.yml | 4 +- packages/problemchild/changelog.yml | 5 + packages/problemchild/docs/README.md | 30 +- .../kibana/ml_module/problemchild-ml.json | 1150 ++-- packages/problemchild/manifest.yml | 4 +- 33 files changed, 4991 insertions(+), 4472 deletions(-) rename packages/ded/elasticsearch/transform/{pivot_transform => pivot_transform_euid}/fields/fields.yml (80%) rename packages/ded/elasticsearch/transform/{pivot_transform => pivot_transform_euid}/transform.yml (88%) rename packages/lmd/elasticsearch/transform/{pivot_transform => pivot_transform_euid}/fields/fields.yml (78%) rename packages/lmd/elasticsearch/transform/{pivot_transform => pivot_transform_euid}/transform.yml (91%) rename 
packages/pad/elasticsearch/transform/{pivot_transform_okta_multiple_sessions => pivot_transform_okta_sessions_euid}/fields/fields.yml (77%) rename packages/pad/elasticsearch/transform/{pivot_transform_okta_multiple_sessions => pivot_transform_okta_sessions_euid}/transform.yml (84%) rename packages/pad/elasticsearch/transform/{pivot_transform_windows_privilege_list => pivot_transform_win_privilege_list_euid}/fields/fields.yml (65%) rename packages/pad/elasticsearch/transform/{pivot_transform_windows_privilege_list => pivot_transform_win_privilege_list_euid}/transform.yml (83%) diff --git a/packages/ded/changelog.yml b/packages/ded/changelog.yml index c93ff173b61..8563196b5b1 100644 --- a/packages/ded/changelog.yml +++ b/packages/ded/changelog.yml @@ -1,3 +1,8 @@ +- version: "3.0.0" + changes: + - description: Introduce Entity Unique IDs (EUIDs) + type: enhancement + link: https://github.com/elastic/integrations/pull/99999 - version: "2.4.1" changes: - description: Update package docs with customization steps for ML jobs and transforms diff --git a/packages/ded/docs/README.md b/packages/ded/docs/README.md index 47c3892e08a..046c68cbfbf 100644 --- a/packages/ded/docs/README.md +++ b/packages/ded/docs/README.md 
@@ -10,15 +10,15 @@ For more detailed information refer to the following blog: - [Detect data exfiltration activity with Kibana’s new integration](https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration) ## Installation -1. **Upgrading**: If upgrading from a version below v2.0.0, see the section v2.0.0 and beyond. +1. **Upgrading**: If upgrading from a version below v3.0.0, see the section v3.0.0 and beyond. 1. **Add the Integration Package**: Install the package via **Management > Integrations > Add Data Exfiltration Detection**. Configure the integration name and agent policy. Click Save and Continue. (Note that this integration does not rely on an agent, and can be assigned to a policy without an agent.) 1. **Install assets**: Install the assets by clicking **Settings > Install Data Exfiltration Detection assets**. -1. **Check the health of the transform**: The transform is scheduled to run every 30 minutes. This transform creates the index `ml_network_ded-`. To check the health of the transform go to **Management > Stack Management > Data > Transforms** under `logs-ded.pivot_transform-default-`. Follow the instructions under the header `Customize Data Exfiltration Detection Transform` below to adjust filters based on your environment's needs. -1. **Create data views for anomaly detection jobs**: This package contains anomaly detection jobs that work on network events (e.g. `logs-endpoint.events.network-*`) and file events (`logs-endpoint.events.file-*`) respectively. See the _Anomaly Detection Jobs_ section below for more details. _Tip: If you only have one of the above data sources (network or file), you can only follow the steps pertaining to that index._ A separate designated index (`ml_network_ded.all`) collects network logs from a transform. Before enabling the anomaly detection jobs, create a data view with both index patterns. +1. **Check the health of the transform**: The transform is scheduled to run every 30 minutes. 
This transform creates the index `ml_network_ded_euid-`. To check the health of the transform go to **Management > Stack Management > Data > Transforms** under `logs-ded.pivot_transform_euid-default-`. Follow the instructions under the header `Customize Data Exfiltration Detection Transform` below to adjust filters based on your environment's needs. +1. **Create data views for anomaly detection jobs**: This package contains anomaly detection jobs that work on network events (e.g. `logs-endpoint.events.network-*`) and file events (`logs-endpoint.events.file-*`) respectively. See the _Anomaly Detection Jobs_ section below for more details. _Tip: If you only have one of the above data sources (network or file), you can only follow the steps pertaining to that index._ A separate designated index (`ml_network_ded_euid.all`) collects network logs from a transform. Before enabling the anomaly detection jobs, create a data view with both index patterns. 1. Go to **Stack Management > Kibana > Data Views** and click **Create data view**. - 1. Enter the name of your respective index patterns in the **Index pattern** box, i.e., `logs-endpoint.events.file-*`, `logs-endpoint.events.network-*` (depending which one(s) you have), `ml_network_ded.all`, and copy the same in the **Name** field. + 1. Enter the name of your respective index patterns in the **Index pattern** box, i.e., `logs-endpoint.events.file-*`, `logs-endpoint.events.network-*` (depending which one(s) you have), `ml_network_ded_euid.all`, and copy the same in the **Name** field. 1. Select `@timestamp` under the **Timestamp** field and click on **Save data view to Kibana**. - 1. Use the new data view (`logs-endpoint.events.network-*`, `logs-endpoint.events.file-*`, `ml_network_ded.all`) to create anomaly detection jobs for this package. + 1. Use the new data view (`logs-endpoint.events.network-*`, `logs-endpoint.events.file-*`, `ml_network_ded_euid.all`) to create anomaly detection jobs for this package. 1. 
**Add preconfigured anomaly detection jobs**: In **Stack Management -> Anomaly Detection Jobs**, you will see **Select data view or saved search**. Select the data view created in the previous step. Then under `Use preconfigured jobs` you will see **Data Exfiltration Detection**. If you do not see this card, events must be ingested from a source that matches the query specified in the [ded-ml file](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json#L10), such as Elastic Defend. When you select the card, you will see pre-configured anomaly detection jobs that you can create depending on what makes the most sense for your environment. If you are using Elastic Defend to collect events, file events are in `logs-endpoint.events.file-*` and network events in `logs-endpoint.events.network-*`. If you are only collecting file or network events, select only the relevant jobs at this step. 1. **Data view configuration for Dashboards**: For the dashboard to work as expected, the following settings need to be configured in Kibana. 1. You have started the above anomaly detection jobs. 
@@ -42,18 +42,18 @@ To inspect the installed assets, you can navigate to **Stack Management > Data > | Transform name | Purpose | Source index | Destination index | Alias | | ------------------- | ------------------------------------------- | ------------ | ------------------------ | ------------------ | -| ded.pivot_transform | Collects network logs from your environment | logs-* | ml_network_ded-[version] | ml_network_ded.all | +| ded.pivot_transform_euid | Collects network logs from your environment | logs-* | ml_network_ded_euid-[version] | ml_network_ded_euid.all | **Note**: The transform applies only to network data and does not currently support macOS network logs. -When querying the destination index (`ml_network_ded-`) for network logs, we advise using the alias for the destination index (`ml_network_ded.all`). In the event that the underlying package is upgraded, the alias will aid in maintaining the previous findings. +When querying the destination index (`ml_network_ded_euid-`) for network logs, we advise using the alias for the destination index (`ml_network_ded_euid.all`). In the event that the underlying package is upgraded, the alias will aid in maintaining the previous findings. ## Customize Data Exfiltration Detection Transform To customize filters in the Data Exfiltration Detection transform, follow the below steps. You can use these instructions to update basic settings or to update filters for fields such as `process.name`, `source.ip`, `destination.ip`, and others. 1. To update settings such as retention policy, frequency, or destination configuration, stop the transform, click **Edit** from the **Actions** bar, make the required changes, and start the transform again. ![Data Exfiltration Detection transform](../img/ded_transform_update.png) -1. To update the query filters, go to **Stack Management > Data > Transforms > `logs-ded.pivot_transform-default-`**. +1. 
To update the query filters, go to **Stack Management > Data > Transforms > `logs-ded.pivot_transform_euid-default-`**. 1. Click on the **Actions** bar at the far right of the transform and select the **Clone** option. ![Data Exfiltration Detection transform](../img/ded_transform_1.png) 1. In the new **Clone transform** window, go to the **Search filter** and update any field values you want to add or remove. Click on the **Apply changes** button on the right side to save these changes. **Note:** The image below shows an example of filtering a new `process.name` as `explorer.exe`. You can follow a similar example and update the field value list based on your environment to help reduce noise and potential false positives. 
@@ -71,13 +71,13 @@ After the data view for the dashboard is configured, the **Data Exfiltration Det | Job | Description | Supported Platform | Event Category | | ---------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ | ------------------ | ----- | -| ded_high_sent_bytes_destination_geo_country_iso_code | Detects data exfiltration to an unusual geo-location (by country iso code). | Linux, Windows | network | -| ded_high_sent_bytes_destination_ip | Detects data exfiltration to an unusual geo-location (by IP address). | Linux, Windows | network | -| ded_high_sent_bytes_destination_port | Detects data exfiltration to an unusual destination port. | Linux, Windows | network | -| ded_high_sent_bytes_destination_region_name | Detects data exfiltration to an unusual geo-location (by region name). | Linux, Windows | network | -| ded_high_bytes_written_to_external_device | Detects data exfiltration activity by identifying high bytes written to an external device. | Windows | file | -| ded_rare_process_writing_to_external_device | Detects data exfiltration activity by identifying a writing event started by a rare process to an external device. | Windows | file | -| ded_high_bytes_written_to_external_device_airdrop | Detects data exfiltration activity by identifying high bytes written to an external device via Airdrop. | macOS | file | +| ded_high_sent_bytes_destination_geo_country_iso_code_euid | Detects data exfiltration to an unusual geo-location (by country iso code). | Linux, Windows | network | +| ded_high_sent_bytes_destination_ip_euid | Detects data exfiltration to an unusual geo-location (by IP address). | Linux, Windows | network | +| ded_high_sent_bytes_destination_port_euid | Detects data exfiltration to an unusual destination port. 
| Linux, Windows | network | +| ded_high_sent_bytes_destination_region_name_euid | Detects data exfiltration to an unusual geo-location (by region name). | Linux, Windows | network | +| ded_high_bytes_written_to_external_device_euid | Detects data exfiltration activity by identifying high bytes written to an external device. | Windows | file | +| ded_rare_process_writing_to_external_device_euid | Detects data exfiltration activity by identifying a writing event started by a rare process to an external device. | Windows | file | +| ded_high_bytes_written_to_external_device_airdrop_euid | Detects data exfiltration activity by identifying high bytes written to an external device via Airdrop. | macOS | file | ## Customize ML jobs for Data Exfiltration Detection 
@@ -96,6 +96,27 @@ To customize the datafeed query and other settings such as model memory limit, f ![Data Exfiltration Detection jobs](../img/ded_ml_job_6.png) 1. Finally, assign a new Job ID, and click on **Create job**, and start the datafeed to apply the updated settings. +## v3.0.0 and beyond + +v3.0.0 of the package introduces Entity Unique IDs (EUIDs) for use with Entity Analytics. This version is available on Elastic Stack version 9.4 and later. + +- Previously installed versions of ML jobs, transforms, and rules will continue to run, giving you time to transition to the new EUID-based assets. +- On installation of this version, new ML jobs, transforms, and rules that utilize EUIDs will be available. +- We recommend installing the new ML jobs and transforms first and check they are properly installed, gathering data and generating anomalies before updating to the latest version of the detection rules provided in 9.4. +- The new EUID transforms write to separate destination indices postfixed with `_euid`. Create a new data view for the EUID anomaly detection jobs using the new EUID destination indices/aliases listed below. Do not mix old and new transform destination indices in the same data view. + +The new EUID ML job IDs are: +- `ded_high_sent_bytes_destination_geo_country_iso_code_euid` +- `ded_high_sent_bytes_destination_ip_euid` +- `ded_high_sent_bytes_destination_port_euid` +- `ded_high_sent_bytes_destination_region_name_euid` +- `ded_high_bytes_written_to_external_device_euid` +- `ded_rare_process_writing_to_external_device_euid` +- `ded_high_bytes_written_to_external_device_airdrop_euid` + +The new EUID transforms are: +- `ded.pivot_transform_euid` → destination index: `ml_network_ded_euid-3.0.0`, alias: `ml_network_ded_euid.latest`, `ml_network_ded_euid.all` + ## v2.0.0 and beyond v2.0.0 of the package introduces breaking changes, namely deprecating detection rules from the package. 
To continue receiving updates to Data Exfiltration Detection, we recommend upgrading to v2.0.0 after doing the following: diff --git a/packages/ded/elasticsearch/transform/pivot_transform/fields/fields.yml b/packages/ded/elasticsearch/transform/pivot_transform_euid/fields/fields.yml similarity index 80% rename from packages/ded/elasticsearch/transform/pivot_transform/fields/fields.yml rename to packages/ded/elasticsearch/transform/pivot_transform_euid/fields/fields.yml index 7a22b3eef3a..ccbb38276e7 100644 --- a/packages/ded/elasticsearch/transform/pivot_transform/fields/fields.yml +++ b/packages/ded/elasticsearch/transform/pivot_transform_euid/fields/fields.yml @@ -1,7 +1,7 @@ -- external: ecs - name: host.name -- external: ecs - name: user.name +- name: user.entity.id_computed + type: keyword +- name: host.entity.id_computed + type: keyword - external: ecs name: event.category - external: ecs @@ -27,4 +27,4 @@ - external: ecs name: destination.geo.region_name - external: ecs - name: destination.geo.city_name + name: destination.geo.city_name \ No newline at end of file diff --git a/packages/ded/elasticsearch/transform/pivot_transform/transform.yml b/packages/ded/elasticsearch/transform/pivot_transform_euid/transform.yml similarity index 88% rename from packages/ded/elasticsearch/transform/pivot_transform/transform.yml rename to packages/ded/elasticsearch/transform/pivot_transform_euid/transform.yml index f4a2aa81aa8..3cf9b69c8b5 100644 --- a/packages/ded/elasticsearch/transform/pivot_transform/transform.yml +++ b/packages/ded/elasticsearch/transform/pivot_transform_euid/transform.yml 
@@ -1,12 +1,12 @@ dest: - index: ml_network_ded-2.4.1 + index: ml_network_ded_euid-3.0.0 aliases: - - alias: ml_network_ded.latest + - alias: ml_network_ded_euid.latest move_on_creation: true - - alias: ml_network_ded.all + - alias: ml_network_ded_euid.all move_on_creation: false - pipeline: 2.4.1-ml_ded_ingest_pipeline + pipeline: 3.0.0-ml_ded_ingest_pipeline description: This transform runs every 30 minutes and collects network logs to detect data exfiltration in your environment for the past month up to the runtime. frequency: 30m pivot: @@ -18,12 +18,14 @@ pivot: avg: field: source.bytes group_by: - 'host.name': + 'host.entity.id_computed': terms: - field: host.name - 'user.name': + script: + id: euid_host_entity + 'user.entity.id_computed': terms: - field: user.name + script: + id: euid_user_entity 'network.direction': terms: field: network.direction @@ -94,5 +96,5 @@ sync: delay: 120s field: "@timestamp" _meta: - fleet_transform_version: 2.4.1 + fleet_transform_version: 3.0.0 run_as_kibana_system: false diff --git a/packages/ded/kibana/dashboard/ded-c0d7f060-7a6b-11ed-9b26-4bb95b2c57a6.json b/packages/ded/kibana/dashboard/ded-c0d7f060-7a6b-11ed-9b26-4bb95b2c57a6.json index b9b848de667..6c5cdc8abb2 100644 --- a/packages/ded/kibana/dashboard/ded-c0d7f060-7a6b-11ed-9b26-4bb95b2c57a6.json +++ b/packages/ded/kibana/dashboard/ded-c0d7f060-7a6b-11ed-9b26-4bb95b2c57a6.json 
@@ -3,7 +3,7 @@ "description": "This dashboard provides an overview of anomalies found for Data Exfiltration Detection package.", "hits": 0, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"(job_id: \\\"high-sent-bytes-destination-geo-country_iso_code\\\" or job_id: \\\"high-bytes-written-to-external-device-airdrop\\\" or job_id: \\\"high-bytes-written-to-external-device\\\" or job_id: \\\"rare-process-writing-to-external-device\\\" or job_id: \\\"high-sent-bytes-destination-ip\\\" or job_id : \\\"high-sent-bytes-destination-port\\\" or job_id: \\\"high-sent-bytes-destination-region_name\\\") \",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"result_type\",\"field\":\"result_type\",\"type\":\"phrase\",\"params\":{\"query\":\"record\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"result_type\":\"record\"}},\"$state\":{\"store\":\"appState\"}}]}" + "searchSourceJSON": "{\"query\":{\"query\":\"(job_id: \\\"ded_high_sent_bytes_destination_geo_country_iso_code_euid\\\" or job_id: \\\"ded_high_bytes_written_to_external_device_airdrop_euid\\\" or job_id: \\\"ded_high_bytes_written_to_external_device_euid\\\" or job_id: \\\"ded_rare_process_writing_to_external_device_euid\\\" or job_id: \\\"ded_high_sent_bytes_destination_ip_euid\\\" or job_id : \\\"ded_high_sent_bytes_destination_port_euid\\\" or job_id: \\\"ded_high_sent_bytes_destination_region_name_euid\\\") \",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"result_type\",\"field\":\"result_type\",\"type\":\"phrase\",\"params\":{\"query\":\"record\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"result_type\":\"record\"}},\"$state\":{\"store\":\"appState\"}}]}" }, "optionsJSON": { "hidePanelTitles": false, 
diff --git a/packages/ded/kibana/ml_module/ded-ml.json b/packages/ded/kibana/ml_module/ded-ml.json index 87abed1e946..505d120e980 100644 --- a/packages/ded/kibana/ml_module/ded-ml.json +++ b/packages/ded/kibana/ml_module/ded-ml.json 
@@ -1,565 +1,601 @@ { - "attributes": { - "id": "ded-ml", - "title": "Data Exfiltration Detection", - "description": "Detects data exfiltration activity in your network and file data.", - "type": "ded", - "logo": { - "icon": "machineLearningApp" - }, - "query": { + "attributes": { + "id": "ded-ml", + "title": "Data Exfiltration Detection", + "description": "Detects data exfiltration activity in your network and file data.", + "type": "ded", + "logo": { + "icon": "machineLearningApp" + }, + "query": { + "bool": { + "should": [ + { + "term": { + "event.category": "file" + } + }, + { "bool": { - "should": [ - { - "term": { - "event.category": "file" - } - }, - { - "bool": { - "filter": [ - { - "term": { - "event.category": "network" - } - }, - { - "exists": { - "field": "source.bytes" - } - }, - { - "exists": { - "field": "destination" - } - } - ] - } - } - ], - "must_not": { - "terms": { - "_tier": [ - "data_frozen", - "data_cold" - ] - } + "filter": [ + { + "term": { + "event.category": "network" + } + }, + { + "exists": { + "field": "source.bytes" + } + }, + { + "exists": { + "field": "destination" + } } + ] } - }, - "jobs": [ - { - "id": "ded_high_sent_bytes_destination_geo_country_iso_code", - "config": { - "groups": [ - "security", - "data_exfiltration" - ], - "description": "Detects data exfiltration to an unusual geo-location (by country iso code).", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High bytes sent to an unusual country iso code", - "function": "high_sum", - "field_name": "source.bytes", - "over_field_name": "destination.geo.country_iso_code", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "process.name", - "source.ip", - "destination.ip", - "destination.geo.continent_name", - "destination.geo.country_name", - "destination.geo.country_iso_code" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - 
"created_by": "ml-module-ded" - } - } - }, - { - "id": "ded_high_sent_bytes_destination_ip", - "config": { - "groups": [ - "security", - "data_exfiltration" - ], - "description": "Detects data exfiltration to an unusual geo-location (by IP address).", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High bytes sent to an unusual IP address", - "function": "high_sum", - "field_name": "source.bytes", - "over_field_name": "destination.ip", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "process.name", - "source.ip", - "destination.ip" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-ded" - } - } - }, - { - "id": "ded_high_sent_bytes_destination_port", - "config": { - "groups": [ - "security", - "data_exfiltration" - ], - "description": "Detects data exfiltration to an unusual destination port.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High bytes sent to an unusual destination port", - "function": "high_sum", - "field_name": "source.bytes", - "over_field_name": "destination.port", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "process.name", - "source.ip", - "destination.ip", - "destination.port" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-ded" - } - } - }, - { - "id": "ded_high_sent_bytes_destination_region_name", - "config": { - "groups": [ - "security", - "data_exfiltration" - ], - "description": "Detects data exfiltration to an unusual geo-location (by region name).", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High bytes sent to an unusual region", - "function": "high_sum", - "field_name": "source.bytes", - "over_field_name": 
"destination.geo.region_name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "process.name", - "source.ip", - "destination.ip", - "destination.geo.city_name", - "destination.geo.region_name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-ded" - } - } - }, - { - "id": "ded_high_bytes_written_to_external_device", - "config": { - "groups": [ - "security", - "data_exfiltration" - ], - "description": "Detects data exfiltration activity by identifying high bytes written to an external device.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "High bytes written to an external device", - "function": "high_sum", - "field_name": "file.size", - "partition_field_name": "host.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "file.name", - "file.path", - "file.Ext.device.bus_type", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-ded" - } - } - }, - { - "id": "ded_rare_process_writing_to_external_device", - "config": { - "groups": [ - "security", - "data_exfiltration" - ], - "description": "Detects data exfiltration activity by identifying a file write started by a rare process to an external device.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare process writing to an external device", - "function": "rare", - "by_field_name": "process.name", - "partition_field_name": "host.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "file.name", - "file.path", - "file.Ext.device.bus_type", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-ded" - } - } - }, - 
{ - "id": "ded_high_bytes_written_to_external_device_airdrop", - "config": { - "groups": [ - "security", - "data_exfiltration" - ], - "description": "Detects data exfiltration activity by identifying high bytes written to an external device via Airdrop.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "High bytes written to an external device using Airdrop", - "function": "high_sum", - "field_name": "file.size", - "partition_field_name": "host.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "file.name", - "file.path", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-ded" - } + } + ], + "must_not": { + "terms": { + "_tier": [ + "data_frozen", + "data_cold" + ] + } + } + } + }, + "jobs": [ + { + "id": "ded_high_sent_bytes_destination_geo_country_iso_code_euid", + "config": { + "groups": [ + "security", + "data_exfiltration" + ], + "description": "Detects data exfiltration to an unusual geo-location (by country iso code).", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High bytes sent to an unusual country iso code", + "function": "high_sum", + "field_name": "source.bytes", + "over_field_name": "destination.geo.country_iso_code", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "process.name", + "source.ip", + "destination.ip", + "destination.geo.continent_name", + "destination.geo.country_name", + "destination.geo.country_iso_code" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-ded" + } + } + }, + { + "id": "ded_high_sent_bytes_destination_ip_euid", + "config": { + "groups": [ + "security", + "data_exfiltration" + ], + "description": "Detects data exfiltration to an 
unusual geo-location (by IP address).", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High bytes sent to an unusual IP address", + "function": "high_sum", + "field_name": "source.bytes", + "over_field_name": "destination.ip", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "process.name", + "source.ip", + "destination.ip" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-ded" + } + } + }, + { + "id": "ded_high_sent_bytes_destination_port_euid", + "config": { + "groups": [ + "security", + "data_exfiltration" + ], + "description": "Detects data exfiltration to an unusual destination port.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High bytes sent to an unusual destination port", + "function": "high_sum", + "field_name": "source.bytes", + "over_field_name": "destination.port", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "process.name", + "source.ip", + "destination.ip", + "destination.port" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-ded" + } + } + }, + { + "id": "ded_high_sent_bytes_destination_region_name_euid", + "config": { + "groups": [ + "security", + "data_exfiltration" + ], + "description": "Detects data exfiltration to an unusual geo-location (by region name).", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High bytes sent to an unusual region", + "function": "high_sum", + "field_name": "source.bytes", + "over_field_name": "destination.geo.region_name", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "process.name", + "source.ip", + 
"destination.ip", + "destination.geo.city_name", + "destination.geo.region_name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-ded" + } + } + }, + { + "id": "ded_high_bytes_written_to_external_device_euid", + "config": { + "groups": [ + "security", + "data_exfiltration" + ], + "description": "Detects data exfiltration activity by identifying high bytes written to an external device.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "High bytes written to an external device", + "function": "high_sum", + "field_name": "file.size", + "partition_field_name": "host.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "file.name", + "file.path", + "file.Ext.device.bus_type", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-ded" + } + } + }, + { + "id": "ded_rare_process_writing_to_external_device_euid", + "config": { + "groups": [ + "security", + "data_exfiltration" + ], + "description": "Detects data exfiltration activity by identifying a file write started by a rare process to an external device.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare process writing to an external device", + "function": "rare", + "by_field_name": "process.name", + "partition_field_name": "host.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "file.name", + "file.path", + "file.Ext.device.bus_type", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-ded" + } + } + }, + { + "id": 
"ded_high_bytes_written_to_external_device_airdrop_euid", + "config": { + "groups": [ + "security", + "data_exfiltration" + ], + "description": "Detects data exfiltration activity by identifying high bytes written to an external device via Airdrop.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "High bytes written to an external device using Airdrop", + "function": "high_sum", + "field_name": "file.size", + "partition_field_name": "host.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "file.name", + "file.path", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-ded" + } + } + } + ], + "datafeeds": [ + { + "id": "datafeed-ded_high_sent_bytes_destination_geo_country_iso_code_euid", + "job_id": "ded_high_sent_bytes_destination_geo_country_iso_code_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ded_high_sent_bytes_destination_geo_country_iso_code_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "event.category": "network" + } + }, + { + "exists": { + "field": "source.bytes" + } + }, + { + "exists": { + "field": "destination.port" + } } + ] } - ], - "datafeeds": [ - { - "id": "datafeed-ded_high_sent_bytes_destination_geo_country_iso_code", - "job_id": "ded_high_sent_bytes_destination_geo_country_iso_code", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "ded_high_sent_bytes_destination_geo_country_iso_code", - "query": { - "bool": { - "filter": [ - { - "term": { - "event.category": "network" - } - }, - { - "exists": { - "field": "source.bytes" - } - }, - { - "exists": { - "field": "destination.port" - } - } - ] - } - } + } + } + }, + { + "id": "datafeed-ded_high_sent_bytes_destination_ip_euid", + "job_id": "ded_high_sent_bytes_destination_ip_euid", + "config": { + 
"indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ded_high_sent_bytes_destination_ip_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "event.category": "network" + } + }, + { + "exists": { + "field": "source.bytes" + } + }, + { + "exists": { + "field": "destination.port" + } } - }, - { - "id": "datafeed-ded_high_sent_bytes_destination_ip", - "job_id": "ded_high_sent_bytes_destination_ip", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "ded_high_sent_bytes_destination_ip", - "query": { - "bool": { - "filter": [ - { - "term": { - "event.category": "network" - } - }, - { - "exists": { - "field": "source.bytes" - } - }, - { - "exists": { - "field": "destination.port" - } - } - ] - } - } + ] + } + } + } + }, + { + "id": "datafeed-ded_high_sent_bytes_destination_port_euid", + "job_id": "ded_high_sent_bytes_destination_port_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ded_high_sent_bytes_destination_port_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "event.category": "network" + } + }, + { + "exists": { + "field": "source.bytes" + } + }, + { + "exists": { + "field": "destination.port" + } } - }, - { - "id": "datafeed-ded_high_sent_bytes_destination_port", - "job_id": "ded_high_sent_bytes_destination_port", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "ded_high_sent_bytes_destination_port", - "query": { - "bool": { - "filter": [ - { - "term": { - "event.category": "network" - } - }, - { - "exists": { - "field": "source.bytes" - } - }, - { - "exists": { - "field": "destination.port" - } - } - ] - } - } + ] + } + } + } + }, + { + "id": "datafeed-ded_high_sent_bytes_destination_region_name_euid", + "job_id": "ded_high_sent_bytes_destination_region_name_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ded_high_sent_bytes_destination_region_name_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "event.category": "network" + 
} + }, + { + "exists": { + "field": "source.bytes" + } + }, + { + "exists": { + "field": "destination.port" + } } - }, - { - "id": "datafeed-ded_high_sent_bytes_destination_region_name", - "job_id": "ded_high_sent_bytes_destination_region_name", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "ded_high_sent_bytes_destination_region_name", - "query": { - "bool": { - "filter": [ - { - "term": { - "event.category": "network" - } - }, - { - "exists": { - "field": "source.bytes" - } - }, - { - "exists": { - "field": "destination.port" - } - } - ] - } - } + ] + } + } + } + }, + { + "id": "datafeed-ded_high_bytes_written_to_external_device_euid", + "job_id": "ded_high_bytes_written_to_external_device_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ded_high_bytes_written_to_external_device_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "host.os.type": "windows" + } + }, + { + "exists": { + "field": "file.Ext.device.bus_type" + } + }, + { + "terms": { + "event.action": [ + "creation", + "overwrite", + "modification" + ] + } } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } }, - { - "id": "datafeed-ded_high_bytes_written_to_external_device", - "job_id": "ded_high_bytes_written_to_external_device", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "ded_high_bytes_written_to_external_device", - "query": { - "bool": { - "filter": [ - { - "term": { - "event.category": "file" - } - }, - { - "term": { - "host.os.type": "windows" - } - }, - { - "exists": { - "field": "file.Ext.device.bus_type" - } - }, - { - "terms": { - "event.action": [ - "creation", - "overwrite", - "modification" - ] - } - } - ] - } - } + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } + }, + { + "id": "datafeed-ded_rare_process_writing_to_external_device_euid", + "job_id": 
"ded_rare_process_writing_to_external_device_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ded_rare_process_writing_to_external_device_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "host.os.type": "windows" + } + }, + { + "exists": { + "field": "file.Ext.device.bus_type" + } + }, + { + "terms": { + "event.action": [ + "creation", + "overwrite", + "modification" + ] + } } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } }, - { - "id": "datafeed-ded_rare_process_writing_to_external_device", - "job_id": "ded_rare_process_writing_to_external_device", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "ded_rare_process_writing_to_external_device", - "query": { - "bool": { - "filter": [ - { - "term": { - "event.category": "file" - } - }, - { - "term": { - "host.os.type": "windows" - } - }, - { - "exists": { - "field": "file.Ext.device.bus_type" - } - }, - { - "terms": { - "event.action": [ - "creation", - "overwrite", - "modification" - ] - } - } - ] - } - } + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } + }, + { + "id": "datafeed-ded_high_bytes_written_to_external_device_airdrop_euid", + "job_id": "ded_high_bytes_written_to_external_device_airdrop_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ded_high_bytes_written_to_external_device_airdrop_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "process.name": "sharingd" + } + }, + { + "term": { + "host.os.type": "macos" + } + }, + { + "terms": { + "event.action": [ + "creation", + "overwrite", + "modification" + ] + } } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } }, - { - "id": "datafeed-ded_high_bytes_written_to_external_device_airdrop", - 
"job_id": "ded_high_bytes_written_to_external_device_airdrop", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "ded_high_bytes_written_to_external_device_airdrop", - "query": { - "bool": { - "filter": [ - { - "term": { - "event.category": "file" - } - }, - { - "term": { - "process.name": "sharingd" - } - }, - { - "term": { - "host.os.type": "macos" - } - }, - { - "terms": { - "event.action": [ - "creation", - "overwrite", - "modification" - ] - } - } - ] - } - } - } + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } } - ] - }, - "id": "ded-ml", - "migrationVersion": { - "search": "7.16.0" - }, - "references": [], - "type": "ml-module" -} + } + } + } + ] + }, + "id": "ded-ml", + "migrationVersion": { + "search": "7.16.0" + }, + "references": [], + "type": "ml-module" +} \ No newline at end of file diff --git a/packages/ded/manifest.yml b/packages/ded/manifest.yml index 2e83c8b7bae..eb740a5c3ff 100644 --- a/packages/ded/manifest.yml +++ b/packages/ded/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.0 name: ded title: "Data Exfiltration Detection" -version: 2.4.1 +version: 3.0.0 source: license: "Elastic-2.0" description: "ML package to detect data exfiltration in your network and file data." @@ -12,7 +12,7 @@ categories: - advanced_analytics_ueba conditions: kibana: - version: "^8.10.1 || ^9.0.0" + version: "^9.4.0" elastic: subscription: platinum capabilities: diff --git a/packages/dga/changelog.yml b/packages/dga/changelog.yml index 2d79a5cf85c..82fe8edd8a5 100644 --- a/packages/dga/changelog.yml +++ b/packages/dga/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "3.0.0" + changes: + - description: Introduce Entity Unique IDs (EUIDs) + type: enhancement + link: https://github.com/elastic/integrations/pull/99999 - version: "2.3.5" changes: - description: Update package docs with customization steps for ML jobs and transforms 
diff --git a/packages/dga/docs/README.md b/packages/dga/docs/README.md index e4570628b47..c055711ec9b 100644 --- a/packages/dga/docs/README.md +++ b/packages/dga/docs/README.md @@ -12,7 +12,7 @@ For more detailed information refer to the following blogs: ## Installation -1. **Upgrading**: If upgrading from a version below v2.0.0, see the section v2.0.0 and beyond. +1. **Upgrading**: If upgrading from a version below v3.0.0, see the section v3.0.0 and beyond. 1. **Add the Integration Package**: Install the package via **Management > Integrations > Add Domain Generation Algorithm Detection**. Configure the integration name and agent policy. Click Save and Continue. (Note that this integration does not rely on an agent, and can be assigned to a policy without an agent.) 1. **Install assets**: Install the assets by clicking **Settings > Install Domain Generation Algorithm Detection assets**. 1. **Configure the pipeline**: To configure the pipeline you can use one of the following steps: @@ -86,7 +86,7 @@ For more detailed information refer to the following blogs: | Job | Description | |---|---| -| dga_high_sum_probability | Detects potential DGA (domain generation algorithm) activity that is often used by malware command and control (C2) channels. Looks for a source IP address making DNS requests that have an aggregate high probability of being DGA activity.| +| dga_high_sum_probability_euid | Detects potential DGA (domain generation algorithm) activity that is often used by malware command and control (C2) channels. Looks for a source IP address making DNS requests that have an aggregate high probability of being DGA activity.| ## Customize ML jobs for Domain Generation Algorithm Detection 
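Review bot: the first hunk of the dga README replaces the pointer to "v2.0.0 and beyond" with "v3.0.0 and beyond", but the v2.0.0 section with its rule-deprecation steps still exists further down, so users upgrading from below v2.0.0 now get no pointer to it. Suggest keeping both, e.g. "If upgrading from a version below v3.0.0, see the section v3.0.0 and beyond; if upgrading from below v2.0.0, also see v2.0.0 and beyond." The same applies to the matching install step in the lmd README.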
@@ -105,6 +105,17 @@ To customize the datafeed query and other settings such as model memory limit, f ![Domain Generation Algorithm Detection jobs](../img/dga_ml_job_6.png) 1. Finally, assign a new Job ID, and click on **Create job**, and start the datafeed to apply the updated settings. +## v3.0.0 and beyond + +v3.0.0 of the package introduces Entity Unique IDs (EUIDs) for use with Entity Analytics. This version is available on Elastic Stack version 9.4 and later. + +- Previously installed versions of ML jobs and rules will continue to run, giving you time to transition to the new EUID-based assets. +- On installation of this version, new ML jobs and rules that utilize EUIDs will be available. +- We recommend installing the new ML jobs first and check they are properly installed, gathering data and generating anomalies before updating to the latest version of the detection rules provided in 9.4. + +The new EUID ML job IDs are: +- `dga_high_sum_probability_euid` + ## v2.0.0 and beyond v2.0.0 of the package introduces breaking changes, namely deprecating detection rules from the package. To continue receiving updates to DGA Detection, we recommend upgrading to v2.0.0 after doing the following: diff --git a/packages/dga/kibana/ml_module/dga-ml.json b/packages/dga/kibana/ml_module/dga-ml.json index d964bfa283c..328d190a608 100644 --- a/packages/dga/kibana/ml_module/dga-ml.json +++ b/packages/dga/kibana/ml_module/dga-ml.json 
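Review bot: in the added "v3.0.0 and beyond" section, "installing the new ML jobs first and check they are properly installed" should read "installing the new ML jobs first and checking that they are properly installed"; the same sentence is added to the lmd README. It would also help to state plainly that the module now ships only `dga_high_sum_probability_euid`, so `dga_high_sum_probability` keeps running only where it was already created and will not be offered again by the module.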
@@ -1,114 +1,121 @@ { - "attributes": { - "id": "dga-ml", - "title": "DGA", - "description": "Detect domain generation algorithm (DGA) activity in your network data.", - "type": "DGA", - "logo": { - "icon": "machineLearningApp" - }, - "query": { + "attributes": { + "id": "dga-ml", + "title": "DGA", + "description": "Detect domain generation algorithm (DGA) activity in your network data.", + "type": "DGA", + "logo": { + "icon": "machineLearningApp" + }, + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "ml_is_dga.malicious_probability" + } + } + ], + "must_not": { + "terms": { + "_tier": [ + "data_frozen", + "data_cold" + ] + } + } + } + }, + "jobs": [ + { + "id": "dga_high_sum_probability_euid", + "config": { + "groups": [ + "security", + "dga" + ], + "description": "Detects potential DGA (domain generation algorithm) activity that is often used by malware command and control (C2) channels. Looks for a source IP address making DNS requests that have an aggregate high probability of being DGA activity.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "detector_description": "high probability of DGA activity", + "detector_index": 0, + "field_name": "ml_is_dga.malicious_probability", + "function": "high_sum", + "over_field_name": "source.ip" + } + ], + "influencers": [ + "source.ip", + "host.entity.id_computed" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-dga" + } + } + } + ], + "datafeeds": [ + { + "id": "datafeed-dga_high_sum_probability_euid", + "job_id": "dga_high_sum_probability_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "dga_high_sum_probability_euid", + "query": { "bool": { - "filter": [ - { - "exists": { - "field": "ml_is_dga.malicious_probability" - } - } - ], - "must_not": { - "terms": { - "_tier": [ - "data_frozen", - "data_cold" - ] - } + "filter": [ + { + "exists": { + "field": 
"ml_is_dga.malicious_probability" + } } - } - }, - "jobs": [ - { - "id": "dga_high_sum_probability", - "config": { - "groups": [ - "security", - "dga" - ], - "description": "Detects potential DGA (domain generation algorithm) activity that is often used by malware command and control (C2) channels. Looks for a source IP address making DNS requests that have an aggregate high probability of being DGA activity.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "detector_description": "high probability of DGA activity", - "detector_index": 0, - "field_name": "ml_is_dga.malicious_probability", - "function": "high_sum", - "over_field_name": "source.ip" - } - ], - "influencers": [ - "source.ip", - "host.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-dga" - } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "elastic-endpoint.exe", + "elastic-endpoint", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } } + ] } - ], - "datafeeds": [ - { - "id": "datafeed-dga_high_sum_probability", - "job_id": "dga_high_sum_probability", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "dga_high_sum_probability", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "ml_is_dga.malicious_probability" - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "elastic-endpoint.exe", - "elastic-endpoint", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - } - } + }, + "script_fields": { + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } } - ] - }, - "id": "dga-ml", - "migrationVersion": { - "search": 
"7.16.0" - }, - "references": [], - "type": "ml-module" + } + } + } + ] + }, + "id": "dga-ml", + "migrationVersion": { + "search": "7.16.0" + }, + "references": [], + "type": "ml-module" } \ No newline at end of file diff --git a/packages/dga/manifest.yml b/packages/dga/manifest.yml index c7bd748790a..2825f46caff 100644 --- a/packages/dga/manifest.yml +++ b/packages/dga/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.4 name: dga title: "Domain Generation Algorithm Detection" -version: 2.3.5 +version: 3.0.0 source: license: "Elastic-2.0" description: "ML solution package to detect domain generation algorithm (DGA) activity in your network data." @@ -12,7 +12,7 @@ categories: - advanced_analytics_ueba conditions: kibana: - version: "^8.9.0 || ^9.0.0" + version: "^9.4.0" elastic: subscription: platinum screenshots: diff --git a/packages/lmd/changelog.yml b/packages/lmd/changelog.yml index 3f767ab9931..5da263aa902 100644 --- a/packages/lmd/changelog.yml +++ b/packages/lmd/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "3.0.0" + changes: + - description: Introduce Entity Unique IDs (EUIDs) + type: enhancement + link: https://github.com/elastic/integrations/pull/99999 - version: "2.6.1" changes: - description: Update package docs with customization steps for ML jobs and transforms diff --git a/packages/lmd/docs/README.md b/packages/lmd/docs/README.md index 5ba5d03ebb5..1ae8da40d45 100644 --- a/packages/lmd/docs/README.md +++ b/packages/lmd/docs/README.md 
@@ -12,14 +12,14 @@ For more detailed information refer to the following blogs: ## Installation -1. **Upgrading**: If upgrading from a version below v2.0.0, see the section v2.0.0 and beyond. +1. **Upgrading**: If upgrading from a version below v3.0.0, see the section v3.0.0 and beyond. 1. **Add the Integration Package**: Install the package via **Management > Integrations > Add Lateral Movement Detection**. Configure the integration name and agent policy. Click **Save and Continue**. (Note that this integration does not rely on an agent, and can be assigned to a policy without an agent.) -1. **Check the health of the transform**: The transform is scheduled to run every hour. This transform creates the index `ml-rdp-lmd`. To check the health of the transform go to **Management > Stack Management > Data > Transforms** under `logs-lmd.pivot_transform-default-`. -1. **Create data views for anomaly detection jobs**: The anomaly detection jobs under this package rely on two indices. One has file transfer events (`logs-*`), and the other index (`ml-rdp-lmd`) collects RDP session information from a transform. Before enabling the anomaly detection jobs, create a data view with both index patterns. +1. **Check the health of the transform**: The transform is scheduled to run every hour. This transform creates the index `ml-rdp-lmd_euid`. To check the health of the transform go to **Management > Stack Management > Data > Transforms** under `logs-lmd.pivot_transform_euid-default-`. +1. **Create data views for anomaly detection jobs**: The anomaly detection jobs under this package rely on two indices. One has file transfer events (`logs-*`), and the other index (`ml-rdp-lmd_euid`) collects RDP session information from a transform. Before enabling the anomaly detection jobs, create a data view with both index patterns. 1. Go to **Stack Management > Kibana > Data Views** and click **Create data view**. - 1. 
Enter the name of your respective index patterns in the **Index pattern** box, i.e., `logs-*, ml-rdp-lmd`, and copy the same in the **Name** field. + 1. Enter the name of your respective index patterns in the **Index pattern** box, i.e., `logs-*, ml-rdp-lmd_euid`, and copy the same in the **Name** field. 1. Select `@timestamp` under the **Timestamp** field and click on **Save data view to Kibana**. - 1. Use the new data view (`logs-*, ml-rdp-lmd`) to create anomaly detection jobs for this package. + 1. Use the new data view (`logs-*, ml-rdp-lmd_euid`) to create anomaly detection jobs for this package. 1. **Add preconfigured anomaly detection jobs**: In **Stack Management -> Anomaly Detection Jobs**, you will see **Select data view or saved search**. Select the data view created in the previous step. Then under `Use preconfigured jobs` you will see **Lateral Movement Detection**. When you select the card, you will see pre-configured anomaly detection jobs that you can create depending on what makes the most sense for your environment. **_Note_**: In the Machine Learning app, these configurations are available only when data exists that matches the query specified in the [lmd-ml file](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json#L10). For example, this would be available in `logs-endpoint.events.*` if you used Elastic Defend to collect events. 1. **Data view configuration for Dashboards**: For the dashboard to work as expected, the following settings need to be configured in Kibana. 1. You have started the above anomaly detection jobs. 
@@ -47,7 +47,7 @@ After the anomaly detectors and the data views for the dashboard are configured, To customize filters in the Lateral Movement Detection transform, follow the below steps. You can use these instructions to update basic settings or to update filters for fields such as `process.name`, `@timestamp`, and others. 1. To update settings such as retention policy, frequency, or destination configuration, stop the transform, click **Edit** from the **Actions** bar, make the required changes, and start the transform again. ![Lateral Movement Detection transform](../img/lmd_transform_update.png) -1. To update the query filters, go to **Stack Management > Data > Transforms > `logs-lmd.pivot_transform-default-`**. +1. To update the query filters, go to **Stack Management > Data > Transforms > `logs-lmd.pivot_transform_euid-default-`**. 1. Click on the **Actions** bar at the far right of the transform and select the **Clone** option. ![Lateral Movement Detection transform](../img/lmd_transform_1.png) 1. In the new **Clone transform** window, go to the **Search filter** and update any field values you want to add or remove. Click on the **Apply changes** button on the right side to save these changes. **Note:** The image below shows an example of filtering a new `process.name` as `explorer.exe`. You can follow a similar example and update the field value list based on your environment to help reduce noise and potential false positives. 
@@ -126,17 +126,17 @@ Detects potential lateral movement activity by identifying malicious file transf | Job | Description | Supported Platform | |-------------------------------------------------------|-------------------------------------------------------------------------------------------------| --------------------- | -| lmd_high_count_remote_file_transfer | Detects unusually high file transfers to a remote host in the network. | Linux, macOS, Windows | -| lmd_high_file_size_remote_file_transfer | Detects unusually high size of files shared with a remote host in the network. | Linux, macOS, Windows | -| lmd_rare_file_extension_remote_transfer | Detects rare file extensions shared with a remote host in the network. | macOS, Windows | -| lmd_rare_file_path_remote_transfer | Detects unusual folders and directories on which a file is transferred (by a host). | macOS, Windows | -| lmd_high_mean_rdp_session_duration | Detects unusually high mean of RDP session duration. | Windows | -| lmd_high_var_rdp_session_duration | Detects unusually high variance in RDP session duration. | Windows | -| lmd_high_sum_rdp_number_of_processes | Detects unusually high number of processes started in a single RDP session. | Windows | -| lmd_unusual_time_weekday_rdp_session_start | Detects an RDP session started at an usual time or weekday. | Windows | -| lmd_high_rdp_distinct_count_source_ip_for_destination | Detects a high count of source IPs making an RDP connection with a single destination IP. | Windows | -| lmd_high_rdp_distinct_count_destination_ip_for_source | Detects a high count of destination IPs establishing an RDP connection with a single source IP. | Windows | -| lmd_high_mean_rdp_process_args | Detects unusually high number of process arguments in an RDP session. | Windows | +| lmd_high_count_remote_file_transfer_euid | Detects unusually high file transfers to a remote host in the network. 
| Linux, macOS, Windows | +| lmd_high_file_size_remote_file_transfer_euid | Detects unusually high size of files shared with a remote host in the network. | Linux, macOS, Windows | +| lmd_rare_file_extension_remote_transfer_euid | Detects rare file extensions shared with a remote host in the network. | macOS, Windows | +| lmd_rare_file_path_remote_transfer_euid | Detects unusual folders and directories on which a file is transferred (by a host). | macOS, Windows | +| lmd_high_mean_rdp_session_duration_euid | Detects unusually high mean of RDP session duration. | Windows | +| lmd_high_var_rdp_session_duration_euid | Detects unusually high variance in RDP session duration. | Windows | +| lmd_high_sum_rdp_number_of_processes_euid | Detects unusually high number of processes started in a single RDP session. | Windows | +| lmd_unusual_time_weekday_rdp_session_start_euid | Detects an RDP session started at an usual time or weekday. | Windows | +| lmd_high_rdp_distinct_count_source_ip_for_destination_euid | Detects a high count of source IPs making an RDP connection with a single destination IP. | Windows | +| lmd_high_rdp_distinct_count_destination_ip_for_source_euid | Detects a high count of destination IPs establishing an RDP connection with a single source IP. | Windows | +| lmd_high_mean_rdp_process_args_euid | Detects unusually high number of process arguments in an RDP session. | Windows | ## Customize ML jobs for Lateral Movement Detection 
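Review bot: the rewritten table row for `lmd_unusual_time_weekday_rdp_session_start_euid` keeps the pre-existing typo "started at an usual time or weekday"; since the line is being replaced anyway, change it to "started at an unusual time or weekday", which is what the job name says.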
@@ -155,6 +155,31 @@ To customize the datafeed query and other settings such as model memory limit, f ![Lateral Movement Detection jobs](../img/lmd_ml_job_6.png) 1. Finally, assign a new Job ID, and click on **Create job**, and start the datafeed to apply the updated settings. +## v3.0.0 and beyond + +v3.0.0 of the package introduces Entity Unique IDs (EUIDs) for use with Entity Analytics. This version is available on Elastic Stack version 9.4 and later. + +- Previously installed versions of ML jobs, transforms, and rules will continue to run, giving you time to transition to the new EUID-based assets. +- On installation of this version, new ML jobs, transforms, and rules that utilize EUIDs will be available. +- We recommend installing the new ML jobs and transforms first and check they are properly installed, gathering data and generating anomalies before updating to the latest version of the detection rules provided in 9.4. +- The new EUID transforms write to separate destination indices postfixed with `_euid`. Create a new data view for the EUID anomaly detection jobs using the new EUID destination indices/aliases listed below. Do not mix old and new transform destination indices in the same data view. 
+ +The new EUID ML job IDs are: +- `lmd_high_count_remote_file_transfer_euid` +- `lmd_high_file_size_remote_file_transfer_euid` +- `lmd_rare_file_extension_remote_transfer_euid` +- `lmd_rare_file_path_remote_transfer_euid` +- `lmd_high_mean_rdp_session_duration_euid` +- `lmd_high_var_rdp_session_duration_euid` +- `lmd_high_sum_rdp_number_of_processes_euid` +- `lmd_unusual_time_weekday_rdp_session_start_euid` +- `lmd_high_rdp_distinct_count_source_ip_for_destination_euid` +- `lmd_high_rdp_distinct_count_destination_ip_for_source_euid` +- `lmd_high_mean_rdp_process_args_euid` + +The new EUID transforms are: +- `lmd.pivot_transform_euid` → destination index: `ml-rdp-lmd_euid` + ## v2.0.0 and beyond v2.0.0 of the package introduces breaking changes, namely deprecating detection rules from the package. To continue receiving updates to Lateral Movement Detection, we recommend upgrading to v2.0.0 after doing the following: diff --git a/packages/lmd/elasticsearch/transform/pivot_transform/fields/fields.yml b/packages/lmd/elasticsearch/transform/pivot_transform_euid/fields/fields.yml similarity index 78% rename from packages/lmd/elasticsearch/transform/pivot_transform/fields/fields.yml rename to packages/lmd/elasticsearch/transform/pivot_transform_euid/fields/fields.yml index b9902f5cfe8..f24fc37d7a5 100644 --- a/packages/lmd/elasticsearch/transform/pivot_transform/fields/fields.yml +++ b/packages/lmd/elasticsearch/transform/pivot_transform_euid/fields/fields.yml @@ -1,7 +1,7 @@ -- external: ecs - name: host.name -- external: ecs - name: user.name +- name: user.entity.id_computed + type: keyword +- name: host.entity.id_computed + type: keyword - name: process.Ext.authentication_id type: keyword - external: ecs 
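Review bot: the fields.yml hunk drops `host.name` and `user.name` from the transform's field definitions, and the accompanying transform.yml change replaces them in `group_by` with `host.entity.id_computed` and `user.entity.id_computed`, so documents in `ml-rdp-lmd_euid` will no longer carry the human-readable host and user. Confirm that the lmd dashboard panels and any rules that read those fields from the RDP index still resolve, or keep `host.name` and `user.name` as additional `terms` entries in `group_by` alongside the EUIDs.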
diff --git a/packages/lmd/elasticsearch/transform/pivot_transform/transform.yml b/packages/lmd/elasticsearch/transform/pivot_transform_euid/transform.yml similarity index 91% rename from packages/lmd/elasticsearch/transform/pivot_transform/transform.yml rename to packages/lmd/elasticsearch/transform/pivot_transform_euid/transform.yml index 4ac6268cc9e..fd22cc5e1bd 100644 --- a/packages/lmd/elasticsearch/transform/pivot_transform/transform.yml +++ b/packages/lmd/elasticsearch/transform/pivot_transform_euid/transform.yml @@ -29,7 +29,7 @@ source: script: source: "if (doc['host.ip'].size() != 0){emit(doc['host.ip'][0]);}" dest: - index: "ml-rdp-lmd" + index: "ml-rdp-lmd_euid" description: This transform runs hourly and collects windows RDP session information for Lateral Movement Detection package. frequency: 1h pivot: @@ -53,15 +53,17 @@ pivot: complete_time: session.complete_time.value script: Math.round((params.complete_time - params.start_time)/1000) group_by: - 'host.name': + 'host.entity.id_computed': terms: - field: host.name + script: + id: euid_host_entity 'destination.ip': terms: field: destination.ip - 'user.name': + 'user.entity.id_computed': terms: - field: user.name + script: + id: euid_user_entity 'source.ip': terms: field: process.Ext.session_info.client_address @@ -77,5 +79,5 @@ sync: delay: 60s field: '@timestamp' _meta: - fleet_transform_version: 2.6.0 + fleet_transform_version: 3.0.0 run_as_kibana_system: false diff --git a/packages/lmd/kibana/dashboard/lmd-17fea180-8c4c-11ed-bb03-41a73f349362.json b/packages/lmd/kibana/dashboard/lmd-17fea180-8c4c-11ed-bb03-41a73f349362.json index 8c05acfdad0..d5591c6c2fc 100644 --- a/packages/lmd/kibana/dashboard/lmd-17fea180-8c4c-11ed-bb03-41a73f349362.json +++ b/packages/lmd/kibana/dashboard/lmd-17fea180-8c4c-11ed-bb03-41a73f349362.json 
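Review bot: renaming the directory from `pivot_transform` to `pivot_transform_euid` means the old transform asset is no longer part of the package; please confirm that upgrading to 3.0.0 really leaves `logs-lmd.pivot_transform-default-` running, as the README's "Previously installed versions of ML jobs, transforms, and rules will continue to run" promises. If the upgrade removes it, either keep the old directory next to the new one for the transition period or say in the README that the old transform is removed and `ml-rdp-lmd` stops being updated.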
@@ -3,7 +3,7 @@ "description": "This dashboard provides an overview of anomalies found for Lateral Movement Detection package.", "hits": 0, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"(job_id:\\\"high-count-remote-file-transfer\\\" or job_id:\\\"high-file-size-remote-file-transfer\\\" or job_id:\\\"rare-file-extension-remote-transfer\\\" or job_id :\\\"rare-file-path-remote-transfer\\\" or job_id :\\\"high-mean-rdp-session-duration\\\" or job_id :\\\"high-var-rdp-session-duration\\\" or job_id :\\\"high-sum-rdp-number-of-processes\\\" or job_id :\\\"high-rdp-distinct-count-source-ip-for-destination\\\" or job_id :\\\"high-rdp-distinct-count-destination-ip-for-source\\\" or job_id :\\\"unusual-time-weekday-rdp-session-start\\\" or job_id :\\\"high-mean-rdp-process-args\\\") \",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"result_type\",\"field\":\"result_type\",\"type\":\"phrase\",\"params\":{\"query\":\"record\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"result_type\":\"record\"}},\"$state\":{\"store\":\"appState\"}}]}" + "searchSourceJSON": "{\"query\":{\"query\":\"(job_id:\\\"lmd_high_count_remote_file_transfer_euid\\\" or job_id:\\\"lmd_high_file_size_remote_file_transfer_euid\\\" or job_id:\\\"lmd_rare_file_extension_remote_transfer_euid\\\" or job_id :\\\"lmd_rare_file_path_remote_transfer_euid\\\" or job_id :\\\"lmd_high_mean_rdp_session_duration_euid\\\" or job_id :\\\"lmd_high_var_rdp_session_duration_euid\\\" or job_id :\\\"lmd_high_sum_rdp_number_of_processes_euid\\\" or job_id :\\\"lmd_high_rdp_distinct_count_source_ip_for_destination_euid\\\" or job_id :\\\"lmd_high_rdp_distinct_count_destination_ip_for_source_euid\\\" or job_id :\\\"lmd_unusual_time_weekday_rdp_session_start_euid\\\" or job_id :\\\"lmd_high_mean_rdp_process_args_euid\\\") 
\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"result_type\",\"field\":\"result_type\",\"type\":\"phrase\",\"params\":{\"query\":\"record\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"result_type\":\"record\"}},\"$state\":{\"store\":\"appState\"}}]}" }, "optionsJSON": { "hidePanelTitles": false, diff --git a/packages/lmd/kibana/ml_module/lmd-ml.json b/packages/lmd/kibana/ml_module/lmd-ml.json index 5cd9f2b19b0..f91e04730ba 100644 --- a/packages/lmd/kibana/ml_module/lmd-ml.json +++ b/packages/lmd/kibana/ml_module/lmd-ml.json 
@@ -1,914 +1,962 @@ { - "attributes": { - "id": "lmd-ml", - "title": "Lateral Movement Detection", - "description": "Detects lateral movement activity by identifying malicious file transfers and suspicious RDP sessions in an environment.", - "type": "lmd", - "logo": { - "icon": "machineLearningApp" - }, - "query": { + "attributes": { + "id": "lmd-ml", + "title": "Lateral Movement Detection", + "description": "Detects lateral movement activity by identifying malicious file transfers and suspicious RDP sessions in an environment.", + "type": "lmd", + "logo": { + "icon": "machineLearningApp" + }, + "query": { + "bool": { + "should": [ + { + "term": { + "event.category": "file" + } + }, + { "bool": { - "should": [ - { - "term": { - "event.category": "file" - } - }, - { - "bool": { - "filter": [ - { - "exists": { - "field": "session.start_time" - } - } - ] - } - } - ], - "must_not": { - "terms": { - "_tier": [ - "data_frozen", - "data_cold" - ] - } + "filter": [ + { + "exists": { + "field": "session.start_time" + } } + ] } - }, - "jobs": [ - { - "id": "lmd_high_count_remote_file_transfer", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects unusually high file transfers to a remote host in the network.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "high_count by \"event.action\" partitionfield=\"host.name\"", - "function": "high_count", - "by_field_name": "event.action", - "partition_field_name": "host.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - }, - { - "id": "lmd_high_file_size_remote_file_transfer", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects unusually high size of files shared with a remote host in the 
network.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "high_sum(\"file.size\") partitionfield=\"host.name\"", - "function": "high_sum", - "field_name": "file.size", - "partition_field_name": "host.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - }, - { - "id": "lmd_rare_file_extension_remote_transfer", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects rare file extensions shared with a remote host in the network.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "detector_description": "rare by \"file.extension\" partitionfield=\"host.name\"", - "function": "rare", - "by_field_name": "file.extension", - "partition_field_name": "host.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "file.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - }, - { - "id": "lmd_rare_file_path_remote_transfer", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects unusual folders and directories on which a file is transferred.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "detector_description": "rare by file_directory partitionfield=\"host.name\"", - "function": "rare", - "by_field_name": "file_directory", - "partition_field_name": "host.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "file.path" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - }, - { - "id": 
"lmd_high_mean_rdp_session_duration", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects unusually high mean of RDP session duration.", - "analysis_config": { - "bucket_span": "6h", - "detectors": [ - { - "detector_description": "high_mean(session.duration) partitionfield=\"source.ip\"", - "function": "high_mean", - "field_name": "session.duration", - "partition_field_name": "source.ip", - "detector_index": 0 - }, - { - "detector_description": "high_mean(session.duration) partitionfield=\"destination.ip\"", - "function": "high_mean", - "field_name": "session.duration", - "partition_field_name": "destination.ip", - "detector_index": 1 - } - ], - "influencers": [ - "host.name", - "user.name", - "source.ip", - "destination.ip" - ] - }, - "data_description": { - "time_field": "session.start_time", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - }, - { - "id": "lmd_high_var_rdp_session_duration", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects unusually high variance in RDP session duration.", - "analysis_config": { - "bucket_span": "6h", - "detectors": [ - { - "detector_description": "high_varp(session.duration) partitionfield=\"source.ip\"", - "function": "high_varp", - "field_name": "session.duration", - "partition_field_name": "source.ip", - "detector_index": 0 - }, - { - "detector_description": "high_varp(session.duration) partitionfield=\"destination.ip\"", - "function": "high_varp", - "field_name": "session.duration", - "partition_field_name": "destination.ip", - "detector_index": 1 - } - ], - "influencers": [ - "host.name", - "user.name", - "source.ip", - "destination.ip" - ] - }, - "data_description": { - "time_field": "session.start_time", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } + } + ], + "must_not": { + "terms": { + "_tier": [ + "data_frozen", + "data_cold" + ] + } + } + 
} + }, + "jobs": [ + { + "id": "lmd_high_count_remote_file_transfer_euid", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects unusually high file transfers to a remote host in the network.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "high_count by \"event.action\" partitionfield=\"host.name\"", + "function": "high_count", + "by_field_name": "event.action", + "partition_field_name": "host.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": "lmd_high_file_size_remote_file_transfer_euid", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects unusually high size of files shared with a remote host in the network.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "high_sum(\"file.size\") partitionfield=\"host.name\"", + "function": "high_sum", + "field_name": "file.size", + "partition_field_name": "host.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": "lmd_rare_file_extension_remote_transfer_euid", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects rare file extensions shared with a remote host in the network.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "detector_description": "rare by \"file.extension\" partitionfield=\"host.name\"", + "function": "rare", + "by_field_name": "file.extension", + "partition_field_name": 
"host.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "file.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": "lmd_rare_file_path_remote_transfer_euid", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects unusual folders and directories on which a file is transferred.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "detector_description": "rare by file_directory partitionfield=\"host.name\"", + "function": "rare", + "by_field_name": "file_directory", + "partition_field_name": "host.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "file.path" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": "lmd_high_mean_rdp_session_duration_euid", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects unusually high mean of RDP session duration.", + "analysis_config": { + "bucket_span": "6h", + "detectors": [ + { + "detector_description": "high_mean(session.duration) partitionfield=\"source.ip\"", + "function": "high_mean", + "field_name": "session.duration", + "partition_field_name": "source.ip", + "detector_index": 0 + }, + { + "detector_description": "high_mean(session.duration) partitionfield=\"destination.ip\"", + "function": "high_mean", + "field_name": "session.duration", + "partition_field_name": "destination.ip", + "detector_index": 1 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "source.ip", + "destination.ip" + ] + }, + "data_description": { + "time_field": "session.start_time", + "time_format": "epoch_ms" + }, + "custom_settings": { + 
"created_by": "ml-module-lmd" + } + } + }, + { + "id": "lmd_high_var_rdp_session_duration_euid", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects unusually high variance in RDP session duration.", + "analysis_config": { + "bucket_span": "6h", + "detectors": [ + { + "detector_description": "high_varp(session.duration) partitionfield=\"source.ip\"", + "function": "high_varp", + "field_name": "session.duration", + "partition_field_name": "source.ip", + "detector_index": 0 + }, + { + "detector_description": "high_varp(session.duration) partitionfield=\"destination.ip\"", + "function": "high_varp", + "field_name": "session.duration", + "partition_field_name": "destination.ip", + "detector_index": 1 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "source.ip", + "destination.ip" + ] + }, + "data_description": { + "time_field": "session.start_time", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": "lmd_high_sum_rdp_number_of_processes_euid", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects unusually high number of processes started in a single RDP session.", + "analysis_config": { + "bucket_span": "6h", + "detectors": [ + { + "detector_description": "high_sum(number_processes_per_session) partitionfield=\"source.ip\"", + "function": "high_sum", + "field_name": "number_processes_per_session", + "partition_field_name": "source.ip", + "detector_index": 0 + }, + { + "detector_description": "high_sum(number_processes_per_session) partitionfield=\"destination.ip\"", + "function": "high_sum", + "field_name": "number_processes_per_session", + "partition_field_name": "destination.ip", + "detector_index": 1 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "source.ip", + "destination.ip" + ] + }, + "data_description": { + "time_field": 
"session.start_time", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": "lmd_unusual_time_weekday_rdp_session_start_euid", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects an RDP session started at an usual time or weekday.", + "analysis_config": { + "bucket_span": "6h", + "detectors": [ + { + "detector_description": "time_of_week partitionfield=\"source.ip\"", + "function": "time_of_week", + "partition_field_name": "source.ip", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "destination.ip", + "source.ip" + ] + }, + "data_description": { + "time_field": "session.start_time", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": "lmd_high_rdp_distinct_count_source_ip_for_destination_euid", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects a high count of source IPs making an RDP connection with a single destination IP.", + "analysis_config": { + "bucket_span": "6h", + "detectors": [ + { + "detector_description": "high_distinct_count(\"source.ip\") partitionfield=\"destination.ip\"", + "function": "high_distinct_count", + "field_name": "source.ip", + "partition_field_name": "destination.ip", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "destination.ip" + ] + }, + "data_description": { + "time_field": "session.start_time", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": "lmd_high_rdp_distinct_count_destination_ip_for_source_euid", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects a high count of destination IPs establishing an RDP connection with a single source IP.", + "analysis_config": { + "bucket_span": "6h", + "detectors": 
[ + { + "detector_description": "high_distinct_count(\"destination.ip\") partitionfield=\"source.ip\"", + "function": "high_distinct_count", + "field_name": "destination.ip", + "partition_field_name": "source.ip", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "source.ip" + ] + }, + "data_description": { + "time_field": "session.start_time", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": "lmd_high_mean_rdp_process_args_euid", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects unusually high number of process arguments in an RDP session.", + "analysis_config": { + "bucket_span": "6h", + "detectors": [ + { + "detector_description": "high_mean(total_length_process_args) partitionfield=\"source.ip\"", + "function": "high_mean", + "field_name": "total_length_process_args", + "partition_field_name": "source.ip", + "detector_index": 0 + }, + { + "detector_description": "high_mean(total_length_process_args) partitionfield=\"destination.ip\"", + "function": "high_mean", + "field_name": "total_length_process_args", + "partition_field_name": "destination.ip", + "detector_index": 1 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "source.ip", + "destination.ip" + ] + }, + "data_description": { + "time_field": "session.start_time", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + } + ], + "datafeeds": [ + { + "id": "datafeed-lmd_high_count_remote_file_transfer_euid", + "job_id": "lmd_high_count_remote_file_transfer_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_count_remote_file_transfer_euid", + "query": { + "bool": { + "must_not": [ + { + "terms": { + "user.name": [ + "SYSTEM", + "root" + ] + } } - }, - { - "id": "lmd_high_sum_rdp_number_of_processes", - "config": { - "groups": [ - 
"security", - "lateral_movement" - ], - "description": "Detects unusually high number of processes started in a single RDP session.", - "analysis_config": { - "bucket_span": "6h", - "detectors": [ - { - "detector_description": "high_sum(number_processes_per_session) partitionfield=\"source.ip\"", - "function": "high_sum", - "field_name": "number_processes_per_session", - "partition_field_name": "source.ip", - "detector_index": 0 - }, - { - "detector_description": "high_sum(number_processes_per_session) partitionfield=\"destination.ip\"", - "function": "high_sum", - "field_name": "number_processes_per_session", - "partition_field_name": "destination.ip", - "detector_index": 1 - } - ], - "influencers": [ - "host.name", - "user.name", - "source.ip", - "destination.ip" - ] - }, - "data_description": { - "time_field": "session.start_time", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } + ], + "filter": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "event.action": "creation" + } + }, + { + "terms": { + "process.name": [ + "System", + "scp", + "sshd", + "smbd", + "vsftpd", + "sftp-server" + ] + } + }, + { + "exists": { + "field": "process.name" + } + }, + { + "exists": { + "field": "file.name" + } } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } }, - { - "id": "lmd_unusual_time_weekday_rdp_session_start", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects an RDP session started at an usual time or weekday.", - "analysis_config": { - "bucket_span": "6h", - "detectors": [ - { - "detector_description": "time_of_week partitionfield=\"source.ip\"", - "function": "time_of_week", - "partition_field_name": "source.ip", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "destination.ip", - "source.ip" - ] - }, - "data_description": { - "time_field": "session.start_time", - 
"time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } + }, + { + "id": "datafeed-lmd_high_file_size_remote_file_transfer_euid", + "job_id": "lmd_high_file_size_remote_file_transfer_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_file_size_remote_file_transfer_euid", + "query": { + "bool": { + "must_not": [ + { + "terms": { + "user.name": [ + "SYSTEM", + "root" + ] + } } - }, - { - "id": "lmd_high_rdp_distinct_count_source_ip_for_destination", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects a high count of source IPs making an RDP connection with a single destination IP.", - "analysis_config": { - "bucket_span": "6h", - "detectors": [ - { - "detector_description": "high_distinct_count(\"source.ip\") partitionfield=\"destination.ip\"", - "function": "high_distinct_count", - "field_name": "source.ip", - "partition_field_name": "destination.ip", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "destination.ip" - ] - }, - "data_description": { - "time_field": "session.start_time", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } + ], + "filter": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "event.action": "creation" + } + }, + { + "terms": { + "process.name": [ + "System", + "scp", + "sshd", + "smbd", + "vsftpd", + "sftp-server" + ] + } + }, + { + "exists": { + "field": "process.name" + } + }, + { + "exists": { + "field": "file.name" + } } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } }, - { - "id": "lmd_high_rdp_distinct_count_destination_ip_for_source", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects a high count of destination IPs establishing an RDP 
connection with a single source IP.", - "analysis_config": { - "bucket_span": "6h", - "detectors": [ - { - "detector_description": "high_distinct_count(\"destination.ip\") partitionfield=\"source.ip\"", - "function": "high_distinct_count", - "field_name": "destination.ip", - "partition_field_name": "source.ip", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "source.ip" - ] - }, - "data_description": { - "time_field": "session.start_time", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } + }, + { + "id": "datafeed-lmd_rare_file_extension_remote_transfer_euid", + "job_id": "lmd_rare_file_extension_remote_transfer_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_rare_file_extension_remote_transfer_euid", + "query": { + "bool": { + "must_not": [ + { + "terms": { + "user.name": [ + "SYSTEM", + "root" + ] + } } - }, - { - "id": "lmd_high_mean_rdp_process_args", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects unusually high number of process arguments in an RDP session.", - "analysis_config": { - "bucket_span": "6h", - "detectors": [ - { - "detector_description": "high_mean(total_length_process_args) partitionfield=\"source.ip\"", - "function": "high_mean", - "field_name": "total_length_process_args", - "partition_field_name": "source.ip", - "detector_index": 0 - }, - { - "detector_description": "high_mean(total_length_process_args) partitionfield=\"destination.ip\"", - "function": "high_mean", - "field_name": "total_length_process_args", - "partition_field_name": "destination.ip", - "detector_index": 1 - } - ], - "influencers": [ - "host.name", - "user.name", - "source.ip", - "destination.ip" - ] - }, - "data_description": { - "time_field": "session.start_time", - "time_format": "epoch_ms" - }, - "custom_settings": { - 
"created_by": "ml-module-lmd" - } + ], + "filter": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "event.action": "creation" + } + }, + { + "terms": { + "process.name": [ + "System", + "scp", + "sshd", + "smbd", + "vsftpd", + "sftp-server" + ] + } + }, + { + "exists": { + "field": "process.name" + } + }, + { + "exists": { + "field": "file.name" + } } + ] } - ], - "datafeeds": [ - { - "id": "datafeed-lmd_high_count_remote_file_transfer", - "job_id": "lmd_high_count_remote_file_transfer", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_high_count_remote_file_transfer", - "query": { - "bool": { - "must_not": [ - { - "terms": { - "user.name": [ - "SYSTEM", - "root" - ] - } - } - ], - "filter": [ - { - "term": { - "event.category": "file" - } - }, - { - "term": { - "event.action": "creation" - } - }, - { - "terms": { - "process.name": [ - "System", - "scp", - "sshd", - "smbd", - "vsftpd", - "sftp-server" - ] - } - }, - { - "exists": { - "field": "process.name" - } - }, - { - "exists": { - "field": "file.name" - } - } - ] - } - } - } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } }, - { - "id": "datafeed-lmd_high_file_size_remote_file_transfer", - "job_id": "lmd_high_file_size_remote_file_transfer", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_high_file_size_remote_file_transfer", - "query": { - "bool": { - "must_not": [ - { - "terms": { - "user.name": [ - "SYSTEM", - "root" - ] - } - } - ], - "filter": [ - { - "term": { - "event.category": "file" - } - }, - { - "term": { - "event.action": "creation" - } - }, - { - "terms": { - "process.name": [ - "System", - "scp", - "sshd", - "smbd", - "vsftpd", - "sftp-server" - ] - } - }, - { - "exists": { - "field": "process.name" - } - }, - { - "exists": { - "field": "file.name" - } - } - ] - } - } + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } + }, + { + 
"id": "datafeed-lmd_high_mean_rdp_session_duration_euid", + "job_id": "lmd_high_mean_rdp_session_duration_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_mean_rdp_session_duration_euid", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + }, + { + "exists": { + "field": "session.start_time" + } } - }, - { - "id": "datafeed-lmd_rare_file_extension_remote_transfer", - "job_id": "lmd_rare_file_extension_remote_transfer", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_rare_file_extension_remote_transfer", - "query": { - "bool": { - "must_not": [ - { - "terms": { - "user.name": [ - "SYSTEM", - "root" - ] - } - } - ], - "filter": [ - { - "term": { - "event.category": "file" - } - }, - { - "term": { - "event.action": "creation" - } - }, - { - "terms": { - "process.name": [ - "System", - "scp", - "sshd", - "smbd", - "vsftpd", - "sftp-server" - ] - } - }, - { - "exists": { - "field": "process.name" - } - }, - { - "exists": { - "field": "file.name" - } - } - ] - } - } + ] + } + } + } + }, + { + "id": "datafeed-lmd_high_var_rdp_session_duration_euid", + "job_id": "lmd_high_var_rdp_session_duration_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_var_rdp_session_duration_euid", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + }, + { + "exists": { + "field": "session.start_time" + } } - }, - { - "id": "datafeed-lmd_high_mean_rdp_session_duration", - "job_id": "lmd_high_mean_rdp_session_duration", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_high_mean_rdp_session_duration", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "destination.ip" - } - }, - { - "exists": { - "field": "session.start_time" - } - } 
- ] - } - } + ] + } + } + } + }, + { + "id": "datafeed-lmd_high_sum_rdp_number_of_processes_euid", + "job_id": "lmd_high_sum_rdp_number_of_processes_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_sum_rdp_number_of_processes_euid", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + }, + { + "exists": { + "field": "session.start_time" + } } - }, - { - "id": "datafeed-lmd_high_var_rdp_session_duration", - "job_id": "lmd_high_var_rdp_session_duration", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_high_var_rdp_session_duration", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "destination.ip" - } - }, - { - "exists": { - "field": "session.start_time" - } - } - ] - } - } + ] + } + } + } + }, + { + "id": "datafeed-lmd_unusual_time_weekday_rdp_session_start_euid", + "job_id": "lmd_unusual_time_weekday_rdp_session_start_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_unusual_time_weekday_rdp_session_start_euid", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + }, + { + "exists": { + "field": "session.start_time" + } } - }, - { - "id": "datafeed-lmd_high_sum_rdp_number_of_processes", - "job_id": "lmd_high_sum_rdp_number_of_processes", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_high_sum_rdp_number_of_processes", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "destination.ip" - } - }, - { - "exists": { - "field": "session.start_time" - } - } - ] - } - } + ] + } + } + } + }, + { + "id": "datafeed-lmd_high_rdp_distinct_count_source_ip_for_destination_euid", + "job_id": "lmd_high_rdp_distinct_count_source_ip_for_destination_euid", + 
"config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_rdp_distinct_count_source_ip_for_destination_euid", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + }, + { + "exists": { + "field": "session.start_time" + } } - }, - { - "id": "datafeed-lmd_unusual_time_weekday_rdp_session_start", - "job_id": "lmd_unusual_time_weekday_rdp_session_start", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_unusual_time_weekday_rdp_session_start", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "destination.ip" - } - }, - { - "exists": { - "field": "session.start_time" - } - } - ] - } - } + ] + } + } + } + }, + { + "id": "datafeed-lmd_high_rdp_distinct_count_destination_ip_for_source_euid", + "job_id": "lmd_high_rdp_distinct_count_destination_ip_for_source_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_rdp_distinct_count_destination_ip_for_source_euid", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + }, + { + "exists": { + "field": "session.start_time" + } } - }, - { - "id": "datafeed-lmd_high_rdp_distinct_count_source_ip_for_destination", - "job_id": "lmd_high_rdp_distinct_count_source_ip_for_destination", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_high_rdp_distinct_count_source_ip_for_destination", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "destination.ip" - } - }, - { - "exists": { - "field": "session.start_time" - } - } - ] - } - } + ] + } + } + } + }, + { + "id": "datafeed-lmd_high_mean_rdp_process_args_euid", + "job_id": "lmd_high_mean_rdp_process_args_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": 
"lmd_high_mean_rdp_process_args_euid", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + }, + { + "exists": { + "field": "session.start_time" + } } - }, - { - "id": "datafeed-lmd_high_rdp_distinct_count_destination_ip_for_source", - "job_id": "lmd_high_rdp_distinct_count_destination_ip_for_source", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_high_rdp_distinct_count_destination_ip_for_source", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "destination.ip" - } - }, - { - "exists": { - "field": "session.start_time" - } - } - ] - } - } + ] + } + } + } + }, + { + "id": "datafeed-lmd_rare_file_path_remote_transfer_euid", + "job_id": "lmd_rare_file_path_remote_transfer_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_rare_file_path_remote_transfer_euid", + "query": { + "bool": { + "must_not": [ + { + "terms": { + "user.name": [ + "SYSTEM", + "root" + ] + } } - }, - { - "id": "datafeed-lmd_high_mean_rdp_process_args", - "job_id": "lmd_high_mean_rdp_process_args", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_high_mean_rdp_process_args", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "destination.ip" - } - }, - { - "exists": { - "field": "session.start_time" - } - } - ] - } - } + ], + "filter": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "event.action": "creation" + } + }, + { + "terms": { + "process.name": [ + "System", + "scp", + "sshd", + "smbd", + "vsftpd", + "sftp-server" + ] + } + }, + { + "exists": { + "field": "process.name" + } + }, + { + "exists": { + "field": "file.name" + } } + ] + } + }, + "runtime_mappings": { + "file_directory": { + "type": "keyword", + "script": { + "source": "def st=new String();\r\ndef st1=new 
String(); \r\nif(doc.containsKey('file.path') && doc['file.path'].size() != 0 )\r\n{st=doc['file.path'].value.replace('/','\\\\').splitOnToken('\\\\')[-1]; \r\nst1=doc['file.path'].value.replace(st,\"\");\r\n emit((st1));} else { emit('None');}" + } + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } }, - { - "id": "datafeed-lmd_rare_file_path_remote_transfer", - "job_id": "lmd_rare_file_path_remote_transfer", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_rare_file_path_remote_transfer", - "query": { - "bool": { - "must_not": [ - { - "terms": { - "user.name": [ - "SYSTEM", - "root" - ] - } - } - ], - "filter": [ - { - "term": { - "event.category": "file" - } - }, - { - "term": { - "event.action": "creation" - } - }, - { - "terms": { - "process.name": [ - "System", - "scp", - "sshd", - "smbd", - "vsftpd", - "sftp-server" - ] - } - }, - { - "exists": { - "field": "process.name" - } - }, - { - "exists": { - "field": "file.name" - } - } - ] - } - }, - "runtime_mappings": { - "file_directory": { - "type": "keyword", - "script": { - "source": "def st=new String();\r\ndef st1=new String(); \r\nif(doc.containsKey('file.path') && doc['file.path'].size() != 0 )\r\n{st=doc['file.path'].value.replace('/','\\\\').splitOnToken('\\\\')[-1]; \r\nst1=doc['file.path'].value.replace(st,\"\");\r\n emit((st1));} else { emit('None');}" - } - } - } - } + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } } - ] - }, - "id": "lmd-ml", - "migrationVersion": { - "search": "7.16.0" - }, - "references": [], - "type": "ml-module" + } + } + } + ] + }, + "id": "lmd-ml", + "migrationVersion": { + "search": "7.16.0" + }, + "references": [], + "type": "ml-module" } \ No newline at end of file diff --git a/packages/lmd/manifest.yml b/packages/lmd/manifest.yml index a474683c5da..4a4eab02480 100644 --- a/packages/lmd/manifest.yml +++ b/packages/lmd/manifest.yml 
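Review bot: the `file_directory` runtime mapping re-added under the `lmd_rare_file_path_remote_transfer_euid` datafeed derives the directory with `st1=doc['file.path'].value.replace(st,"")`, which removes every occurrence of the file name from the path rather than only the trailing component, so a path like `/srv/data/data` (illustrative value) comes out as `/srv//` instead of `/srv/data/`. Since this line is being rewritten anyway, compute the directory with `substring(0, lastIndexOf(sep) + 1)` on the separator-normalised path rather than `replace`, and drop the `\r\n` line endings inside the Painless `source` string so the script reads the same as the other package scripts.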
@@ -1,7 +1,7 @@ format_version: 3.0.0 name: lmd title: "Lateral Movement Detection" -version: 2.6.1 +version: 3.0.0 source: license: "Elastic-2.0" description: "ML package to detect lateral movement based on file transfer activity and Windows RDP events." @@ -11,7 +11,7 @@ categories: - advanced_analytics_ueba conditions: kibana: - version: "^8.9.0 || ^9.0.0" + version: "^9.4.0" elastic: subscription: platinum capabilities: diff --git a/packages/pad/changelog.yml b/packages/pad/changelog.yml index bd4f7959dd1..9f700ec5db2 100644 --- a/packages/pad/changelog.yml +++ b/packages/pad/changelog.yml @@ -1,3 +1,8 @@ +- version: "2.0.0" + changes: + - description: Introduce Entity Unique IDs (EUIDs) + type: enhancement + link: https://github.com/elastic/integrations/pull/99999 - version: "1.1.1" changes: - description: Update package docs with customization steps for ML jobs and transforms diff --git a/packages/pad/docs/README.md b/packages/pad/docs/README.md index 5ea7bf25871..660cef437b6 100644 --- a/packages/pad/docs/README.md +++ b/packages/pad/docs/README.md @@ -7,6 +7,7 @@ The package transform supports data from Elastic Endpoint via Elastic Defend and ## Installation +1. **Upgrading**: If upgrading from a version below v2.0.0, see the section v2.0.0 and beyond. 1. **Add the Integration Package**: Install the package via **Management > Integrations > Add Privileged Access Detection**. Configure the integration name and agent policy. Click **Save and Continue**. 1. **Configure the pipeline**: To configure the pipeline you can use one of the following steps: - If using Elastic Defend, add a custom pipeline to the data stream. Go to **Stack Management > Ingest Pipelines**, and check if the pipeline `logs-endpoint.events.process@custom` exists. 
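Review bot: the new 2.0.0 changelog entry in `packages/pad/changelog.yml` links to `https://github.com/elastic/integrations/pull/99999`, which is a placeholder; replace it with this PR's number before merge so the entry points at the real change. While here, the `1. **Upgrading**:` step added to the README points readers to "the section v2.0.0 and beyond"; quote the heading as it appears (`## v2.0.0 and beyond`) or make it a link so the reference survives future edits.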
@@ -62,12 +63,12 @@ The package transform supports data from Elastic Endpoint via Elastic Defend and ``` POST INDEX_NAME/_rollover ``` -1. **Check the health of the transforms**: The transforms are scheduled to run every hour. These transforms create two indices: `ml_windows_privilege_type_pad.all` and `ml_okta_multiple_user_sessions_pad.all`. To check the health of the transforms go to **Management > Stack Management > Data > Transforms** under `logs-pad.pivot_transform_okta_multiple_sessions-default-` and `logs-pad.pivot_transform_windows_privilege_list-default-`. -1. **Create data views for anomaly detection jobs**: The anomaly detection jobs under this package rely on three indices. One index contains logs for Windows, Linux, and Okta (logs-*), while the second and third indices store Okta user session information and details about special Windows privileges assigned to a user, respectively, collected through two transforms (`ml_okta_multiple_user_sessions_pad.all` and `ml_windows_privilege_type_pad.all`). Before enabling the anomaly detection jobs, create a data view with both index patterns. +1. **Check the health of the transforms**: The transforms are scheduled to run every hour. These transforms create two indices: `ml_windows_privilege_type_pad_euid.all` and `ml_okta_multiple_user_sessions_pad_euid.all`. To check the health of the transforms go to **Management > Stack Management > Data > Transforms** under `logs-pad.pivot_transform_okta_sessions_euid-default-` and `logs-pad.pivot_transform_win_privilege_list_euid-default-`. +1. **Create data views for anomaly detection jobs**: The anomaly detection jobs under this package rely on three indices. 
One index contains logs for Windows, Linux, and Okta (logs-*), while the second and third indices store Okta user session information and details about special Windows privileges assigned to a user, respectively, collected through two transforms (`ml_okta_multiple_user_sessions_pad_euid.all` and `ml_windows_privilege_type_pad_euid.all`). Before enabling the anomaly detection jobs, create a data view with both index patterns. 1. Go to **Stack Management > Kibana > Data Views** and click **Create data view**. - 1. Enter the name of your respective index patterns in the **Index pattern** box, i.e., `logs-*, ml_okta_multiple_user_sessions_pad.all, ml_windows_privilege_type_pad.all`, and copy the same in the **Name** field. + 1. Enter the name of your respective index patterns in the **Index pattern** box, i.e., `logs-*, ml_okta_multiple_user_sessions_pad_euid.all, ml_windows_privilege_type_pad_euid.all`, and copy the same in the **Name** field. 1. Select `@timestamp` under the **Timestamp** field and click on **Save data view to Kibana**. - 1. Use the new data view (`logs-*, ml_okta_multiple_user_sessions_pad.all, ml_windows_privilege_type_pad.all`) to create anomaly detection jobs for this package. + 1. Use the new data view (`logs-*, ml_okta_multiple_user_sessions_pad_euid.all, ml_windows_privilege_type_pad_euid.all`) to create anomaly detection jobs for this package. 1. **Add preconfigured anomaly detection jobs**: In **Stack Management -> Anomaly Detection Jobs**, you will see **Select data view or saved search**. Select the data view created in the previous step. Then under `Use preconfigured jobs` you will see **Privileged Access Detection**. When you select the card, you will see pre-configured anomaly detection jobs that you can create depending on what makes the most sense for your environment. 
**_Note_**: In the Machine Learning app, these configurations are available only when data exists that matches the query specified in the [pad-ml file](https://github.com/elastic/integrations/blob/main/packages/pad/kibana/ml_module/pad-ml.json#L10). Additionally, we recommend backdating the datafeed for these anomaly detection jobs to a specific timeframe, as some datafeed queries are resource-intensive and may lead to query delays. We advise you to start the datafeed with 2-3 months' worth of data. 1. **Data view configuration for Dashboards**: For the dashboard to work as expected, the following settings need to be configured in Kibana. 
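Review bot: in the rewritten "Create data views" step the text still says "create a data view with both index patterns" while the same paragraph states the jobs rely on three indices and the next sub-step lists three patterns (`logs-*, ml_okta_multiple_user_sessions_pad_euid.all, ml_windows_privilege_type_pad_euid.all`); change "both" to "all three" so the instruction matches the pattern users are told to enter.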
@@ -89,17 +90,17 @@ To inspect the installed assets, you can navigate to **Stack Management > Data > | Transform name | Purpose | Source index | Destination index | Alias | Supported Platform | |--------------------------------------------|--------------------------------------------------------------------|---------------|------------------------------------------------|--------------------------------------- | ------------------ | -| pad.pivot_transform_okta_multiple_sessions | Collects user session information for Okta events | logs-* | ml_okta_multiple_user_sessions_pad-[version] | ml_okta_multiple_user_sessions_pad.all | Okta | -| pad.pivot_transform_windows_privilege_type | Collects special privileges assigned to a user for Windows events | logs-* | ml_windows_privilege_type_pad-[version] | ml_windows_privilege_type_pad.all | Windows | +| pad.pivot_transform_okta_sessions_euid | Collects user session information for Okta events | logs-* | ml_okta_multiple_user_sessions_pad_euid-[version] | ml_okta_multiple_user_sessions_pad_euid.all | Okta | +| pad.pivot_transform_win_privilege_list_euid | Collects special privileges assigned to a user for Windows events | logs-* | ml_windows_privilege_type_pad_euid-[version] | ml_windows_privilege_type_pad_euid.all | Windows | -When querying the destination indices for Okta and Windows logs, we advise using the alias for the destination index (`ml_okta_multiple_user_sessions_pad.all` and `ml_windows_privilege_type_pad.all`). In the event that the underlying package is upgraded, the alias will aid in maintaining the previous findings. +When querying the destination indices for Okta and Windows logs, we advise using the alias for the destination index (`ml_okta_multiple_user_sessions_pad_euid.all` and `ml_windows_privilege_type_pad_euid.all`). In the event that the underlying package is upgraded, the alias will aid in maintaining the previous findings. 
## Customize Privileged Access Detection Transform To customize filters in the Privileged Access Detection transform, follow the below steps. You can use these instructions to update basic settings or to update filters for fields such as `process.name`, `@timestamp` and others. 1. To update settings such as retention policy, frequency, or destination configuration, stop the transform, click **Edit** from the **Actions** bar, make the required changes, and start the transform again. ![Privileged Access Detection transform](../img/pad_transform_update.png) -1. To update the query filters, go to **Stack Management > Data > Transforms > `logs-pad.pivot_transform_windows_privilege_list-default-`**. +1. To update the query filters, go to **Stack Management > Data > Transforms > `logs-pad.pivot_transform_win_privilege_list_euid-default-`**. 1. Click on the **Actions** bar at the far right of the transform and select the **Clone** option. ![Privileged Access Detection transform](../img/pad_transform_1.png) 1. In the new **Clone transform** window, go to the **Search filter** and update any field values you want to add or remove. Click on the **Apply changes** button on the right side to save these changes. **Note:** The image below shows an example of filtering a new `process.name` as `explorer.exe`. You can follow a similar example and update the field value list based on your environment to help reduce noise and potential false positives. 
@@ -113,27 +114,27 @@ To customize filters in the Privileged Access Detection transform, follow the be | Job | Description | Supported Platform | |------------------------------------------------------------|------------------------------------------------------------------------------------------------|----------------------| -| pad_windows_high_count_special_logon_events | Detects unusually high special logon events initiated by a user. | Windows | -| pad_windows_high_count_special_privilege_use_events | Detects unusually high special privilege use events initiated by a user. | Windows | -| pad_windows_high_count_group_management_events | Detects unusually high security group management events initiated by a user. | Windows | -| pad_windows_high_count_user_account_management_events | Detects unusually high security user account management events initiated by a user. | Windows | -| pad_windows_rare_privilege_assigned_to_user | Detects an unusual privilege type assigned to a user. | Windows | -| pad_windows_rare_group_name_by_user | Detects an unusual group name accessed by a user. | Windows | -| pad_windows_rare_device_by_user | Detects an unusual device accessed by a user. | Windows | -| pad_windows_rare_source_ip_by_user | Detects an unusual source IP address accessed by a user. | Windows | -| pad_windows_rare_region_name_by_user | Detects an unusual region name for a user. | Windows | -| pad_linux_high_count_privileged_process_events_by_user | Detects a spike in privileged commands executed by a user. | Linux | -| pad_linux_rare_process_executed_by_user | Detects a rare process executed by a user. | Linux | -| pad_linux_high_median_process_command_line_entropy_by_user | Detects process command lines executed by a user with an abnormally high median entropy value. | Okta Integration | -| pad_okta_spike_in_group_membership_changes | Detects spike in group membership change events by a user. 
| Okta Integration | -| pad_okta_spike_in_user_lifecycle_management_changes | Detects spike in user lifecycle management change events by a user. | Okta Integration | -| pad_okta_spike_in_group_privilege_changes | Detects spike in group privilege change events by a user. | Okta Integration | +| pad_windows_high_count_special_logon_events_euid | Detects unusually high special logon events initiated by a user. | Windows | +| pad_windows_high_count_special_privilege_use_events_euid | Detects unusually high special privilege use events initiated by a user. | Windows | +| pad_windows_high_count_group_management_events_euid | Detects unusually high security group management events initiated by a user. | Windows | +| pad_windows_high_count_user_account_management_events_euid | Detects unusually high security user account management events initiated by a user. | Windows | +| pad_windows_rare_privilege_assigned_to_user_euid | Detects an unusual privilege type assigned to a user. | Windows | +| pad_windows_rare_group_name_by_user_euid | Detects an unusual group name accessed by a user. | Windows | +| pad_windows_rare_device_by_user_euid | Detects an unusual device accessed by a user. | Windows | +| pad_windows_rare_source_ip_by_user_euid | Detects an unusual source IP address accessed by a user. | Windows | +| pad_windows_rare_region_name_by_user_euid | Detects an unusual region name for a user. | Windows | +| pad_linux_high_count_privileged_process_events_by_user_euid | Detects a spike in privileged commands executed by a user. | Linux | +| pad_linux_rare_process_executed_by_user_euid | Detects a rare process executed by a user. | Linux | +| pad_linux_high_median_process_command_line_entropy_by_user_euid | Detects process command lines executed by a user with an abnormally high median entropy value. | Okta Integration | +| pad_okta_spike_in_group_membership_changes_euid | Detects spike in group membership change events by a user. 
| Okta Integration | +| pad_okta_spike_in_user_lifecycle_management_changes_euid | Detects spike in user lifecycle management change events by a user. | Okta Integration | +| pad_okta_spike_in_group_privilege_changes_euid | Detects spike in group privilege change events by a user. | Okta Integration | | pad_okta_spike_in_group_application_assignment_change | Detects spike in group application assignment change events by a user. | Okta Integration | -| pad_okta_spike_in_group_lifecycle_changes | Detects spike in group lifecycle change events by a user. | Okta Integration | -| pad_okta_high_sum_concurrent_sessions_by_user | Detects an unusual sum of active sessions started by a user. | Okta Integration | -| pad_okta_rare_source_ip_by_user | Detects an unusual source IP address accessed by a user. | Okta Integration | -| pad_okta_rare_region_name_by_user | Detects an unusual region name for a user. | Okta Integration | -| pad_okta_rare_host_name_by_user | Detects an unusual host name for a user. | Okta Integration | +| pad_okta_spike_in_group_lifecycle_changes_euid | Detects spike in group lifecycle change events by a user. | Okta Integration | +| pad_okta_high_sum_concurrent_sessions_by_user_euid | Detects an unusual sum of active sessions started by a user. | Okta Integration | +| pad_okta_rare_source_ip_by_user_euid | Detects an unusual source IP address accessed by a user. | Okta Integration | +| pad_okta_rare_region_name_by_user_euid | Detects an unusual region name for a user. | Okta Integration | +| pad_okta_rare_host_name_by_user_euid | Detects an unusual host name for a user. | Okta Integration | ## Customize ML jobs for Privileged Access Detection 
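Review bot: two rows in the renamed job table are inconsistent with the rest of the patch. The `pad_okta_spike_in_group_application_assignment_change` row is left as unchanged context without the `_euid` suffix, while the job ID list added further down names it `pad_okta_spike_in_group_application_assignment_changes_euid` (plural); update the row and make both agree with the actual job id in `pad-ml.json`. Separately, `pad_linux_high_median_process_command_line_entropy_by_user_euid` carries Supported Platform "Okta Integration" although it is a Linux job (and the row sits among the other `pad_linux_*` rows); the value should be "Linux".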
@@ -152,6 +153,42 @@ To customize the datafeed query and other settings such as model memory limit, f ![Privileged Access Detection jobs](../img/pad_ml_job_6.png) 1. Finally, assign a new Job ID, and click on **Create job**, and start the datafeed to apply the updated settings. +## v2.0.0 and beyond + +v2.0.0 of the package introduces Entity Unique IDs (EUIDs) for use with Entity Analytics. This version is available on Elastic Stack version 9.4 and later. + +- Previously installed versions of ML jobs, transforms, and rules will continue to run, giving you time to transition to the new EUID-based assets. +- On installation of this version, new ML jobs, transforms, and rules that utilize EUIDs will be available. +- We recommend installing the new ML jobs and transforms first and check they are properly installed, gathering data and generating anomalies before updating to the latest version of the detection rules provided in 9.4. +- The new EUID transforms write to separate destination indices postfixed with `_euid`. Create a new data view for the EUID anomaly detection jobs using the new EUID destination indices/aliases listed below. Do not mix old and new transform destination indices in the same data view. 
+ +The new EUID ML job IDs are: +- `pad_windows_high_count_special_logon_events_euid` +- `pad_windows_high_count_special_privilege_use_events_euid` +- `pad_windows_high_count_group_management_events_euid` +- `pad_windows_high_count_user_account_management_events_euid` +- `pad_windows_rare_privilege_assigned_to_user_euid` +- `pad_windows_rare_group_name_by_user_euid` +- `pad_windows_rare_device_by_user_euid` +- `pad_windows_rare_source_ip_by_user_euid` +- `pad_windows_rare_region_name_by_user_euid` +- `pad_linux_high_count_privileged_process_events_by_user_euid` +- `pad_linux_rare_process_executed_by_user_euid` +- `pad_linux_high_median_process_command_line_entropy_by_user_euid` +- `pad_okta_spike_in_group_membership_changes_euid` +- `pad_okta_spike_in_user_lifecycle_management_changes_euid` +- `pad_okta_spike_in_group_privilege_changes_euid` +- `pad_okta_spike_in_group_application_assignment_changes_euid` +- `pad_okta_spike_in_group_lifecycle_changes_euid` +- `pad_okta_high_sum_concurrent_sessions_by_user_euid` +- `pad_okta_rare_source_ip_by_user_euid` +- `pad_okta_rare_region_name_by_user_euid` +- `pad_okta_rare_host_name_by_user_euid` + +The new EUID transforms are: +- `pad.pivot_transform_okta_sessions_euid` → destination index: `ml_okta_multiple_user_sessions_pad_euid-2.0.0`, alias: `ml_okta_multiple_user_sessions_pad_euid.latest`, `ml_okta_multiple_user_sessions_pad_euid.all` +- `pad.pivot_transform_win_privilege_list_euid` → destination index: `ml_windows_privilege_type_pad_euid-2.0.0`, alias: `ml_windows_privilege_type_pad_euid.latest`, `ml_windows_privilege_type_pad_euid.all` + ## Licensing Usage in production requires that you have a license key that permits use of machine learning features. \ No newline at end of file 
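Review bot: the new "v2.0.0 and beyond" section does not mention that the EUID transforms and datafeeds depend on the stored scripts `euid_user_entity` and `euid_host_entity`, which this patch references by id in the transforms' `group_by` and the datafeeds' `script_fields`; state where those scripts come from on 9.4 and that a transform referencing a missing stored script will not start, so users who see a failed transform know what to check. The section also says previously installed jobs, transforms and rules "will continue to run" but gives no retirement step; add a line on when and how to stop and delete the pre-2.0.0 transforms and jobs, otherwise two sets of hourly pivots keep running over `logs-*`.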
diff --git a/packages/pad/elasticsearch/transform/pivot_transform_okta_multiple_sessions/fields/fields.yml b/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_euid/fields/fields.yml similarity index 77% rename from packages/pad/elasticsearch/transform/pivot_transform_okta_multiple_sessions/fields/fields.yml rename to packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_euid/fields/fields.yml index b483e7269cc..94cca0df550 100644 --- a/packages/pad/elasticsearch/transform/pivot_transform_okta_multiple_sessions/fields/fields.yml +++ b/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_euid/fields/fields.yml @@ -1,5 +1,5 @@ -- external: ecs - name: source.user.name +- name: user.entity.id_computed + type: keyword - external: ecs name: source.user.full_name - name: okta_distinct_ips @@ -11,4 +11,4 @@ - external: ecs name: agent.name - external: ecs - name: '@timestamp' + name: '@timestamp' \ No newline at end of file diff --git a/packages/pad/elasticsearch/transform/pivot_transform_okta_multiple_sessions/transform.yml b/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_euid/transform.yml similarity index 84% rename from packages/pad/elasticsearch/transform/pivot_transform_okta_multiple_sessions/transform.yml rename to packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_euid/transform.yml index 575e9f7c384..f80b52a672c 100644 --- a/packages/pad/elasticsearch/transform/pivot_transform_okta_multiple_sessions/transform.yml +++ b/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_euid/transform.yml 
@@ -18,11 +18,11 @@ source: - terms: '_tier': [ "data_cold", "data_frozen" ] dest: - index: ml_okta_multiple_user_sessions_pad-1.1.1 + index: ml_okta_multiple_user_sessions_pad_euid-2.0.0 aliases: - - alias: ml_okta_multiple_user_sessions_pad.latest + - alias: ml_okta_multiple_user_sessions_pad_euid.latest move_on_creation: true - - alias: ml_okta_multiple_user_sessions_pad.all + - alias: ml_okta_multiple_user_sessions_pad_euid.all move_on_creation: false description: This transform runs hourly and collects user session information for Okta events for the Privileged Access Detection package. frequency: 1h @@ -39,9 +39,10 @@ pivot: term: 'okta.event_type': "user.session.end" group_by: - 'source.user.name': + 'user.entity.id_computed': terms: - field: source.user.name + script: + id: euid_user_entity 'agent.name': terms: field: agent.name @@ -61,5 +62,5 @@ sync: delay: 60s field: '@timestamp' _meta: - fleet_transform_version: 1.1.1 + fleet_transform_version: 2.0.0 run_as_kibana_system: false \ No newline at end of file diff --git a/packages/pad/elasticsearch/transform/pivot_transform_windows_privilege_list/fields/fields.yml b/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_euid/fields/fields.yml similarity index 65% rename from packages/pad/elasticsearch/transform/pivot_transform_windows_privilege_list/fields/fields.yml rename to packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_euid/fields/fields.yml index ca19fa4519a..245b70a0445 100644 --- a/packages/pad/elasticsearch/transform/pivot_transform_windows_privilege_list/fields/fields.yml +++ b/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_euid/fields/fields.yml @@ -1,7 +1,7 @@ -- external: ecs - name: host.name -- external: ecs - name: user.name +- name: user.entity.id_computed + type: keyword +- name: host.entity.id_computed + type: keyword - name: privilege_type type: keyword - external: ecs 
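Review bot: in `pivot_transform_okta_sessions_euid/fields/fields.yml` the only change to the final `- external: ecs / name: '@timestamp'` entry is the removal of the trailing newline (`\ No newline at end of file` now appears on the `+` side); restore the newline so the hunk is not a whitespace-only change. Also, the `group_by` now keys on the scripted `user.entity.id_computed` and `source.user.name` has been dropped from `fields.yml`, but `source.user.full_name` remains declared; confirm it is still produced by the pivot (it is not part of the visible `group_by`), and remove it from the field mapping if it no longer is.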
diff --git a/packages/pad/elasticsearch/transform/pivot_transform_windows_privilege_list/transform.yml b/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_euid/transform.yml similarity index 83% rename from packages/pad/elasticsearch/transform/pivot_transform_windows_privilege_list/transform.yml rename to packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_euid/transform.yml index 00a84c693ea..6b5e4307340 100644 --- a/packages/pad/elasticsearch/transform/pivot_transform_windows_privilege_list/transform.yml +++ b/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_euid/transform.yml @@ -20,11 +20,11 @@ source: - terms: '_tier': [ "data_cold", "data_frozen" ] dest: - index: ml_windows_privilege_type_pad-1.1.1 + index: ml_windows_privilege_type_pad_euid-2.0.0 aliases: - - alias: ml_windows_privilege_type_pad.latest + - alias: ml_windows_privilege_type_pad_euid.latest move_on_creation: true - - alias: ml_windows_privilege_type_pad.all + - alias: ml_windows_privilege_type_pad_euid.all move_on_creation: false description: This transform runs hourly and collects special privileges assigned to a user in the Windows events for the Privileged Access Detection package. frequency: 1h @@ -34,12 +34,14 @@ pivot: max: field: '@timestamp' group_by: - 'host.name': + 'host.entity.id_computed': terms: - field: host.name - 'user.name': + script: + id: euid_host_entity + 'user.entity.id_computed': terms: - field: user.name + script: + id: euid_user_entity 'privilege_type': terms: field: winlog.event_data.PrivilegeList @@ -61,5 +63,5 @@ sync: delay: 60s field: '@timestamp' _meta: - fleet_transform_version: 1.1.1 + fleet_transform_version: 2.0.0 run_as_kibana_system: false \ No newline at end of file diff --git a/packages/pad/kibana/dashboard/pad-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09.json b/packages/pad/kibana/dashboard/pad-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09.json index b65abbbed28..9af181d2b6c 100644 
--- a/packages/pad/kibana/dashboard/pad-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09.json +++ b/packages/pad/kibana/dashboard/pad-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09.json 
@@ -3,7 +3,7 @@ "description": "This dashboard offers an overview of anomalies identified in Windows logs by the Privileged Access Detection package.", "hits": 0, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"job_id: (\\\"pad_windows_high_count_group_management_events\\\" or \\\"pad_windows_high_count_special_logon_events\\\" or \\\"pad_windows_high_count_special_privilege_use_events\\\" or \\\"pad_windows_high_count_user_account_management_events\\\" or \\\"pad_windows_rare_device_by_user\\\" or \\\"pad_windows_rare_group_name_by_user\\\" or \\\"pad_windows_rare_source_ip_by_user\\\" or \\\"pad_windows_rare_privilege_assigned_to_user\\\" ) \\n\\n\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"type\":\"custom\",\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"query\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"bool\":{\"filter\":[{\"term\":{\"result_type\":{\"value\":\"record\"}}}]}}}]}" + "searchSourceJSON": "{\"query\":{\"query\":\"job_id: (\\\"pad_windows_high_count_group_management_events_euid\\\" or \\\"pad_windows_high_count_special_logon_events_euid\\\" or \\\"pad_windows_high_count_special_privilege_use_events_euid\\\" or \\\"pad_windows_high_count_user_account_management_events_euid\\\" or \\\"pad_windows_rare_device_by_user_euid\\\" or \\\"pad_windows_rare_group_name_by_user_euid\\\" or \\\"pad_windows_rare_source_ip_by_user_euid\\\" or \\\"pad_windows_rare_privilege_assigned_to_user_euid\\\" ) \\n\\n\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"type\":\"custom\",\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"query\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"bool\":{\"filter\":[{\"term\":{\"result_type\":{\"value\":\"record\"}}}]}}}]}" }, "optionsJSON": { "hidePanelTitles": false, 
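Review bot: the rewritten `searchSourceJSON` on the Windows dashboard filters on eight `pad_windows_*_euid` job IDs but omits `pad_windows_rare_region_name_by_user_euid`, which the README job table lists as a Windows job and which the swim lane panel in this same dashboard includes in its `jobIds`; add `\"pad_windows_rare_region_name_by_user_euid\"` to the `job_id: (...)` query so the metric and table panels see the same anomaly set as the swim lane.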
@@ -11,7 +11,7 @@ "syncTooltips": false, "useMargins": true }, - "panelsJSON": "[{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":11,\"h\":8,\"i\":\"c969fd47-15df-4011-8fa3-2a27825ad0f6\"},\"panelIndex\":\"c969fd47-15df-4011-8fa3-2a27825ad0f6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-4a3eb6a5-00f0-40bb-a514-4624c8ecf975\"}],\"state\":{\"visualization\":{\"layerId\":\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\",\"accessor\":\"38c1895e-f712-49ad-b793-1468d2fd02dc\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\":{\"columns\":{\"38c1895e-f712-49ad-b793-1468d2fd02dc\":{\"label\":\"Anomalous host names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"38c1895e-f712-49ad-b793-1468d2fd02dc\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"Number of hosts 
affected\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":0,\"w\":11,\"h\":8,\"i\":\"16a69c4e-a9e3-4ec0-aa9a-11ba40d873bd\"},\"panelIndex\":\"16a69c4e-a9e3-4ec0-aa9a-11ba40d873bd\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-4a3eb6a5-00f0-40bb-a514-4624c8ecf975\"}],\"state\":{\"visualization\":{\"layerId\":\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\",\"accessor\":\"38c1895e-f712-49ad-b793-1468d2fd02dc\",\"layerType\":\"data\",\"size\":\"l\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"9b5b5af7-b12d-4f9e-98e4-eb78ca6a3de3\",\"type\":\"exists\",\"key\":\"host.name\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{\"exists\":{\"field\":\"host.name\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\":{\"columns\":{\"38c1895e-f712-49ad-b793-1468d2fd02dc\":{\"label\":\"Anomalous user names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"user.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"38c1895e-f712-49ad-b793-1468d2fd02dc\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"Number of users 
affected\"},{\"type\":\"ml_anomaly_swimlane\",\"gridData\":{\"x\":22,\"y\":0,\"w\":26,\"h\":19,\"i\":\"dce1e8da-3b99-4852-a222-3e0f276dee0e\"},\"panelIndex\":\"dce1e8da-3b99-4852-a222-3e0f276dee0e\",\"embeddableConfig\":{\"jobIds\":[\"pad_windows_high_count_group_management_events\",\"pad_windows_high_count_special_logon_events\",\"pad_windows_high_count_special_privilege_use_events\",\"pad_windows_high_count_user_account_management_events\",\"pad_windows_rare_device_by_user\",\"pad_windows_rare_group_name_by_user\",\"pad_windows_rare_privilege_assigned_to_user\",\"pad_windows_rare_region_name_by_user\",\"pad_windows_rare_source_ip_by_user\"],\"panelTitle\":\"ML anomaly swim lane for pad_linux_high_count_privileged_process_events_by_user, pad_linux_high_sum_process_command_line_entropy_by_user, pad_linux_rare_process_executed_by_user\",\"swimlaneType\":\"viewBy\",\"viewBy\":\"job ID\",\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected by their Job ID and Severity\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":8,\"w\":11,\"h\":11,\"i\":\"26531c0e-a776-4e6f-badd-8766f77d9134\"},\"panelIndex\":\"26531c0e-a776-4e6f-badd-8766f77d9134\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-390b338f-2020-4d73-95ae-3934bae7f6b6\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"isTransposed\":false,\"isMetric\":false,\"hidden\":false,\"alignment\":\"left\"},{\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"390b338f-2020-4d73-95ae-3934bae7f6b6\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"390b338f-2020-4d73-95ae-3934b
ae7f6b6\":{\"columns\":{\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\":{\"label\":\"User names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"user.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"05043aa4-cc1e-429b-8046-fbcdd4092879\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"05043aa4-cc1e-429b-8046-fbcdd4092879\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 User 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":8,\"w\":11,\"h\":11,\"i\":\"271a8d58-3d1b-44d9-93da-338c9f91867a\"},\"panelIndex\":\"271a8d58-3d1b-44d9-93da-338c9f91867a\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-390b338f-2020-4d73-95ae-3934bae7f6b6\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"isTransposed\":false,\"isMetric\":false,\"hidden\":false},{\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"390b338f-2020-4d73-95ae-3934bae7f6b6\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"390b338f-2020-4d73-95ae-3934bae7f6b6\":{\"columns\":{\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\":{\"label\":\"Host names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"05043aa4-cc1e-429b-8046-fbcdd4092879\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"05043aa4-cc1e-429b-8046-fbcdd4092879\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Host names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":19,\"w\":48,\"h\":10,\"i\":\"502e0249-fc8c-4d26-8f1e-d8f434d8e7c7\"},\"panelIndex\":\"502e0249-fc8c-4d26-8f1e-d8f434d8e7c7\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-633758dc-f315-45ef-8ff3-055ba6778160\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"633758dc-f315-45ef-8ff3-055ba6778160\",\"accessors\":[\"e0821c61-d9f8-46af-9b64-9b70c3353106\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"2e4087b8-5e9b-4040-8c21-231649fdaf27\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"633758dc-f315-45ef-8ff3-055ba6778160\":{\"columns\":{\"2e4087
b8-5e9b-4040-8c21-231649fdaf27\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":false,\"dropPartials\":false}},\"e0821c61-d9f8-46af-9b64-9b70c3353106\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"2e4087b8-5e9b-4040-8c21-231649fdaf27\",\"e0821c61-d9f8-46af-9b64-9b70c3353106\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected over time\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":29,\"w\":12,\"h\":12,\"i\":\"920f2dd3-3628-4298-866a-da34c82431c2\"},\"panelIndex\":\"920f2dd3-3628-4298-866a-da34c82431c2\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Event 
types\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"event.action\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Event 
types\"},{\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":29,\"w\":12,\"h\":12,\"i\":\"02255922-d40f-4757-92c2-b53596a73f5e\"},\"panelIndex\":\"02255922-d40f-4757-92c2-b53596a73f5e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Privilege types\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"privilege_type\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Privilege types\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":29,\"w\":24,\"h\":12,\"i\":\"5318144f-ddf3-4f86-919f-0192feec779f\"},\"panelIndex\":\"5318144f-ddf3-4f86-919f-0192feec779f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-d4fef95e-d937-4dd8-9a7f-783e5142c701\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"d4fef95e-d937-4dd8-9a7f-783e5142c701\",\"accessors\":[\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d4fef95e-d937-4dd8-9a7f-783e5142c701\":{\"columns\":{\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\":{\"label\":\"Top 10 process names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\",\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Process 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":41,\"w\":12,\"h\":12,\"i\":\"0d20b661-2d10-4b29-8c22-74411dd468cb\"},\"panelIndex\":\"0d20b661-2d10-4b29-8c22-74411dd468cb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Source IPs\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.ip\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Source IPs\"},{\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":41,\"w\":12,\"h\":12,\"i\":\"8c0e0fe0-dbe3-4444-a341-b57559b4a7c0\"},\"panelIndex\":\"8c0e0fe0-dbe3-4444-a341-b57559b4a7c0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Group 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"group.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Group 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":41,\"w\":24,\"h\":12,\"i\":\"2762a942-0d53-4420-82c2-72bd991e7e7d\"},\"panelIndex\":\"2762a942-0d53-4420-82c2-72bd991e7e7d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-18a81053-4dec-4f8f-97b9-2cfbb5150300\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal\",\"layers\":[{\"layerId\":\"18a81053-4dec-4f8f-97b9-2cfbb5150300\",\"seriesType\":\"bar_horizontal\",\"xAccessor\":\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\",\"accessors\":[\"70751b16-f471-4176-b754-1680309d4477\"],\"yConfig\":[{\"forAccessor\":\"70751b16-f471-4176-b754-1680309d4477\",\"color\":\"#6092c0\"}],\"layerType\":\"data\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"18a81053-4dec-4f8f-97b9-2cfbb5150300\":{\"columns\":{\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\":{\"label\":\"Top 10 region 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.geo.region_name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"70751b16-f471-4176-b754-1680309d4477\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"70751b16-f471-4176-b754-1680309d4477\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\",\"70751b16-f471-4176-b754-1680309d4477\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Geo-regions\"}]", + "panelsJSON": 
"[{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":11,\"h\":8,\"i\":\"c969fd47-15df-4011-8fa3-2a27825ad0f6\"},\"panelIndex\":\"c969fd47-15df-4011-8fa3-2a27825ad0f6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-4a3eb6a5-00f0-40bb-a514-4624c8ecf975\"}],\"state\":{\"visualization\":{\"layerId\":\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\",\"accessor\":\"38c1895e-f712-49ad-b793-1468d2fd02dc\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\":{\"columns\":{\"38c1895e-f712-49ad-b793-1468d2fd02dc\":{\"label\":\"Anomalous host names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"38c1895e-f712-49ad-b793-1468d2fd02dc\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"Number of hosts 
affected\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":0,\"w\":11,\"h\":8,\"i\":\"16a69c4e-a9e3-4ec0-aa9a-11ba40d873bd\"},\"panelIndex\":\"16a69c4e-a9e3-4ec0-aa9a-11ba40d873bd\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-4a3eb6a5-00f0-40bb-a514-4624c8ecf975\"}],\"state\":{\"visualization\":{\"layerId\":\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\",\"accessor\":\"38c1895e-f712-49ad-b793-1468d2fd02dc\",\"layerType\":\"data\",\"size\":\"l\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"9b5b5af7-b12d-4f9e-98e4-eb78ca6a3de3\",\"type\":\"exists\",\"key\":\"host.name\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{\"exists\":{\"field\":\"host.name\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\":{\"columns\":{\"38c1895e-f712-49ad-b793-1468d2fd02dc\":{\"label\":\"Anomalous user names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"user.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"38c1895e-f712-49ad-b793-1468d2fd02dc\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"Number of users 
affected\"},{\"type\":\"ml_anomaly_swimlane\",\"gridData\":{\"x\":22,\"y\":0,\"w\":26,\"h\":19,\"i\":\"dce1e8da-3b99-4852-a222-3e0f276dee0e\"},\"panelIndex\":\"dce1e8da-3b99-4852-a222-3e0f276dee0e\",\"embeddableConfig\":{\"jobIds\":[\"pad_windows_high_count_group_management_events_euid\",\"pad_windows_high_count_special_logon_events_euid\",\"pad_windows_high_count_special_privilege_use_events_euid\",\"pad_windows_high_count_user_account_management_events_euid\",\"pad_windows_rare_device_by_user_euid\",\"pad_windows_rare_group_name_by_user_euid\",\"pad_windows_rare_privilege_assigned_to_user_euid\",\"pad_windows_rare_region_name_by_user_euid\",\"pad_windows_rare_source_ip_by_user_euid\"],\"panelTitle\":\"ML anomaly swim lane for pad_linux_high_count_privileged_process_events_by_user_euid, pad_linux_high_sum_process_command_line_entropy_by_user, pad_linux_rare_process_executed_by_user_euid\",\"swimlaneType\":\"viewBy\",\"viewBy\":\"job ID\",\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected by their Job ID and 
Severity\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":8,\"w\":11,\"h\":11,\"i\":\"26531c0e-a776-4e6f-badd-8766f77d9134\"},\"panelIndex\":\"26531c0e-a776-4e6f-badd-8766f77d9134\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-390b338f-2020-4d73-95ae-3934bae7f6b6\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"isTransposed\":false,\"isMetric\":false,\"hidden\":false,\"alignment\":\"left\"},{\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"390b338f-2020-4d73-95ae-3934bae7f6b6\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"390b338f-2020-4d73-95ae-3934bae7f6b6\":{\"columns\":{\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\":{\"label\":\"User names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"user.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"05043aa4-cc1e-429b-8046-fbcdd4092879\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"05043aa4-cc1e-429b-8046-fbcdd4092879\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 User names\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":8,\"w\":11,\"h\":11,\"i\":\"271a8d58-3d1b-44d9-93da-338c9f91867a\"},\"panelIndex\":\"271a8d58-3d1b-44d9-93da-338c9f91867a\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-390b338f-2020-4d73-95ae-3934bae7f6b6\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"isTransposed\":false,\"isMetric\":false,\"hidden\":false},{\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"390b338f-2020-4d73-95ae-3934bae7f6b6\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"390b338f-2020-4d73-95ae-3934bae7f6b6\":{\"columns\":{\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\":{\"label\":\"Host 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"05043aa4-cc1e-429b-8046-fbcdd4092879\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"05043aa4-cc1e-429b-8046-fbcdd4092879\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Host 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":19,\"w\":48,\"h\":10,\"i\":\"502e0249-fc8c-4d26-8f1e-d8f434d8e7c7\"},\"panelIndex\":\"502e0249-fc8c-4d26-8f1e-d8f434d8e7c7\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-633758dc-f315-45ef-8ff3-055ba6778160\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"633758dc-f315-45ef-8ff3-055ba6778160\",\"accessors\":[\"e0821c61-d9f8-46af-9b64-9b70c3353106\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"2e4087b8-5e9b-4040-8c21-231649fdaf27\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"633758dc-f315-45ef-8ff3-055ba6778160\":{\"columns\":{\"2e4087b8-5e9b-4040-8c21-231649fdaf27\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":false,\"dropPartials\":false}},\"e0821c61-d9f8-46af-9b64-9b70c3353106\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"2e4087b8-5e9b-4040-8c21-231649fdaf27\",\"e0821c61-d9f8-46af-9b64-9b70c3353106\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected over time\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":29,\"w\":12,\"h\":12,\"i\":\"920f2dd3-3628-4298-866a-da34c82431c2\"},\"panelIndex\":\"920f2dd3-3628-4298-866a-da34c82431c2\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Event 
types\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"event.action\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Event 
types\"},{\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":29,\"w\":12,\"h\":12,\"i\":\"02255922-d40f-4757-92c2-b53596a73f5e\"},\"panelIndex\":\"02255922-d40f-4757-92c2-b53596a73f5e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Privilege types\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"privilege_type\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Privilege types\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":29,\"w\":24,\"h\":12,\"i\":\"5318144f-ddf3-4f86-919f-0192feec779f\"},\"panelIndex\":\"5318144f-ddf3-4f86-919f-0192feec779f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-d4fef95e-d937-4dd8-9a7f-783e5142c701\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"d4fef95e-d937-4dd8-9a7f-783e5142c701\",\"accessors\":[\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d4fef95e-d937-4dd8-9a7f-783e5142c701\":{\"columns\":{\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\":{\"label\":\"Top 10 process names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\",\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Process 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":41,\"w\":12,\"h\":12,\"i\":\"0d20b661-2d10-4b29-8c22-74411dd468cb\"},\"panelIndex\":\"0d20b661-2d10-4b29-8c22-74411dd468cb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Source IPs\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.ip\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Source IPs\"},{\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":41,\"w\":12,\"h\":12,\"i\":\"8c0e0fe0-dbe3-4444-a341-b57559b4a7c0\"},\"panelIndex\":\"8c0e0fe0-dbe3-4444-a341-b57559b4a7c0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Group 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"group.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Group 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":41,\"w\":24,\"h\":12,\"i\":\"2762a942-0d53-4420-82c2-72bd991e7e7d\"},\"panelIndex\":\"2762a942-0d53-4420-82c2-72bd991e7e7d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-18a81053-4dec-4f8f-97b9-2cfbb5150300\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal\",\"layers\":[{\"layerId\":\"18a81053-4dec-4f8f-97b9-2cfbb5150300\",\"seriesType\":\"bar_horizontal\",\"xAccessor\":\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\",\"accessors\":[\"70751b16-f471-4176-b754-1680309d4477\"],\"yConfig\":[{\"forAccessor\":\"70751b16-f471-4176-b754-1680309d4477\",\"color\":\"#6092c0\"}],\"layerType\":\"data\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"18a81053-4dec-4f8f-97b9-2cfbb5150300\":{\"columns\":{\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\":{\"label\":\"Top 10 region 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.geo.region_name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"70751b16-f471-4176-b754-1680309d4477\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"70751b16-f471-4176-b754-1680309d4477\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\",\"70751b16-f471-4176-b754-1680309d4477\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Geo-regions\"}]", "timeRestore": false, "title": "Privileged Access Detection Dashboard [Windows]", "version": 1 diff --git a/packages/pad/kibana/dashboard/pad-71c4cb79-3d39-4f27-9bbf-1b273c9c37cc.json b/packages/pad/kibana/dashboard/pad-71c4cb79-3d39-4f27-9bbf-1b273c9c37cc.json index 34c7fb74868..df7ffb8e57e 100644 --- a/packages/pad/kibana/dashboard/pad-71c4cb79-3d39-4f27-9bbf-1b273c9c37cc.json +++ b/packages/pad/kibana/dashboard/pad-71c4cb79-3d39-4f27-9bbf-1b273c9c37cc.json 
@@ -3,7 +3,7 @@ "description": "This dashboard offers an overview of anomalies identified in Linux logs by the Privileged Access Detection package.", "hits": 0, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"job_id : (\\\"pad_linux_high_count_privileged_process_events_by_user\\\" or \\\"pad_linux_rare_process_executed_by_user\\\" or \\\"pad_linux_high_median_process_command_line_entropy_by_user\\\")\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"type\":\"custom\",\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"query\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"bool\":{\"filter\":[{\"term\":{\"result_type\":{\"value\":\"record\"}}}]}}}]}" + "searchSourceJSON": "{\"query\":{\"query\":\"job_id : (\\\"pad_linux_high_count_privileged_process_events_by_user_euid\\\" or \\\"pad_linux_rare_process_executed_by_user_euid\\\" or \\\"pad_linux_high_median_process_command_line_entropy_by_user_euid\\\")\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"type\":\"custom\",\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"query\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"bool\":{\"filter\":[{\"term\":{\"result_type\":{\"value\":\"record\"}}}]}}}]}" }, "optionsJSON": { "hidePanelTitles": false, 
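Review bot: the `+` searchSourceJSON line replaces the three hardcoded job IDs in the KQL `job_id : (...)` filter with their `_euid` variants (`pad_linux_high_count_privileged_process_events_by_user_euid`, `pad_linux_rare_process_executed_by_user_euid`, `pad_linux_high_median_process_command_line_entropy_by_user_euid`), so anomaly records written by the previous job IDs no longer match and an existing deployment that upgrades the package while the old jobs are still running will see an empty Linux dashboard until the old jobs are stopped and the new ones are created. Either keep both sets of IDs in the `or` list for one release, or call the rename out as a breaking change in the package changelog and README so operators know to recreate the jobs.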
@@ -11,7 +11,7 @@ "syncTooltips": false, "useMargins": true }, - "panelsJSON": "[{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":11,\"h\":8,\"i\":\"5f659483-b424-415f-aea1-c36bd1f65b0a\"},\"panelIndex\":\"5f659483-b424-415f-aea1-c36bd1f65b0a\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-00897d5d-df2a-4a94-b918-82f2625dfb2a\"}],\"state\":{\"visualization\":{\"layerId\":\"00897d5d-df2a-4a94-b918-82f2625dfb2a\",\"accessor\":\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"00897d5d-df2a-4a94-b918-82f2625dfb2a\":{\"columns\":{\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\":{\"label\":\"Anomalous host names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":0,\"w\":11,\"h\":8,\"i\":\"5183abf0-ed13-455e-9f43-4f03c1d8738f\"},\"panelIndex\":\"5183abf0-ed13-455e-9f43-4f03c1d8738f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-00897d5d-df2a-4a94-b918-82f2625dfb2a\"}],\"state\":{\"visualiz
ation\":{\"layerId\":\"00897d5d-df2a-4a94-b918-82f2625dfb2a\",\"accessor\":\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"00897d5d-df2a-4a94-b918-82f2625dfb2a\":{\"columns\":{\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\":{\"label\":\"Anomalous user names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"user.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"ml_anomaly_swimlane\",\"gridData\":{\"x\":22,\"y\":0,\"w\":26,\"h\":18,\"i\":\"74fa9f56-104a-4efa-aec3-844420c0350d\"},\"panelIndex\":\"74fa9f56-104a-4efa-aec3-844420c0350d\",\"embeddableConfig\":{\"jobIds\":[\"pad_linux_high_count_privileged_process_events_by_user\",\"pad_linux_high_median_process_command_line_entropy_by_user\",\"pad_linux_rare_process_executed_by_user\"],\"panelTitle\":\"ML anomaly swim lane for pad_linux_high_count_privileged_process_events_by_user, pad_linux_high_median_process_command_line_entropy_by_user, pad_linux_rare_process_executed_by_user\",\"swimlaneType\":\"viewBy\",\"viewBy\":\"job ID\",\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected by their Job ID and 
Severity\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":8,\"w\":11,\"h\":10,\"i\":\"69788132-8446-4d88-baef-81dbb0c34bbb\"},\"panelIndex\":\"69788132-8446-4d88-baef-81dbb0c34bbb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\":{\"columns\":{\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\":{\"label\":\"User names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"user.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\",\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 User names\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":8,\"w\":11,\"h\":10,\"i\":\"fa9be72f-18d4-4054-85a1-6c35f3a44406\"},\"panelIndex\":\"fa9be72f-18d4-4054-85a1-6c35f3a44406\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\":{\"columns\":{\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\":{\"label\":\"Host 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\",\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Host names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":18,\"w\":48,\"h\":9,\"i\":\"437c12af-ddd9-4ffa-a43f-df5693028ae3\"},\"panelIndex\":\"437c12af-ddd9-4ffa-a43f-df5693028ae3\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-a25cc1d0-4da8-4e42-9d93-7800fd4573bf\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY 
chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"a25cc1d0-4da8-4e42-9d93-7800fd4573bf\",\"accessors\":[\"7bf6b54c-a978-44a5-a882-3e3398a9a49d\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"6e60ffb4-8f27-4d05-b120-699ffa51c46c\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"a25cc1d0-4da8-4e42-9d93-7800fd4573bf\":{\"columns\":{\"6e60ffb4-8f27-4d05-b120-699ffa51c46c\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":false,\"dropPartials\":false}},\"7bf6b54c-a978-44a5-a882-3e3398a9a49d\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"6e60ffb4-8f27-4d05-b120-699ffa51c46c\",\"7bf6b54c-a978-44a5-a882-3e3398a9a49d\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected over 
time\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":27,\"w\":21,\"h\":12,\"i\":\"a86a0e06-7e5c-4cf5-9e52-884a1b83f00d\"},\"panelIndex\":\"a86a0e06-7e5c-4cf5-9e52-884a1b83f00d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-bb8cc50c-32fa-4f4e-846d-f8128bc9cbd5\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal\",\"layers\":[{\"layerId\":\"bb8cc50c-32fa-4f4e-846d-f8128bc9cbd5\",\"accessors\":[\"f99b8911-2434-488c-92e3-208a71fa6abd\"],\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"d1ed4962-15bf-4a35-a43f-d68f3d9f269e\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"bb8cc50c-32fa-4f4e-846d-f8128bc9cbd5\":{\"columns\":{\"d1ed4962-15bf-4a35-a43f-d68f3d9f269e\":{\"label\":\"Top 10 process names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f99b8911-2434-488c-92e3-208a71fa6abd\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"f99b8911-2434-488c-92e3-208a71fa6abd\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"d1ed4962-15bf-4a35-a43f-d68f3d9f269e\",\"f99b8911-2434-488c-92e3-208a71fa6abd\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Process names\"},{\"type\":\"lens\",\"gridData\":{\"x\":21,\"y\":27,\"w\":27,\"h\":12,\"i\":\"ef4641fe-8802-4ca1-aae2-e4a7fdf80c25\"},\"panelIndex\":\"ef4641fe-8802-4ca1-aae2-e4a7fdf80c25\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-adf86fac-24b5-464e-83c0-0353583f7769\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"3723924b-14a6-414d-b1a9-0704cd57703e\",\"isTransposed\":false,\"isMetric\":false,\"oneClickFilter\":false},{\"columnId\":\"01945a54-9581-4d1a-8bbf-8ffb641b8f32\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"adf86fac-24b5-464e-83c0-0353583f7769\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"adf86fac-24b5-464e-83c0-0353583f7769\":{\"columns\":{\"3723924b-14a6-414d-b1a9-0704cd57703e\":{\"label\":\"Command 
lines\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.command_line\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"01945a54-9581-4d1a-8bbf-8ffb641b8f32\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"01945a54-9581-4d1a-8bbf-8ffb641b8f32\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3723924b-14a6-414d-b1a9-0704cd57703e\",\"01945a54-9581-4d1a-8bbf-8ffb641b8f32\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Command lines\"}]", + "panelsJSON": 
"[{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":11,\"h\":8,\"i\":\"5f659483-b424-415f-aea1-c36bd1f65b0a\"},\"panelIndex\":\"5f659483-b424-415f-aea1-c36bd1f65b0a\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-00897d5d-df2a-4a94-b918-82f2625dfb2a\"}],\"state\":{\"visualization\":{\"layerId\":\"00897d5d-df2a-4a94-b918-82f2625dfb2a\",\"accessor\":\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"00897d5d-df2a-4a94-b918-82f2625dfb2a\":{\"columns\":{\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\":{\"label\":\"Anomalous host names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":0,\"w\":11,\"h\":8,\"i\":\"5183abf0-ed13-455e-9f43-4f03c1d8738f\"},\"panelIndex\":\"5183abf0-ed13-455e-9f43-4f03c1d8738f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-00897d5d-df2a-4a94-b918-82f2625dfb2a\"}],\"state\":{\"visualization\":{\"layerId\":\"00897d5d-df2a-4a94-b918-82f2625dfb2a\",\"accessor\":\"be
65b39c-4d7a-426a-bd7b-b1d51cde9f18\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"00897d5d-df2a-4a94-b918-82f2625dfb2a\":{\"columns\":{\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\":{\"label\":\"Anomalous user names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"user.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"ml_anomaly_swimlane\",\"gridData\":{\"x\":22,\"y\":0,\"w\":26,\"h\":18,\"i\":\"74fa9f56-104a-4efa-aec3-844420c0350d\"},\"panelIndex\":\"74fa9f56-104a-4efa-aec3-844420c0350d\",\"embeddableConfig\":{\"jobIds\":[\"pad_linux_high_count_privileged_process_events_by_user_euid\",\"pad_linux_high_median_process_command_line_entropy_by_user_euid\",\"pad_linux_rare_process_executed_by_user_euid\"],\"panelTitle\":\"ML anomaly swim lane for pad_linux_high_count_privileged_process_events_by_user_euid, pad_linux_high_median_process_command_line_entropy_by_user_euid, pad_linux_rare_process_executed_by_user_euid\",\"swimlaneType\":\"viewBy\",\"viewBy\":\"job ID\",\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected by their Job ID and 
Severity\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":8,\"w\":11,\"h\":10,\"i\":\"69788132-8446-4d88-baef-81dbb0c34bbb\"},\"panelIndex\":\"69788132-8446-4d88-baef-81dbb0c34bbb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\":{\"columns\":{\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\":{\"label\":\"User names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"user.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\",\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 User names\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":8,\"w\":11,\"h\":10,\"i\":\"fa9be72f-18d4-4054-85a1-6c35f3a44406\"},\"panelIndex\":\"fa9be72f-18d4-4054-85a1-6c35f3a44406\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\":{\"columns\":{\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\":{\"label\":\"Host 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\",\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Host names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":18,\"w\":48,\"h\":9,\"i\":\"437c12af-ddd9-4ffa-a43f-df5693028ae3\"},\"panelIndex\":\"437c12af-ddd9-4ffa-a43f-df5693028ae3\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-a25cc1d0-4da8-4e42-9d93-7800fd4573bf\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY 
chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"a25cc1d0-4da8-4e42-9d93-7800fd4573bf\",\"accessors\":[\"7bf6b54c-a978-44a5-a882-3e3398a9a49d\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"6e60ffb4-8f27-4d05-b120-699ffa51c46c\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"a25cc1d0-4da8-4e42-9d93-7800fd4573bf\":{\"columns\":{\"6e60ffb4-8f27-4d05-b120-699ffa51c46c\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":false,\"dropPartials\":false}},\"7bf6b54c-a978-44a5-a882-3e3398a9a49d\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"6e60ffb4-8f27-4d05-b120-699ffa51c46c\",\"7bf6b54c-a978-44a5-a882-3e3398a9a49d\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected over 
time\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":27,\"w\":21,\"h\":12,\"i\":\"a86a0e06-7e5c-4cf5-9e52-884a1b83f00d\"},\"panelIndex\":\"a86a0e06-7e5c-4cf5-9e52-884a1b83f00d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-bb8cc50c-32fa-4f4e-846d-f8128bc9cbd5\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal\",\"layers\":[{\"layerId\":\"bb8cc50c-32fa-4f4e-846d-f8128bc9cbd5\",\"accessors\":[\"f99b8911-2434-488c-92e3-208a71fa6abd\"],\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"d1ed4962-15bf-4a35-a43f-d68f3d9f269e\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"bb8cc50c-32fa-4f4e-846d-f8128bc9cbd5\":{\"columns\":{\"d1ed4962-15bf-4a35-a43f-d68f3d9f269e\":{\"label\":\"Top 10 process names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f99b8911-2434-488c-92e3-208a71fa6abd\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"f99b8911-2434-488c-92e3-208a71fa6abd\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"d1ed4962-15bf-4a35-a43f-d68f3d9f269e\",\"f99b8911-2434-488c-92e3-208a71fa6abd\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Process names\"},{\"type\":\"lens\",\"gridData\":{\"x\":21,\"y\":27,\"w\":27,\"h\":12,\"i\":\"ef4641fe-8802-4ca1-aae2-e4a7fdf80c25\"},\"panelIndex\":\"ef4641fe-8802-4ca1-aae2-e4a7fdf80c25\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-adf86fac-24b5-464e-83c0-0353583f7769\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"3723924b-14a6-414d-b1a9-0704cd57703e\",\"isTransposed\":false,\"isMetric\":false,\"oneClickFilter\":false},{\"columnId\":\"01945a54-9581-4d1a-8bbf-8ffb641b8f32\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"adf86fac-24b5-464e-83c0-0353583f7769\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"adf86fac-24b5-464e-83c0-0353583f7769\":{\"columns\":{\"3723924b-14a6-414d-b1a9-0704cd57703e\":{\"label\":\"Command 
lines\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.command_line\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"01945a54-9581-4d1a-8bbf-8ffb641b8f32\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"01945a54-9581-4d1a-8bbf-8ffb641b8f32\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3723924b-14a6-414d-b1a9-0704cd57703e\",\"01945a54-9581-4d1a-8bbf-8ffb641b8f32\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Command lines\"}]", "timeRestore": false, "title": "Privileged Access Detection Dashboard [Linux]", "version": 1 diff --git a/packages/pad/kibana/dashboard/pad-aea2c9d3-c841-4466-8c61-c0ffbf6ac976.json b/packages/pad/kibana/dashboard/pad-aea2c9d3-c841-4466-8c61-c0ffbf6ac976.json index de3024fad67..aa78f67bacb 100644 --- a/packages/pad/kibana/dashboard/pad-aea2c9d3-c841-4466-8c61-c0ffbf6ac976.json +++ b/packages/pad/kibana/dashboard/pad-aea2c9d3-c841-4466-8c61-c0ffbf6ac976.json 
@@ -3,7 +3,7 @@ "description": "This dashboard offers an overview of anomalies identified in Okta system logs by the Privileged Access Detection package.", "hits": 0, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"job_id : (\\\"pad_okta_spike_in_group_membership_changes\\\" or \\\"pad_okta_spike_in_user_lifecycle_management_changes\\\" or \\\"pad_okta_spike_in_group_privilege_changes\\\" or \\\"pad_okta_spike_in_group_application_assignment_changes\\\" or \\\"pad_okta_spike_in_group_lifecycle_changes\\\" or \\\"pad_okta_high_sum_concurrent_sessions_by_user\\\" or \\\"pad_okta_rare_source_ip_by_user\\\" or \\\"pad_okta_rare_region_name_by_user\\\" or \\\"pad_okta_rare_host_name_by_user\\\")\\n\\n\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"type\":\"custom\",\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"query\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"bool\":{\"filter\":[{\"term\":{\"result_type\":{\"value\":\"record\"}}}]}}}]}" + "searchSourceJSON": "{\"query\":{\"query\":\"job_id : (\\\"pad_okta_spike_in_group_membership_changes_euid\\\" or \\\"pad_okta_spike_in_user_lifecycle_management_changes_euid\\\" or \\\"pad_okta_spike_in_group_privilege_changes_euid\\\" or \\\"pad_okta_spike_in_group_application_assignment_changes_euid\\\" or \\\"pad_okta_spike_in_group_lifecycle_changes_euid\\\" or \\\"pad_okta_high_sum_concurrent_sessions_by_user_euid\\\" or \\\"pad_okta_rare_source_ip_by_user_euid\\\" or \\\"pad_okta_rare_region_name_by_user_euid\\\" or 
\\\"pad_okta_rare_host_name_by_user_euid\\\")\\n\\n\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"type\":\"custom\",\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"query\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"bool\":{\"filter\":[{\"term\":{\"result_type\":{\"value\":\"record\"}}}]}}}]}" }, "optionsJSON": { "hidePanelTitles": false, 
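Review bot: the saved-search filter in this hunk now matches only the nine `_euid` job IDs, so anomaly records written by jobs that were created under the previous IDs (`pad_okta_spike_in_group_membership_changes`, `pad_okta_rare_source_ip_by_user`, and the rest of the removed list) will disappear from this dashboard as soon as the package is upgraded, even if those jobs are still running. If that is the intended cut-over, the changelog and README touched by this PR should tell users to stop the old jobs and start the `_euid` ones; otherwise consider matching both the old and the new IDs in the `job_id : (...)` clause for a transition period. Minor, while this line is being rewritten anyway: the KQL string still ends in two literal newlines (`\\n\\n` before `\",\"language\":\"kuery\"`), which are carried over from the old line and can be dropped.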
@@ -11,7 +11,7 @@ "syncTooltips": false, "useMargins": true }, - "panelsJSON": "[{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":11,\"h\":8,\"i\":\"9102c38b-a4e9-4219-97f8-b2e000bd3af6\"},\"panelIndex\":\"9102c38b-a4e9-4219-97f8-b2e000bd3af6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\"}],\"state\":{\"visualization\":{\"layerId\":\"606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\",\"accessor\":\"aec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\":{\"columns\":{\"aec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\":{\"label\":\"Anomalous host names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"agent.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"aec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":0,\"w\":11,\"h\":8,\"i\":\"c2594a80-809a-4db9-949f-c23de974e903\"},\"panelIndex\":\"c2594a80-809a-4db9-949f-c23de974e903\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\"}],\"state\":{\"visuali
zation\":{\"layerId\":\"606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\",\"accessor\":\"aec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\":{\"columns\":{\"aec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\":{\"label\":\"Anomalous user names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"source.user.full_name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"aec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"ml_anomaly_swimlane\",\"gridData\":{\"x\":22,\"y\":0,\"w\":26,\"h\":19,\"i\":\"8a24b8ca-19da-4eb9-9ac3-d09bb362abb2\"},\"panelIndex\":\"8a24b8ca-19da-4eb9-9ac3-d09bb362abb2\",\"embeddableConfig\":{\"jobIds\":[\"pad_okta_high_sum_concurrent_sessions_by_user\",\"pad_okta_rare_host_name_by_user\",\"pad_okta_rare_region_name_by_user\",\"pad_okta_rare_source_ip_by_user\",\"pad_okta_spike_in_group_application_assignment_changes\",\"pad_okta_spike_in_group_lifecycle_changes\",\"pad_okta_spike_in_group_membership_changes\",\"pad_okta_spike_in_group_privilege_changes\",\"pad_okta_spike_in_user_lifecycle_management_changes\"],\"panelTitle\":\"ML anomaly swim lane for pad_okta_high_sum_concurrent_sessions_by_user, pad_okta_rare_host_name_by_user, pad_okta_rare_region_name_by_user, pad_okta_rare_source_ip_by_user, pad_okta_spike_in_group_application_assignment_changes, pad_okta_spike_in_group_lifecycle_changes, pad_okta_spike_in_group_membership_changes, 
pad_okta_spike_in_group_privilege_changes, pad_okta_spike_in_user_lifecycle_management_changes\",\"swimlaneType\":\"viewBy\",\"viewBy\":\"job ID\",\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected by their Job ID and Severity\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":8,\"w\":11,\"h\":11,\"i\":\"fe8ca082-0cbb-4e64-87c0-71b580b22776\"},\"panelIndex\":\"fe8ca082-0cbb-4e64-87c0-71b580b22776\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"471aae81-d83d-4ef6-942b-c92f9fe26435\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\":{\"columns\":{\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\":{\"label\":\"User names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.user.full_name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"471aae81-d83d-4ef6-942b-c92f9fe26435\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"471aae81-d83d-4ef6-942b-c92f9fe26435\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\",\"471aae81-d83d-4ef6-942b-c92f9fe26435\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 User names\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":8,\"w\":11,\"h\":11,\"i\":\"87db855a-4b1c-43b0-92f7-23d991abc98d\"},\"panelIndex\":\"87db855a-4b1c-43b0-92f7-23d991abc98d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"471aae81-d83d-4ef6-942b-c92f9fe26435\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"single\",\"rowHeightLines\":1},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\":{\"columns\":{\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\":{\"label\":\"Host 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"471aae81-d83d-4ef6-942b-c92f9fe26435\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"471aae81-d83d-4ef6-942b-c92f9fe26435\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\",\"471aae81-d83d-4ef6-942b-c92f9fe26435\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Host names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":19,\"w\":48,\"h\":9,\"i\":\"64a3d12e-87fc-4161-86bf-d10e47cb2131\"},\"panelIndex\":\"64a3d12e-87fc-4161-86bf-d10e47cb2131\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-d53a6d5d-0747-4aff-a8e0-bf3678f0f192\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY 
chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"d53a6d5d-0747-4aff-a8e0-bf3678f0f192\",\"accessors\":[\"8e064c56-fb74-40b3-851d-e3bb934f3224\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"9276778a-5402-4477-825f-bdfec4c9c712\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d53a6d5d-0747-4aff-a8e0-bf3678f0f192\":{\"columns\":{\"8e064c56-fb74-40b3-851d-e3bb934f3224\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"9276778a-5402-4477-825f-bdfec4c9c712\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":false,\"dropPartials\":false}}},\"columnOrder\":[\"9276778a-5402-4477-825f-bdfec4c9c712\",\"8e064c56-fb74-40b3-851d-e3bb934f3224\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected over 
time\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":28,\"w\":12,\"h\":12,\"i\":\"27b2661e-490f-4f5c-80b5-7021b64528da\"},\"panelIndex\":\"27b2661e-490f-4f5c-80b5-7021b64528da\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-aca96b75-931d-4c8d-bcf2-03b37727f51e\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"b9958cde-7f21-4133-9264-e2167b1636ab\",\"isTransposed\":false,\"isMetric\":true},{\"columnId\":\"91d2626d-1b61-4783-ac7b-705b8610f29b\",\"isTransposed\":false,\"isMetric\":false}],\"layerId\":\"aca96b75-931d-4c8d-bcf2-03b37727f51e\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"aca96b75-931d-4c8d-bcf2-03b37727f51e\":{\"columns\":{\"b9958cde-7f21-4133-9264-e2167b1636ab\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"91d2626d-1b61-4783-ac7b-705b8610f29b\":{\"label\":\"Okta event 
types\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"okta.event_type\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"b9958cde-7f21-4133-9264-e2167b1636ab\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"91d2626d-1b61-4783-ac7b-705b8610f29b\",\"b9958cde-7f21-4133-9264-e2167b1636ab\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Okta event types\"},{\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":28,\"w\":12,\"h\":12,\"i\":\"1f7cd6af-eee1-4456-a555-e257acb9dbae\"},\"panelIndex\":\"1f7cd6af-eee1-4456-a555-e257acb9dbae\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-aca96b75-931d-4c8d-bcf2-03b37727f51e\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"b9958cde-7f21-4133-9264-e2167b1636ab\",\"isTransposed\":false,\"isMetric\":true},{\"columnId\":\"91d2626d-1b61-4783-ac7b-705b8610f29b\",\"isTransposed\":false,\"isMetric\":false}],\"layerId\":\"aca96b75-931d-4c8d-bcf2-03b37727f51e\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"aca96b75-931d-4c8d-bcf2-03b37727f51e\":{\"columns\":{\"b9958cde-7f21-4133-9264-e2167b1636ab\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"91d2626d-1b61-4783-ac7b-705b8610f29b\":{\"label\":\"Source IPs\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.ip\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"b9958cde-7f21-4133-9264-e2167b1636ab\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true}},\"columnOrder\":[\"91d2626d-1b61-4783-ac7b-705b8610f29b\",\"b9958cde-7f21-4133-9264-e2167b1636ab\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Source 
IPs\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":28,\"w\":24,\"h\":12,\"i\":\"151ae1ee-f82f-4233-8901-4b54548fa92f\"},\"panelIndex\":\"151ae1ee-f82f-4233-8901-4b54548fa92f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-ca9ed90b-110a-4dec-a680-bd615c54f318\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal\",\"layers\":[{\"layerId\":\"ca9ed90b-110a-4dec-a680-bd615c54f318\",\"seriesType\":\"bar_horizontal\",\"xAccessor\":\"e789ceb8-c70c-43af-9126-bd9d7958f77b\",\"accessors\":[\"3f708596-2ad5-4a79-818d-4054db051bd4\"],\"yConfig\":[{\"forAccessor\":\"3f708596-2ad5-4a79-818d-4054db051bd4\",\"color\":\"#6092c0\"}],\"layerType\":\"data\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"ca9ed90b-110a-4dec-a680-bd615c54f318\":{\"columns\":{\"3f708596-2ad5-4a79-818d-4054db051bd4\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"e789ceb8-c70c-43af-9126-bd9d7958f77b\":{\"label\":\"Top 10 region 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"client.geo.region_name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"3f708596-2ad5-4a79-818d-4054db051bd4\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true}},\"columnOrder\":[\"e789ceb8-c70c-43af-9126-bd9d7958f77b\",\"3f708596-2ad5-4a79-818d-4054db051bd4\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Geo-regions\"}]", + "panelsJSON": "[{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":11,\"h\":8,\"i\":\"9102c38b-a4e9-4219-97f8-b2e000bd3af6\"},\"panelIndex\":\"9102c38b-a4e9-4219-97f8-b2e000bd3af6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\"}],\"state\":{\"visualization\":{\"layerId\":\"606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\",\"accessor\":\"aec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\":{\"columns\":{\"aec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\":{\"label\":\"Anomalous host names 
detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"agent.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"aec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":0,\"w\":11,\"h\":8,\"i\":\"c2594a80-809a-4db9-949f-c23de974e903\"},\"panelIndex\":\"c2594a80-809a-4db9-949f-c23de974e903\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\"}],\"state\":{\"visualization\":{\"layerId\":\"606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\",\"accessor\":\"aec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\":{\"columns\":{\"aec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\":{\"label\":\"Anomalous user names 
detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"source.user.full_name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"aec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"ml_anomaly_swimlane\",\"gridData\":{\"x\":22,\"y\":0,\"w\":26,\"h\":19,\"i\":\"8a24b8ca-19da-4eb9-9ac3-d09bb362abb2\"},\"panelIndex\":\"8a24b8ca-19da-4eb9-9ac3-d09bb362abb2\",\"embeddableConfig\":{\"jobIds\":[\"pad_okta_high_sum_concurrent_sessions_by_user_euid\",\"pad_okta_rare_host_name_by_user_euid\",\"pad_okta_rare_region_name_by_user_euid\",\"pad_okta_rare_source_ip_by_user_euid\",\"pad_okta_spike_in_group_application_assignment_changes_euid\",\"pad_okta_spike_in_group_lifecycle_changes_euid\",\"pad_okta_spike_in_group_membership_changes_euid\",\"pad_okta_spike_in_group_privilege_changes_euid\",\"pad_okta_spike_in_user_lifecycle_management_changes_euid\"],\"panelTitle\":\"ML anomaly swim lane for pad_okta_high_sum_concurrent_sessions_by_user_euid, pad_okta_rare_host_name_by_user_euid, pad_okta_rare_region_name_by_user_euid, pad_okta_rare_source_ip_by_user_euid, pad_okta_spike_in_group_application_assignment_changes_euid, pad_okta_spike_in_group_lifecycle_changes_euid, pad_okta_spike_in_group_membership_changes_euid, pad_okta_spike_in_group_privilege_changes_euid, pad_okta_spike_in_user_lifecycle_management_changes_euid\",\"swimlaneType\":\"viewBy\",\"viewBy\":\"job ID\",\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected by their Job ID and 
Severity\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":8,\"w\":11,\"h\":11,\"i\":\"fe8ca082-0cbb-4e64-87c0-71b580b22776\"},\"panelIndex\":\"fe8ca082-0cbb-4e64-87c0-71b580b22776\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"471aae81-d83d-4ef6-942b-c92f9fe26435\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\":{\"columns\":{\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\":{\"label\":\"User names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.user.full_name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"471aae81-d83d-4ef6-942b-c92f9fe26435\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"471aae81-d83d-4ef6-942b-c92f9fe26435\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\",\"471aae81-d83d-4ef6-942b-c92f9fe26435\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 User names\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":8,\"w\":11,\"h\":11,\"i\":\"87db855a-4b1c-43b0-92f7-23d991abc98d\"},\"panelIndex\":\"87db855a-4b1c-43b0-92f7-23d991abc98d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"471aae81-d83d-4ef6-942b-c92f9fe26435\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"single\",\"rowHeightLines\":1},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\":{\"columns\":{\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\":{\"label\":\"Host 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"471aae81-d83d-4ef6-942b-c92f9fe26435\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"471aae81-d83d-4ef6-942b-c92f9fe26435\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\",\"471aae81-d83d-4ef6-942b-c92f9fe26435\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Host names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":19,\"w\":48,\"h\":9,\"i\":\"64a3d12e-87fc-4161-86bf-d10e47cb2131\"},\"panelIndex\":\"64a3d12e-87fc-4161-86bf-d10e47cb2131\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-d53a6d5d-0747-4aff-a8e0-bf3678f0f192\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY 
chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"d53a6d5d-0747-4aff-a8e0-bf3678f0f192\",\"accessors\":[\"8e064c56-fb74-40b3-851d-e3bb934f3224\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"9276778a-5402-4477-825f-bdfec4c9c712\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d53a6d5d-0747-4aff-a8e0-bf3678f0f192\":{\"columns\":{\"8e064c56-fb74-40b3-851d-e3bb934f3224\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"9276778a-5402-4477-825f-bdfec4c9c712\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":false,\"dropPartials\":false}}},\"columnOrder\":[\"9276778a-5402-4477-825f-bdfec4c9c712\",\"8e064c56-fb74-40b3-851d-e3bb934f3224\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected over 
time\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":28,\"w\":12,\"h\":12,\"i\":\"27b2661e-490f-4f5c-80b5-7021b64528da\"},\"panelIndex\":\"27b2661e-490f-4f5c-80b5-7021b64528da\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-aca96b75-931d-4c8d-bcf2-03b37727f51e\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"b9958cde-7f21-4133-9264-e2167b1636ab\",\"isTransposed\":false,\"isMetric\":true},{\"columnId\":\"91d2626d-1b61-4783-ac7b-705b8610f29b\",\"isTransposed\":false,\"isMetric\":false}],\"layerId\":\"aca96b75-931d-4c8d-bcf2-03b37727f51e\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"aca96b75-931d-4c8d-bcf2-03b37727f51e\":{\"columns\":{\"b9958cde-7f21-4133-9264-e2167b1636ab\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"91d2626d-1b61-4783-ac7b-705b8610f29b\":{\"label\":\"Okta event 
types\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"okta.event_type\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"b9958cde-7f21-4133-9264-e2167b1636ab\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"91d2626d-1b61-4783-ac7b-705b8610f29b\",\"b9958cde-7f21-4133-9264-e2167b1636ab\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Okta event types\"},{\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":28,\"w\":12,\"h\":12,\"i\":\"1f7cd6af-eee1-4456-a555-e257acb9dbae\"},\"panelIndex\":\"1f7cd6af-eee1-4456-a555-e257acb9dbae\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-aca96b75-931d-4c8d-bcf2-03b37727f51e\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"b9958cde-7f21-4133-9264-e2167b1636ab\",\"isTransposed\":false,\"isMetric\":true},{\"columnId\":\"91d2626d-1b61-4783-ac7b-705b8610f29b\",\"isTransposed\":false,\"isMetric\":false}],\"layerId\":\"aca96b75-931d-4c8d-bcf2-03b37727f51e\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"aca96b75-931d-4c8d-bcf2-03b37727f51e\":{\"columns\":{\"b9958cde-7f21-4133-9264-e2167b1636ab\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"91d2626d-1b61-4783-ac7b-705b8610f29b\":{\"label\":\"Source IPs\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.ip\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"b9958cde-7f21-4133-9264-e2167b1636ab\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true}},\"columnOrder\":[\"91d2626d-1b61-4783-ac7b-705b8610f29b\",\"b9958cde-7f21-4133-9264-e2167b1636ab\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Source 
IPs\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":28,\"w\":24,\"h\":12,\"i\":\"151ae1ee-f82f-4233-8901-4b54548fa92f\"},\"panelIndex\":\"151ae1ee-f82f-4233-8901-4b54548fa92f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-ca9ed90b-110a-4dec-a680-bd615c54f318\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal\",\"layers\":[{\"layerId\":\"ca9ed90b-110a-4dec-a680-bd615c54f318\",\"seriesType\":\"bar_horizontal\",\"xAccessor\":\"e789ceb8-c70c-43af-9126-bd9d7958f77b\",\"accessors\":[\"3f708596-2ad5-4a79-818d-4054db051bd4\"],\"yConfig\":[{\"forAccessor\":\"3f708596-2ad5-4a79-818d-4054db051bd4\",\"color\":\"#6092c0\"}],\"layerType\":\"data\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"ca9ed90b-110a-4dec-a680-bd615c54f318\":{\"columns\":{\"3f708596-2ad5-4a79-818d-4054db051bd4\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"e789ceb8-c70c-43af-9126-bd9d7958f77b\":{\"label\":\"Top 10 region 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"client.geo.region_name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"3f708596-2ad5-4a79-818d-4054db051bd4\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true}},\"columnOrder\":[\"e789ceb8-c70c-43af-9126-bd9d7958f77b\",\"3f708596-2ad5-4a79-818d-4054db051bd4\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Geo-regions\"}]", "timeRestore": false, "title": "Privileged Access Detection Dashboard [Okta]", "version": 1 diff --git a/packages/pad/kibana/ml_module/pad-ml.json b/packages/pad/kibana/ml_module/pad-ml.json index c91ab105138..e7c1f82b14e 100644 --- a/packages/pad/kibana/ml_module/pad-ml.json +++ b/packages/pad/kibana/ml_module/pad-ml.json 
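Review bot: the swim-lane panel now lists the `_euid` job IDs (`pad_okta_high_sum_concurrent_sessions_by_user_euid`, `pad_okta_rare_host_name_by_user_euid`, …), but the Lens metrics and tables in the same panelsJSON still aggregate on `agent.name`, `source.user.full_name`, `source.ip` and `client.geo.region_name`; since the EUID jobs in this patch's pad-ml.json hunk emit `host.entity.id_computed` / `user.entity.id_computed` as influencers, the "Anomalous host names detected" and "Anomalous user names detected" unique counts will only be correct if those ECS fields are still written to the anomaly records, so either confirm that or change the `sourceField` values to the entity-ID fields. Minor: the "Anomalies detected over time" panel still carries the default visualization title `Empty XY chart` in its state and can be cleared.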
@@ -1,2385 +1,2599 @@ { - "attributes": { - "id": "pad-ml", - "title": "Privileged Access Detection", - "description": "Detects anomalous privileged access activity in the Windows, Linux and Okta logs.", - "type": "pad", - "logo": { - "icon": "machineLearningApp" - }, - "query": { - "bool": { - "should": [ - { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "exists": { - "field": "winlog.event_id" - } + "attributes": { + "id": "pad-ml", + "title": "Privileged Access Detection", + "description": "Detects anomalous privileged access activity in the Windows, Linux and Okta logs.", + "type": "pad", + "logo": { + "icon": "machineLearningApp" + }, + "query": { + "bool": { + "should": [ + { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] } - ] - } - }, - { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "linux", - "Linux" - ] - } - }, - { - "term": { - "event.category": "process" - } + }, + { + "exists": { + "field": "winlog.event_id" } - ] - } - }, - { - "exists": { - "field": "privilege_type" - } - }, - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "exists": { - "field": "okta_distinct_ips" - } + } + ] } - ], - "must_not": { - "terms": { - "_tier": [ - "data_frozen", - "data_cold" + }, + { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "linux", + "Linux" + ] + } + }, + { + "term": { + "event.category": "process" + } + } ] } + }, + { + "exists": { + "field": "privilege_type" + } + }, + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "exists": { + "field": "okta_distinct_ips" + } + } + ], + "must_not": { + "terms": { + "_tier": [ + "data_frozen", + "data_cold" + ] + } + } + } + }, + "jobs": [ + { + "id": "pad_windows_high_count_special_logon_events_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects unusually high special logon events initiated by a 
user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of special logon events", + "function": "high_non_zero_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "winlog.event_data.SubjectUserName", + "winlog.event_data.PrivilegeList", + "winlog.event_data.TargetUserName", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } } }, - "jobs": [ - { - "id": "pad_windows_high_count_special_logon_events", - "config": { - "groups": [ - "security", - "pad", - "windows" + { + "id": "pad_windows_high_count_special_privilege_use_events_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects unusually high special privilege use events initiated by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of special privilege use events", + "function": "high_non_zero_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 + } ], - "description": "Detects unusually high special logon events initiated by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of special logon events", - "function": "high_non_zero_count", - "by_field_name": "event.action", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "winlog.event_data.SubjectUserName", - "winlog.event_data.PrivilegeList", - "winlog.event_data.TargetUserName", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + 
"influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "winlog.event_data.SubjectUserName", + "winlog.event_data.PrivilegeList", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_windows_high_count_special_privilege_use_events", - "config": { - "groups": [ - "security", - "pad", - "windows" + } + }, + { + "id": "pad_windows_high_count_group_management_events_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects unusually high security group management events initiated by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of security group management events", + "function": "high_non_zero_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 + } ], - "description": "Detects unusually high special privilege use events initiated by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of special privilege use events", - "function": "high_non_zero_count", - "by_field_name": "event.action", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "winlog.event_data.SubjectUserName", - "winlog.event_data.PrivilegeList", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "winlog.event_data.SubjectUserName", + "group.name", + "winlog.event_data.TargetUserName" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": 
"pad_windows_high_count_group_management_events", - "config": { - "groups": [ - "security", - "pad", - "windows" + } + }, + { + "id": "pad_windows_high_count_user_account_management_events_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects unusually high security user account management events initiated by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of security user account management events", + "function": "high_non_zero_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 + } ], - "description": "Detects unusually high security group management events initiated by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of security group management events", - "function": "high_non_zero_count", - "by_field_name": "event.action", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "winlog.event_data.SubjectUserName", - "group.name", - "winlog.event_data.TargetUserName" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "winlog.event_data.SubjectUserName", + "winlog.event_data.TargetUserName" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_windows_high_count_user_account_management_events", - "config": { - "groups": [ - "security", - "pad", - "windows" + } + }, + { + "id": "pad_windows_rare_privilege_assigned_to_user_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects an unusual privilege type assigned to a user.", + 
"analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare privilege type by user name", + "function": "rare", + "by_field_name": "privilege_type", + "partition_field_name": "user.name", + "detector_index": 0 + } ], - "description": "Detects unusually high security user account management events initiated by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of security user account management events", - "function": "high_non_zero_count", - "by_field_name": "event.action", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "winlog.event_data.SubjectUserName", - "winlog.event_data.TargetUserName" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "privilege_type", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_windows_rare_privilege_assigned_to_user", - "config": { - "groups": [ - "security", - "pad", - "windows" + } + }, + { + "id": "pad_windows_rare_group_name_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects an unusual group name accessed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare group name by user name", + "function": "rare", + "by_field_name": "group.name", + "partition_field_name": "user.name", + "detector_index": 0 + } ], - "description": "Detects an unusual privilege type assigned to a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare privilege type by user name", - "function": "rare", 
- "by_field_name": "privilege_type", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "privilege_type", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "group.name", + "winlog.event_data.TargetUserName", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_windows_rare_group_name_by_user", - "config": { - "groups": [ - "security", - "pad", - "windows" + } + }, + { + "id": "pad_windows_rare_device_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects an unusual device accessed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare device name by user name", + "function": "rare", + "by_field_name": "host.name", + "partition_field_name": "user.name", + "detector_index": 0 + } ], - "description": "Detects an unusual group name accessed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare group name by user name", - "function": "rare", - "by_field_name": "group.name", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "group.name", - "winlog.event_data.TargetUserName", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "group.name", + "winlog.event_data.PrivilegeList", + "event.action" + ] + }, + "data_description": { + 
"time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_windows_rare_device_by_user", - "config": { - "groups": [ - "security", - "pad", - "windows" + } + }, + { + "id": "pad_windows_rare_source_ip_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects an unusual source IP address accessed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare source IP by user name", + "function": "rare", + "by_field_name": "source.ip", + "partition_field_name": "user.name", + "detector_index": 0 + } ], - "description": "Detects an unusual device accessed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare device name by user name", - "function": "rare", - "by_field_name": "host.name", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "group.name", - "winlog.event_data.PrivilegeList", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "source.ip", + "winlog.event_data.PrivilegeList", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_windows_rare_source_ip_by_user", - "config": { - "groups": [ - "security", - "pad", - "windows" + } + }, + { + "id": "pad_windows_rare_region_name_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects an unusual region name for a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare region 
name by user", + "function": "rare", + "by_field_name": "source.geo.region_name", + "partition_field_name": "user.name", + "detector_index": 0 + } ], - "description": "Detects an unusual source IP address accessed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare source IP by user name", - "function": "rare", - "by_field_name": "source.ip", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "source.ip", - "winlog.event_data.PrivilegeList", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "source.geo.city_name", + "source.geo.country_name", + "winlog.event_data.PrivilegeList", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_windows_rare_region_name_by_user", - "config": { - "groups": [ - "security", - "pad", - "windows" + } + }, + { + "id": "pad_linux_high_count_privileged_process_events_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "linux" + ], + "description": "Detects a spike in privileged commands executed by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of privileged processes by user name", + "function": "high_non_zero_count", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } ], - "description": "Detects an unusual region name for a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare region name by user", - "function": "rare", - "by_field_name": "source.geo.region_name", - "partition_field_name": "user.name", - 
"detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "source.geo.city_name", - "source.geo.country_name", - "winlog.event_data.PrivilegeList", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "process.name", + "process.command_line" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_linux_high_count_privileged_process_events_by_user", - "config": { - "groups": [ - "security", - "pad", - "linux" + } + }, + { + "id": "pad_linux_rare_process_executed_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "linux" + ], + "description": "Detects a rare process executed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare process by user name", + "function": "rare", + "by_field_name": "process.name", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } ], - "description": "Detects a spike in privileged commands executed by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of privileged processes by user name", - "function": "high_non_zero_count", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "process.name", - "process.command_line" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { 
+ "created_by": "ml-module-pad" } - }, - { - "id": "pad_linux_rare_process_executed_by_user", - "config": { - "groups": [ - "security", - "pad", - "linux" + } + }, + { + "id": "pad_linux_high_median_process_command_line_entropy_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "linux" + ], + "description": "Detects process command lines executed by a user with an abnormally high median entropy value. This job requires some manual setup before it can run successfully, specifically adding custom field mappings for data coming from an ingest pipeline. Instructions for these steps are available in the package overview.", + "analysis_config": { + "bucket_span": "30m", + "detectors": [ + { + "detector_description": "High median of process argument count by user name", + "function": "high_median", + "field_name": "process.command_line_entropy", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } ], - "description": "Detects a rare process executed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare process by user name", - "function": "rare", - "by_field_name": "process.name", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "process.command_line" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_linux_high_median_process_command_line_entropy_by_user", - "config": { - "groups": [ - "security", - "pad", - "linux" + } + }, + { + "id": "pad_okta_spike_in_group_membership_changes_euid", + "config": { + "groups": [ + "security", + 
"pad", + "okta" + ], + "description": "Detects spike in group membership change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of group membership okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } ], - "description": "Detects process command lines executed by a user with an abnormally high median entropy value. This job requires some manual setup before it can run successfully, specifically adding custom field mappings for data coming from an ingest pipeline. Instructions for these steps are available in the package overview.", - "analysis_config": { - "bucket_span": "30m", - "detectors": [ - { - "detector_description": "High median of process argument count by user name", - "function": "high_median", - "field_name": "process.command_line_entropy", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "user.name", - "process.command_line" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "agent.name", + "user.entity.id_computed", + "source.user.full_name", + "user.target.full_name", + "user.target.group.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_okta_spike_in_group_membership_changes", - "config": { - "groups": [ - "security", - "pad", - "okta" + } + }, + { + "id": "pad_okta_spike_in_user_lifecycle_management_changes_euid", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects spike in user lifecycle management change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + 
"detector_description": "High count of user lifecycle management okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } ], - "description": "Detects spike in group membership change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of group membership okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "source.user.name", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "source.user.name", - "source.user.full_name", - "user.target.full_name", - "user.target.group.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "agent.name", + "user.entity.id_computed", + "source.user.full_name", + "user.target.full_name", + "user.target.group.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_okta_spike_in_user_lifecycle_management_changes", - "config": { - "groups": [ - "security", - "pad", - "okta" + } + }, + { + "id": "pad_okta_spike_in_group_privilege_changes_euid", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects spike in group privilege change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of group privilege okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } ], - "description": "Detects spike in user lifecycle management change events by a user.", - "analysis_config": { - 
"bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of user lifecycle management okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "source.user.name", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "source.user.name", - "source.user.full_name", - "user.target.full_name", - "user.target.group.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "agent.name", + "user.entity.id_computed", + "source.user.full_name", + "user.target.full_name", + "user.target.group.name", + "okta.debug_context.debug_data.privilegeGranted", + "okta.debug_context.debug_data.privilegeRevoked" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_okta_spike_in_group_privilege_changes", - "config": { - "groups": [ - "security", - "pad", - "okta" + } + }, + { + "id": "pad_okta_spike_in_group_application_assignment_changes_euid", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects spike in group application assignment change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of group application assignment okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } ], - "description": "Detects spike in group privilege change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of group privilege okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": 
"source.user.name", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "source.user.name", - "source.user.full_name", - "user.target.full_name", - "user.target.group.name", - "okta.debug_context.debug_data.privilegeGranted", - "okta.debug_context.debug_data.privilegeRevoked" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "agent.name", + "user.entity.id_computed", + "source.user.full_name", + "user.target.group.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_okta_spike_in_group_application_assignment_changes", - "config": { - "groups": [ - "security", - "pad", - "okta" + } + }, + { + "id": "pad_okta_spike_in_group_lifecycle_changes_euid", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects spike in group lifecycle change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of group lifecycle okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } ], - "description": "Detects spike in group application assignment change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of group application assignment okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "source.user.name", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "source.user.name", - "source.user.full_name", - "user.target.group.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - 
"custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "agent.name", + "user.entity.id_computed", + "source.user.full_name", + "user.target.group.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_okta_spike_in_group_lifecycle_changes", - "config": { - "groups": [ - "security", - "pad", - "okta" + } + }, + { + "id": "pad_okta_high_sum_concurrent_sessions_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects an unusual sum of active sessions started by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High sum of distinct source ips by user name", + "function": "high_sum", + "field_name": "okta_distinct_ips", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } ], - "description": "Detects spike in group lifecycle change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of group lifecycle okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "source.user.name", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "source.user.name", - "source.user.full_name", - "user.target.group.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "user.entity.id_computed", + "agent.name", + "source.user.full_name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_okta_high_sum_concurrent_sessions_by_user", - "config": { - "groups": [ - "security", - "pad", - "okta" + } + }, + { + "id": 
"pad_okta_rare_source_ip_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects an unusual source IP address accessed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare source ip by user name", + "function": "rare", + "by_field_name": "source.ip", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } ], - "description": "Detects an unusual sum of active sessions started by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High sum of distinct source ips by user name", - "function": "high_sum", - "field_name": "okta_distinct_ips", - "partition_field_name": "source.user.name", - "detector_index": 0 - } - ], - "influencers": [ - "source.user.name", - "agent.name", - "source.user.full_name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "user.entity.id_computed", + "agent.name", + "source.user.full_name", + "user.target.group.name", + "okta.event_type" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_okta_rare_source_ip_by_user", - "config": { - "groups": [ - "security", - "pad", - "okta" + } + }, + { + "id": "pad_okta_rare_region_name_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects an unusual region name for a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare region name by user name", + "function": "rare", + "by_field_name": "client.geo.region_name", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } ], - "description": "Detects an unusual source IP address accessed by a user.", - 
"analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare source ip by user name", - "function": "rare", - "by_field_name": "source.ip", - "partition_field_name": "source.user.name", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "source.user.full_name", - "user.target.group.name", - "okta.event_type" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "user.entity.id_computed", + "agent.name", + "source.user.full_name", + "user.target.group.name", + "okta.event_type", + "client.geo.country_name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_okta_rare_region_name_by_user", - "config": { - "groups": [ - "security", - "pad", - "okta" + } + }, + { + "id": "pad_okta_rare_host_name_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects an unusual host name for a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare host name by user name", + "function": "rare", + "by_field_name": "agent.name", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } ], - "description": "Detects an unusual region name for a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare region name by user name", - "function": "rare", - "by_field_name": "client.geo.region_name", - "partition_field_name": "source.user.name", - "detector_index": 0 + "influencers": [ + "user.entity.id_computed", + "agent.name", + "source.user.full_name", + "user.target.group.name", + "okta.event_type" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": 
"ml-module-pad" + } + } + } + ], + "datafeeds": [ + { + "id": "datafeed-pad_windows_high_count_special_logon_events_euid", + "job_id": "pad_windows_high_count_special_logon_events_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_high_count_special_logon_events_euid", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "logged-in-special", + "logged-in-explicit" + ] + } + }, + { + "terms": { + "event.code": [ + "4672", + "4648" + ] + } } ], - "influencers": [ - "agent.name", - "source.user.full_name", - "user.target.group.name", - "okta.event_type", - "client.geo.country_name" + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } } } - }, - { - "id": "pad_okta_rare_host_name_by_user", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects an unusual host name for a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare host name by user name", - "function": "rare", - "by_field_name": "agent.name", - "partition_field_name": "source.user.name", - "detector_index": 0 + } + }, + { + "id": "datafeed-pad_windows_high_count_special_privilege_use_events_euid", + "job_id": "pad_windows_high_count_special_privilege_use_events_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": 
"pad_windows_high_count_special_privilege_use_events_euid", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "privileged-operation", + "privileged-service-called" + ] + } + }, + { + "terms": { + "event.code": [ + "4673", + "4674" + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } + }, + { + "id": "datafeed-pad_windows_high_count_group_management_events_euid", + "job_id": "pad_windows_high_count_group_management_events_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_high_count_group_management_events_euid", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "added-member-to-group", + "removed-member-from-group" + ] + } + }, + { + "terms": { + "event.code": [ + "4732", + "4728", + "4756", + "4733", + "4729" + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } + }, + { + "id": "datafeed-pad_windows_high_count_user_account_management_events_euid", + "job_id": 
"pad_windows_high_count_user_account_management_events_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_high_count_user_account_management_events_euid", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "enabled-user-account", + "added-user-account", + "deleted-user-account", + "disabled-user-account" + ] + } + }, + { + "terms": { + "event.code": [ + "4722", + "4720", + "4726", + "4725" + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } + }, + { + "id": "datafeed-pad_windows_rare_privilege_assigned_to_user_euid", + "job_id": "pad_windows_rare_privilege_assigned_to_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_privilege_assigned_to_user_euid", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "privilege_type" + } + } + ] + } + } + } + }, + { + "id": "datafeed-pad_windows_rare_group_name_by_user_euid", + "job_id": "pad_windows_rare_group_name_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_group_name_by_user_euid", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "added-member-to-group", + "removed-member-from-group" + ] + } + }, + { + "terms": { + "event.code": [ + "4732", + "4728", + "4756", + "4733", + "4729" + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + 
"elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } + }, + { + "id": "datafeed-pad_windows_rare_device_by_user_euid", + "job_id": "pad_windows_rare_device_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_device_by_user_euid", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "exists": { + "field": "host.name" + } + }, + { + "exists": { + "field": "user.name" + } + }, + { + "terms": { + "event.code": [ + "4720", + "4726", + "4722", + "4756", + "4672", + "4673", + "4674", + "4720", + "4728", + "4732", + "4756", + "624", + "632", + "636", + "660", + "4725", + "4723", + "4648", + "4688", + "4729", + "4733", + "4757", + "637", + "661" + ] + } + } + ], + "must_not": [ + { + "terms": { + "event.action": [ + "log_on", + "created_process" + ] + } + }, + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } + }, + { + "id": "datafeed-pad_windows_rare_source_ip_by_user_euid", + "job_id": "pad_windows_rare_source_ip_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_source_ip_by_user_euid", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + 
}, + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "user.name" + } + }, + { + "terms": { + "event.code": [ + "4720", + "4726", + "4722", + "4756", + "4672", + "4673", + "4674", + "4720", + "4728", + "4732", + "4756", + "624", + "632", + "636", + "660", + "4725", + "4723", + "4648", + "4688", + "4729", + "4733", + "4757", + "637", + "661" + ] + } + } + ], + "must_not": [ + { + "terms": { + "event.action": [ + "log_on", + "created_process" + ] + } + }, + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } + }, + { + "id": "datafeed-pad_windows_rare_region_name_by_user_euid", + "job_id": "pad_windows_rare_region_name_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_region_name_by_user_euid", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "exists": { + "field": "source.geo.region_name" + } + }, + { + "exists": { + "field": "user.name" + } + }, + { + "terms": { + "event.code": [ + "4720", + "4726", + "4722", + "4756", + "4672", + "4673", + "4674", + "4720", + "4728", + "4732", + "4756", + "624", + "632", + "636", + "660", + "4725", + "4723", + "4648", + "4688", + "4729", + "4733", + "4757", + "637", + "661" + ] + } + } + ], + "must_not": [ + { + "terms": { + "event.action": [ + "log_on", + "created_process" + ] + } + }, + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + 
} + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } + }, + { + "id": "datafeed-pad_linux_high_count_privileged_process_events_by_user_euid", + "job_id": "pad_linux_high_count_privileged_process_events_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_linux_high_count_privileged_process_events_by_user_euid", + "query": { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "linux", + "Linux" + ] + } + }, + { + "term": { + "event.category": "process" + } + }, + { + "terms": { + "event.type": [ + "start", + "change" + ] + } + }, + { + "bool": { + "should": [ + { + "match_phrase": { + "process.command_line.text": "LD_PRELOAD" + } + }, + { + "match_phrase": { + "process.command_line.text": "/etc/ld.so.preload" + } + }, + { + "match_phrase": { + "process.command_line.text": "/root/.ssh/authorized_keys" + } + }, + { + "match_phrase": { + "process.command_line.text": "timestamp_timeout=-1" + } + }, + { + "match_phrase": { + "process.command_line.text": "!tty_tickets" + } + }, + { + "match_phrase": { + "process.command_line.text": "var/spool/cron" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl daemon-reload" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw mod user" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw unlock" + } + }, + { + "match_phrase": { + "process.command_line.text": "chmod u+s" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo setcap cap_setuid" + } + }, + { + "match_phrase": { + "process.command_line.text": "su nobody" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo nobody" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo */root/" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*etc/sudoers" + } + }, + { + 
"match_phrase": { + "process.command_line.text": "sudo*visudo" + } + }, + { + "match_phrase": { + "process.command_line.text": "etc/cron.*/" + } + }, + { + "match_phrase": { + "process.command_line.text": "trap*SIGINT" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*2000" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*4000" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl start*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl enable*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bashrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.shrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_logout" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/rc." 
+ } + } + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent", + "elasticsearch-users", + "elastic-agent.exe", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + }, + { + "terms": { + "process.command_line.text": [ + "elastic-agent", + "elasticsearch" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } + }, + { + "id": "datafeed-pad_linux_rare_process_executed_by_user_euid", + "job_id": "pad_linux_rare_process_executed_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_linux_rare_process_executed_by_user_euid", + "query": { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "linux", + "Linux" + ] + } + }, + { + "term": { + "event.category": "process" + } + }, + { + "terms": { + "event.type": [ + "start", + "change" + ] + } + }, + { + "bool": { + "should": [ + { + "match_phrase": { + "process.command_line.text": "LD_PRELOAD" + } + }, + { + "match_phrase": { + "process.command_line.text": "/etc/ld.so.preload" + } + }, + { + "match_phrase": { + "process.command_line.text": "/root/.ssh/authorized_keys" + } + }, + { + "match_phrase": { + "process.command_line.text": "timestamp_timeout=-1" + } + }, + { + "match_phrase": { + "process.command_line.text": "!tty_tickets" + } + }, + { + "match_phrase": { + "process.command_line.text": "var/spool/cron" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl daemon-reload" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw mod user" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw unlock" + } + }, + { + "match_phrase": { + "process.command_line.text": "chmod u+s" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo 
setcap cap_setuid" + } + }, + { + "match_phrase": { + "process.command_line.text": "su nobody" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo nobody" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo */root/" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*etc/sudoers" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*visudo" + } + }, + { + "match_phrase": { + "process.command_line.text": "etc/cron.*/" + } + }, + { + "match_phrase": { + "process.command_line.text": "trap*SIGINT" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*2000" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*4000" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl start*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl enable*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bashrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.shrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_logout" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/rc." 
+ } + } + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent", + "elasticsearch-users", + "elastic-agent.exe", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + }, + { + "terms": { + "process.command_line.text": [ + "elastic-agent", + "elasticsearch" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } + }, + { + "id": "datafeed-pad_linux_high_median_process_command_line_entropy_by_user_euid", + "job_id": "pad_linux_high_median_process_command_line_entropy_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_linux_high_median_process_command_line_entropy_by_user_euid", + "query": { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "linux", + "Linux" + ] + } + }, + { + "term": { + "event.category": "process" + } + }, + { + "terms": { + "event.type": [ + "start", + "change" + ] + } + }, + { + "bool": { + "should": [ + { + "match_phrase": { + "process.command_line.text": "LD_PRELOAD" + } + }, + { + "match_phrase": { + "process.command_line.text": "/etc/ld.so.preload" + } + }, + { + "match_phrase": { + "process.command_line.text": "/root/.ssh/authorized_keys" + } + }, + { + "match_phrase": { + "process.command_line.text": "timestamp_timeout=-1" + } + }, + { + "match_phrase": { + "process.command_line.text": "!tty_tickets" + } + }, + { + "match_phrase": { + "process.command_line.text": "var/spool/cron" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl daemon-reload" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw mod user" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw unlock" + } + }, + { + "match_phrase": { + "process.command_line.text": "chmod u+s" + } + }, + { + 
"match_phrase": { + "process.command_line.text": "sudo setcap cap_setuid" + } + }, + { + "match_phrase": { + "process.command_line.text": "su nobody" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo nobody" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo */root/" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*etc/sudoers" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*visudo" + } + }, + { + "match_phrase": { + "process.command_line.text": "etc/cron.*/" + } + }, + { + "match_phrase": { + "process.command_line.text": "trap*SIGINT" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*2000" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*4000" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl start*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl enable*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bashrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.shrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_logout" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/rc." 
+ } + } + ] + } } ], - "influencers": [ - "agent.name", - "source.user.full_name", - "user.target.group.name", - "okta.event_type" + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent", + "elasticsearch-users", + "elastic-agent.exe", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + }, + { + "terms": { + "process.command_line.text": [ + "elastic-agent", + "elasticsearch" + ] + } + } ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } } } } - ], - "datafeeds": [ - { - "id": "datafeed-pad_windows_high_count_special_logon_events", - "job_id": "pad_windows_high_count_special_logon_events", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_high_count_special_logon_events", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "logged-in-special", - "logged-in-explicit" - ] - } - }, - { - "terms": { - "event.code": [ - "4672", - "4648" - ] - } + }, + { + "id": "datafeed-pad_okta_spike_in_group_membership_changes_euid", + "job_id": "pad_okta_spike_in_group_membership_changes_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_group_membership_changes_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" } - ], - "must_not": [ + }, { "terms": { - "process.name": - [ "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" ] - } - } - ] + 
"okta.event_type": [ + "group.user_membership.add", + "group.user_membership.remove" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" } } } - }, - { - "id": "datafeed-pad_windows_high_count_special_privilege_use_events", - "job_id": "pad_windows_high_count_special_privilege_use_events", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_high_count_special_privilege_use_events", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "privileged-operation", - "privileged-service-called" - ] - } - }, - { - "terms": { - "event.code": [ - "4673", - "4674" - ] - } + } + }, + { + "id": "datafeed-pad_okta_spike_in_user_lifecycle_management_changes_euid", + "job_id": "pad_okta_spike_in_user_lifecycle_management_changes_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_user_lifecycle_management_changes_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" } - ], - "must_not": [ + }, { "terms": { - "process.name": - [ "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" ] - } - } - ] + "okta.event_type": [ + "user.lifecycle.activate", + "user.lifecycle.deactivate", + "user.lifecycle.suspend", + "user.lifecycle.unsuspend", + "user.lifecycle.create", + "user.lifecycle.update" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" } } } - }, - { - "id": "datafeed-pad_windows_high_count_group_management_events", - "job_id": "pad_windows_high_count_group_management_events", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_high_count_group_management_events", - "query": { - 
"bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "added-member-to-group", - "removed-member-from-group" - ] - } - }, - { - "terms": { - "event.code": [ - "4732", - "4728", - "4756", - "4733", - "4729" - ] - } + } + }, + { + "id": "datafeed-pad_okta_spike_in_group_privilege_changes_euid", + "job_id": "pad_okta_spike_in_group_privilege_changes_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_group_privilege_changes_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" } - ], - "must_not": [ + }, { "terms": { - "process.name": - [ "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" ] - } - } - ] + "okta.event_type": [ + "group.privilege.grant", + "group.privilege.revoke" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" } } } - }, - { - "id": "datafeed-pad_windows_high_count_user_account_management_events", - "job_id": "pad_windows_high_count_user_account_management_events", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_high_count_user_account_management_events", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "enabled-user-account", - "added-user-account", - "deleted-user-account", - "disabled-user-account" - ] - } - }, - { - "terms": { - "event.code": [ - "4722", - "4720", - "4726", - "4725" - ] - } + } + }, + { + "id": "datafeed-pad_okta_spike_in_group_application_assignment_changes_euid", + "job_id": "pad_okta_spike_in_group_application_assignment_changes_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": 
"pad_okta_spike_in_group_application_assignment_changes_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" } - ], - "must_not": [ + }, { "terms": { - "process.name": - [ "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" ] - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_windows_rare_privilege_assigned_to_user", - "job_id": "pad_windows_rare_privilege_assigned_to_user", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_rare_privilege_assigned_to_user", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "privilege_type" - } + "okta.event_type": [ + "group.application_assignment.add", + "group.application_assignment.remove" + ] } - ] + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" } } } - }, - { - "id": "datafeed-pad_windows_rare_group_name_by_user", - "job_id": "pad_windows_rare_group_name_by_user", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_rare_group_name_by_user", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "added-member-to-group", - "removed-member-from-group" - ] - } - }, - { - "terms": { - "event.code": [ - "4732", - "4728", - "4756", - "4733", - "4729" - ] - } + } + }, + { + "id": "datafeed-pad_okta_spike_in_group_lifecycle_changes_euid", + "job_id": "pad_okta_spike_in_group_lifecycle_changes_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_group_lifecycle_changes_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" } - ], - "must_not": [ + }, { "terms": { - "process.name": - [ "elastic-agent.exe", - "elastic-agent", - 
"metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" ] - } - } - ] + "okta.event_type": [ + "group.lifecycle.create", + "group.lifecycle.delete" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" } } } - }, - { - "id": "datafeed-pad_windows_rare_device_by_user", - "job_id": "pad_windows_rare_device_by_user", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_rare_device_by_user", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "exists": { - "field": "host.name" - } - }, - { - "exists": { - "field": "user.name" - } - }, - { - "terms": { - "event.code": [ - "4720", - "4726", - "4722", - "4756", - "4672", - "4673", - "4674", - "4720", - "4728", - "4732", - "4756", - "624", - "632", - "636", - "660", - "4725", - "4723", - "4648", - "4688", - "4729", - "4733", - "4757", - "637", - "661" - ] - } + } + }, + { + "id": "datafeed-pad_okta_high_sum_concurrent_sessions_by_user_euid", + "job_id": "pad_okta_high_sum_concurrent_sessions_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_high_sum_concurrent_sessions_by_user_euid", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.user.name" } - ], - "must_not": [ + }, { - "terms": { - "event.action": [ - "log_on", - "created_process" - ] - } - }, + "exists": { + "field": "okta_distinct_ips" + } + }, { - "terms": { - "process.name": - [ "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" ] - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_windows_rare_source_ip_by_user", - "job_id": "pad_windows_rare_source_ip_by_user", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - 
"job_id": "pad_windows_rare_source_ip_by_user", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "user.name" - } - }, - { - "terms": { - "event.code": [ - "4720", - "4726", - "4722", - "4756", - "4672", - "4673", - "4674", - "4720", - "4728", - "4732", - "4756", - "624", - "632", - "636", - "660", - "4725", - "4723", - "4648", - "4688", - "4729", - "4733", - "4757", - "637", - "661" - ] + "range": { + "okta_distinct_ips": { + "gte": 2 } } - ], - "must_not": [ + }, { - "terms": { - "event.action": [ - "log_on", - "created_process" - ] + "range": { + "okta_distinct_countries": { + "gte": 2 } - }, + } + }, { - "terms": { - "process.name": - [ "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" ] - } - } - ] - } + "term": { + "okta_session_info.has_end_event": 0 + } + } + ] } } - }, - { - "id": "datafeed-pad_windows_rare_region_name_by_user", - "job_id": "pad_windows_rare_region_name_by_user", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_rare_region_name_by_user", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "exists": { - "field": "source.geo.region_name" - } - }, - { - "exists": { - "field": "user.name" - } - }, - { - "terms": { - "event.code": [ - "4720", - "4726", - "4722", - "4756", - "4672", - "4673", - "4674", - "4720", - "4728", - "4732", - "4756", - "624", - "632", - "636", - "660", - "4725", - "4723", - "4648", - "4688", - "4729", - "4733", - "4757", - "637", - "661" - ] - } + } + }, + { + "id": "datafeed-pad_okta_rare_source_ip_by_user_euid", + "job_id": "pad_okta_rare_source_ip_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": 
"pad_okta_rare_source_ip_by_user_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" } - ], - "must_not": [ + }, { - "terms": { - "event.action": [ - "log_on", - "created_process" - ] - } - }, + "exists": { + "field": "source.ip" + } + }, { "terms": { - "process.name": - [ "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" ] - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_linux_high_count_privileged_process_events_by_user", - "job_id": "pad_linux_high_count_privileged_process_events_by_user", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_linux_high_count_privileged_process_events_by_user", - "query": { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "linux", - "Linux" - ] - } - }, - { - "term": { - "event.category": "process" - } - }, - { - "terms": { - "event.type": [ - "start", - "change" - ] - } - }, - { - "bool": { - "should": [ - { - "match_phrase": { - "process.command_line.text": "LD_PRELOAD" - } - }, - { - "match_phrase": { - "process.command_line.text": "/etc/ld.so.preload" - } - }, - { - "match_phrase": { - "process.command_line.text": "/root/.ssh/authorized_keys" - } - }, - { - "match_phrase": { - "process.command_line.text": "timestamp_timeout=-1" - } - }, - { - "match_phrase": { - "process.command_line.text": "!tty_tickets" - } - }, - { - "match_phrase": { - "process.command_line.text": "var/spool/cron" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl daemon-reload" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw mod user" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw unlock" - } - }, - { - "match_phrase": { - "process.command_line.text": "chmod u+s" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo setcap cap_setuid" - } - }, - { - 
"match_phrase": { - "process.command_line.text": "su nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo */root/" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*etc/sudoers" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*visudo" - } - }, - { - "match_phrase": { - "process.command_line.text": "etc/cron.*/" - } - }, - { - "match_phrase": { - "process.command_line.text": "trap*SIGINT" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*2000" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*4000" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl start*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl enable*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bashrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.shrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_logout" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/rc." 
- } - } - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent", - "elasticsearch-users", - "elastic-agent.exe", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - }, - { - "terms": { - "process.command_line.text": [ - "elastic-agent", - "elasticsearch" - ] - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_linux_rare_process_executed_by_user", - "job_id": "pad_linux_rare_process_executed_by_user", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_linux_rare_process_executed_by_user", - "query": { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "linux", - "Linux" - ] - } - }, - { - "term": { - "event.category": "process" - } - }, - { - "terms": { - "event.type": [ - "start", - "change" - ] - } - }, - { - "bool": { - "should": [ - { - "match_phrase": { - "process.command_line.text": "LD_PRELOAD" - } - }, - { - "match_phrase": { - "process.command_line.text": "/etc/ld.so.preload" - } - }, - { - "match_phrase": { - "process.command_line.text": "/root/.ssh/authorized_keys" - } - }, - { - "match_phrase": { - "process.command_line.text": "timestamp_timeout=-1" - } - }, - { - "match_phrase": { - "process.command_line.text": "!tty_tickets" - } - }, - { - "match_phrase": { - "process.command_line.text": "var/spool/cron" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl daemon-reload" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw mod user" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw unlock" - } - }, - { - "match_phrase": { - "process.command_line.text": "chmod u+s" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo setcap cap_setuid" - } - }, - { - "match_phrase": { - "process.command_line.text": "su nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo nobody" - } - }, - { - "match_phrase": { 
- "process.command_line.text": "sudo */root/" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*etc/sudoers" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*visudo" - } - }, - { - "match_phrase": { - "process.command_line.text": "etc/cron.*/" - } - }, - { - "match_phrase": { - "process.command_line.text": "trap*SIGINT" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*2000" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*4000" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl start*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl enable*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bashrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.shrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_logout" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/rc." 
- } - } - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent", - "elasticsearch-users", - "elastic-agent.exe", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - }, - { - "terms": { - "process.command_line.text": [ - "elastic-agent", - "elasticsearch" - ] - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_linux_high_median_process_command_line_entropy_by_user", - "job_id": "pad_linux_high_median_process_command_line_entropy_by_user", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_linux_high_median_process_command_line_entropy_by_user", - "query": { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "linux", - "Linux" - ] - } - }, - { - "term": { - "event.category": "process" - } - }, - { - "terms": { - "event.type": [ - "start", - "change" - ] - } - }, - { - "bool": { - "should": [ - { - "match_phrase": { - "process.command_line.text": "LD_PRELOAD" - } - }, - { - "match_phrase": { - "process.command_line.text": "/etc/ld.so.preload" - } - }, - { - "match_phrase": { - "process.command_line.text": "/root/.ssh/authorized_keys" - } - }, - { - "match_phrase": { - "process.command_line.text": "timestamp_timeout=-1" - } - }, - { - "match_phrase": { - "process.command_line.text": "!tty_tickets" - } - }, - { - "match_phrase": { - "process.command_line.text": "var/spool/cron" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl daemon-reload" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw mod user" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw unlock" - } - }, - { - "match_phrase": { - "process.command_line.text": "chmod u+s" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo setcap cap_setuid" - } - }, - { - "match_phrase": { - "process.command_line.text": "su nobody" - } - }, - { - "match_phrase": { - 
"process.command_line.text": "sudo nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo */root/" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*etc/sudoers" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*visudo" - } - }, - { - "match_phrase": { - "process.command_line.text": "etc/cron.*/" - } - }, - { - "match_phrase": { - "process.command_line.text": "trap*SIGINT" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*2000" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*4000" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl start*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl enable*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bashrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.shrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_logout" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/rc." 
- } - } - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent", - "elasticsearch-users", - "elastic-agent.exe", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - }, - { - "terms": { - "process.command_line.text": [ - "elastic-agent", - "elasticsearch" - ] - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_okta_spike_in_group_membership_changes", - "job_id": "pad_okta_spike_in_group_membership_changes", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_group_membership_changes", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": ["group.user_membership.add", "group.user_membership.remove"] - } + "okta.event_type": [ + "group.lifecycle.create", + "group.lifecycle.delete", + "group.user_membership.add", + "group.user_membership.remove", + "user.lifecycle.activate", + "user.lifecycle.deactivate", + "user.lifecycle.suspend", + "user.lifecycle.unsuspend", + "user.lifecycle.create", + "user.lifecycle.update", + "group.privilege.grant", + "group.privilege.revoke", + "group.application_assignment.add", + "group.application_assignment.remove" + ] } - ] - } + } + ] } - } - }, - { - "id": "datafeed-pad_okta_spike_in_user_lifecycle_management_changes", - "job_id": "pad_okta_spike_in_user_lifecycle_management_changes", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_user_lifecycle_management_changes", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": [ - "user.lifecycle.activate", - "user.lifecycle.deactivate", - "user.lifecycle.suspend", - "user.lifecycle.unsuspend", - "user.lifecycle.create", - "user.lifecycle.update" - ] - } - } - ] + }, + "script_fields": { + "user.entity.id_computed": { 
+ "script": { + "id": "euid_user_entity" } } } - }, + } + }, + { + "id": "datafeed-pad_okta_rare_region_name_by_user_euid", + "job_id": "pad_okta_rare_region_name_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_rare_region_name_by_user_euid", + "query": { + "bool": { + "filter": [ { - "id": "datafeed-pad_okta_spike_in_group_privilege_changes", - "job_id": "pad_okta_spike_in_group_privilege_changes", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_group_privilege_changes", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": ["group.privilege.grant", "group.privilege.revoke"] - } + "term": { + "data_stream.dataset": "okta.system" } - ] - } - } - } - }, + }, { - "id": "datafeed-pad_okta_spike_in_group_application_assignment_changes", - "job_id": "pad_okta_spike_in_group_application_assignment_changes", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_group_application_assignment_changes", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": ["group.application_assignment.add", "group.application_assignment.remove"] - } + "exists": { + "field": "client.geo.region_name" } - ] - } - } - } - }, - { - "id": "datafeed-pad_okta_spike_in_group_lifecycle_changes", - "job_id": "pad_okta_spike_in_group_lifecycle_changes", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_group_lifecycle_changes", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": ["group.lifecycle.create", "group.lifecycle.delete"] - } + }, + { + "terms": { + "okta.event_type": [ + "group.lifecycle.create", + "group.lifecycle.delete", + "group.user_membership.add", + 
"group.user_membership.remove", + "user.lifecycle.activate", + "user.lifecycle.deactivate", + "user.lifecycle.suspend", + "user.lifecycle.unsuspend", + "user.lifecycle.create", + "user.lifecycle.update", + "group.privilege.grant", + "group.privilege.revoke", + "group.application_assignment.add", + "group.application_assignment.remove" + ] } - ] - } - } - } - }, - { - "id": "datafeed-pad_okta_high_sum_concurrent_sessions_by_user", - "job_id": "pad_okta_high_sum_concurrent_sessions_by_user", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_high_sum_concurrent_sessions_by_user", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.user.name" - } - }, - { - "exists": { - "field": "okta_distinct_ips" - } - }, - { - "range": { - "okta_distinct_ips": { - "gte": 2 - } - } - }, - { - "range": { - "okta_distinct_countries": { - "gte": 2 - } - } - }, - { - "term": { - "okta_session_info.has_end_event": 0 - } - } - ] } - } - } - }, - { - "id": "datafeed-pad_okta_rare_source_ip_by_user", - "job_id": "pad_okta_rare_source_ip_by_user", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_rare_source_ip_by_user", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "exists": { - "field": "source.ip" - } - }, - { - "terms": { - "okta.event_type": [ - "group.lifecycle.create", - "group.lifecycle.delete", - "group.user_membership.add", - "group.user_membership.remove", - "user.lifecycle.activate", - "user.lifecycle.deactivate", - "user.lifecycle.suspend", - "user.lifecycle.unsuspend", - "user.lifecycle.create", - "user.lifecycle.update", - "group.privilege.grant", - "group.privilege.revoke", - "group.application_assignment.add", - "group.application_assignment.remove"] - } - } - ] + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" } } } - }, + } + }, + { + "id": 
"datafeed-pad_okta_rare_host_name_by_user_euid", + "job_id": "pad_okta_rare_host_name_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_rare_host_name_by_user_euid", + "query": { + "bool": { + "filter": [ { - "id": "datafeed-pad_okta_rare_region_name_by_user", - "job_id": "pad_okta_rare_region_name_by_user", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_rare_region_name_by_user", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "exists": { - "field": "client.geo.region_name" - } - }, - { - "terms": { - "okta.event_type": [ - "group.lifecycle.create", - "group.lifecycle.delete", - "group.user_membership.add", - "group.user_membership.remove", - "user.lifecycle.activate", - "user.lifecycle.deactivate", - "user.lifecycle.suspend", - "user.lifecycle.unsuspend", - "user.lifecycle.create", - "user.lifecycle.update", - "group.privilege.grant", - "group.privilege.revoke", - "group.application_assignment.add", - "group.application_assignment.remove"] - } + "term": { + "data_stream.dataset": "okta.system" } - ] - } - } - } - }, + }, { - "id": "datafeed-pad_okta_rare_host_name_by_user", - "job_id": "pad_okta_rare_host_name_by_user", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_rare_host_name_by_user", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "exists": { - "field": "agent.name" - } - }, - { - "terms": { - "okta.event_type": [ - "group.lifecycle.create", - "group.lifecycle.delete", - "group.user_membership.add", - "group.user_membership.remove", - "user.lifecycle.activate", - "user.lifecycle.deactivate", - "user.lifecycle.suspend", - "user.lifecycle.unsuspend", - "user.lifecycle.create", - "user.lifecycle.update", - "group.privilege.grant", - "group.privilege.revoke", - "group.application_assignment.add", - 
"group.application_assignment.remove"] - } + "exists": { + "field": "agent.name" + } + }, + { + "terms": { + "okta.event_type": [ + "group.lifecycle.create", + "group.lifecycle.delete", + "group.user_membership.add", + "group.user_membership.remove", + "user.lifecycle.activate", + "user.lifecycle.deactivate", + "user.lifecycle.suspend", + "user.lifecycle.unsuspend", + "user.lifecycle.create", + "user.lifecycle.update", + "group.privilege.grant", + "group.privilege.revoke", + "group.application_assignment.add", + "group.application_assignment.remove" + ] } - ] + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" } } } } - ] - }, - "id": "pad-ml", - "migrationVersion": { - "search": "7.16.0" - }, - "references": [], - "type": "ml-module" + } + ] + }, + "id": "pad-ml", + "migrationVersion": { + "search": "7.16.0" + }, + "references": [], + "type": "ml-module" } \ No newline at end of file diff --git a/packages/pad/manifest.yml b/packages/pad/manifest.yml index 8d39609dc15..156ff2404bf 100644 --- a/packages/pad/manifest.yml +++ b/packages/pad/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.0 name: pad title: "Privileged Access Detection" -version: 1.1.1 +version: 2.0.0 source: license: "Elastic-2.0" description: "ML package to detect anomalous privileged access activity in Windows, Linux and Okta logs" @@ -11,7 +11,7 @@ categories: - advanced_analytics_ueba conditions: kibana: - version: "^8.18.0 || ^9.0.0" + version: "^9.4.0" elastic: subscription: platinum capabilities: diff --git a/packages/problemchild/changelog.yml b/packages/problemchild/changelog.yml index 3ca3eb3470d..2d59ce9683e 100644 --- a/packages/problemchild/changelog.yml +++ b/packages/problemchild/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "3.0.0" + changes: + - description: Introduce Entity Unique IDs (EUIDs) + type: enhancement + link: https://github.com/elastic/integrations/pull/99999 - version: "2.4.5" changes: - description: Update package docs with customization steps for ML jobs and transforms diff --git a/packages/problemchild/docs/README.md b/packages/problemchild/docs/README.md index 4dbeb562b1e..e33cbe99861 100644 --- a/packages/problemchild/docs/README.md +++ b/packages/problemchild/docs/README.md @@ -13,7 +13,7 @@ For more detailed information refer to the following blogs and webinar: - [Webinar: ProblemChild: Detecting living-off-the-land attacks using the Elastic Stack](https://www.elastic.co/webinars/problemchild) ## Installation -1. **Upgrading**: If upgrading from a version below v2.0.0, see the section v2.0.0 and beyond. +1. **Upgrading**: If upgrading from a version below v3.0.0, see the section v3.0.0 and beyond. 1. **Add the Integration Package**: Install the package via **Management > Integrations > Add Living off the Land Detection**. Configure the integration name and agent policy. Click Save and Continue. (Note that this integration does not rely on an agent, and can be assigned to a policy without an agent.) 1. **Install assets**: Install the assets by clicking **Settings > Install Living off the Land Detection assets**. 1. **Configure the pipeline**: To configure the pipeline you can use one of the following steps: 
@@ -130,12 +130,12 @@ Detects potential LotL activity by identifying malicious processes. | Job | Description | |---|---| -| problem_child_rare_process_by_host | Looks for a process that has been classified as malicious on a host that does not commonly manifest malicious process activity. | -| problem_child_high_sum_by_host | Looks for a set of one or more malicious child processes on a single host. | -| problem_child_rare_process_by_user | Looks for a process that has been classified as malicious where the user context is unusual and does not commonly manifest malicious process activity. | -| problem_child_rare_process_by_parent | Looks for rare malicious child processes spawned by a parent process. | -| problem_child_high_sum_by_user | Looks for a set of one or more malicious processes, started by the same user. | -| problem_child_high_sum_by_parent | Looks for a set of one or more malicious child processes spawned by the same parent process. | +| problem_child_rare_process_by_host_euid | Looks for a process that has been classified as malicious on a host that does not commonly manifest malicious process activity. | +| problem_child_high_sum_by_host_euid | Looks for a set of one or more malicious child processes on a single host. | +| problem_child_rare_process_by_user_euid | Looks for a process that has been classified as malicious where the user context is unusual and does not commonly manifest malicious process activity. | +| problem_child_rare_process_by_parent_euid | Looks for rare malicious child processes spawned by a parent process. | +| problem_child_high_sum_by_user_euid | Looks for a set of one or more malicious processes, started by the same user. | +| problem_child_high_sum_by_parent_euid | Looks for a set of one or more malicious child processes spawned by the same parent process. | ## Customize ML jobs for Living off the Land Attack Detection 
@@ -154,6 +154,22 @@ To customize the datafeed query and other settings such as model memory limit, f ![Living off the Land Attack Detection jobs](../img/problemchild_ml_job_6.png) 1. Finally, assign a new Job ID, and click on **Create job**, and start the datafeed to apply the updated settings. +## v3.0.0 and beyond + +v3.0.0 of the package introduces Entity Unique IDs (EUIDs) for use with Entity Analytics. This version is available on Elastic Stack version 9.4 and later. + +- Previously installed versions of ML jobs and rules will continue to run, giving you time to transition to the new EUID-based assets. +- On installation of this version, new ML jobs and rules that utilize EUIDs will be available. +- We recommend installing the new ML jobs first and check they are properly installed, gathering data and generating anomalies before updating to the latest version of the detection rules provided in 9.4. + +The new EUID ML job IDs are: +- `problem_child_rare_process_by_host_euid` +- `problem_child_high_sum_by_host_euid` +- `problem_child_rare_process_by_user_euid` +- `problem_child_rare_process_by_parent_euid` +- `problem_child_high_sum_by_user_euid` +- `problem_child_high_sum_by_parent_euid` + ## v2.0.0 and beyond v2.0.0 of the package introduces breaking changes, namely deprecating detection rules from the package. To continue receiving updates to LotL Detection, we recommend upgrading to v2.0.0 after doing the following: diff --git a/packages/problemchild/kibana/ml_module/problemchild-ml.json b/packages/problemchild/kibana/ml_module/problemchild-ml.json index f78cd91dcb6..6ff98c93a9e 100644 --- a/packages/problemchild/kibana/ml_module/problemchild-ml.json +++ b/packages/problemchild/kibana/ml_module/problemchild-ml.json 
@@ -1,561 +1,633 @@ { - "attributes": { - "id": "problemchild-ml", - "title": "Living off the Land Attack Detection", - "description": "Detects potential living off the land activity by identifying malicious processes.", - "type": "ProblemChild", - "logo": { - "icon": "machineLearningApp" - }, - "query": { + "attributes": { + "id": "problemchild-ml", + "title": "Living off the Land Attack Detection", + "description": "Detects potential living off the land activity by identifying malicious processes.", + "type": "ProblemChild", + "logo": { + "icon": "machineLearningApp" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "exists": { + "field": "problemchild.prediction" + } + }, + { + "exists": { + "field": "blocklist_label" + } + } + ], + "must_not": { + "terms": { + "_tier": [ + "data_frozen", + "data_cold" + ] + } + } + } + }, + "jobs": [ + { + "id": "problem_child_rare_process_by_host_euid", + "config": { + "groups": [ + "living_off_the_land", + "security" + ], + "description": "Looks for a process that has been classified as malicious on a host that does not commonly manifest malicious process activity.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "by_field_name": "process.name", + "detector_description": "rare process given a host", + "detector_index": 0, + "function": "rare", + "partition_field_name": "host.name" + } + ], + "influencers": [ + "process.name", + "host.entity.id_computed", + "user.entity.id_computed", + "process.command_line" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-problem-child" + } + } + }, + { + "id": "problem_child_high_sum_by_host_euid", + "config": { + "groups": [ + "living_off_the_land", + "security" + ], + "description": "Looks for hosts with one or more potentially malicious child processes.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "by_field_name": 
"host.name", + "detector_description": "high sum of model hits by host", + "detector_index": 0, + "field_name": "problemchild.prediction_probability", + "function": "high_sum" + }, + { + "by_field_name": "host.name", + "detector_description": "high sum of blocklist hits by host", + "detector_index": 0, + "field_name": "blocklist_label", + "function": "high_sum" + } + ], + "influencers": [ + "process.name", + "host.entity.id_computed", + "user.entity.id_computed", + "process.command_line" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-problem-child" + } + } + }, + { + "id": "problem_child_rare_process_by_user_euid", + "config": { + "groups": [ + "living_off_the_land", + "security" + ], + "description": "Looks for a process that has been classified as malicious where the user context is unusual and does not commonly manifest malicious process activity.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "by_field_name": "process.name", + "detector_description": "rare process given a user", + "detector_index": 0, + "function": "rare", + "partition_field_name": "user.name" + } + ], + "influencers": [ + "process.name", + "user.entity.id_computed", + "host.entity.id_computed", + "process.command_line" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-problem-child" + } + } + }, + { + "id": "problem_child_rare_process_by_parent_euid", + "config": { + "groups": [ + "living_off_the_land", + "security" + ], + "description": "Looks for rare malicious child processes spawned by a parent process.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "by_field_name": "process.name", + "detector_description": "rare process given a parent process", + "detector_index": 0, + "function": "rare", + "partition_field_name": "process.parent.name" + } + ], + 
"influencers": [ + "process.name", + "process.parent.name", + "process.command_line", + "host.entity.id_computed", + "user.entity.id_computed" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-problem-child" + } + } + }, + { + "id": "problem_child_high_sum_by_user_euid", + "config": { + "groups": [ + "living_off_the_land", + "security" + ], + "description": "Looks for users with one or more potentially malicious child processes.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "by_field_name": "user.name", + "detector_description": "high sum of model hits by user", + "detector_index": 0, + "field_name": "problemchild.prediction_probability", + "function": "high_sum" + }, + { + "by_field_name": "user.name", + "detector_description": "high sum of blocklist hits by user", + "detector_index": 0, + "field_name": "blocklist_label", + "function": "high_sum" + } + ], + "influencers": [ + "process.name", + "user.entity.id_computed", + "host.entity.id_computed", + "process.command_line" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-problem-child" + } + } + }, + { + "id": "problem_child_high_sum_by_parent_euid", + "config": { + "groups": [ + "living_off_the_land", + "security" + ], + "description": "Looks for parent process names with one or more potentially malicious child processes.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "by_field_name": "process.parent.name", + "detector_description": "high sum of model hits by parent process", + "detector_index": 0, + "field_name": "problemchild.prediction_probability", + "function": "high_sum" + }, + { + "by_field_name": "process.parent.name", + "detector_description": "high sum of blocklist hits by parent process", + "detector_index": 0, + "field_name": "blocklist_label", + "function": 
"high_sum" + } + ], + "influencers": [ + "process.name", + "process.parent.name", + "process.command_line", + "host.entity.id_computed", + "user.entity.id_computed" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-problem-child" + } + } + } + ], + "datafeeds": [ + { + "id": "datafeed-problem_child_rare_process_by_host_euid", + "job_id": "problem_child_rare_process_by_host_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "problem_child_rare_process_by_host_euid", + "query": { "bool": { - "minimum_should_match": 1, - "should": [ - { - "exists": { - "field": "problemchild.prediction" - } - }, - { - "exists": { - "field": "blocklist_label" - } - } - ], - "must_not": { - "terms": { - "_tier": [ - "data_frozen", - "data_cold" - ] - } + "minimum_should_match": 1, + "should": [ + { + "match": { + "problemchild.prediction": 1 + } + }, + { + "match": { + "blocklist_label": 1 + } } - } - }, - "jobs": [ - { - "id": "problem_child_rare_process_by_host", - "config": { - "groups": [ - "living_off_the_land", - "security" - ], - "description": "Looks for a process that has been classified as malicious on a host that does not commonly manifest malicious process activity.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "by_field_name": "process.name", - "detector_description": "rare process given a host", - "detector_index": 0, - "function": "rare", - "partition_field_name": "host.name" - } - ], - "influencers": [ - "process.name", - "host.name", - "user.name", - "process.command_line" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-problem-child" - } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "elastic-endpoint.exe", + "elastic-endpoint", + "metricbeat.exe", + "metricbeat", + 
"filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } }, - { - "id": "problem_child_high_sum_by_host", - "config": { - "groups": [ - "living_off_the_land", - "security" - ], - "description": "Looks for hosts with one or more potentially malicious child processes.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "by_field_name": "host.name", - "detector_description": "high sum of model hits by host", - "detector_index": 0, - "field_name": "problemchild.prediction_probability", - "function": "high_sum" - }, - { - "by_field_name": "host.name", - "detector_description": "high sum of blocklist hits by host", - "detector_index": 0, - "field_name": "blocklist_label", - "function": "high_sum" - } - ], - "influencers": [ - "process.name", - "host.name", - "user.name", - "process.command_line" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-problem-child" - } + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } + }, + { + "id": "datafeed-problem_child_high_sum_by_host_euid", + "job_id": "problem_child_high_sum_by_host_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "problem_child_high_sum_by_host_euid", + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match": { + "problemchild.prediction": 1 + } + }, + { + "match": { + "blocklist_label": 1 + } } - }, - { - "id": "problem_child_rare_process_by_user", - "config": { - "groups": [ - "living_off_the_land", - "security" - ], - "description": "Looks for a process that has been classified as malicious where the user context is unusual and does not commonly manifest malicious process activity.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - 
"by_field_name": "process.name", - "detector_description": "rare process given a user", - "detector_index": 0, - "function": "rare", - "partition_field_name": "user.name" - } - ], - "influencers": [ - "process.name", - "user.name", - "host.name", - "process.command_line" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-problem-child" - } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "elastic-endpoint.exe", + "elastic-endpoint", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } }, - { - "id": "problem_child_rare_process_by_parent", - "config": { - "groups": [ - "living_off_the_land", - "security" - ], - "description": "Looks for rare malicious child processes spawned by a parent process.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "by_field_name": "process.name", - "detector_description": "rare process given a parent process", - "detector_index": 0, - "function": "rare", - "partition_field_name": "process.parent.name" - } - ], - "influencers": [ - "process.name", - "process.parent.name", - "process.command_line", - "host.name", - "user.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-problem-child" - } + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } + }, + { + "id": "datafeed-problem_child_rare_process_by_user_euid", + "job_id": "problem_child_rare_process_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "problem_child_rare_process_by_user_euid", + "query": { + "bool": { + "minimum_should_match": 1, + 
"should": [ + { + "match": { + "problemchild.prediction": 1 + } + }, + { + "match": { + "blocklist_label": 1 + } } - }, - { - "id": "problem_child_high_sum_by_user", - "config": { - "groups": [ - "living_off_the_land", - "security" - ], - "description": "Looks for users with one or more potentially malicious child processes.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "by_field_name": "user.name", - "detector_description": "high sum of model hits by user", - "detector_index": 0, - "field_name": "problemchild.prediction_probability", - "function": "high_sum" - }, - { - "by_field_name": "user.name", - "detector_description": "high sum of blocklist hits by user", - "detector_index": 0, - "field_name": "blocklist_label", - "function": "high_sum" - } - ], - "influencers": [ - "process.name", - "user.name", - "host.name", - "process.command_line" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-problem-child" - } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "elastic-endpoint.exe", + "elastic-endpoint", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } }, - { - "id": "problem_child_high_sum_by_parent", - "config": { - "groups": [ - "living_off_the_land", - "security" - ], - "description": "Looks for parent process names with one or more potentially malicious child processes.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "by_field_name": "process.parent.name", - "detector_description": "high sum of model hits by parent process", - "detector_index": 0, - "field_name": "problemchild.prediction_probability", - "function": "high_sum" - }, - { - "by_field_name": 
"process.parent.name", - "detector_description": "high sum of blocklist hits by parent process", - "detector_index": 0, - "field_name": "blocklist_label", - "function": "high_sum" - } - ], - "influencers": [ - "process.name", - "process.parent.name", - "process.command_line", - "host.name", - "user.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-problem-child" - } - } + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } } - ], - "datafeeds": [ - { - "id": "datafeed-problem_child_rare_process_by_host", - "job_id": "problem_child_rare_process_by_host", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "problem_child_rare_process_by_host", - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match": { - "problemchild.prediction": 1 - } - }, - { - "match": { - "blocklist_label": 1 - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "elastic-endpoint.exe", - "elastic-endpoint", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - } + } + } + }, + { + "id": "datafeed-problem_child_rare_process_by_parent_euid", + "job_id": "problem_child_rare_process_by_parent_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "problem_child_rare_process_by_parent_euid", + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match": { + "problemchild.prediction": 1 + } + }, + { + "match": { + "blocklist_label": 1 + } } - }, - { - "id": "datafeed-problem_child_high_sum_by_host", - "job_id": "problem_child_high_sum_by_host", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "problem_child_high_sum_by_host", - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match": { - 
"problemchild.prediction": 1 - } - }, - { - "match": { - "blocklist_label": 1 - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "elastic-endpoint.exe", - "elastic-endpoint", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "elastic-endpoint.exe", + "elastic-endpoint", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } }, - { - "id": "datafeed-problem_child_rare_process_by_user", - "job_id": "problem_child_rare_process_by_user", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "problem_child_rare_process_by_user", - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match": { - "problemchild.prediction": 1 - } - }, - { - "match": { - "blocklist_label": 1 - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "elastic-endpoint.exe", - "elastic-endpoint", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - } + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } + }, + { + "id": "datafeed-problem_child_high_sum_by_user_euid", + "job_id": "problem_child_high_sum_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "problem_child_high_sum_by_user_euid", + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match": { + "problemchild.prediction": 1 + } + }, + { + "match": { + "blocklist_label": 1 + } } - }, - { 
- "id": "datafeed-problem_child_rare_process_by_parent", - "job_id": "problem_child_rare_process_by_parent", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "problem_child_rare_process_by_parent", - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match": { - "problemchild.prediction": 1 - } - }, - { - "match": { - "blocklist_label": 1 - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "elastic-endpoint.exe", - "elastic-endpoint", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "elastic-endpoint.exe", + "elastic-endpoint", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } }, - { - "id": "datafeed-problem_child_high_sum_by_user", - "job_id": "problem_child_high_sum_by_user", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "problem_child_high_sum_by_user", - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match": { - "problemchild.prediction": 1 - } - }, - { - "match": { - "blocklist_label": 1 - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "elastic-endpoint.exe", - "elastic-endpoint", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - } + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } + }, + { + "id": "datafeed-problem_child_high_sum_by_parent_euid", + "job_id": 
"problem_child_high_sum_by_parent_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "problem_child_high_sum_by_parent_euid", + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match": { + "problemchild.prediction": 1 + } + }, + { + "match": { + "blocklist_label": 1 + } } - }, - { - "id": "datafeed-problem_child_high_sum_by_parent", - "job_id": "problem_child_high_sum_by_parent", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "problem_child_high_sum_by_parent", - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match": { - "problemchild.prediction": 1 - } - }, - { - "match": { - "blocklist_label": 1 - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "elastic-endpoint.exe", - "elastic-endpoint", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "elastic-endpoint.exe", + "elastic-endpoint", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } } + ] } - ] - }, - "id": "problemchild-ml", - "migrationVersion": { - "search": "7.16.0" - }, - "references": [], - "type": "ml-module" + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } + } + ] + }, + "id": "problemchild-ml", + "migrationVersion": { + "search": "7.16.0" + }, + "references": [], + "type": "ml-module" } \ No newline at end of file diff --git a/packages/problemchild/manifest.yml b/packages/problemchild/manifest.yml index f34640e516e..28e9995a702 100644 --- a/packages/problemchild/manifest.yml 
+++ b/packages/problemchild/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.0 name: problemchild title: "Living off the Land Attack Detection" -version: 2.4.5 +version: 3.0.0 source: license: "Elastic-2.0" description: "ML solution package to detect Living off the Land (LotL) attacks in your environment. Requires a Platinum subscription." @@ -11,7 +11,7 @@ categories: - advanced_analytics_ueba conditions: kibana: - version: "^8.9.0 || ^9.0.0" + version: "^9.4.0" elastic: subscription: platinum capabilities: From a05dfa53a74becfab4b76e0ad3f76491c4d298f6 Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Tue, 3 Mar 2026 08:27:06 -0600 Subject: [PATCH 02/44] fix indentation --- packages/ded/kibana/ml_module/ded-ml.json | 1168 ++-- packages/dga/kibana/ml_module/dga-ml.json | 228 +- packages/lmd/kibana/ml_module/lmd-ml.json | 1872 +++--- packages/pad/kibana/ml_module/pad-ml.json | 5074 ++++++++--------- .../kibana/ml_module/problemchild-ml.json | 1222 ++-- 5 files changed, 4782 insertions(+), 4782 deletions(-) diff --git a/packages/ded/kibana/ml_module/ded-ml.json b/packages/ded/kibana/ml_module/ded-ml.json index 505d120e980..71edc727a73 100644 --- a/packages/ded/kibana/ml_module/ded-ml.json +++ b/packages/ded/kibana/ml_module/ded-ml.json 
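Review bot: in the packages/pad/kibana/ml_module/pad-ml.json hunk, the datafeeds `datafeed-pad_okta_spike_in_group_privilege_changes`, `datafeed-pad_okta_spike_in_group_application_assignment_changes`, `datafeed-pad_okta_spike_in_group_lifecycle_changes`, `datafeed-pad_okta_high_sum_concurrent_sessions_by_user` and `datafeed-pad_okta_rare_source_ip_by_user` are removed, while the only `_euid` datafeeds added in the same region are `datafeed-pad_okta_rare_region_name_by_user_euid` and `datafeed-pad_okta_rare_host_name_by_user_euid`. Please confirm that `_euid` counterparts for each removed datafeed exist earlier in the file, or record the dropped jobs in the pad changelog so users know which detections no longer ship.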
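Review bot: the new entry in packages/problemchild/changelog.yml points at a placeholder (`link: https://github.com/elastic/integrations/pull/99999`); replace it with the real PR URL before merge. The entry is also typed `enhancement`, but the accompanying manifest change bumps the package from 2.4.5 to 3.0.0 and narrows the Kibana constraint from `"^8.9.0 || ^9.0.0"` to `"^9.4.0"`, which drops every 8.x deployment; `type: breaking-change` describes that more honestly. The same applies to the pad manifest (1.1.1 to 2.0.0, `"^8.18.0 || ^9.0.0"` to `"^9.4.0"`).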
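Review bot: in the new "v3.0.0 and beyond" section of packages/problemchild/docs/README.md, the sentence "We recommend installing the new ML jobs first and check they are properly installed, gathering data and generating anomalies before updating..." has a parallelism error; suggest "installing the new ML jobs first and checking that they are properly installed, gathering data and generating anomalies, before updating to the latest version of the detection rules provided in 9.4." The same section says "new ML jobs and rules that utilize EUIDs will be available" on installation, yet the "v2.0.0 and beyond" section directly below states that detection rules were deprecated from this package; please make explicit that the EUID rules come from the Elastic prebuilt rules shipped with 9.4 and are not installed by this package, otherwise readers will look for rule assets that the integration does not install.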
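Review bot: every datafeed in the packages/problemchild/kibana/ml_module/problemchild-ml.json hunk now declares `script_fields` that reference stored scripts by id (`"id": "euid_user_entity"` and `"id": "euid_host_entity"`), but nothing in this patch creates those stored scripts; if they are provided by the 9.4 stack, state that dependency in the README (and the `^9.4.0` constraint is then load-bearing, not cosmetic), and if they are not, the datafeeds will fail to start on a cluster that lacks them. Separately, the detectors still key on raw names (`"partition_field_name": "host.name"`, `"by_field_name": "user.name"`, `"partition_field_name": "process.parent.name"`) and only the `influencers` lists were switched to `host.entity.id_computed` / `user.entity.id_computed`, so anomaly results remain scoped per host.name/user.name rather than per entity id; please confirm that is intentional (EUID as influencer only) and note it in the job descriptions, since a reader of the `_euid` job names would reasonably expect the partition to be the entity id.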
@@ -1,601 +1,601 @@ { - "attributes": { - "id": "ded-ml", - "title": "Data Exfiltration Detection", - "description": "Detects data exfiltration activity in your network and file data.", - "type": "ded", - "logo": { - "icon": "machineLearningApp" - }, - "query": { - "bool": { - "should": [ - { - "term": { - "event.category": "file" - } - }, - { + "attributes": { + "id": "ded-ml", + "title": "Data Exfiltration Detection", + "description": "Detects data exfiltration activity in your network and file data.", + "type": "ded", + "logo": { + "icon": "machineLearningApp" + }, + "query": { "bool": { - "filter": [ - { - "term": { - "event.category": "network" - } - }, - { - "exists": { - "field": "source.bytes" - } - }, - { - "exists": { - "field": "destination" - } + "should": [ + { + "term": { + "event.category": "file" + } + }, + { + "bool": { + "filter": [ + { + "term": { + "event.category": "network" + } + }, + { + "exists": { + "field": "source.bytes" + } + }, + { + "exists": { + "field": "destination" + } + } + ] + } + } + ], + "must_not": { + "terms": { + "_tier": [ + "data_frozen", + "data_cold" + ] + } } - ] } - } - ], - "must_not": { - "terms": { - "_tier": [ - "data_frozen", - "data_cold" - ] - } - } - } - }, - "jobs": [ - { - "id": "ded_high_sent_bytes_destination_geo_country_iso_code_euid", - "config": { - "groups": [ - "security", - "data_exfiltration" - ], - "description": "Detects data exfiltration to an unusual geo-location (by country iso code).", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High bytes sent to an unusual country iso code", - "function": "high_sum", - "field_name": "source.bytes", - "over_field_name": "destination.geo.country_iso_code", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "process.name", - "source.ip", - "destination.ip", - "destination.geo.continent_name", - "destination.geo.country_name", - 
"destination.geo.country_iso_code" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-ded" - } - } - }, - { - "id": "ded_high_sent_bytes_destination_ip_euid", - "config": { - "groups": [ - "security", - "data_exfiltration" - ], - "description": "Detects data exfiltration to an unusual geo-location (by IP address).", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High bytes sent to an unusual IP address", - "function": "high_sum", - "field_name": "source.bytes", - "over_field_name": "destination.ip", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "process.name", - "source.ip", - "destination.ip" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-ded" - } - } - }, - { - "id": "ded_high_sent_bytes_destination_port_euid", - "config": { - "groups": [ - "security", - "data_exfiltration" - ], - "description": "Detects data exfiltration to an unusual destination port.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High bytes sent to an unusual destination port", - "function": "high_sum", - "field_name": "source.bytes", - "over_field_name": "destination.port", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "process.name", - "source.ip", - "destination.ip", - "destination.port" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-ded" - } - } - }, - { - "id": "ded_high_sent_bytes_destination_region_name_euid", - "config": { - "groups": [ - "security", - "data_exfiltration" - ], - "description": "Detects data exfiltration to an unusual geo-location (by region name).", - 
"analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High bytes sent to an unusual region", - "function": "high_sum", - "field_name": "source.bytes", - "over_field_name": "destination.geo.region_name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "process.name", - "source.ip", - "destination.ip", - "destination.geo.city_name", - "destination.geo.region_name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-ded" - } - } - }, - { - "id": "ded_high_bytes_written_to_external_device_euid", - "config": { - "groups": [ - "security", - "data_exfiltration" - ], - "description": "Detects data exfiltration activity by identifying high bytes written to an external device.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "High bytes written to an external device", - "function": "high_sum", - "field_name": "file.size", - "partition_field_name": "host.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "file.name", - "file.path", - "file.Ext.device.bus_type", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-ded" - } - } - }, - { - "id": "ded_rare_process_writing_to_external_device_euid", - "config": { - "groups": [ - "security", - "data_exfiltration" - ], - "description": "Detects data exfiltration activity by identifying a file write started by a rare process to an external device.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare process writing to an external device", - "function": "rare", - "by_field_name": "process.name", - "partition_field_name": "host.entity.id_computed", - "detector_index": 
0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "file.name", - "file.path", - "file.Ext.device.bus_type", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-ded" - } - } - }, - { - "id": "ded_high_bytes_written_to_external_device_airdrop_euid", - "config": { - "groups": [ - "security", - "data_exfiltration" - ], - "description": "Detects data exfiltration activity by identifying high bytes written to an external device via Airdrop.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "High bytes written to an external device using Airdrop", - "function": "high_sum", - "field_name": "file.size", - "partition_field_name": "host.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "file.name", - "file.path", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-ded" - } - } - } - ], - "datafeeds": [ - { - "id": "datafeed-ded_high_sent_bytes_destination_geo_country_iso_code_euid", - "job_id": "ded_high_sent_bytes_destination_geo_country_iso_code_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "ded_high_sent_bytes_destination_geo_country_iso_code_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "event.category": "network" - } - }, - { - "exists": { - "field": "source.bytes" - } - }, - { - "exists": { - "field": "destination.port" - } + }, + "jobs": [ + { + "id": "ded_high_sent_bytes_destination_geo_country_iso_code_euid", + "config": { + "groups": [ + "security", + "data_exfiltration" + ], + "description": "Detects data exfiltration to an unusual geo-location (by country iso code).", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + 
"detector_description": "High bytes sent to an unusual country iso code", + "function": "high_sum", + "field_name": "source.bytes", + "over_field_name": "destination.geo.country_iso_code", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "process.name", + "source.ip", + "destination.ip", + "destination.geo.continent_name", + "destination.geo.country_name", + "destination.geo.country_iso_code" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-ded" + } } - ] - } - } - } - }, - { - "id": "datafeed-ded_high_sent_bytes_destination_ip_euid", - "job_id": "ded_high_sent_bytes_destination_ip_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "ded_high_sent_bytes_destination_ip_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "event.category": "network" - } - }, - { - "exists": { - "field": "source.bytes" - } - }, - { - "exists": { - "field": "destination.port" - } + }, + { + "id": "ded_high_sent_bytes_destination_ip_euid", + "config": { + "groups": [ + "security", + "data_exfiltration" + ], + "description": "Detects data exfiltration to an unusual geo-location (by IP address).", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High bytes sent to an unusual IP address", + "function": "high_sum", + "field_name": "source.bytes", + "over_field_name": "destination.ip", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "process.name", + "source.ip", + "destination.ip" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-ded" + } } - ] - } - } - } - }, - { - "id": "datafeed-ded_high_sent_bytes_destination_port_euid", - "job_id": "ded_high_sent_bytes_destination_port_euid", - "config": { - 
"indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "ded_high_sent_bytes_destination_port_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "event.category": "network" - } - }, - { - "exists": { - "field": "source.bytes" - } - }, - { - "exists": { - "field": "destination.port" - } + }, + { + "id": "ded_high_sent_bytes_destination_port_euid", + "config": { + "groups": [ + "security", + "data_exfiltration" + ], + "description": "Detects data exfiltration to an unusual destination port.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High bytes sent to an unusual destination port", + "function": "high_sum", + "field_name": "source.bytes", + "over_field_name": "destination.port", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "process.name", + "source.ip", + "destination.ip", + "destination.port" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-ded" + } } - ] - } - } - } - }, - { - "id": "datafeed-ded_high_sent_bytes_destination_region_name_euid", - "job_id": "ded_high_sent_bytes_destination_region_name_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "ded_high_sent_bytes_destination_region_name_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "event.category": "network" - } - }, - { - "exists": { - "field": "source.bytes" - } - }, - { - "exists": { - "field": "destination.port" - } + }, + { + "id": "ded_high_sent_bytes_destination_region_name_euid", + "config": { + "groups": [ + "security", + "data_exfiltration" + ], + "description": "Detects data exfiltration to an unusual geo-location (by region name).", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High bytes sent to an unusual region", + "function": "high_sum", + "field_name": "source.bytes", + 
"over_field_name": "destination.geo.region_name", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "process.name", + "source.ip", + "destination.ip", + "destination.geo.city_name", + "destination.geo.region_name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-ded" + } } - ] - } - } - } - }, - { - "id": "datafeed-ded_high_bytes_written_to_external_device_euid", - "job_id": "ded_high_bytes_written_to_external_device_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "ded_high_bytes_written_to_external_device_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "event.category": "file" - } - }, - { - "term": { - "host.os.type": "windows" - } - }, - { - "exists": { - "field": "file.Ext.device.bus_type" - } - }, - { - "terms": { - "event.action": [ - "creation", - "overwrite", - "modification" - ] - } + }, + { + "id": "ded_high_bytes_written_to_external_device_euid", + "config": { + "groups": [ + "security", + "data_exfiltration" + ], + "description": "Detects data exfiltration activity by identifying high bytes written to an external device.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "High bytes written to an external device", + "function": "high_sum", + "field_name": "file.size", + "partition_field_name": "host.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "file.name", + "file.path", + "file.Ext.device.bus_type", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-ded" + } } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } }, - "host.entity.id_computed": { - "script": { - 
"id": "euid_host_entity" - } - } - } - } - }, - { - "id": "datafeed-ded_rare_process_writing_to_external_device_euid", - "job_id": "ded_rare_process_writing_to_external_device_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "ded_rare_process_writing_to_external_device_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "event.category": "file" - } - }, - { - "term": { - "host.os.type": "windows" - } - }, - { - "exists": { - "field": "file.Ext.device.bus_type" - } - }, - { - "terms": { - "event.action": [ - "creation", - "overwrite", - "modification" - ] - } + { + "id": "ded_rare_process_writing_to_external_device_euid", + "config": { + "groups": [ + "security", + "data_exfiltration" + ], + "description": "Detects data exfiltration activity by identifying a file write started by a rare process to an external device.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare process writing to an external device", + "function": "rare", + "by_field_name": "process.name", + "partition_field_name": "host.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "file.name", + "file.path", + "file.Ext.device.bus_type", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-ded" + } } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } - } - } - } - }, - { - "id": "datafeed-ded_high_bytes_written_to_external_device_airdrop_euid", - "job_id": "ded_high_bytes_written_to_external_device_airdrop_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "ded_high_bytes_written_to_external_device_airdrop_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - 
"event.category": "file" - } - }, - { - "term": { - "process.name": "sharingd" - } - }, - { - "term": { - "host.os.type": "macos" - } - }, - { - "terms": { - "event.action": [ - "creation", - "overwrite", - "modification" - ] - } + { + "id": "ded_high_bytes_written_to_external_device_airdrop_euid", + "config": { + "groups": [ + "security", + "data_exfiltration" + ], + "description": "Detects data exfiltration activity by identifying high bytes written to an external device via Airdrop.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "High bytes written to an external device using Airdrop", + "function": "high_sum", + "field_name": "file.size", + "partition_field_name": "host.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "file.name", + "file.path", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-ded" + } } - ] } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } + ], + "datafeeds": [ + { + "id": "datafeed-ded_high_sent_bytes_destination_geo_country_iso_code_euid", + "job_id": "ded_high_sent_bytes_destination_geo_country_iso_code_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ded_high_sent_bytes_destination_geo_country_iso_code_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "event.category": "network" + } + }, + { + "exists": { + "field": "source.bytes" + } + }, + { + "exists": { + "field": "destination.port" + } + } + ] + } + } + } + }, + { + "id": "datafeed-ded_high_sent_bytes_destination_ip_euid", + "job_id": "ded_high_sent_bytes_destination_ip_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ded_high_sent_bytes_destination_ip_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + 
"event.category": "network" + } + }, + { + "exists": { + "field": "source.bytes" + } + }, + { + "exists": { + "field": "destination.port" + } + } + ] + } + } + } + }, + { + "id": "datafeed-ded_high_sent_bytes_destination_port_euid", + "job_id": "ded_high_sent_bytes_destination_port_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ded_high_sent_bytes_destination_port_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "event.category": "network" + } + }, + { + "exists": { + "field": "source.bytes" + } + }, + { + "exists": { + "field": "destination.port" + } + } + ] + } + } + } }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } + { + "id": "datafeed-ded_high_sent_bytes_destination_region_name_euid", + "job_id": "ded_high_sent_bytes_destination_region_name_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ded_high_sent_bytes_destination_region_name_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "event.category": "network" + } + }, + { + "exists": { + "field": "source.bytes" + } + }, + { + "exists": { + "field": "destination.port" + } + } + ] + } + } + } + }, + { + "id": "datafeed-ded_high_bytes_written_to_external_device_euid", + "job_id": "ded_high_bytes_written_to_external_device_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ded_high_bytes_written_to_external_device_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "host.os.type": "windows" + } + }, + { + "exists": { + "field": "file.Ext.device.bus_type" + } + }, + { + "terms": { + "event.action": [ + "creation", + "overwrite", + "modification" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } + }, + { + "id": 
"datafeed-ded_rare_process_writing_to_external_device_euid", + "job_id": "ded_rare_process_writing_to_external_device_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ded_rare_process_writing_to_external_device_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "host.os.type": "windows" + } + }, + { + "exists": { + "field": "file.Ext.device.bus_type" + } + }, + { + "terms": { + "event.action": [ + "creation", + "overwrite", + "modification" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } + }, + { + "id": "datafeed-ded_high_bytes_written_to_external_device_airdrop_euid", + "job_id": "ded_high_bytes_written_to_external_device_airdrop_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ded_high_bytes_written_to_external_device_airdrop_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "process.name": "sharingd" + } + }, + { + "term": { + "host.os.type": "macos" + } + }, + { + "terms": { + "event.action": [ + "creation", + "overwrite", + "modification" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } } - } - } - } - ] - }, - "id": "ded-ml", - "migrationVersion": { - "search": "7.16.0" - }, - "references": [], - "type": "ml-module" + ] + }, + "id": "ded-ml", + "migrationVersion": { + "search": "7.16.0" + }, + "references": [], + "type": "ml-module" } \ No newline at end of file diff --git a/packages/dga/kibana/ml_module/dga-ml.json b/packages/dga/kibana/ml_module/dga-ml.json index 328d190a608..70e441044d8 100644 --- a/packages/dga/kibana/ml_module/dga-ml.json 
+++ b/packages/dga/kibana/ml_module/dga-ml.json 
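Review bot: the four network datafeeds in this hunk (`datafeed-ded_high_sent_bytes_destination_geo_country_iso_code_euid`, `..._destination_ip_euid`, `..._destination_port_euid`, `..._destination_region_name_euid`) carry no `script_fields`, yet their jobs list `host.entity.id_computed` and `user.entity.id_computed` as influencers; only the three file-write datafeeds define those script fields. Unless the network indices already carry those fields natively, the influencers will be empty for the network jobs, so either add the same `script_fields` block to the network datafeeds or remove the two fields from those jobs' `influencers`. Separately, this commit is described as indentation-only (4782 insertions against 4782 deletions); please confirm with `git diff -w` that no non-whitespace change slipped in, and add the missing trailing newline (`\ No newline at end of file`) while re-indenting.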
@@ -1,121 +1,121 @@ { - "attributes": { - "id": "dga-ml", - "title": "DGA", - "description": "Detect domain generation algorithm (DGA) activity in your network data.", - "type": "DGA", - "logo": { - "icon": "machineLearningApp" - }, - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "ml_is_dga.malicious_probability" - } - } - ], - "must_not": { - "terms": { - "_tier": [ - "data_frozen", - "data_cold" - ] - } - } - } - }, - "jobs": [ - { - "id": "dga_high_sum_probability_euid", - "config": { - "groups": [ - "security", - "dga" - ], - "description": "Detects potential DGA (domain generation algorithm) activity that is often used by malware command and control (C2) channels. Looks for a source IP address making DNS requests that have an aggregate high probability of being DGA activity.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "detector_description": "high probability of DGA activity", - "detector_index": 0, - "field_name": "ml_is_dga.malicious_probability", - "function": "high_sum", - "over_field_name": "source.ip" - } - ], - "influencers": [ - "source.ip", - "host.entity.id_computed" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-dga" - } - } - } - ], - "datafeeds": [ - { - "id": "datafeed-dga_high_sum_probability_euid", - "job_id": "dga_high_sum_probability_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "dga_high_sum_probability_euid", - "query": { + "attributes": { + "id": "dga-ml", + "title": "DGA", + "description": "Detect domain generation algorithm (DGA) activity in your network data.", + "type": "DGA", + "logo": { + "icon": "machineLearningApp" + }, + "query": { "bool": { - "filter": [ - { - "exists": { - "field": "ml_is_dga.malicious_probability" - } + "filter": [ + { + "exists": { + "field": "ml_is_dga.malicious_probability" + } + } + ], + "must_not": { + "terms": { + "_tier": [ + 
"data_frozen", + "data_cold" + ] + } } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "elastic-endpoint.exe", - "elastic-endpoint", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } + } + }, + "jobs": [ + { + "id": "dga_high_sum_probability_euid", + "config": { + "groups": [ + "security", + "dga" + ], + "description": "Detects potential DGA (domain generation algorithm) activity that is often used by malware command and control (C2) channels. Looks for a source IP address making DNS requests that have an aggregate high probability of being DGA activity.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "detector_description": "high probability of DGA activity", + "detector_index": 0, + "field_name": "ml_is_dga.malicious_probability", + "function": "high_sum", + "over_field_name": "source.ip" + } + ], + "influencers": [ + "source.ip", + "host.entity.id_computed" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-dga" + } } - ] } - }, - "script_fields": { - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } + ], + "datafeeds": [ + { + "id": "datafeed-dga_high_sum_probability_euid", + "job_id": "dga_high_sum_probability_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "dga_high_sum_probability_euid", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "ml_is_dga.malicious_probability" + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "elastic-endpoint.exe", + "elastic-endpoint", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + }, + "script_fields": { + 
"host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } } - } - } - } - ] - }, - "id": "dga-ml", - "migrationVersion": { - "search": "7.16.0" - }, - "references": [], - "type": "ml-module" + ] + }, + "id": "dga-ml", + "migrationVersion": { + "search": "7.16.0" + }, + "references": [], + "type": "ml-module" } \ No newline at end of file diff --git a/packages/lmd/kibana/ml_module/lmd-ml.json b/packages/lmd/kibana/ml_module/lmd-ml.json index f91e04730ba..110659c46df 100644 --- a/packages/lmd/kibana/ml_module/lmd-ml.json +++ b/packages/lmd/kibana/ml_module/lmd-ml.json 
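Review bot: the `must_not` clause on `process.name` in `datafeed-dga_high_sum_probability_euid` excludes the Elastic agent and beats binaries, but this datafeed is filtered on `exists: ml_is_dga.malicious_probability`, i.e. DNS/network documents where `process.name` may well be absent, so the clause does little here and looks copied from the process-based modules; either add a comment in the README explaining why it is kept or drop it. The module-level `query` also excludes the `data_frozen` / `data_cold` tiers while the datafeed query does not; if the datafeed should avoid cold and frozen data too, add the same `_tier` `must_not` there.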
@@ -1,962 +1,962 @@ { - "attributes": { - "id": "lmd-ml", - "title": "Lateral Movement Detection", - "description": "Detects lateral movement activity by identifying malicious file transfers and suspicious RDP sessions in an environment.", - "type": "lmd", - "logo": { - "icon": "machineLearningApp" - }, - "query": { - "bool": { - "should": [ - { - "term": { - "event.category": "file" - } - }, - { + "attributes": { + "id": "lmd-ml", + "title": "Lateral Movement Detection", + "description": "Detects lateral movement activity by identifying malicious file transfers and suspicious RDP sessions in an environment.", + "type": "lmd", + "logo": { + "icon": "machineLearningApp" + }, + "query": { "bool": { - "filter": [ - { - "exists": { - "field": "session.start_time" - } + "should": [ + { + "term": { + "event.category": "file" + } + }, + { + "bool": { + "filter": [ + { + "exists": { + "field": "session.start_time" + } + } + ] + } + } + ], + "must_not": { + "terms": { + "_tier": [ + "data_frozen", + "data_cold" + ] + } } - ] } - } - ], - "must_not": { - "terms": { - "_tier": [ - "data_frozen", - "data_cold" - ] - } - } - } - }, - "jobs": [ - { - "id": "lmd_high_count_remote_file_transfer_euid", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects unusually high file transfers to a remote host in the network.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "high_count by \"event.action\" partitionfield=\"host.name\"", - "function": "high_count", - "by_field_name": "event.action", - "partition_field_name": "host.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - }, - { - "id": "lmd_high_file_size_remote_file_transfer_euid", - "config": { - "groups": [ 
- "security", - "lateral_movement" - ], - "description": "Detects unusually high size of files shared with a remote host in the network.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "high_sum(\"file.size\") partitionfield=\"host.name\"", - "function": "high_sum", - "field_name": "file.size", - "partition_field_name": "host.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - }, - { - "id": "lmd_rare_file_extension_remote_transfer_euid", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects rare file extensions shared with a remote host in the network.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "detector_description": "rare by \"file.extension\" partitionfield=\"host.name\"", - "function": "rare", - "by_field_name": "file.extension", - "partition_field_name": "host.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "file.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - }, - { - "id": "lmd_rare_file_path_remote_transfer_euid", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects unusual folders and directories on which a file is transferred.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "detector_description": "rare by file_directory partitionfield=\"host.name\"", - "function": "rare", - "by_field_name": "file_directory", - "partition_field_name": "host.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - 
"file.path" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - }, - { - "id": "lmd_high_mean_rdp_session_duration_euid", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects unusually high mean of RDP session duration.", - "analysis_config": { - "bucket_span": "6h", - "detectors": [ - { - "detector_description": "high_mean(session.duration) partitionfield=\"source.ip\"", - "function": "high_mean", - "field_name": "session.duration", - "partition_field_name": "source.ip", - "detector_index": 0 - }, - { - "detector_description": "high_mean(session.duration) partitionfield=\"destination.ip\"", - "function": "high_mean", - "field_name": "session.duration", - "partition_field_name": "destination.ip", - "detector_index": 1 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "source.ip", - "destination.ip" - ] - }, - "data_description": { - "time_field": "session.start_time", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - }, - { - "id": "lmd_high_var_rdp_session_duration_euid", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects unusually high variance in RDP session duration.", - "analysis_config": { - "bucket_span": "6h", - "detectors": [ - { - "detector_description": "high_varp(session.duration) partitionfield=\"source.ip\"", - "function": "high_varp", - "field_name": "session.duration", - "partition_field_name": "source.ip", - "detector_index": 0 - }, - { - "detector_description": "high_varp(session.duration) partitionfield=\"destination.ip\"", - "function": "high_varp", - "field_name": "session.duration", - "partition_field_name": "destination.ip", - "detector_index": 1 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "source.ip", - "destination.ip" - ] 
- }, - "data_description": { - "time_field": "session.start_time", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - }, - { - "id": "lmd_high_sum_rdp_number_of_processes_euid", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects unusually high number of processes started in a single RDP session.", - "analysis_config": { - "bucket_span": "6h", - "detectors": [ - { - "detector_description": "high_sum(number_processes_per_session) partitionfield=\"source.ip\"", - "function": "high_sum", - "field_name": "number_processes_per_session", - "partition_field_name": "source.ip", - "detector_index": 0 - }, - { - "detector_description": "high_sum(number_processes_per_session) partitionfield=\"destination.ip\"", - "function": "high_sum", - "field_name": "number_processes_per_session", - "partition_field_name": "destination.ip", - "detector_index": 1 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "source.ip", - "destination.ip" - ] - }, - "data_description": { - "time_field": "session.start_time", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - }, - { - "id": "lmd_unusual_time_weekday_rdp_session_start_euid", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects an RDP session started at an usual time or weekday.", - "analysis_config": { - "bucket_span": "6h", - "detectors": [ - { - "detector_description": "time_of_week partitionfield=\"source.ip\"", - "function": "time_of_week", - "partition_field_name": "source.ip", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "destination.ip", - "source.ip" - ] - }, - "data_description": { - "time_field": "session.start_time", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - }, - { - "id": 
"lmd_high_rdp_distinct_count_source_ip_for_destination_euid", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects a high count of source IPs making an RDP connection with a single destination IP.", - "analysis_config": { - "bucket_span": "6h", - "detectors": [ - { - "detector_description": "high_distinct_count(\"source.ip\") partitionfield=\"destination.ip\"", - "function": "high_distinct_count", - "field_name": "source.ip", - "partition_field_name": "destination.ip", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "destination.ip" - ] - }, - "data_description": { - "time_field": "session.start_time", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - }, - { - "id": "lmd_high_rdp_distinct_count_destination_ip_for_source_euid", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects a high count of destination IPs establishing an RDP connection with a single source IP.", - "analysis_config": { - "bucket_span": "6h", - "detectors": [ - { - "detector_description": "high_distinct_count(\"destination.ip\") partitionfield=\"source.ip\"", - "function": "high_distinct_count", - "field_name": "destination.ip", - "partition_field_name": "source.ip", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "source.ip" - ] - }, - "data_description": { - "time_field": "session.start_time", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - }, - { - "id": "lmd_high_mean_rdp_process_args_euid", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects unusually high number of process arguments in an RDP session.", - "analysis_config": { - "bucket_span": "6h", - "detectors": [ - { - "detector_description": "high_mean(total_length_process_args) 
partitionfield=\"source.ip\"", - "function": "high_mean", - "field_name": "total_length_process_args", - "partition_field_name": "source.ip", - "detector_index": 0 - }, - { - "detector_description": "high_mean(total_length_process_args) partitionfield=\"destination.ip\"", - "function": "high_mean", - "field_name": "total_length_process_args", - "partition_field_name": "destination.ip", - "detector_index": 1 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "source.ip", - "destination.ip" - ] - }, - "data_description": { - "time_field": "session.start_time", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - } - ], - "datafeeds": [ - { - "id": "datafeed-lmd_high_count_remote_file_transfer_euid", - "job_id": "lmd_high_count_remote_file_transfer_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_high_count_remote_file_transfer_euid", - "query": { - "bool": { - "must_not": [ - { - "terms": { - "user.name": [ - "SYSTEM", - "root" - ] - } + }, + "jobs": [ + { + "id": "lmd_high_count_remote_file_transfer_euid", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects unusually high file transfers to a remote host in the network.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "high_count by \"event.action\" partitionfield=\"host.name\"", + "function": "high_count", + "by_field_name": "event.action", + "partition_field_name": "host.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } } - ], - "filter": [ - { - "term": { - "event.category": "file" - } - }, - { - "term": { - "event.action": "creation" - } - }, - { - "terms": { - "process.name": [ - 
"System", - "scp", - "sshd", - "smbd", - "vsftpd", - "sftp-server" - ] - } - }, - { - "exists": { - "field": "process.name" - } - }, - { - "exists": { - "field": "file.name" - } + }, + { + "id": "lmd_high_file_size_remote_file_transfer_euid", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects unusually high size of files shared with a remote host in the network.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "high_sum(\"file.size\") partitionfield=\"host.name\"", + "function": "high_sum", + "field_name": "file.size", + "partition_field_name": "host.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } - } - } - } - }, - { - "id": "datafeed-lmd_high_file_size_remote_file_transfer_euid", - "job_id": "lmd_high_file_size_remote_file_transfer_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_high_file_size_remote_file_transfer_euid", - "query": { - "bool": { - "must_not": [ - { - "terms": { - "user.name": [ - "SYSTEM", - "root" - ] - } + { + "id": "lmd_rare_file_extension_remote_transfer_euid", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects rare file extensions shared with a remote host in the network.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "detector_description": "rare by \"file.extension\" partitionfield=\"host.name\"", + "function": "rare", + "by_field_name": "file.extension", + "partition_field_name": "host.name", + "detector_index": 0 + } + ], + 
"influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "file.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } } - ], - "filter": [ - { - "term": { - "event.category": "file" - } - }, - { - "term": { - "event.action": "creation" - } - }, - { - "terms": { - "process.name": [ - "System", - "scp", - "sshd", - "smbd", - "vsftpd", - "sftp-server" - ] - } - }, - { - "exists": { - "field": "process.name" - } - }, - { - "exists": { - "field": "file.name" - } + }, + { + "id": "lmd_rare_file_path_remote_transfer_euid", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects unusual folders and directories on which a file is transferred.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "detector_description": "rare by file_directory partitionfield=\"host.name\"", + "function": "rare", + "by_field_name": "file_directory", + "partition_field_name": "host.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "file.path" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } - } - } - } - }, - { - "id": "datafeed-lmd_rare_file_extension_remote_transfer_euid", - "job_id": "lmd_rare_file_extension_remote_transfer_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_rare_file_extension_remote_transfer_euid", - "query": { - "bool": { - "must_not": [ - { - "terms": { - "user.name": [ - "SYSTEM", - "root" - ] - } + { + "id": "lmd_high_mean_rdp_session_duration_euid", + "config": { + "groups": [ + "security", + 
"lateral_movement" + ], + "description": "Detects unusually high mean of RDP session duration.", + "analysis_config": { + "bucket_span": "6h", + "detectors": [ + { + "detector_description": "high_mean(session.duration) partitionfield=\"source.ip\"", + "function": "high_mean", + "field_name": "session.duration", + "partition_field_name": "source.ip", + "detector_index": 0 + }, + { + "detector_description": "high_mean(session.duration) partitionfield=\"destination.ip\"", + "function": "high_mean", + "field_name": "session.duration", + "partition_field_name": "destination.ip", + "detector_index": 1 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "source.ip", + "destination.ip" + ] + }, + "data_description": { + "time_field": "session.start_time", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } } - ], - "filter": [ - { - "term": { - "event.category": "file" - } - }, - { - "term": { - "event.action": "creation" - } - }, - { - "terms": { - "process.name": [ - "System", - "scp", - "sshd", - "smbd", - "vsftpd", - "sftp-server" - ] - } - }, - { - "exists": { - "field": "process.name" - } - }, - { - "exists": { - "field": "file.name" - } + }, + { + "id": "lmd_high_var_rdp_session_duration_euid", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects unusually high variance in RDP session duration.", + "analysis_config": { + "bucket_span": "6h", + "detectors": [ + { + "detector_description": "high_varp(session.duration) partitionfield=\"source.ip\"", + "function": "high_varp", + "field_name": "session.duration", + "partition_field_name": "source.ip", + "detector_index": 0 + }, + { + "detector_description": "high_varp(session.duration) partitionfield=\"destination.ip\"", + "function": "high_varp", + "field_name": "session.duration", + "partition_field_name": "destination.ip", + "detector_index": 1 + } + ], + "influencers": [ + "host.entity.id_computed", + 
"user.entity.id_computed", + "source.ip", + "destination.ip" + ] + }, + "data_description": { + "time_field": "session.start_time", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } - } - } - } - }, - { - "id": "datafeed-lmd_high_mean_rdp_session_duration_euid", - "job_id": "lmd_high_mean_rdp_session_duration_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_high_mean_rdp_session_duration_euid", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "destination.ip" - } - }, - { - "exists": { - "field": "session.start_time" - } + { + "id": "lmd_high_sum_rdp_number_of_processes_euid", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects unusually high number of processes started in a single RDP session.", + "analysis_config": { + "bucket_span": "6h", + "detectors": [ + { + "detector_description": "high_sum(number_processes_per_session) partitionfield=\"source.ip\"", + "function": "high_sum", + "field_name": "number_processes_per_session", + "partition_field_name": "source.ip", + "detector_index": 0 + }, + { + "detector_description": "high_sum(number_processes_per_session) partitionfield=\"destination.ip\"", + "function": "high_sum", + "field_name": "number_processes_per_session", + "partition_field_name": "destination.ip", + "detector_index": 1 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "source.ip", + "destination.ip" + ] + }, + "data_description": { + "time_field": "session.start_time", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } } - ] - } - } - } - }, - { - "id": 
"datafeed-lmd_high_var_rdp_session_duration_euid", - "job_id": "lmd_high_var_rdp_session_duration_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_high_var_rdp_session_duration_euid", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "destination.ip" - } - }, - { - "exists": { - "field": "session.start_time" - } + }, + { + "id": "lmd_unusual_time_weekday_rdp_session_start_euid", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects an RDP session started at an usual time or weekday.", + "analysis_config": { + "bucket_span": "6h", + "detectors": [ + { + "detector_description": "time_of_week partitionfield=\"source.ip\"", + "function": "time_of_week", + "partition_field_name": "source.ip", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "destination.ip", + "source.ip" + ] + }, + "data_description": { + "time_field": "session.start_time", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } } - ] - } - } - } - }, - { - "id": "datafeed-lmd_high_sum_rdp_number_of_processes_euid", - "job_id": "lmd_high_sum_rdp_number_of_processes_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_high_sum_rdp_number_of_processes_euid", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "destination.ip" - } - }, - { - "exists": { - "field": "session.start_time" - } + }, + { + "id": "lmd_high_rdp_distinct_count_source_ip_for_destination_euid", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects a high count of source IPs making an RDP connection with a single destination IP.", + "analysis_config": { + "bucket_span": "6h", + "detectors": [ + { + "detector_description": "high_distinct_count(\"source.ip\") 
partitionfield=\"destination.ip\"", + "function": "high_distinct_count", + "field_name": "source.ip", + "partition_field_name": "destination.ip", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "destination.ip" + ] + }, + "data_description": { + "time_field": "session.start_time", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } } - ] - } - } - } - }, - { - "id": "datafeed-lmd_unusual_time_weekday_rdp_session_start_euid", - "job_id": "lmd_unusual_time_weekday_rdp_session_start_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_unusual_time_weekday_rdp_session_start_euid", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "destination.ip" - } - }, - { - "exists": { - "field": "session.start_time" - } + }, + { + "id": "lmd_high_rdp_distinct_count_destination_ip_for_source_euid", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects a high count of destination IPs establishing an RDP connection with a single source IP.", + "analysis_config": { + "bucket_span": "6h", + "detectors": [ + { + "detector_description": "high_distinct_count(\"destination.ip\") partitionfield=\"source.ip\"", + "function": "high_distinct_count", + "field_name": "destination.ip", + "partition_field_name": "source.ip", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "source.ip" + ] + }, + "data_description": { + "time_field": "session.start_time", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } } - ] - } - } - } - }, - { - "id": "datafeed-lmd_high_rdp_distinct_count_source_ip_for_destination_euid", - "job_id": "lmd_high_rdp_distinct_count_source_ip_for_destination_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": 
"lmd_high_rdp_distinct_count_source_ip_for_destination_euid", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "destination.ip" - } - }, - { - "exists": { - "field": "session.start_time" - } + }, + { + "id": "lmd_high_mean_rdp_process_args_euid", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects unusually high number of process arguments in an RDP session.", + "analysis_config": { + "bucket_span": "6h", + "detectors": [ + { + "detector_description": "high_mean(total_length_process_args) partitionfield=\"source.ip\"", + "function": "high_mean", + "field_name": "total_length_process_args", + "partition_field_name": "source.ip", + "detector_index": 0 + }, + { + "detector_description": "high_mean(total_length_process_args) partitionfield=\"destination.ip\"", + "function": "high_mean", + "field_name": "total_length_process_args", + "partition_field_name": "destination.ip", + "detector_index": 1 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "source.ip", + "destination.ip" + ] + }, + "data_description": { + "time_field": "session.start_time", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } } - ] } - } - } - }, - { - "id": "datafeed-lmd_high_rdp_distinct_count_destination_ip_for_source_euid", - "job_id": "lmd_high_rdp_distinct_count_destination_ip_for_source_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_high_rdp_distinct_count_destination_ip_for_source_euid", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "destination.ip" - } - }, - { - "exists": { - "field": "session.start_time" - } + ], + "datafeeds": [ + { + "id": "datafeed-lmd_high_count_remote_file_transfer_euid", + "job_id": "lmd_high_count_remote_file_transfer_euid", + "config": { + "indices": [ + 
"INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_count_remote_file_transfer_euid", + "query": { + "bool": { + "must_not": [ + { + "terms": { + "user.name": [ + "SYSTEM", + "root" + ] + } + } + ], + "filter": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "event.action": "creation" + } + }, + { + "terms": { + "process.name": [ + "System", + "scp", + "sshd", + "smbd", + "vsftpd", + "sftp-server" + ] + } + }, + { + "exists": { + "field": "process.name" + } + }, + { + "exists": { + "field": "file.name" + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } } - ] - } - } - } - }, - { - "id": "datafeed-lmd_high_mean_rdp_process_args_euid", - "job_id": "lmd_high_mean_rdp_process_args_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_high_mean_rdp_process_args_euid", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "destination.ip" - } - }, - { - "exists": { - "field": "session.start_time" - } + }, + { + "id": "datafeed-lmd_high_file_size_remote_file_transfer_euid", + "job_id": "lmd_high_file_size_remote_file_transfer_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_file_size_remote_file_transfer_euid", + "query": { + "bool": { + "must_not": [ + { + "terms": { + "user.name": [ + "SYSTEM", + "root" + ] + } + } + ], + "filter": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "event.action": "creation" + } + }, + { + "terms": { + "process.name": [ + "System", + "scp", + "sshd", + "smbd", + "vsftpd", + "sftp-server" + ] + } + }, + { + "exists": { + "field": "process.name" + } + }, + { + "exists": { + "field": "file.name" + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + 
"host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } } - ] - } - } - } - }, - { - "id": "datafeed-lmd_rare_file_path_remote_transfer_euid", - "job_id": "lmd_rare_file_path_remote_transfer_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_rare_file_path_remote_transfer_euid", - "query": { - "bool": { - "must_not": [ - { - "terms": { - "user.name": [ - "SYSTEM", - "root" - ] - } + }, + { + "id": "datafeed-lmd_rare_file_extension_remote_transfer_euid", + "job_id": "lmd_rare_file_extension_remote_transfer_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_rare_file_extension_remote_transfer_euid", + "query": { + "bool": { + "must_not": [ + { + "terms": { + "user.name": [ + "SYSTEM", + "root" + ] + } + } + ], + "filter": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "event.action": "creation" + } + }, + { + "terms": { + "process.name": [ + "System", + "scp", + "sshd", + "smbd", + "vsftpd", + "sftp-server" + ] + } + }, + { + "exists": { + "field": "process.name" + } + }, + { + "exists": { + "field": "file.name" + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } } - ], - "filter": [ - { - "term": { - "event.category": "file" - } - }, - { - "term": { - "event.action": "creation" - } - }, - { - "terms": { - "process.name": [ - "System", - "scp", - "sshd", - "smbd", - "vsftpd", - "sftp-server" - ] - } - }, - { - "exists": { - "field": "process.name" - } - }, - { - "exists": { - "field": "file.name" - } + }, + { + "id": "datafeed-lmd_high_mean_rdp_session_duration_euid", + "job_id": "lmd_high_mean_rdp_session_duration_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_mean_rdp_session_duration_euid", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": 
"source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + }, + { + "exists": { + "field": "session.start_time" + } + } + ] + } + } + } + }, + { + "id": "datafeed-lmd_high_var_rdp_session_duration_euid", + "job_id": "lmd_high_var_rdp_session_duration_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_var_rdp_session_duration_euid", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + }, + { + "exists": { + "field": "session.start_time" + } + } + ] + } + } } - ] - } - }, - "runtime_mappings": { - "file_directory": { - "type": "keyword", - "script": { - "source": "def st=new String();\r\ndef st1=new String(); \r\nif(doc.containsKey('file.path') && doc['file.path'].size() != 0 )\r\n{st=doc['file.path'].value.replace('/','\\\\').splitOnToken('\\\\')[-1]; \r\nst1=doc['file.path'].value.replace(st,\"\");\r\n emit((st1));} else { emit('None');}" - } - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } + { + "id": "datafeed-lmd_high_sum_rdp_number_of_processes_euid", + "job_id": "lmd_high_sum_rdp_number_of_processes_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_sum_rdp_number_of_processes_euid", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + }, + { + "exists": { + "field": "session.start_time" + } + } + ] + } + } + } + }, + { + "id": "datafeed-lmd_unusual_time_weekday_rdp_session_start_euid", + "job_id": "lmd_unusual_time_weekday_rdp_session_start_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_unusual_time_weekday_rdp_session_start_euid", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { 
+ "field": "destination.ip" + } + }, + { + "exists": { + "field": "session.start_time" + } + } + ] + } + } + } + }, + { + "id": "datafeed-lmd_high_rdp_distinct_count_source_ip_for_destination_euid", + "job_id": "lmd_high_rdp_distinct_count_source_ip_for_destination_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_rdp_distinct_count_source_ip_for_destination_euid", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + }, + { + "exists": { + "field": "session.start_time" + } + } + ] + } + } + } + }, + { + "id": "datafeed-lmd_high_rdp_distinct_count_destination_ip_for_source_euid", + "job_id": "lmd_high_rdp_distinct_count_destination_ip_for_source_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_rdp_distinct_count_destination_ip_for_source_euid", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + }, + { + "exists": { + "field": "session.start_time" + } + } + ] + } + } + } + }, + { + "id": "datafeed-lmd_high_mean_rdp_process_args_euid", + "job_id": "lmd_high_mean_rdp_process_args_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_mean_rdp_process_args_euid", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + }, + { + "exists": { + "field": "session.start_time" + } + } + ] + } + } + } + }, + { + "id": "datafeed-lmd_rare_file_path_remote_transfer_euid", + "job_id": "lmd_rare_file_path_remote_transfer_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_rare_file_path_remote_transfer_euid", + "query": { + "bool": { + "must_not": [ + { + "terms": { + "user.name": [ + "SYSTEM", + "root" + ] + } + } + ], + "filter": [ + { + "term": { + "event.category": "file" + } + }, + { + 
"term": { + "event.action": "creation" + } + }, + { + "terms": { + "process.name": [ + "System", + "scp", + "sshd", + "smbd", + "vsftpd", + "sftp-server" + ] + } + }, + { + "exists": { + "field": "process.name" + } + }, + { + "exists": { + "field": "file.name" + } + } + ] + } + }, + "runtime_mappings": { + "file_directory": { + "type": "keyword", + "script": { + "source": "def st=new String();\r\ndef st1=new String(); \r\nif(doc.containsKey('file.path') && doc['file.path'].size() != 0 )\r\n{st=doc['file.path'].value.replace('/','\\\\').splitOnToken('\\\\')[-1]; \r\nst1=doc['file.path'].value.replace(st,\"\");\r\n emit((st1));} else { emit('None');}" + } + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } } - } - } - } - ] - }, - "id": "lmd-ml", - "migrationVersion": { - "search": "7.16.0" - }, - "references": [], - "type": "ml-module" + ] + }, + "id": "lmd-ml", + "migrationVersion": { + "search": "7.16.0" + }, + "references": [], + "type": "ml-module" } \ No newline at end of file diff --git a/packages/pad/kibana/ml_module/pad-ml.json b/packages/pad/kibana/ml_module/pad-ml.json index e7c1f82b14e..124918208c3 100644 --- a/packages/pad/kibana/ml_module/pad-ml.json +++ b/packages/pad/kibana/ml_module/pad-ml.json 
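Review bot: every `-` line visible in this lmd-ml.json hunk has a `+` counterpart with identical content (the job ids already carry the `_euid` suffix, the influencer lists already contain `host.entity.id_computed` and `user.entity.id_computed`, the datafeed queries, `runtime_mappings` and `script_fields` are byte-for-byte the same), so the hunk is an indentation-only rewrite of the file that buries whatever the functional part of "Add EUIDs" is; please split the reformat into its own commit or drop it, and while the file is being rewritten anyway, fix the `\ No newline at end of file`. Two content points worth checking in the same file: the file-transfer datafeeds derive `user.entity.id_computed` and `host.entity.id_computed` via `script_fields` that reference stored scripts by id (`"script": { "id": "euid_user_entity" }` and `"id": "euid_host_entity"`), and a datafeed fails to start if a referenced stored script is absent, so the package must install those scripts and the README should state the dependency; the session-based RDP datafeeds (`datafeed-lmd_high_mean_rdp_session_duration_euid` and the others that filter only on `source.ip`, `destination.ip`, `session.start_time`) define no `script_fields` at all, yet their jobs list the same two fields as influencers, which only works if the `pivot_transform_euid` destination index already carries them, so that should be confirmed against the transform's fields.yml. Also, the description `"Detects an RDP session started at an usual time or weekday."` should read "unusual".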
@@ -1,2599 +1,2599 @@ { - "attributes": { - "id": "pad-ml", - "title": "Privileged Access Detection", - "description": "Detects anomalous privileged access activity in the Windows, Linux and Okta logs.", - "type": "pad", - "logo": { - "icon": "machineLearningApp" - }, - "query": { - "bool": { - "should": [ - { + "attributes": { + "id": "pad-ml", + "title": "Privileged Access Detection", + "description": "Detects anomalous privileged access activity in the Windows, Linux and Okta logs.", + "type": "pad", + "logo": { + "icon": "machineLearningApp" + }, + "query": { "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "exists": { - "field": "winlog.event_id" - } + "should": [ + { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "exists": { + "field": "winlog.event_id" + } + } + ] + } + }, + { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "linux", + "Linux" + ] + } + }, + { + "term": { + "event.category": "process" + } + } + ] + } + }, + { + "exists": { + "field": "privilege_type" + } + }, + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "exists": { + "field": "okta_distinct_ips" + } + } + ], + "must_not": { + "terms": { + "_tier": [ + "data_frozen", + "data_cold" + ] + } } - ] } - }, - { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "linux", - "Linux" - ] - } - }, - { - "term": { - "event.category": "process" - } + }, + "jobs": [ + { + "id": "pad_windows_high_count_special_logon_events_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects unusually high special logon events initiated by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of special logon events", + "function": "high_non_zero_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], 
+ "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "winlog.event_data.SubjectUserName", + "winlog.event_data.PrivilegeList", + "winlog.event_data.TargetUserName", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - ] - } - }, - { - "exists": { - "field": "privilege_type" - } - }, - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "exists": { - "field": "okta_distinct_ips" - } - } - ], - "must_not": { - "terms": { - "_tier": [ - "data_frozen", - "data_cold" - ] - } - } - } - }, - "jobs": [ - { - "id": "pad_windows_high_count_special_logon_events_euid", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects unusually high special logon events initiated by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of special logon events", - "function": "high_non_zero_count", - "by_field_name": "event.action", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "winlog.event_data.SubjectUserName", - "winlog.event_data.PrivilegeList", - "winlog.event_data.TargetUserName", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_windows_high_count_special_privilege_use_events_euid", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects unusually high special privilege use events initiated by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of special privilege use events", - "function": "high_non_zero_count", - "by_field_name": "event.action", - "partition_field_name": 
"user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "winlog.event_data.SubjectUserName", - "winlog.event_data.PrivilegeList", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_windows_high_count_group_management_events_euid", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects unusually high security group management events initiated by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of security group management events", - "function": "high_non_zero_count", - "by_field_name": "event.action", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "winlog.event_data.SubjectUserName", - "group.name", - "winlog.event_data.TargetUserName" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_windows_high_count_user_account_management_events_euid", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects unusually high security user account management events initiated by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of security user account management events", - "function": "high_non_zero_count", - "by_field_name": "event.action", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "winlog.event_data.SubjectUserName", - "winlog.event_data.TargetUserName" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": 
"epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_windows_rare_privilege_assigned_to_user_euid", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects an unusual privilege type assigned to a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare privilege type by user name", - "function": "rare", - "by_field_name": "privilege_type", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "privilege_type", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_windows_rare_group_name_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects an unusual group name accessed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare group name by user name", - "function": "rare", - "by_field_name": "group.name", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "group.name", - "winlog.event_data.TargetUserName", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_windows_rare_device_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects an unusual device accessed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare device name by user name", - "function": "rare", - "by_field_name": "host.name", - "partition_field_name": "user.name", - 
"detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "group.name", - "winlog.event_data.PrivilegeList", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_windows_rare_source_ip_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects an unusual source IP address accessed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare source IP by user name", - "function": "rare", - "by_field_name": "source.ip", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "source.ip", - "winlog.event_data.PrivilegeList", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_windows_rare_region_name_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects an unusual region name for a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare region name by user", - "function": "rare", - "by_field_name": "source.geo.region_name", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "source.geo.city_name", - "source.geo.country_name", - "winlog.event_data.PrivilegeList", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_linux_high_count_privileged_process_events_by_user_euid", - "config": { - "groups": [ - 
"security", - "pad", - "linux" - ], - "description": "Detects a spike in privileged commands executed by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of privileged processes by user name", - "function": "high_non_zero_count", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "process.name", - "process.command_line" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_linux_rare_process_executed_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "linux" - ], - "description": "Detects a rare process executed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare process by user name", - "function": "rare", - "by_field_name": "process.name", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_linux_high_median_process_command_line_entropy_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "linux" - ], - "description": "Detects process command lines executed by a user with an abnormally high median entropy value. This job requires some manual setup before it can run successfully, specifically adding custom field mappings for data coming from an ingest pipeline. 
Instructions for these steps are available in the package overview.", - "analysis_config": { - "bucket_span": "30m", - "detectors": [ - { - "detector_description": "High median of process argument count by user name", - "function": "high_median", - "field_name": "process.command_line_entropy", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "process.command_line" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_okta_spike_in_group_membership_changes_euid", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects spike in group membership change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of group membership okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "user.entity.id_computed", - "source.user.full_name", - "user.target.full_name", - "user.target.group.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_okta_spike_in_user_lifecycle_management_changes_euid", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects spike in user lifecycle management change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of user lifecycle management okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "user.entity.id_computed", - 
"detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "user.entity.id_computed", - "source.user.full_name", - "user.target.full_name", - "user.target.group.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_okta_spike_in_group_privilege_changes_euid", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects spike in group privilege change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of group privilege okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "user.entity.id_computed", - "source.user.full_name", - "user.target.full_name", - "user.target.group.name", - "okta.debug_context.debug_data.privilegeGranted", - "okta.debug_context.debug_data.privilegeRevoked" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_okta_spike_in_group_application_assignment_changes_euid", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects spike in group application assignment change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of group application assignment okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "user.entity.id_computed", - "source.user.full_name", - "user.target.group.name" - ] - }, - "data_description": { - "time_field": 
"@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_okta_spike_in_group_lifecycle_changes_euid", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects spike in group lifecycle change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of group lifecycle okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "user.entity.id_computed", - "source.user.full_name", - "user.target.group.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_okta_high_sum_concurrent_sessions_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects an unusual sum of active sessions started by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High sum of distinct source ips by user name", - "function": "high_sum", - "field_name": "okta_distinct_ips", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "user.entity.id_computed", - "agent.name", - "source.user.full_name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_okta_rare_source_ip_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects an unusual source IP address accessed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare source ip by user name", - "function": 
"rare", - "by_field_name": "source.ip", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "user.entity.id_computed", - "agent.name", - "source.user.full_name", - "user.target.group.name", - "okta.event_type" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_okta_rare_region_name_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects an unusual region name for a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare region name by user name", - "function": "rare", - "by_field_name": "client.geo.region_name", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "user.entity.id_computed", - "agent.name", - "source.user.full_name", - "user.target.group.name", - "okta.event_type", - "client.geo.country_name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_okta_rare_host_name_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects an unusual host name for a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare host name by user name", - "function": "rare", - "by_field_name": "agent.name", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "user.entity.id_computed", - "agent.name", - "source.user.full_name", - "user.target.group.name", - "okta.event_type" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - } - ], - "datafeeds": [ - { - "id": 
"datafeed-pad_windows_high_count_special_logon_events_euid", - "job_id": "pad_windows_high_count_special_logon_events_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_high_count_special_logon_events_euid", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "logged-in-special", - "logged-in-explicit" - ] - } - }, - { - "terms": { - "event.code": [ - "4672", - "4648" - ] - } + }, + { + "id": "pad_windows_high_count_special_privilege_use_events_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects unusually high special privilege use events initiated by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of special privilege use events", + "function": "high_non_zero_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "winlog.event_data.SubjectUserName", + "winlog.event_data.PrivilegeList", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } + }, + { + "id": "pad_windows_high_count_group_management_events_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects unusually high security group management events initiated by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of security group management events", + 
"function": "high_non_zero_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "winlog.event_data.SubjectUserName", + "group.name", + "winlog.event_data.TargetUserName" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } - } - } - } - }, - { - "id": "datafeed-pad_windows_high_count_special_privilege_use_events_euid", - "job_id": "pad_windows_high_count_special_privilege_use_events_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_high_count_special_privilege_use_events_euid", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "privileged-operation", - "privileged-service-called" - ] - } - }, - { - "terms": { - "event.code": [ - "4673", - "4674" - ] - } + { + "id": "pad_windows_high_count_user_account_management_events_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects unusually high security user account management events initiated by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of security user account management events", + "function": "high_non_zero_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "winlog.event_data.SubjectUserName", + "winlog.event_data.TargetUserName" + ] + }, + "data_description": { + "time_field": "@timestamp", + 
"time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } + }, + { + "id": "pad_windows_rare_privilege_assigned_to_user_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects an unusual privilege type assigned to a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare privilege type by user name", + "function": "rare", + "by_field_name": "privilege_type", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "privilege_type", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } - } - } - } - }, - { - "id": "datafeed-pad_windows_high_count_group_management_events_euid", - "job_id": "pad_windows_high_count_group_management_events_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_high_count_group_management_events_euid", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "added-member-to-group", - "removed-member-from-group" - ] - } - }, - { - "terms": { - "event.code": [ - "4732", - "4728", - "4756", - "4733", - "4729" - ] - } + { + "id": "pad_windows_rare_group_name_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + 
"description": "Detects an unusual group name accessed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare group name by user name", + "function": "rare", + "by_field_name": "group.name", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "group.name", + "winlog.event_data.TargetUserName", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } + }, + { + "id": "pad_windows_rare_device_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects an unusual device accessed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare device name by user name", + "function": "rare", + "by_field_name": "host.name", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "group.name", + "winlog.event_data.PrivilegeList", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } - } - } - } - }, - { - "id": "datafeed-pad_windows_high_count_user_account_management_events_euid", - "job_id": "pad_windows_high_count_user_account_management_events_euid", - "config": { - 
"indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_high_count_user_account_management_events_euid", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "enabled-user-account", - "added-user-account", - "deleted-user-account", - "disabled-user-account" - ] - } - }, - { - "terms": { - "event.code": [ - "4722", - "4720", - "4726", - "4725" - ] - } + { + "id": "pad_windows_rare_source_ip_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects an unusual source IP address accessed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare source IP by user name", + "function": "rare", + "by_field_name": "source.ip", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "source.ip", + "winlog.event_data.PrivilegeList", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } + }, + { + "id": "pad_windows_rare_region_name_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects an unusual region name for a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare region name by user", + "function": "rare", + "by_field_name": "source.geo.region_name", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + 
"source.geo.city_name", + "source.geo.country_name", + "winlog.event_data.PrivilegeList", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } - } - } - } - }, - { - "id": "datafeed-pad_windows_rare_privilege_assigned_to_user_euid", - "job_id": "pad_windows_rare_privilege_assigned_to_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_rare_privilege_assigned_to_user_euid", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "privilege_type" - } + { + "id": "pad_linux_high_count_privileged_process_events_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "linux" + ], + "description": "Detects a spike in privileged commands executed by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of privileged processes by user name", + "function": "high_non_zero_count", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "process.name", + "process.command_line" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - ] - } - } - } - }, - { - "id": "datafeed-pad_windows_rare_group_name_by_user_euid", - "job_id": "pad_windows_rare_group_name_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_rare_group_name_by_user_euid", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - 
"added-member-to-group", - "removed-member-from-group" - ] - } - }, - { - "terms": { - "event.code": [ - "4732", - "4728", - "4756", - "4733", - "4729" - ] - } + }, + { + "id": "pad_linux_rare_process_executed_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "linux" + ], + "description": "Detects a rare process executed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare process by user name", + "function": "rare", + "by_field_name": "process.name", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } + }, + { + "id": "pad_linux_high_median_process_command_line_entropy_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "linux" + ], + "description": "Detects process command lines executed by a user with an abnormally high median entropy value. This job requires some manual setup before it can run successfully, specifically adding custom field mappings for data coming from an ingest pipeline. 
Instructions for these steps are available in the package overview.", + "analysis_config": { + "bucket_span": "30m", + "detectors": [ + { + "detector_description": "High median of process argument count by user name", + "function": "high_median", + "field_name": "process.command_line_entropy", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "process.command_line" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } - } - } - } - }, - { - "id": "datafeed-pad_windows_rare_device_by_user_euid", - "job_id": "pad_windows_rare_device_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_rare_device_by_user_euid", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "exists": { - "field": "host.name" - } - }, - { - "exists": { - "field": "user.name" - } - }, - { - "terms": { - "event.code": [ - "4720", - "4726", - "4722", - "4756", - "4672", - "4673", - "4674", - "4720", - "4728", - "4732", - "4756", - "624", - "632", - "636", - "660", - "4725", - "4723", - "4648", - "4688", - "4729", - "4733", - "4757", - "637", - "661" - ] - } + { + "id": "pad_okta_spike_in_group_membership_changes_euid", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects spike in group membership change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of group membership okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + 
"partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "agent.name", + "user.entity.id_computed", + "source.user.full_name", + "user.target.full_name", + "user.target.group.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - ], - "must_not": [ - { - "terms": { - "event.action": [ - "log_on", - "created_process" - ] - } - }, - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } + }, + { + "id": "pad_okta_spike_in_user_lifecycle_management_changes_euid", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects spike in user lifecycle management change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of user lifecycle management okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "agent.name", + "user.entity.id_computed", + "source.user.full_name", + "user.target.full_name", + "user.target.group.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } - } - } - } - }, - { - "id": "datafeed-pad_windows_rare_source_ip_by_user_euid", - "job_id": "pad_windows_rare_source_ip_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": 
"pad_windows_rare_source_ip_by_user_euid", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "user.name" - } - }, - { - "terms": { - "event.code": [ - "4720", - "4726", - "4722", - "4756", - "4672", - "4673", - "4674", - "4720", - "4728", - "4732", - "4756", - "624", - "632", - "636", - "660", - "4725", - "4723", - "4648", - "4688", - "4729", - "4733", - "4757", - "637", - "661" - ] - } + { + "id": "pad_okta_spike_in_group_privilege_changes_euid", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects spike in group privilege change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of group privilege okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "agent.name", + "user.entity.id_computed", + "source.user.full_name", + "user.target.full_name", + "user.target.group.name", + "okta.debug_context.debug_data.privilegeGranted", + "okta.debug_context.debug_data.privilegeRevoked" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - ], - "must_not": [ - { - "terms": { - "event.action": [ - "log_on", - "created_process" - ] - } - }, - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } + }, + { + "id": "pad_okta_spike_in_group_application_assignment_changes_euid", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects spike in group application assignment change 
events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of group application assignment okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "agent.name", + "user.entity.id_computed", + "source.user.full_name", + "user.target.group.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } - } - } - } - }, - { - "id": "datafeed-pad_windows_rare_region_name_by_user_euid", - "job_id": "pad_windows_rare_region_name_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_rare_region_name_by_user_euid", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "exists": { - "field": "source.geo.region_name" - } - }, - { - "exists": { - "field": "user.name" - } - }, - { - "terms": { - "event.code": [ - "4720", - "4726", - "4722", - "4756", - "4672", - "4673", - "4674", - "4720", - "4728", - "4732", - "4756", - "624", - "632", - "636", - "660", - "4725", - "4723", - "4648", - "4688", - "4729", - "4733", - "4757", - "637", - "661" - ] - } + { + "id": "pad_okta_spike_in_group_lifecycle_changes_euid", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects spike in group lifecycle change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of group lifecycle okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + 
"partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "agent.name", + "user.entity.id_computed", + "source.user.full_name", + "user.target.group.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - ], - "must_not": [ - { - "terms": { - "event.action": [ - "log_on", - "created_process" - ] - } - }, - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } + }, + { + "id": "pad_okta_high_sum_concurrent_sessions_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects an unusual sum of active sessions started by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High sum of distinct source ips by user name", + "function": "high_sum", + "field_name": "okta_distinct_ips", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "user.entity.id_computed", + "agent.name", + "source.user.full_name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } - } - } - } - }, - { - "id": "datafeed-pad_linux_high_count_privileged_process_events_by_user_euid", - "job_id": "pad_linux_high_count_privileged_process_events_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_linux_high_count_privileged_process_events_by_user_euid", - "query": { - "bool": { - "must": [ - { - "terms": { - 
"host.os.type": [ - "linux", - "Linux" - ] - } - }, - { - "term": { - "event.category": "process" - } - }, - { - "terms": { - "event.type": [ - "start", - "change" - ] - } - }, - { - "bool": { - "should": [ - { - "match_phrase": { - "process.command_line.text": "LD_PRELOAD" - } - }, - { - "match_phrase": { - "process.command_line.text": "/etc/ld.so.preload" - } - }, - { - "match_phrase": { - "process.command_line.text": "/root/.ssh/authorized_keys" - } - }, - { - "match_phrase": { - "process.command_line.text": "timestamp_timeout=-1" - } - }, - { - "match_phrase": { - "process.command_line.text": "!tty_tickets" - } - }, - { - "match_phrase": { - "process.command_line.text": "var/spool/cron" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl daemon-reload" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw mod user" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw unlock" - } - }, - { - "match_phrase": { - "process.command_line.text": "chmod u+s" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo setcap cap_setuid" - } - }, - { - "match_phrase": { - "process.command_line.text": "su nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo */root/" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*etc/sudoers" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*visudo" - } - }, - { - "match_phrase": { - "process.command_line.text": "etc/cron.*/" - } - }, - { - "match_phrase": { - "process.command_line.text": "trap*SIGINT" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*2000" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*4000" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl start*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl 
enable*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bashrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.shrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_logout" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/rc." - } - } - ] - } + { + "id": "pad_okta_rare_source_ip_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects an unusual source IP address accessed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare source ip by user name", + "function": "rare", + "by_field_name": "source.ip", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "user.entity.id_computed", + "agent.name", + "source.user.full_name", + "user.target.group.name", + "okta.event_type" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent", - "elasticsearch-users", - "elastic-agent.exe", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - }, - { - "terms": { - "process.command_line.text": [ - "elastic-agent", - "elasticsearch" - ] - } + }, + { + "id": "pad_okta_rare_region_name_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects an unusual region name for a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare region name by user name", + "function": "rare", + 
"by_field_name": "client.geo.region_name", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "user.entity.id_computed", + "agent.name", + "source.user.full_name", + "user.target.group.name", + "okta.event_type", + "client.geo.country_name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } + { + "id": "pad_okta_rare_host_name_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects an unusual host name for a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare host name by user name", + "function": "rare", + "by_field_name": "agent.name", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "user.entity.id_computed", + "agent.name", + "source.user.full_name", + "user.target.group.name", + "okta.event_type" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } } - } - } - }, - { - "id": "datafeed-pad_linux_rare_process_executed_by_user_euid", - "job_id": "pad_linux_rare_process_executed_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_linux_rare_process_executed_by_user_euid", - "query": { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "linux", - "Linux" - ] - } - }, - { - "term": { - "event.category": "process" - } - }, - { - "terms": { - "event.type": [ - "start", - "change" - ] - } - }, - { - "bool": { - "should": [ - { - "match_phrase": { - "process.command_line.text": "LD_PRELOAD" - } - }, - { - 
"match_phrase": { - "process.command_line.text": "/etc/ld.so.preload" - } - }, - { - "match_phrase": { - "process.command_line.text": "/root/.ssh/authorized_keys" - } - }, - { - "match_phrase": { - "process.command_line.text": "timestamp_timeout=-1" - } - }, - { - "match_phrase": { - "process.command_line.text": "!tty_tickets" - } - }, - { - "match_phrase": { - "process.command_line.text": "var/spool/cron" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl daemon-reload" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw mod user" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw unlock" - } - }, - { - "match_phrase": { - "process.command_line.text": "chmod u+s" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo setcap cap_setuid" - } - }, - { - "match_phrase": { - "process.command_line.text": "su nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo */root/" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*etc/sudoers" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*visudo" - } - }, - { - "match_phrase": { - "process.command_line.text": "etc/cron.*/" - } - }, - { - "match_phrase": { - "process.command_line.text": "trap*SIGINT" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*2000" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*4000" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl start*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl enable*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bashrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.shrc" - } - }, - { - "match_phrase": { - 
"process.command_line.text": "echo*/etc/profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_logout" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/rc." + ], + "datafeeds": [ + { + "id": "datafeed-pad_windows_high_count_special_logon_events_euid", + "job_id": "pad_windows_high_count_special_logon_events_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_high_count_special_logon_events_euid", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "logged-in-special", + "logged-in-explicit" + ] + } + }, + { + "terms": { + "event.code": [ + "4672", + "4648" + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } } - } - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent", - "elasticsearch-users", - "elastic-agent.exe", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - }, - { - "terms": { - "process.command_line.text": [ - "elastic-agent", - "elasticsearch" - ] - } + } } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } - } - } - } - }, - { - "id": "datafeed-pad_linux_high_median_process_command_line_entropy_by_user_euid", - "job_id": "pad_linux_high_median_process_command_line_entropy_by_user_euid", - "config": { - 
"indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_linux_high_median_process_command_line_entropy_by_user_euid", - "query": { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "linux", - "Linux" - ] - } - }, - { - "term": { - "event.category": "process" - } - }, - { - "terms": { - "event.type": [ - "start", - "change" - ] - } - }, - { - "bool": { - "should": [ - { - "match_phrase": { - "process.command_line.text": "LD_PRELOAD" - } - }, - { - "match_phrase": { - "process.command_line.text": "/etc/ld.so.preload" - } - }, - { - "match_phrase": { - "process.command_line.text": "/root/.ssh/authorized_keys" - } - }, - { - "match_phrase": { - "process.command_line.text": "timestamp_timeout=-1" - } - }, - { - "match_phrase": { - "process.command_line.text": "!tty_tickets" - } - }, - { - "match_phrase": { - "process.command_line.text": "var/spool/cron" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl daemon-reload" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw mod user" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw unlock" - } - }, - { - "match_phrase": { - "process.command_line.text": "chmod u+s" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo setcap cap_setuid" - } - }, - { - "match_phrase": { - "process.command_line.text": "su nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo */root/" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*etc/sudoers" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*visudo" + { + "id": "datafeed-pad_windows_high_count_special_privilege_use_events_euid", + "job_id": "pad_windows_high_count_special_privilege_use_events_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_high_count_special_privilege_use_events_euid", + "query": { + "bool": { + "filter": [ 
+ { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "privileged-operation", + "privileged-service-called" + ] + } + }, + { + "terms": { + "event.code": [ + "4673", + "4674" + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } } - }, - { - "match_phrase": { - "process.command_line.text": "etc/cron.*/" - } - }, - { - "match_phrase": { - "process.command_line.text": "trap*SIGINT" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*2000" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*4000" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl start*.service" + } + } + }, + { + "id": "datafeed-pad_windows_high_count_group_management_events_euid", + "job_id": "pad_windows_high_count_group_management_events_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_high_count_group_management_events_euid", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "added-member-to-group", + "removed-member-from-group" + ] + } + }, + { + "terms": { + "event.code": [ + "4732", + "4728", + "4756", + "4733", + "4729" + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + }, + "script_fields": { + 
"user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl enable*.service" + } + } + }, + { + "id": "datafeed-pad_windows_high_count_user_account_management_events_euid", + "job_id": "pad_windows_high_count_user_account_management_events_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_high_count_user_account_management_events_euid", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "enabled-user-account", + "added-user-account", + "deleted-user-account", + "disabled-user-account" + ] + } + }, + { + "terms": { + "event.code": [ + "4722", + "4720", + "4726", + "4725" + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_profile" + } + } + }, + { + "id": "datafeed-pad_windows_rare_privilege_assigned_to_user_euid", + "job_id": "pad_windows_rare_privilege_assigned_to_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_privilege_assigned_to_user_euid", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "privilege_type" + } + } + ] } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bashrc" + } + } + }, + { + "id": "datafeed-pad_windows_rare_group_name_by_user_euid", + "job_id": 
"pad_windows_rare_group_name_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_group_name_by_user_euid", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "added-member-to-group", + "removed-member-from-group" + ] + } + }, + { + "terms": { + "event.code": [ + "4732", + "4728", + "4756", + "4733", + "4729" + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.shrc" + } + } + }, + { + "id": "datafeed-pad_windows_rare_device_by_user_euid", + "job_id": "pad_windows_rare_device_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_device_by_user_euid", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "exists": { + "field": "host.name" + } + }, + { + "exists": { + "field": "user.name" + } + }, + { + "terms": { + "event.code": [ + "4720", + "4726", + "4722", + "4756", + "4672", + "4673", + "4674", + "4720", + "4728", + "4732", + "4756", + "624", + "632", + "636", + "660", + "4725", + "4723", + "4648", + "4688", + "4729", + "4733", + "4757", + "637", + "661" + ] + } + } + ], + "must_not": [ + { + "terms": { + "event.action": [ + "log_on", + "created_process" + ] + } + }, + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + 
"packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/profile" + } + } + }, + { + "id": "datafeed-pad_windows_rare_source_ip_by_user_euid", + "job_id": "pad_windows_rare_source_ip_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_source_ip_by_user_euid", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "user.name" + } + }, + { + "terms": { + "event.code": [ + "4720", + "4726", + "4722", + "4756", + "4672", + "4673", + "4674", + "4720", + "4728", + "4732", + "4756", + "624", + "632", + "636", + "660", + "4725", + "4723", + "4648", + "4688", + "4729", + "4733", + "4757", + "637", + "661" + ] + } + } + ], + "must_not": [ + { + "terms": { + "event.action": [ + "log_on", + "created_process" + ] + } + }, + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_logout" + } + } + }, + { + "id": "datafeed-pad_windows_rare_region_name_by_user_euid", + "job_id": "pad_windows_rare_region_name_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_region_name_by_user_euid", + "query": { + "bool": { + "filter": [ + { + "terms": { + 
"host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "exists": { + "field": "source.geo.region_name" + } + }, + { + "exists": { + "field": "user.name" + } + }, + { + "terms": { + "event.code": [ + "4720", + "4726", + "4722", + "4756", + "4672", + "4673", + "4674", + "4720", + "4728", + "4732", + "4756", + "624", + "632", + "636", + "660", + "4725", + "4723", + "4648", + "4688", + "4729", + "4733", + "4757", + "637", + "661" + ] + } + } + ], + "must_not": [ + { + "terms": { + "event.action": [ + "log_on", + "created_process" + ] + } + }, + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/rc." 
+ } + } + }, + { + "id": "datafeed-pad_linux_high_count_privileged_process_events_by_user_euid", + "job_id": "pad_linux_high_count_privileged_process_events_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_linux_high_count_privileged_process_events_by_user_euid", + "query": { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "linux", + "Linux" + ] + } + }, + { + "term": { + "event.category": "process" + } + }, + { + "terms": { + "event.type": [ + "start", + "change" + ] + } + }, + { + "bool": { + "should": [ + { + "match_phrase": { + "process.command_line.text": "LD_PRELOAD" + } + }, + { + "match_phrase": { + "process.command_line.text": "/etc/ld.so.preload" + } + }, + { + "match_phrase": { + "process.command_line.text": "/root/.ssh/authorized_keys" + } + }, + { + "match_phrase": { + "process.command_line.text": "timestamp_timeout=-1" + } + }, + { + "match_phrase": { + "process.command_line.text": "!tty_tickets" + } + }, + { + "match_phrase": { + "process.command_line.text": "var/spool/cron" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl daemon-reload" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw mod user" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw unlock" + } + }, + { + "match_phrase": { + "process.command_line.text": "chmod u+s" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo setcap cap_setuid" + } + }, + { + "match_phrase": { + "process.command_line.text": "su nobody" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo nobody" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo */root/" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*etc/sudoers" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*visudo" + } + }, + { + "match_phrase": { + "process.command_line.text": "etc/cron.*/" + } + }, + { + "match_phrase": { + 
"process.command_line.text": "trap*SIGINT" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*2000" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*4000" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl start*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl enable*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bashrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.shrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_logout" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/rc." + } + } + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent", + "elasticsearch-users", + "elastic-agent.exe", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + }, + { + "terms": { + "process.command_line.text": [ + "elastic-agent", + "elasticsearch" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } } - } - ] - } + } } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent", - "elasticsearch-users", - "elastic-agent.exe", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - }, - { - "terms": { - "process.command_line.text": [ - "elastic-agent", - "elasticsearch" - ] - } + }, + { + "id": "datafeed-pad_linux_rare_process_executed_by_user_euid", + "job_id": "pad_linux_rare_process_executed_by_user_euid", + 
"config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_linux_rare_process_executed_by_user_euid", + "query": { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "linux", + "Linux" + ] + } + }, + { + "term": { + "event.category": "process" + } + }, + { + "terms": { + "event.type": [ + "start", + "change" + ] + } + }, + { + "bool": { + "should": [ + { + "match_phrase": { + "process.command_line.text": "LD_PRELOAD" + } + }, + { + "match_phrase": { + "process.command_line.text": "/etc/ld.so.preload" + } + }, + { + "match_phrase": { + "process.command_line.text": "/root/.ssh/authorized_keys" + } + }, + { + "match_phrase": { + "process.command_line.text": "timestamp_timeout=-1" + } + }, + { + "match_phrase": { + "process.command_line.text": "!tty_tickets" + } + }, + { + "match_phrase": { + "process.command_line.text": "var/spool/cron" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl daemon-reload" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw mod user" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw unlock" + } + }, + { + "match_phrase": { + "process.command_line.text": "chmod u+s" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo setcap cap_setuid" + } + }, + { + "match_phrase": { + "process.command_line.text": "su nobody" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo nobody" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo */root/" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*etc/sudoers" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*visudo" + } + }, + { + "match_phrase": { + "process.command_line.text": "etc/cron.*/" + } + }, + { + "match_phrase": { + "process.command_line.text": "trap*SIGINT" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*2000" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*4000" + } + 
}, + { + "match_phrase": { + "process.command_line.text": "systemctl start*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl enable*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bashrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.shrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_logout" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/rc." + } + } + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent", + "elasticsearch-users", + "elastic-agent.exe", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + }, + { + "terms": { + "process.command_line.text": [ + "elastic-agent", + "elasticsearch" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } - } - } - } - }, - { - "id": "datafeed-pad_okta_spike_in_group_membership_changes_euid", - "job_id": "pad_okta_spike_in_group_membership_changes_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_group_membership_changes_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": [ - "group.user_membership.add", - "group.user_membership.remove" - ] - } + { + "id": 
"datafeed-pad_linux_high_median_process_command_line_entropy_by_user_euid", + "job_id": "pad_linux_high_median_process_command_line_entropy_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_linux_high_median_process_command_line_entropy_by_user_euid", + "query": { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "linux", + "Linux" + ] + } + }, + { + "term": { + "event.category": "process" + } + }, + { + "terms": { + "event.type": [ + "start", + "change" + ] + } + }, + { + "bool": { + "should": [ + { + "match_phrase": { + "process.command_line.text": "LD_PRELOAD" + } + }, + { + "match_phrase": { + "process.command_line.text": "/etc/ld.so.preload" + } + }, + { + "match_phrase": { + "process.command_line.text": "/root/.ssh/authorized_keys" + } + }, + { + "match_phrase": { + "process.command_line.text": "timestamp_timeout=-1" + } + }, + { + "match_phrase": { + "process.command_line.text": "!tty_tickets" + } + }, + { + "match_phrase": { + "process.command_line.text": "var/spool/cron" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl daemon-reload" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw mod user" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw unlock" + } + }, + { + "match_phrase": { + "process.command_line.text": "chmod u+s" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo setcap cap_setuid" + } + }, + { + "match_phrase": { + "process.command_line.text": "su nobody" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo nobody" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo */root/" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*etc/sudoers" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*visudo" + } + }, + { + "match_phrase": { + "process.command_line.text": "etc/cron.*/" + } + }, + { + "match_phrase": { + "process.command_line.text": 
"trap*SIGINT" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*2000" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*4000" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl start*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl enable*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bashrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.shrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_logout" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/rc." + } + } + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent", + "elasticsearch-users", + "elastic-agent.exe", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + }, + { + "terms": { + "process.command_line.text": [ + "elastic-agent", + "elasticsearch" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - } - } - } - }, - { - "id": "datafeed-pad_okta_spike_in_user_lifecycle_management_changes_euid", - "job_id": "pad_okta_spike_in_user_lifecycle_management_changes_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_user_lifecycle_management_changes_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - 
"okta.event_type": [ - "user.lifecycle.activate", - "user.lifecycle.deactivate", - "user.lifecycle.suspend", - "user.lifecycle.unsuspend", - "user.lifecycle.create", - "user.lifecycle.update" - ] - } + }, + { + "id": "datafeed-pad_okta_spike_in_group_membership_changes_euid", + "job_id": "pad_okta_spike_in_group_membership_changes_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_group_membership_changes_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "terms": { + "okta.event_type": [ + "group.user_membership.add", + "group.user_membership.remove" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + } + } } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - } - } - } - }, - { - "id": "datafeed-pad_okta_spike_in_group_privilege_changes_euid", - "job_id": "pad_okta_spike_in_group_privilege_changes_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_group_privilege_changes_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": [ - "group.privilege.grant", - "group.privilege.revoke" - ] - } + }, + { + "id": "datafeed-pad_okta_spike_in_user_lifecycle_management_changes_euid", + "job_id": "pad_okta_spike_in_user_lifecycle_management_changes_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_user_lifecycle_management_changes_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "terms": { + "okta.event_type": [ + "user.lifecycle.activate", + "user.lifecycle.deactivate", + "user.lifecycle.suspend", + "user.lifecycle.unsuspend", + "user.lifecycle.create", + "user.lifecycle.update" + ] + } + } + ] 
+ } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + } + } } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - } - } - } - }, - { - "id": "datafeed-pad_okta_spike_in_group_application_assignment_changes_euid", - "job_id": "pad_okta_spike_in_group_application_assignment_changes_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_group_application_assignment_changes_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": [ - "group.application_assignment.add", - "group.application_assignment.remove" - ] - } + }, + { + "id": "datafeed-pad_okta_spike_in_group_privilege_changes_euid", + "job_id": "pad_okta_spike_in_group_privilege_changes_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_group_privilege_changes_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "terms": { + "okta.event_type": [ + "group.privilege.grant", + "group.privilege.revoke" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + } + } } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - } - } - } - }, - { - "id": "datafeed-pad_okta_spike_in_group_lifecycle_changes_euid", - "job_id": "pad_okta_spike_in_group_lifecycle_changes_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_group_lifecycle_changes_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": [ - "group.lifecycle.create", - "group.lifecycle.delete" - ] - } + }, + { + "id": 
"datafeed-pad_okta_spike_in_group_application_assignment_changes_euid", + "job_id": "pad_okta_spike_in_group_application_assignment_changes_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_group_application_assignment_changes_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "terms": { + "okta.event_type": [ + "group.application_assignment.add", + "group.application_assignment.remove" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + } + } } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - } - } - } - }, - { - "id": "datafeed-pad_okta_high_sum_concurrent_sessions_by_user_euid", - "job_id": "pad_okta_high_sum_concurrent_sessions_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_high_sum_concurrent_sessions_by_user_euid", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.user.name" - } - }, - { - "exists": { - "field": "okta_distinct_ips" - } - }, - { - "range": { - "okta_distinct_ips": { - "gte": 2 + }, + { + "id": "datafeed-pad_okta_spike_in_group_lifecycle_changes_euid", + "job_id": "pad_okta_spike_in_group_lifecycle_changes_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_group_lifecycle_changes_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "terms": { + "okta.event_type": [ + "group.lifecycle.create", + "group.lifecycle.delete" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + } } - } - }, - { - "range": { - "okta_distinct_countries": { - "gte": 2 + } + }, + { + "id": "datafeed-pad_okta_high_sum_concurrent_sessions_by_user_euid", + "job_id": 
"pad_okta_high_sum_concurrent_sessions_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_high_sum_concurrent_sessions_by_user_euid", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.user.name" + } + }, + { + "exists": { + "field": "okta_distinct_ips" + } + }, + { + "range": { + "okta_distinct_ips": { + "gte": 2 + } + } + }, + { + "range": { + "okta_distinct_countries": { + "gte": 2 + } + } + }, + { + "term": { + "okta_session_info.has_end_event": 0 + } + } + ] + } } - } - }, - { - "term": { - "okta_session_info.has_end_event": 0 - } } - ] - } - } - } - }, - { - "id": "datafeed-pad_okta_rare_source_ip_by_user_euid", - "job_id": "pad_okta_rare_source_ip_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_rare_source_ip_by_user_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "exists": { - "field": "source.ip" - } - }, - { - "terms": { - "okta.event_type": [ - "group.lifecycle.create", - "group.lifecycle.delete", - "group.user_membership.add", - "group.user_membership.remove", - "user.lifecycle.activate", - "user.lifecycle.deactivate", - "user.lifecycle.suspend", - "user.lifecycle.unsuspend", - "user.lifecycle.create", - "user.lifecycle.update", - "group.privilege.grant", - "group.privilege.revoke", - "group.application_assignment.add", - "group.application_assignment.remove" - ] - } + }, + { + "id": "datafeed-pad_okta_rare_source_ip_by_user_euid", + "job_id": "pad_okta_rare_source_ip_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_rare_source_ip_by_user_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "exists": { + "field": "source.ip" + } + }, + { + "terms": { + "okta.event_type": [ + "group.lifecycle.create", + "group.lifecycle.delete", + "group.user_membership.add", + 
"group.user_membership.remove", + "user.lifecycle.activate", + "user.lifecycle.deactivate", + "user.lifecycle.suspend", + "user.lifecycle.unsuspend", + "user.lifecycle.create", + "user.lifecycle.update", + "group.privilege.grant", + "group.privilege.revoke", + "group.application_assignment.add", + "group.application_assignment.remove" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + } + } } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - } - } - } - }, - { - "id": "datafeed-pad_okta_rare_region_name_by_user_euid", - "job_id": "pad_okta_rare_region_name_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_rare_region_name_by_user_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "exists": { - "field": "client.geo.region_name" - } - }, - { - "terms": { - "okta.event_type": [ - "group.lifecycle.create", - "group.lifecycle.delete", - "group.user_membership.add", - "group.user_membership.remove", - "user.lifecycle.activate", - "user.lifecycle.deactivate", - "user.lifecycle.suspend", - "user.lifecycle.unsuspend", - "user.lifecycle.create", - "user.lifecycle.update", - "group.privilege.grant", - "group.privilege.revoke", - "group.application_assignment.add", - "group.application_assignment.remove" - ] - } + }, + { + "id": "datafeed-pad_okta_rare_region_name_by_user_euid", + "job_id": "pad_okta_rare_region_name_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_rare_region_name_by_user_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "exists": { + "field": "client.geo.region_name" + } + }, + { + "terms": { + "okta.event_type": [ + "group.lifecycle.create", + "group.lifecycle.delete", + "group.user_membership.add", + 
"group.user_membership.remove", + "user.lifecycle.activate", + "user.lifecycle.deactivate", + "user.lifecycle.suspend", + "user.lifecycle.unsuspend", + "user.lifecycle.create", + "user.lifecycle.update", + "group.privilege.grant", + "group.privilege.revoke", + "group.application_assignment.add", + "group.application_assignment.remove" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + } + } } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - } - } - } - }, - { - "id": "datafeed-pad_okta_rare_host_name_by_user_euid", - "job_id": "pad_okta_rare_host_name_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_rare_host_name_by_user_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "exists": { - "field": "agent.name" - } - }, - { - "terms": { - "okta.event_type": [ - "group.lifecycle.create", - "group.lifecycle.delete", - "group.user_membership.add", - "group.user_membership.remove", - "user.lifecycle.activate", - "user.lifecycle.deactivate", - "user.lifecycle.suspend", - "user.lifecycle.unsuspend", - "user.lifecycle.create", - "user.lifecycle.update", - "group.privilege.grant", - "group.privilege.revoke", - "group.application_assignment.add", - "group.application_assignment.remove" - ] - } + }, + { + "id": "datafeed-pad_okta_rare_host_name_by_user_euid", + "job_id": "pad_okta_rare_host_name_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_rare_host_name_by_user_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "exists": { + "field": "agent.name" + } + }, + { + "terms": { + "okta.event_type": [ + "group.lifecycle.create", + "group.lifecycle.delete", + "group.user_membership.add", + "group.user_membership.remove", + 
"user.lifecycle.activate", + "user.lifecycle.deactivate", + "user.lifecycle.suspend", + "user.lifecycle.unsuspend", + "user.lifecycle.create", + "user.lifecycle.update", + "group.privilege.grant", + "group.privilege.revoke", + "group.application_assignment.add", + "group.application_assignment.remove" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + } + } } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } } - } - } - } - ] - }, - "id": "pad-ml", - "migrationVersion": { - "search": "7.16.0" - }, - "references": [], - "type": "ml-module" + ] + }, + "id": "pad-ml", + "migrationVersion": { + "search": "7.16.0" + }, + "references": [], + "type": "ml-module" } \ No newline at end of file diff --git a/packages/problemchild/kibana/ml_module/problemchild-ml.json b/packages/problemchild/kibana/ml_module/problemchild-ml.json index 6ff98c93a9e..49521ba9213 100644 --- a/packages/problemchild/kibana/ml_module/problemchild-ml.json +++ b/packages/problemchild/kibana/ml_module/problemchild-ml.json 
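Review bot: the datafeed for `pad_okta_high_sum_concurrent_sessions_by_user_euid` is the only `_euid` datafeed in this hunk whose `config` has no `script_fields` block; every other Okta and Linux datafeed here carries `"user.entity.id_computed": { "script": { "id": "euid_user_entity" } }`. If that job's analysis_config references `user.entity.id_computed`, this feed will not supply it; if the field is expected to already exist in the transform output the feed reads (`okta_distinct_ips`, `okta_session_info.has_end_event`), say so in the README or changelog so the asymmetry does not look like an omission. Two further points in the same hunk. First, the two Linux datafeeds (`pad_linux_rare_process_executed_by_user_euid` and `pad_linux_high_median_process_command_line_entropy_by_user_euid`) build their `should` clause from `match_phrase` on `process.command_line.text` with patterns such as `"find*-perm*4000"`, `"sudo*etc/sudoers"` and `"echo*/.bashrc"`; `match_phrase` does not treat `*` as a wildcard, so what actually matches is the analyzed token sequence (with the standard analyzer: `find`, `perm`, `4000`, adjacent and in that order), which is stricter than the patterns suggest and misses a command line like `find / -type f -perm 4000`. Either use a `wildcard` query on the keyword field or give `match_phrase` a `slop`, and check which analyzer the `.text` field uses. The same two feeds exclude `"elastic-agent"` and `"elasticsearch"` via a `terms` query on `process.command_line.text`; `terms` is not analyzed, so unless that field's analyzer keeps `elastic-agent` as one token the clause never matches and the exclusion rests entirely on the `process.name` list. Second, `euid_user_entity` and `euid_host_entity` are referenced by stored-script id, so the datafeed searches fail unless those scripts exist in the cluster before the module is started; the package should install them (or the README should state the prerequisite) and the changelog entry should name the dependency. Finally, most `-`/`+` pairs in this hunk differ only in indentation; reindenting the whole file in the same commit as the EUID changes makes the substantive diff hard to review and would be better as a separate commit (verify with `git diff -w`).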
@@ -1,633 +1,633 @@ { - "attributes": { - "id": "problemchild-ml", - "title": "Living off the Land Attack Detection", - "description": "Detects potential living off the land activity by identifying malicious processes.", - "type": "ProblemChild", - "logo": { - "icon": "machineLearningApp" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "exists": { - "field": "problemchild.prediction" - } - }, - { - "exists": { - "field": "blocklist_label" - } - } - ], - "must_not": { - "terms": { - "_tier": [ - "data_frozen", - "data_cold" - ] - } - } - } - }, - "jobs": [ - { - "id": "problem_child_rare_process_by_host_euid", - "config": { - "groups": [ - "living_off_the_land", - "security" - ], - "description": "Looks for a process that has been classified as malicious on a host that does not commonly manifest malicious process activity.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "by_field_name": "process.name", - "detector_description": "rare process given a host", - "detector_index": 0, - "function": "rare", - "partition_field_name": "host.name" - } - ], - "influencers": [ - "process.name", - "host.entity.id_computed", - "user.entity.id_computed", - "process.command_line" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-problem-child" - } - } - }, - { - "id": "problem_child_high_sum_by_host_euid", - "config": { - "groups": [ - "living_off_the_land", - "security" - ], - "description": "Looks for hosts with one or more potentially malicious child processes.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "by_field_name": "host.name", - "detector_description": "high sum of model hits by host", - "detector_index": 0, - "field_name": "problemchild.prediction_probability", - "function": "high_sum" - }, - { - "by_field_name": "host.name", - "detector_description": "high sum of blocklist hits by host", - 
"detector_index": 0, - "field_name": "blocklist_label", - "function": "high_sum" - } - ], - "influencers": [ - "process.name", - "host.entity.id_computed", - "user.entity.id_computed", - "process.command_line" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-problem-child" - } - } - }, - { - "id": "problem_child_rare_process_by_user_euid", - "config": { - "groups": [ - "living_off_the_land", - "security" - ], - "description": "Looks for a process that has been classified as malicious where the user context is unusual and does not commonly manifest malicious process activity.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "by_field_name": "process.name", - "detector_description": "rare process given a user", - "detector_index": 0, - "function": "rare", - "partition_field_name": "user.name" - } - ], - "influencers": [ - "process.name", - "user.entity.id_computed", - "host.entity.id_computed", - "process.command_line" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-problem-child" - } - } - }, - { - "id": "problem_child_rare_process_by_parent_euid", - "config": { - "groups": [ - "living_off_the_land", - "security" - ], - "description": "Looks for rare malicious child processes spawned by a parent process.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "by_field_name": "process.name", - "detector_description": "rare process given a parent process", - "detector_index": 0, - "function": "rare", - "partition_field_name": "process.parent.name" - } - ], - "influencers": [ - "process.name", - "process.parent.name", - "process.command_line", - "host.entity.id_computed", - "user.entity.id_computed" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": 
"ml-module-problem-child" - } - } - }, - { - "id": "problem_child_high_sum_by_user_euid", - "config": { - "groups": [ - "living_off_the_land", - "security" - ], - "description": "Looks for users with one or more potentially malicious child processes.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "by_field_name": "user.name", - "detector_description": "high sum of model hits by user", - "detector_index": 0, - "field_name": "problemchild.prediction_probability", - "function": "high_sum" - }, - { - "by_field_name": "user.name", - "detector_description": "high sum of blocklist hits by user", - "detector_index": 0, - "field_name": "blocklist_label", - "function": "high_sum" - } - ], - "influencers": [ - "process.name", - "user.entity.id_computed", - "host.entity.id_computed", - "process.command_line" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-problem-child" - } - } - }, - { - "id": "problem_child_high_sum_by_parent_euid", - "config": { - "groups": [ - "living_off_the_land", - "security" - ], - "description": "Looks for parent process names with one or more potentially malicious child processes.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "by_field_name": "process.parent.name", - "detector_description": "high sum of model hits by parent process", - "detector_index": 0, - "field_name": "problemchild.prediction_probability", - "function": "high_sum" - }, - { - "by_field_name": "process.parent.name", - "detector_description": "high sum of blocklist hits by parent process", - "detector_index": 0, - "field_name": "blocklist_label", - "function": "high_sum" - } - ], - "influencers": [ - "process.name", - "process.parent.name", - "process.command_line", - "host.entity.id_computed", - "user.entity.id_computed" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": 
{ - "created_by": "ml-module-problem-child" - } - } - } - ], - "datafeeds": [ - { - "id": "datafeed-problem_child_rare_process_by_host_euid", - "job_id": "problem_child_rare_process_by_host_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "problem_child_rare_process_by_host_euid", - "query": { + "attributes": { + "id": "problemchild-ml", + "title": "Living off the Land Attack Detection", + "description": "Detects potential living off the land activity by identifying malicious processes.", + "type": "ProblemChild", + "logo": { + "icon": "machineLearningApp" + }, + "query": { "bool": { - "minimum_should_match": 1, - "should": [ - { - "match": { - "problemchild.prediction": 1 - } - }, - { - "match": { - "blocklist_label": 1 - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "elastic-endpoint.exe", - "elastic-endpoint", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } + "minimum_should_match": 1, + "should": [ + { + "exists": { + "field": "problemchild.prediction" + } + }, + { + "exists": { + "field": "blocklist_label" + } + } + ], + "must_not": { + "terms": { + "_tier": [ + "data_frozen", + "data_cold" + ] + } } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } } - } - } - }, - { - "id": "datafeed-problem_child_high_sum_by_host_euid", - "job_id": "problem_child_high_sum_by_host_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "problem_child_high_sum_by_host_euid", - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match": { - "problemchild.prediction": 1 - } - }, - { - "match": { - "blocklist_label": 1 - } + }, + "jobs": [ + { + "id": "problem_child_rare_process_by_host_euid", + "config": { + 
"groups": [ + "living_off_the_land", + "security" + ], + "description": "Looks for a process that has been classified as malicious on a host that does not commonly manifest malicious process activity.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "by_field_name": "process.name", + "detector_description": "rare process given a host", + "detector_index": 0, + "function": "rare", + "partition_field_name": "host.name" + } + ], + "influencers": [ + "process.name", + "host.entity.id_computed", + "user.entity.id_computed", + "process.command_line" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-problem-child" + } } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "elastic-endpoint.exe", - "elastic-endpoint", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } + }, + { + "id": "problem_child_high_sum_by_host_euid", + "config": { + "groups": [ + "living_off_the_land", + "security" + ], + "description": "Looks for hosts with one or more potentially malicious child processes.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "by_field_name": "host.name", + "detector_description": "high sum of model hits by host", + "detector_index": 0, + "field_name": "problemchild.prediction_probability", + "function": "high_sum" + }, + { + "by_field_name": "host.name", + "detector_description": "high sum of blocklist hits by host", + "detector_index": 0, + "field_name": "blocklist_label", + "function": "high_sum" + } + ], + "influencers": [ + "process.name", + "host.entity.id_computed", + "user.entity.id_computed", + "process.command_line" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-problem-child" + } 
} - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } - } - } - } - }, - { - "id": "datafeed-problem_child_rare_process_by_user_euid", - "job_id": "problem_child_rare_process_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "problem_child_rare_process_by_user_euid", - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match": { - "problemchild.prediction": 1 - } - }, - { - "match": { - "blocklist_label": 1 - } + { + "id": "problem_child_rare_process_by_user_euid", + "config": { + "groups": [ + "living_off_the_land", + "security" + ], + "description": "Looks for a process that has been classified as malicious where the user context is unusual and does not commonly manifest malicious process activity.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "by_field_name": "process.name", + "detector_description": "rare process given a user", + "detector_index": 0, + "function": "rare", + "partition_field_name": "user.name" + } + ], + "influencers": [ + "process.name", + "user.entity.id_computed", + "host.entity.id_computed", + "process.command_line" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-problem-child" + } } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "elastic-endpoint.exe", - "elastic-endpoint", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } + }, + { + "id": "problem_child_rare_process_by_parent_euid", + "config": { + "groups": [ + "living_off_the_land", + "security" + ], + "description": "Looks for rare malicious child processes spawned by a parent process.", + "analysis_config": { + "bucket_span": 
"15m", + "detectors": [ + { + "by_field_name": "process.name", + "detector_description": "rare process given a parent process", + "detector_index": 0, + "function": "rare", + "partition_field_name": "process.parent.name" + } + ], + "influencers": [ + "process.name", + "process.parent.name", + "process.command_line", + "host.entity.id_computed", + "user.entity.id_computed" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-problem-child" + } } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } - } - } - } - }, - { - "id": "datafeed-problem_child_rare_process_by_parent_euid", - "job_id": "problem_child_rare_process_by_parent_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "problem_child_rare_process_by_parent_euid", - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match": { - "problemchild.prediction": 1 - } - }, - { - "match": { - "blocklist_label": 1 - } + { + "id": "problem_child_high_sum_by_user_euid", + "config": { + "groups": [ + "living_off_the_land", + "security" + ], + "description": "Looks for users with one or more potentially malicious child processes.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "by_field_name": "user.name", + "detector_description": "high sum of model hits by user", + "detector_index": 0, + "field_name": "problemchild.prediction_probability", + "function": "high_sum" + }, + { + "by_field_name": "user.name", + "detector_description": "high sum of blocklist hits by user", + "detector_index": 0, + "field_name": "blocklist_label", + "function": "high_sum" + } + ], + "influencers": [ + "process.name", + "user.entity.id_computed", + "host.entity.id_computed", + "process.command_line" + ] + }, + "data_description": { + "time_field": 
"@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-problem-child" + } } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "elastic-endpoint.exe", - "elastic-endpoint", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } + }, + { + "id": "problem_child_high_sum_by_parent_euid", + "config": { + "groups": [ + "living_off_the_land", + "security" + ], + "description": "Looks for parent process names with one or more potentially malicious child processes.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "by_field_name": "process.parent.name", + "detector_description": "high sum of model hits by parent process", + "detector_index": 0, + "field_name": "problemchild.prediction_probability", + "function": "high_sum" + }, + { + "by_field_name": "process.parent.name", + "detector_description": "high sum of blocklist hits by parent process", + "detector_index": 0, + "field_name": "blocklist_label", + "function": "high_sum" + } + ], + "influencers": [ + "process.name", + "process.parent.name", + "process.command_line", + "host.entity.id_computed", + "user.entity.id_computed" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-problem-child" + } } - ] } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } + ], + "datafeeds": [ + { + "id": "datafeed-problem_child_rare_process_by_host_euid", + "job_id": "problem_child_rare_process_by_host_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "problem_child_rare_process_by_host_euid", + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match": { + "problemchild.prediction": 1 + } + }, + { + "match": { + "blocklist_label": 1 + } + } + ], 
+ "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "elastic-endpoint.exe", + "elastic-endpoint", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } - } - } - } - }, - { - "id": "datafeed-problem_child_high_sum_by_user_euid", - "job_id": "problem_child_high_sum_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "problem_child_high_sum_by_user_euid", - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match": { - "problemchild.prediction": 1 - } - }, - { - "match": { - "blocklist_label": 1 - } + { + "id": "datafeed-problem_child_high_sum_by_host_euid", + "job_id": "problem_child_high_sum_by_host_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "problem_child_high_sum_by_host_euid", + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match": { + "problemchild.prediction": 1 + } + }, + { + "match": { + "blocklist_label": 1 + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "elastic-endpoint.exe", + "elastic-endpoint", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "elastic-endpoint.exe", 
- "elastic-endpoint", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } + }, + { + "id": "datafeed-problem_child_rare_process_by_user_euid", + "job_id": "problem_child_rare_process_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "problem_child_rare_process_by_user_euid", + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match": { + "problemchild.prediction": 1 + } + }, + { + "match": { + "blocklist_label": 1 + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "elastic-endpoint.exe", + "elastic-endpoint", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } - } - } - } - }, - { - "id": "datafeed-problem_child_high_sum_by_parent_euid", - "job_id": "problem_child_high_sum_by_parent_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "problem_child_high_sum_by_parent_euid", - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match": { - "problemchild.prediction": 1 - } - }, - { - "match": { - "blocklist_label": 1 - } + { + "id": "datafeed-problem_child_rare_process_by_parent_euid", + "job_id": "problem_child_rare_process_by_parent_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "problem_child_rare_process_by_parent_euid", + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match": { 
+ "problemchild.prediction": 1 + } + }, + { + "match": { + "blocklist_label": 1 + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "elastic-endpoint.exe", + "elastic-endpoint", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "elastic-endpoint.exe", - "elastic-endpoint", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } + }, + { + "id": "datafeed-problem_child_high_sum_by_user_euid", + "job_id": "problem_child_high_sum_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "problem_child_high_sum_by_user_euid", + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match": { + "problemchild.prediction": 1 + } + }, + { + "match": { + "blocklist_label": 1 + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "elastic-endpoint.exe", + "elastic-endpoint", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } + { + "id": 
"datafeed-problem_child_high_sum_by_parent_euid", + "job_id": "problem_child_high_sum_by_parent_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "problem_child_high_sum_by_parent_euid", + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match": { + "problemchild.prediction": 1 + } + }, + { + "match": { + "blocklist_label": 1 + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "elastic-endpoint.exe", + "elastic-endpoint", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } + } } - } - } - } - ] - }, - "id": "problemchild-ml", - "migrationVersion": { - "search": "7.16.0" - }, - "references": [], - "type": "ml-module" + ] + }, + "id": "problemchild-ml", + "migrationVersion": { + "search": "7.16.0" + }, + "references": [], + "type": "ml-module" } \ No newline at end of file From 48c3abe400d175af1850ab5ccf1cde45401a40a3 Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Tue, 3 Mar 2026 08:43:17 -0600 Subject: [PATCH 03/44] fix indentation --- packages/pad/kibana/ml_module/pad-ml.json | 4939 ++++++++++----------- 1 file changed, 2458 insertions(+), 2481 deletions(-) diff --git a/packages/pad/kibana/ml_module/pad-ml.json b/packages/pad/kibana/ml_module/pad-ml.json index 124918208c3..0334c79f1c2 100644 --- a/packages/pad/kibana/ml_module/pad-ml.json +++ b/packages/pad/kibana/ml_module/pad-ml.json 
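Review bot: in the `problem_child_high_sum_by_user_euid` and `problem_child_high_sum_by_parent_euid` jobs both detectors carry `"detector_index": 0`; the index is meant to follow detector order, so the second detector in each should read `"detector_index": 1` (or the field dropped and left to the API), otherwise anyone reading or diffing the module sees two detectors claiming the same slot. The new datafeeds also depend on stored scripts `euid_user_entity` and `euid_host_entity` via `script_fields`, and nothing in this hunk creates them, so either ship them with the package assets or state in the README/changelog that they must exist before the datafeeds are started. Finally, the `_euid` suffix suggests the jobs key on entity IDs, yet `problem_child_rare_process_by_user_euid` still partitions on `user.name` and only lists `user.entity.id_computed` as an influencer; if that is intentional, say so in the docs so the naming is not read as a bug.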
@@ -1,2594 +1,2571 @@ { "attributes": { - "id": "pad-ml", - "title": "Privileged Access Detection", - "description": "Detects anomalous privileged access activity in the Windows, Linux and Okta logs.", - "type": "pad", - "logo": { - "icon": "machineLearningApp" - }, - "query": { - "bool": { - "should": [ - { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "exists": { - "field": "winlog.event_id" - } - } - ] - } - }, - { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "linux", - "Linux" - ] - } - }, - { - "term": { - "event.category": "process" - } - } - ] - } - }, - { - "exists": { - "field": "privilege_type" - } - }, - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "exists": { - "field": "okta_distinct_ips" - } + "id": "pad-ml", + "title": "Privileged Access Detection", + "description": "Detects anomalous privileged access activity in the Windows, Linux and Okta logs.", + "type": "pad", + "logo": { + "icon": "machineLearningApp" + }, + "query": { + "bool": { + "should": [ + { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] } - ], - "must_not": { + }, + { + "exists": { + "field": "winlog.event_id" + } + } + ] + } + }, + { + "bool": { + "must": [ + { "terms": { - "_tier": [ - "data_frozen", - "data_cold" - ] + "host.os.type": [ + "linux", + "Linux" + ] + } + }, + { + "term": { + "event.category": "process" } + } + ] + } + }, + { + "exists": { + "field": "privilege_type" + } + }, + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "exists": { + "field": "okta_distinct_ips" + } + } + ], + "must_not": { + "terms": { + "_tier": [ + "data_frozen", + "data_cold" + ] + } + } + } + }, + "jobs": [ + { + "id": "pad_windows_high_count_special_logon_events_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects unusually high special logon events initiated by a user.", + 
"analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of special logon events", + "function": "high_non_zero_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "winlog.event_data.SubjectUserName", + "winlog.event_data.PrivilegeList", + "winlog.event_data.TargetUserName", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } + } }, - "jobs": [ - { - "id": "pad_windows_high_count_special_logon_events_euid", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects unusually high special logon events initiated by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of special logon events", - "function": "high_non_zero_count", - "by_field_name": "event.action", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "winlog.event_data.SubjectUserName", - "winlog.event_data.PrivilegeList", - "winlog.event_data.TargetUserName", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + { + "id": "pad_windows_high_count_special_privilege_use_events_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects unusually high special privilege use events initiated by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of special privilege use events", + "function": "high_non_zero_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + 
"detector_index": 0 } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "winlog.event_data.SubjectUserName", + "winlog.event_data.PrivilegeList", + "process.name" + ] }, - { - "id": "pad_windows_high_count_special_privilege_use_events_euid", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects unusually high special privilege use events initiated by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of special privilege use events", - "function": "high_non_zero_count", - "by_field_name": "event.action", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "winlog.event_data.SubjectUserName", - "winlog.event_data.PrivilegeList", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_windows_high_count_group_management_events_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects unusually high security group management events initiated by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of security group management events", + "function": "high_non_zero_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "winlog.event_data.SubjectUserName", + "group.name", + "winlog.event_data.TargetUserName" + ] }, - { - "id": "pad_windows_high_count_group_management_events_euid", - "config": { - "groups": [ - "security", - 
"pad", - "windows" - ], - "description": "Detects unusually high security group management events initiated by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of security group management events", - "function": "high_non_zero_count", - "by_field_name": "event.action", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "winlog.event_data.SubjectUserName", - "group.name", - "winlog.event_data.TargetUserName" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_windows_high_count_user_account_management_events_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects unusually high security user account management events initiated by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of security user account management events", + "function": "high_non_zero_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "winlog.event_data.SubjectUserName", + "winlog.event_data.TargetUserName" + ] }, - { - "id": "pad_windows_high_count_user_account_management_events_euid", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects unusually high security user account management events initiated by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of security user account management events", - "function": 
"high_non_zero_count", - "by_field_name": "event.action", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "winlog.event_data.SubjectUserName", - "winlog.event_data.TargetUserName" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_windows_rare_privilege_assigned_to_user_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects an unusual privilege type assigned to a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare privilege type by user name", + "function": "rare", + "by_field_name": "privilege_type", + "partition_field_name": "user.name", + "detector_index": 0 } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "privilege_type", + "event.action" + ] }, - { - "id": "pad_windows_rare_privilege_assigned_to_user_euid", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects an unusual privilege type assigned to a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare privilege type by user name", - "function": "rare", - "by_field_name": "privilege_type", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "privilege_type", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + 
"custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_windows_rare_group_name_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects an unusual group name accessed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare group name by user name", + "function": "rare", + "by_field_name": "group.name", + "partition_field_name": "user.name", + "detector_index": 0 } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "group.name", + "winlog.event_data.TargetUserName", + "event.action" + ] }, - { - "id": "pad_windows_rare_group_name_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects an unusual group name accessed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare group name by user name", - "function": "rare", - "by_field_name": "group.name", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "group.name", - "winlog.event_data.TargetUserName", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_windows_rare_device_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects an unusual device accessed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare device name by user name", + "function": "rare", + "by_field_name": "host.name", + "partition_field_name": "user.name", + "detector_index": 0 } + ], 
+ "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "group.name", + "winlog.event_data.PrivilegeList", + "event.action" + ] }, - { - "id": "pad_windows_rare_device_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects an unusual device accessed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare device name by user name", - "function": "rare", - "by_field_name": "host.name", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "group.name", - "winlog.event_data.PrivilegeList", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_windows_rare_source_ip_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects an unusual source IP address accessed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare source IP by user name", + "function": "rare", + "by_field_name": "source.ip", + "partition_field_name": "user.name", + "detector_index": 0 } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "source.ip", + "winlog.event_data.PrivilegeList", + "event.action" + ] }, - { - "id": "pad_windows_rare_source_ip_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects an unusual source IP address accessed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare source IP by user name", - "function": "rare", - 
"by_field_name": "source.ip", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "source.ip", - "winlog.event_data.PrivilegeList", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_windows_rare_region_name_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects an unusual region name for a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare region name by user", + "function": "rare", + "by_field_name": "source.geo.region_name", + "partition_field_name": "user.name", + "detector_index": 0 } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "source.geo.city_name", + "source.geo.country_name", + "winlog.event_data.PrivilegeList", + "event.action" + ] }, - { - "id": "pad_windows_rare_region_name_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects an unusual region name for a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare region name by user", - "function": "rare", - "by_field_name": "source.geo.region_name", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "source.geo.city_name", - "source.geo.country_name", - "winlog.event_data.PrivilegeList", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + 
"data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_linux_high_count_privileged_process_events_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "linux" + ], + "description": "Detects a spike in privileged commands executed by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of privileged processes by user name", + "function": "high_non_zero_count", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "process.name", + "process.command_line" + ] }, - { - "id": "pad_linux_high_count_privileged_process_events_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "linux" - ], - "description": "Detects a spike in privileged commands executed by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of privileged processes by user name", - "function": "high_non_zero_count", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "process.name", - "process.command_line" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_linux_rare_process_executed_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "linux" + ], + "description": "Detects a rare process executed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare process by user name", + 
"function": "rare", + "by_field_name": "process.name", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "process.name" + ] }, - { - "id": "pad_linux_rare_process_executed_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "linux" - ], - "description": "Detects a rare process executed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare process by user name", - "function": "rare", - "by_field_name": "process.name", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_linux_high_median_process_command_line_entropy_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "linux" + ], + "description": "Detects process command lines executed by a user with an abnormally high median entropy value. This job requires some manual setup before it can run successfully, specifically adding custom field mappings for data coming from an ingest pipeline. 
Instructions for these steps are available in the package overview.", + "analysis_config": { + "bucket_span": "30m", + "detectors": [ + { + "detector_description": "High median of process argument count by user name", + "function": "high_median", + "field_name": "process.command_line_entropy", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 } + ], + "influencers": [ + "host.entity.id_computed", + "user.entity.id_computed", + "process.command_line" + ] }, - { - "id": "pad_linux_high_median_process_command_line_entropy_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "linux" - ], - "description": "Detects process command lines executed by a user with an abnormally high median entropy value. This job requires some manual setup before it can run successfully, specifically adding custom field mappings for data coming from an ingest pipeline. Instructions for these steps are available in the package overview.", - "analysis_config": { - "bucket_span": "30m", - "detectors": [ - { - "detector_description": "High median of process argument count by user name", - "function": "high_median", - "field_name": "process.command_line_entropy", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "process.command_line" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_okta_spike_in_group_membership_changes_euid", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects spike in group membership change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count 
of group membership okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 } + ], + "influencers": [ + "agent.name", + "user.entity.id_computed", + "source.user.full_name", + "user.target.full_name", + "user.target.group.name" + ] }, - { - "id": "pad_okta_spike_in_group_membership_changes_euid", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects spike in group membership change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of group membership okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "user.entity.id_computed", - "source.user.full_name", - "user.target.full_name", - "user.target.group.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_okta_spike_in_user_lifecycle_management_changes_euid", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects spike in user lifecycle management change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of user lifecycle management okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "agent.name", + "user.entity.id_computed", + "source.user.full_name", + "user.target.full_name", + 
"user.target.group.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_okta_spike_in_group_privilege_changes_euid", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects spike in group privilege change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of group privilege okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "agent.name", + "user.entity.id_computed", + "source.user.full_name", + "user.target.full_name", + "user.target.group.name", + "okta.debug_context.debug_data.privilegeGranted", + "okta.debug_context.debug_data.privilegeRevoked" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_okta_spike_in_group_application_assignment_changes_euid", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects spike in group application assignment change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of group application assignment okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "agent.name", + "user.entity.id_computed", + "source.user.full_name", + "user.target.group.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": 
"pad_okta_spike_in_group_lifecycle_changes_euid", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects spike in group lifecycle change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of group lifecycle okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "agent.name", + "user.entity.id_computed", + "source.user.full_name", + "user.target.group.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_okta_high_sum_concurrent_sessions_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects an unusual sum of active sessions started by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High sum of distinct source ips by user name", + "function": "high_sum", + "field_name": "okta_distinct_ips", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "user.entity.id_computed", + "agent.name", + "source.user.full_name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_okta_rare_source_ip_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects an unusual source IP address accessed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare source ip by user name", + "function": "rare", + "by_field_name": "source.ip", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } + ], + 
"influencers": [ + "user.entity.id_computed", + "agent.name", + "source.user.full_name", + "user.target.group.name", + "okta.event_type" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_okta_rare_region_name_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects an unusual region name for a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare region name by user name", + "function": "rare", + "by_field_name": "client.geo.region_name", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "user.entity.id_computed", + "agent.name", + "source.user.full_name", + "user.target.group.name", + "okta.event_type", + "client.geo.country_name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_okta_rare_host_name_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects an unusual host name for a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare host name by user name", + "function": "rare", + "by_field_name": "agent.name", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "user.entity.id_computed", + "agent.name", + "source.user.full_name", + "user.target.group.name", + "okta.event_type" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + } + ], + "datafeeds": [ + { + "id": "datafeed-pad_windows_high_count_special_logon_events_euid", + "job_id": "pad_windows_high_count_special_logon_events_euid", + 
"config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_high_count_special_logon_events_euid", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "logged-in-special", + "logged-in-explicit" + ] + } + }, + { + "terms": { + "event.code": [ + "4672", + "4648" + ] } + } + ], + "must_not": [ + { + "terms": { + "process.name": + [ "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" } + } + } +} + }, + { + "id": "datafeed-pad_windows_high_count_special_privilege_use_events_euid", + "job_id": "pad_windows_high_count_special_privilege_use_events_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_high_count_special_privilege_use_events_euid", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "privileged-operation", + "privileged-service-called" + ] + } + }, + { + "terms": { + "event.code": [ + "4673", + "4674" + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": + [ "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" ] + } + } + ] + } }, - { - "id": "pad_okta_spike_in_user_lifecycle_management_changes_euid", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects spike in user lifecycle management change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High 
count of user lifecycle management okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "user.entity.id_computed", - "source.user.full_name", - "user.target.full_name", - "user.target.group.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } +} + }, + { + "id": "datafeed-pad_windows_high_count_group_management_events_euid", + "job_id": "pad_windows_high_count_group_management_events_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_high_count_group_management_events_euid", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "added-member-to-group", + "removed-member-from-group" + ] + } + }, + { + "terms": { + "event.code": [ + "4732", + "4728", + "4756", + "4733", + "4729" + ] } + } + ], + "must_not": [ + { + "terms": { + "process.name": + [ "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" } + } + } +} + }, + { + "id": "datafeed-pad_windows_high_count_user_account_management_events_euid", + "job_id": "pad_windows_high_count_user_account_management_events_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": 
"pad_windows_high_count_user_account_management_events_euid", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "enabled-user-account", + "added-user-account", + "deleted-user-account", + "disabled-user-account" + ] + } + }, + { + "terms": { + "event.code": [ + "4722", + "4720", + "4726", + "4725" + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": + [ "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" ] + } + } + ] + } }, - { - "id": "pad_okta_spike_in_group_privilege_changes_euid", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects spike in group privilege change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of group privilege okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "user.entity.id_computed", - "source.user.full_name", - "user.target.full_name", - "user.target.group.name", - "okta.debug_context.debug_data.privilegeGranted", - "okta.debug_context.debug_data.privilegeRevoked" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } +} + }, + { + "id": "datafeed-pad_windows_rare_privilege_assigned_to_user_euid", + "job_id": "pad_windows_rare_privilege_assigned_to_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": 
"pad_windows_rare_privilege_assigned_to_user_euid", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "privilege_type" } + } + ] + } + } + } + }, + { + "id": "datafeed-pad_windows_rare_group_name_by_user_euid", + "job_id": "pad_windows_rare_group_name_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_group_name_by_user_euid", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "added-member-to-group", + "removed-member-from-group" + ] + } + }, + { + "terms": { + "event.code": [ + "4732", + "4728", + "4756", + "4733", + "4729" + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": + [ "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } +} + }, + { + "id": "datafeed-pad_windows_rare_device_by_user_euid", + "job_id": "pad_windows_rare_device_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_device_by_user_euid", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "exists": { + "field": "host.name" + } + }, + { + "exists": { + "field": "user.name" + } + }, + { + "terms": { + "event.code": [ + "4720", + "4726", + "4722", + "4756", + "4672", + "4673", + "4674", + "4720", + "4728", + "4732", + "4756", + "624", + "632", + "636", + "660", + "4725", + "4723", + "4648", + "4688", + "4729", + "4733", + "4757", + "637", + "661" + ] + } + } + ], + "must_not": [ + { + "terms": { + "event.action": [ + "log_on", + "created_process" + ] + } + }, + { + 
"terms": { + "process.name": + [ "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" ] + } + } + ] + } }, - { - "id": "pad_okta_spike_in_group_application_assignment_changes_euid", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects spike in group application assignment change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of group application assignment okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "user.entity.id_computed", - "source.user.full_name", - "user.target.group.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } +} + }, + { + "id": "datafeed-pad_windows_rare_source_ip_by_user_euid", + "job_id": "pad_windows_rare_source_ip_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_source_ip_by_user_euid", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "user.name" + } + }, + { + "terms": { + "event.code": [ + "4720", + "4726", + "4722", + "4756", + "4672", + "4673", + "4674", + "4720", + "4728", + "4732", + "4756", + "624", + "632", + "636", + "660", + "4725", + "4723", + "4648", + "4688", + "4729", + "4733", + "4757", + "637", + "661" + ] } + } + ], + "must_not": [ + { + 
"terms": { + "event.action": [ + "log_on", + "created_process" + ] + } + }, + { + "terms": { + "process.name": + [ "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } +} + }, + { + "id": "datafeed-pad_windows_rare_region_name_by_user_euid", + "job_id": "pad_windows_rare_region_name_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_region_name_by_user_euid", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "exists": { + "field": "source.geo.region_name" + } + }, + { + "exists": { + "field": "user.name" + } + }, + { + "terms": { + "event.code": [ + "4720", + "4726", + "4722", + "4756", + "4672", + "4673", + "4674", + "4720", + "4728", + "4732", + "4756", + "624", + "632", + "636", + "660", + "4725", + "4723", + "4648", + "4688", + "4729", + "4733", + "4757", + "637", + "661" + ] + } + } + ], + "must_not": [ + { + "terms": { + "event.action": [ + "log_on", + "created_process" + ] + } + }, + { + "terms": { + "process.name": + [ "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" ] + } + } + ] + } }, - { - "id": "pad_okta_spike_in_group_lifecycle_changes_euid", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects spike in group lifecycle change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of group lifecycle okta events by user name", - "function": "high_non_zero_count", - 
"by_field_name": "okta.event_type", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "user.entity.id_computed", - "source.user.full_name", - "user.target.group.name" + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } +} + }, + { + "id": "datafeed-pad_linux_high_count_privileged_process_events_by_user_euid", + "job_id": "pad_linux_high_count_privileged_process_events_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_linux_high_count_privileged_process_events_by_user_euid", + "query": { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "linux", + "Linux" ] + } + }, + { + "term": { + "event.category": "process" + } }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" + { + "terms": { + "event.type": [ + "start", + "change" + ] + } }, - "custom_settings": { - "created_by": "ml-module-pad" + { + "bool": { + "should": [ + { + "match_phrase": { + "process.command_line.text": "LD_PRELOAD" + } + }, + { + "match_phrase": { + "process.command_line.text": "/etc/ld.so.preload" + } + }, + { + "match_phrase": { + "process.command_line.text": "/root/.ssh/authorized_keys" + } + }, + { + "match_phrase": { + "process.command_line.text": "timestamp_timeout=-1" + } + }, + { + "match_phrase": { + "process.command_line.text": "!tty_tickets" + } + }, + { + "match_phrase": { + "process.command_line.text": "var/spool/cron" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl daemon-reload" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw mod user" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw unlock" + } + }, + { + "match_phrase": { + "process.command_line.text": "chmod u+s" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo 
setcap cap_setuid" + } + }, + { + "match_phrase": { + "process.command_line.text": "su nobody" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo nobody" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo */root/" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*etc/sudoers" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*visudo" + } + }, + { + "match_phrase": { + "process.command_line.text": "etc/cron.*/" + } + }, + { + "match_phrase": { + "process.command_line.text": "trap*SIGINT" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*2000" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*4000" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl start*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl enable*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bashrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.shrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_logout" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/rc." 
+ } + } + ] + } } - } - }, - { - "id": "pad_okta_high_sum_concurrent_sessions_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects an unusual sum of active sessions started by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High sum of distinct source ips by user name", - "function": "high_sum", - "field_name": "okta_distinct_ips", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "user.entity.id_computed", - "agent.name", - "source.user.full_name" + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent", + "elasticsearch-users", + "elastic-agent.exe", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" ] + } }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + { + "terms": { + "process.command_line.text": [ + "elastic-agent", + "elasticsearch" + ] + } } + ] } - }, - { - "id": "pad_okta_rare_source_ip_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects an unusual source IP address accessed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare source ip by user name", - "function": "rare", - "by_field_name": "source.ip", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "user.entity.id_computed", - "agent.name", - "source.user.full_name", - "user.target.group.name", - "okta.event_type" + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" + } + } + } +} + }, + { + "id": 
"datafeed-pad_linux_rare_process_executed_by_user_euid", + "job_id": "pad_linux_rare_process_executed_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_linux_rare_process_executed_by_user_euid", + "query": { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "linux", + "Linux" ] + } }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" + { + "term": { + "event.category": "process" + } }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_okta_rare_region_name_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects an unusual region name for a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare region name by user name", - "function": "rare", - "by_field_name": "client.geo.region_name", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "user.entity.id_computed", - "agent.name", - "source.user.full_name", - "user.target.group.name", - "okta.event_type", - "client.geo.country_name" + { + "terms": { + "event.type": [ + "start", + "change" ] + } }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + { + "bool": { + "should": [ + { + "match_phrase": { + "process.command_line.text": "LD_PRELOAD" + } + }, + { + "match_phrase": { + "process.command_line.text": "/etc/ld.so.preload" + } + }, + { + "match_phrase": { + "process.command_line.text": "/root/.ssh/authorized_keys" + } + }, + { + "match_phrase": { + "process.command_line.text": "timestamp_timeout=-1" + } + }, + { + "match_phrase": { + "process.command_line.text": "!tty_tickets" + } + }, + { + "match_phrase": { + "process.command_line.text": "var/spool/cron" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl daemon-reload" + } + }, + 
{ + "match_phrase": { + "process.command_line.text": "pw mod user" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw unlock" + } + }, + { + "match_phrase": { + "process.command_line.text": "chmod u+s" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo setcap cap_setuid" + } + }, + { + "match_phrase": { + "process.command_line.text": "su nobody" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo nobody" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo */root/" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*etc/sudoers" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*visudo" + } + }, + { + "match_phrase": { + "process.command_line.text": "etc/cron.*/" + } + }, + { + "match_phrase": { + "process.command_line.text": "trap*SIGINT" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*2000" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*4000" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl start*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl enable*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bashrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.shrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_logout" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/rc." 
+ } + } + ] + } } - } - }, - { - "id": "pad_okta_rare_host_name_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects an unusual host name for a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare host name by user name", - "function": "rare", - "by_field_name": "agent.name", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "user.entity.id_computed", - "agent.name", - "source.user.full_name", - "user.target.group.name", - "okta.event_type" + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent", + "elasticsearch-users", + "elastic-agent.exe", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" ] + } }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + { + "terms": { + "process.command_line.text": [ + "elastic-agent", + "elasticsearch" + ] + } } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" } + } } - ], - "datafeeds": [ - { - "id": "datafeed-pad_windows_high_count_special_logon_events_euid", - "job_id": "pad_windows_high_count_special_logon_events_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_high_count_special_logon_events_euid", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "logged-in-special", - "logged-in-explicit" - ] - } - }, - { - "terms": { - "event.code": [ - "4672", - "4648" - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - 
"metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } +} + }, + { + "id": "datafeed-pad_linux_high_median_process_command_line_entropy_by_user_euid", + "job_id": "pad_linux_high_median_process_command_line_entropy_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_linux_high_median_process_command_line_entropy_by_user_euid", + "query": { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "linux", + "Linux" + ] + } + }, + { + "term": { + "event.category": "process" + } + }, + { + "terms": { + "event.type": [ + "start", + "change" + ] + } }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" + { + "bool": { + "should": [ + { + "match_phrase": { + "process.command_line.text": "LD_PRELOAD" } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" + }, + { + "match_phrase": { + "process.command_line.text": "/etc/ld.so.preload" } - } - } - } - }, - { - "id": "datafeed-pad_windows_high_count_special_privilege_use_events_euid", - "job_id": "pad_windows_high_count_special_privilege_use_events_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_high_count_special_privilege_use_events_euid", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "privileged-operation", - "privileged-service-called" - ] - } - }, - { - "terms": { - "event.code": [ - "4673", - "4674" - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" + }, + { + 
"match_phrase": { + "process.command_line.text": "/root/.ssh/authorized_keys" } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" + }, + { + "match_phrase": { + "process.command_line.text": "timestamp_timeout=-1" } - } - } - } - }, - { - "id": "datafeed-pad_windows_high_count_group_management_events_euid", - "job_id": "pad_windows_high_count_group_management_events_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_high_count_group_management_events_euid", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "added-member-to-group", - "removed-member-from-group" - ] - } - }, - { - "terms": { - "event.code": [ - "4732", - "4728", - "4756", - "4733", - "4729" - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" + }, + { + "match_phrase": { + "process.command_line.text": "!tty_tickets" } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" + }, + { + "match_phrase": { + "process.command_line.text": "var/spool/cron" } - } - } - } - }, - { - "id": "datafeed-pad_windows_high_count_user_account_management_events_euid", - "job_id": "pad_windows_high_count_user_account_management_events_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_high_count_user_account_management_events_euid", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "enabled-user-account", - "added-user-account", - "deleted-user-account", - "disabled-user-account" - ] - } 
- }, - { - "terms": { - "event.code": [ - "4722", - "4720", - "4726", - "4725" - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" + }, + { + "match_phrase": { + "process.command_line.text": "systemctl daemon-reload" } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" + }, + { + "match_phrase": { + "process.command_line.text": "pw mod user" } - } - } - } - }, - { - "id": "datafeed-pad_windows_rare_privilege_assigned_to_user_euid", - "job_id": "pad_windows_rare_privilege_assigned_to_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_rare_privilege_assigned_to_user_euid", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "privilege_type" - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_windows_rare_group_name_by_user_euid", - "job_id": "pad_windows_rare_group_name_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_rare_group_name_by_user_euid", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "added-member-to-group", - "removed-member-from-group" - ] - } - }, - { - "terms": { - "event.code": [ - "4732", - "4728", - "4756", - "4733", - "4729" - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" + }, + { + 
"match_phrase": { + "process.command_line.text": "pw unlock" } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" + }, + { + "match_phrase": { + "process.command_line.text": "chmod u+s" } - } - } - } - }, - { - "id": "datafeed-pad_windows_rare_device_by_user_euid", - "job_id": "pad_windows_rare_device_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_rare_device_by_user_euid", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "exists": { - "field": "host.name" - } - }, - { - "exists": { - "field": "user.name" - } - }, - { - "terms": { - "event.code": [ - "4720", - "4726", - "4722", - "4756", - "4672", - "4673", - "4674", - "4720", - "4728", - "4732", - "4756", - "624", - "632", - "636", - "660", - "4725", - "4723", - "4648", - "4688", - "4729", - "4733", - "4757", - "637", - "661" - ] - } - } - ], - "must_not": [ - { - "terms": { - "event.action": [ - "log_on", - "created_process" - ] - } - }, - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" + }, + { + "match_phrase": { + "process.command_line.text": "sudo setcap cap_setuid" } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" + }, + { + "match_phrase": { + "process.command_line.text": "su nobody" } - } - } - } - }, - { - "id": "datafeed-pad_windows_rare_source_ip_by_user_euid", - "job_id": "pad_windows_rare_source_ip_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_rare_source_ip_by_user_euid", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - 
"exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "user.name" - } - }, - { - "terms": { - "event.code": [ - "4720", - "4726", - "4722", - "4756", - "4672", - "4673", - "4674", - "4720", - "4728", - "4732", - "4756", - "624", - "632", - "636", - "660", - "4725", - "4723", - "4648", - "4688", - "4729", - "4733", - "4757", - "637", - "661" - ] - } - } - ], - "must_not": [ - { - "terms": { - "event.action": [ - "log_on", - "created_process" - ] - } - }, - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" + }, + { + "match_phrase": { + "process.command_line.text": "sudo nobody" } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" + }, + { + "match_phrase": { + "process.command_line.text": "sudo */root/" } - } - } - } - }, - { - "id": "datafeed-pad_windows_rare_region_name_by_user_euid", - "job_id": "pad_windows_rare_region_name_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_rare_region_name_by_user_euid", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "exists": { - "field": "source.geo.region_name" - } - }, - { - "exists": { - "field": "user.name" - } - }, - { - "terms": { - "event.code": [ - "4720", - "4726", - "4722", - "4756", - "4672", - "4673", - "4674", - "4720", - "4728", - "4732", - "4756", - "624", - "632", - "636", - "660", - "4725", - "4723", - "4648", - "4688", - "4729", - "4733", - "4757", - "637", - "661" - ] - } - } - ], - "must_not": [ - { - "terms": { - "event.action": [ - "log_on", - "created_process" - ] - } - }, - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - 
"metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" + }, + { + "match_phrase": { + "process.command_line.text": "sudo*etc/sudoers" } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" + }, + { + "match_phrase": { + "process.command_line.text": "sudo*visudo" } - } - } - } - }, - { - "id": "datafeed-pad_linux_high_count_privileged_process_events_by_user_euid", - "job_id": "pad_linux_high_count_privileged_process_events_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_linux_high_count_privileged_process_events_by_user_euid", - "query": { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "linux", - "Linux" - ] - } - }, - { - "term": { - "event.category": "process" - } - }, - { - "terms": { - "event.type": [ - "start", - "change" - ] - } - }, - { - "bool": { - "should": [ - { - "match_phrase": { - "process.command_line.text": "LD_PRELOAD" - } - }, - { - "match_phrase": { - "process.command_line.text": "/etc/ld.so.preload" - } - }, - { - "match_phrase": { - "process.command_line.text": "/root/.ssh/authorized_keys" - } - }, - { - "match_phrase": { - "process.command_line.text": "timestamp_timeout=-1" - } - }, - { - "match_phrase": { - "process.command_line.text": "!tty_tickets" - } - }, - { - "match_phrase": { - "process.command_line.text": "var/spool/cron" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl daemon-reload" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw mod user" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw unlock" - } - }, - { - "match_phrase": { - "process.command_line.text": "chmod u+s" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo setcap cap_setuid" - } - }, - { - "match_phrase": { - 
"process.command_line.text": "su nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo */root/" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*etc/sudoers" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*visudo" - } - }, - { - "match_phrase": { - "process.command_line.text": "etc/cron.*/" - } - }, - { - "match_phrase": { - "process.command_line.text": "trap*SIGINT" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*2000" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*4000" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl start*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl enable*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bashrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.shrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_logout" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/rc." 
- } - } - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent", - "elasticsearch-users", - "elastic-agent.exe", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - }, - { - "terms": { - "process.command_line.text": [ - "elastic-agent", - "elasticsearch" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" + }, + { + "match_phrase": { + "process.command_line.text": "etc/cron.*/" } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" + }, + { + "match_phrase": { + "process.command_line.text": "trap*SIGINT" } - } - } - } - }, - { - "id": "datafeed-pad_linux_rare_process_executed_by_user_euid", - "job_id": "pad_linux_rare_process_executed_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_linux_rare_process_executed_by_user_euid", - "query": { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "linux", - "Linux" - ] - } - }, - { - "term": { - "event.category": "process" - } - }, - { - "terms": { - "event.type": [ - "start", - "change" - ] - } - }, - { - "bool": { - "should": [ - { - "match_phrase": { - "process.command_line.text": "LD_PRELOAD" - } - }, - { - "match_phrase": { - "process.command_line.text": "/etc/ld.so.preload" - } - }, - { - "match_phrase": { - "process.command_line.text": "/root/.ssh/authorized_keys" - } - }, - { - "match_phrase": { - "process.command_line.text": "timestamp_timeout=-1" - } - }, - { - "match_phrase": { - "process.command_line.text": "!tty_tickets" - } - }, - { - "match_phrase": { - "process.command_line.text": "var/spool/cron" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl daemon-reload" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw mod user" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw unlock" - } - 
}, - { - "match_phrase": { - "process.command_line.text": "chmod u+s" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo setcap cap_setuid" - } - }, - { - "match_phrase": { - "process.command_line.text": "su nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo */root/" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*etc/sudoers" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*visudo" - } - }, - { - "match_phrase": { - "process.command_line.text": "etc/cron.*/" - } - }, - { - "match_phrase": { - "process.command_line.text": "trap*SIGINT" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*2000" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*4000" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl start*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl enable*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bashrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.shrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_logout" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/rc." 
- } - } - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent", - "elasticsearch-users", - "elastic-agent.exe", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - }, - { - "terms": { - "process.command_line.text": [ - "elastic-agent", - "elasticsearch" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*2000" } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*4000" } - } - } - } - }, - { - "id": "datafeed-pad_linux_high_median_process_command_line_entropy_by_user_euid", - "job_id": "pad_linux_high_median_process_command_line_entropy_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_linux_high_median_process_command_line_entropy_by_user_euid", - "query": { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "linux", - "Linux" - ] - } - }, - { - "term": { - "event.category": "process" - } - }, - { - "terms": { - "event.type": [ - "start", - "change" - ] - } - }, - { - "bool": { - "should": [ - { - "match_phrase": { - "process.command_line.text": "LD_PRELOAD" - } - }, - { - "match_phrase": { - "process.command_line.text": "/etc/ld.so.preload" - } - }, - { - "match_phrase": { - "process.command_line.text": "/root/.ssh/authorized_keys" - } - }, - { - "match_phrase": { - "process.command_line.text": "timestamp_timeout=-1" - } - }, - { - "match_phrase": { - "process.command_line.text": "!tty_tickets" - } - }, - { - "match_phrase": { - "process.command_line.text": "var/spool/cron" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl daemon-reload" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw mod user" - } - }, - { - 
"match_phrase": { - "process.command_line.text": "pw unlock" - } - }, - { - "match_phrase": { - "process.command_line.text": "chmod u+s" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo setcap cap_setuid" - } - }, - { - "match_phrase": { - "process.command_line.text": "su nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo */root/" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*etc/sudoers" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*visudo" - } - }, - { - "match_phrase": { - "process.command_line.text": "etc/cron.*/" - } - }, - { - "match_phrase": { - "process.command_line.text": "trap*SIGINT" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*2000" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*4000" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl start*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl enable*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bashrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.shrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_logout" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/rc." 
- } - } - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent", - "elasticsearch-users", - "elastic-agent.exe", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - }, - { - "terms": { - "process.command_line.text": [ - "elastic-agent", - "elasticsearch" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" + }, + { + "match_phrase": { + "process.command_line.text": "systemctl start*.service" } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" + }, + { + "match_phrase": { + "process.command_line.text": "systemctl enable*.service" } - } - } - } - }, - { - "id": "datafeed-pad_okta_spike_in_group_membership_changes_euid", - "job_id": "pad_okta_spike_in_group_membership_changes_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_group_membership_changes_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": [ - "group.user_membership.add", - "group.user_membership.remove" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_profile" } - } - } - } - }, - { - "id": "datafeed-pad_okta_spike_in_user_lifecycle_management_changes_euid", - "job_id": "pad_okta_spike_in_user_lifecycle_management_changes_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_user_lifecycle_management_changes_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": [ - "user.lifecycle.activate", - "user.lifecycle.deactivate", - "user.lifecycle.suspend", - "user.lifecycle.unsuspend", 
- "user.lifecycle.create", - "user.lifecycle.update" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bashrc" } - } - } - } - }, - { - "id": "datafeed-pad_okta_spike_in_group_privilege_changes_euid", - "job_id": "pad_okta_spike_in_group_privilege_changes_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_group_privilege_changes_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": [ - "group.privilege.grant", - "group.privilege.revoke" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.shrc" } - } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_logout" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/rc." 
+ } + } + ] + } } - } - }, - { - "id": "datafeed-pad_okta_spike_in_group_application_assignment_changes_euid", - "job_id": "pad_okta_spike_in_group_application_assignment_changes_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_group_application_assignment_changes_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": [ - "group.application_assignment.add", - "group.application_assignment.remove" - ] - } - } - ] - } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent", + "elasticsearch-users", + "elastic-agent.exe", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - } + { + "terms": { + "process.command_line.text": [ + "elastic-agent", + "elasticsearch" + ] + } } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" } + } + } +} + }, + { + "id": "datafeed-pad_okta_spike_in_group_membership_changes_euid", + "job_id": "pad_okta_spike_in_group_membership_changes_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_group_membership_changes_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "terms": { + "okta.event_type": ["group.user_membership.add", "group.user_membership.remove"] + } + } + ] + } }, - { - "id": "datafeed-pad_okta_spike_in_group_lifecycle_changes_euid", - "job_id": "pad_okta_spike_in_group_lifecycle_changes_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_group_lifecycle_changes_euid", - "query": { - "bool": { - 
"filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": [ - "group.lifecycle.create", - "group.lifecycle.delete" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - } + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + } + } +} + }, + { + "id": "datafeed-pad_okta_spike_in_user_lifecycle_management_changes_euid", + "job_id": "pad_okta_spike_in_user_lifecycle_management_changes_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_user_lifecycle_management_changes_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "terms": { + "okta.event_type": [ + "user.lifecycle.activate", + "user.lifecycle.deactivate", + "user.lifecycle.suspend", + "user.lifecycle.unsuspend", + "user.lifecycle.create", + "user.lifecycle.update" + ] } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" } + } + } +} + }, + { + "id": "datafeed-pad_okta_spike_in_group_privilege_changes_euid", + "job_id": "pad_okta_spike_in_group_privilege_changes_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_group_privilege_changes_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "terms": { + "okta.event_type": ["group.privilege.grant", "group.privilege.revoke"] + } + } + ] + } }, - { - "id": "datafeed-pad_okta_high_sum_concurrent_sessions_by_user_euid", - "job_id": "pad_okta_high_sum_concurrent_sessions_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_high_sum_concurrent_sessions_by_user_euid", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.user.name" - } - }, - { - "exists": { - "field": 
"okta_distinct_ips" - } - }, - { - "range": { - "okta_distinct_ips": { - "gte": 2 - } - } - }, - { - "range": { - "okta_distinct_countries": { - "gte": 2 - } - } - }, - { - "term": { - "okta_session_info.has_end_event": 0 - } - } - ] - } + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + } + } +} + }, + { + "id": "datafeed-pad_okta_spike_in_group_application_assignment_changes_euid", + "job_id": "pad_okta_spike_in_group_application_assignment_changes_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_group_application_assignment_changes_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "terms": { + "okta.event_type": ["group.application_assignment.add", "group.application_assignment.remove"] } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" } + } + } +} + }, + { + "id": "datafeed-pad_okta_spike_in_group_lifecycle_changes_euid", + "job_id": "pad_okta_spike_in_group_lifecycle_changes_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_group_lifecycle_changes_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "terms": { + "okta.event_type": ["group.lifecycle.create", "group.lifecycle.delete"] + } + } + ] + } }, - { - "id": "datafeed-pad_okta_rare_source_ip_by_user_euid", - "job_id": "pad_okta_rare_source_ip_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_rare_source_ip_by_user_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "exists": { - "field": "source.ip" - } - }, - { - "terms": { - "okta.event_type": [ - "group.lifecycle.create", - "group.lifecycle.delete", - "group.user_membership.add", - "group.user_membership.remove", - 
"user.lifecycle.activate", - "user.lifecycle.deactivate", - "user.lifecycle.suspend", - "user.lifecycle.unsuspend", - "user.lifecycle.create", - "user.lifecycle.update", - "group.privilege.grant", - "group.privilege.revoke", - "group.application_assignment.add", - "group.application_assignment.remove" - ] - } - } - ] + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + } + } +} + }, + { + "id": "datafeed-pad_okta_high_sum_concurrent_sessions_by_user_euid", + "job_id": "pad_okta_high_sum_concurrent_sessions_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_high_sum_concurrent_sessions_by_user_euid", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.user.name" + } + }, + { + "exists": { + "field": "okta_distinct_ips" + } + }, + { + "range": { + "okta_distinct_ips": { + "gte": 2 } + } }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } + { + "range": { + "okta_distinct_countries": { + "gte": 2 } + } + }, + { + "term": { + "okta_session_info.has_end_event": 0 + } } + ] } - }, - { - "id": "datafeed-pad_okta_rare_region_name_by_user_euid", - "job_id": "pad_okta_rare_region_name_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_rare_region_name_by_user_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "exists": { - "field": "client.geo.region_name" - } - }, - { - "terms": { - "okta.event_type": [ - "group.lifecycle.create", - "group.lifecycle.delete", - "group.user_membership.add", - "group.user_membership.remove", - "user.lifecycle.activate", - "user.lifecycle.deactivate", - "user.lifecycle.suspend", - "user.lifecycle.unsuspend", - "user.lifecycle.create", - "user.lifecycle.update", - "group.privilege.grant", - "group.privilege.revoke", - "group.application_assignment.add", - 
"group.application_assignment.remove" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - } + } + } + }, + { + "id": "datafeed-pad_okta_rare_source_ip_by_user_euid", + "job_id": "pad_okta_rare_source_ip_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_rare_source_ip_by_user_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "exists": { + "field": "source.ip" + } + }, + { + "terms": { + "okta.event_type": [ + "group.lifecycle.create", + "group.lifecycle.delete", + "group.user_membership.add", + "group.user_membership.remove", + "user.lifecycle.activate", + "user.lifecycle.deactivate", + "user.lifecycle.suspend", + "user.lifecycle.unsuspend", + "user.lifecycle.create", + "user.lifecycle.update", + "group.privilege.grant", + "group.privilege.revoke", + "group.application_assignment.add", + "group.application_assignment.remove"] } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" } + } + } +} + }, + { + "id": "datafeed-pad_okta_rare_region_name_by_user_euid", + "job_id": "pad_okta_rare_region_name_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_rare_region_name_by_user_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "exists": { + "field": "client.geo.region_name" + } + }, + { + "terms": { + "okta.event_type": [ + "group.lifecycle.create", + "group.lifecycle.delete", + "group.user_membership.add", + "group.user_membership.remove", + "user.lifecycle.activate", + "user.lifecycle.deactivate", + "user.lifecycle.suspend", + "user.lifecycle.unsuspend", + "user.lifecycle.create", + "user.lifecycle.update", + "group.privilege.grant", + "group.privilege.revoke", + "group.application_assignment.add", + 
"group.application_assignment.remove"] + } + } + ] + } }, - { - "id": "datafeed-pad_okta_rare_host_name_by_user_euid", - "job_id": "pad_okta_rare_host_name_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_rare_host_name_by_user_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "exists": { - "field": "agent.name" - } - }, - { - "terms": { - "okta.event_type": [ - "group.lifecycle.create", - "group.lifecycle.delete", - "group.user_membership.add", - "group.user_membership.remove", - "user.lifecycle.activate", - "user.lifecycle.deactivate", - "user.lifecycle.suspend", - "user.lifecycle.unsuspend", - "user.lifecycle.create", - "user.lifecycle.update", - "group.privilege.grant", - "group.privilege.revoke", - "group.application_assignment.add", - "group.application_assignment.remove" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - } + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + } + } +} + }, + { + "id": "datafeed-pad_okta_rare_host_name_by_user_euid", + "job_id": "pad_okta_rare_host_name_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_rare_host_name_by_user_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" } + }, + { + "exists": { + "field": "agent.name" + } + }, + { + "terms": { + "okta.event_type": [ + "group.lifecycle.create", + "group.lifecycle.delete", + "group.user_membership.add", + "group.user_membership.remove", + "user.lifecycle.activate", + "user.lifecycle.deactivate", + "user.lifecycle.suspend", + "user.lifecycle.unsuspend", + "user.lifecycle.create", + "user.lifecycle.update", + "group.privilege.grant", + "group.privilege.revoke", + "group.application_assignment.add", + "group.application_assignment.remove"] + } + } + ] + } + 
}, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" } + } } - ] +} + } + ] }, "id": "pad-ml", "migrationVersion": { @@ -2596,4 +2573,4 @@ }, "references": [], "type": "ml-module" -} \ No newline at end of file +} From d3ddf59023c6fd31388d7994ea8ef763424b204d Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Tue, 3 Mar 2026 10:16:41 -0600 Subject: [PATCH 04/44] update dashboards --- ...son => ded-euid-c618bd39-b2ed-4c26-8f5e-2c61777b127f.json} | 4 ++-- ...son => lmd-euid-55567824-b381-4253-a7cc-d22e630a91c9.json} | 4 ++-- ...son => pad-euid-46fd7fd1-4e75-4750-8367-56761cefd762.json} | 4 ++-- ...son => pad-euid-8ff48325-ebf8-4777-9ef1-3b6d160e220a.json} | 4 ++-- ...son => pad-euid-97d27aca-2fbf-4a28-8eb6-279caa008eef.json} | 4 ++-- 5 files changed, 10 insertions(+), 10 deletions(-) rename packages/ded/kibana/dashboard/{ded-c0d7f060-7a6b-11ed-9b26-4bb95b2c57a6.json => ded-euid-c618bd39-b2ed-4c26-8f5e-2c61777b127f.json} (99%) rename packages/lmd/kibana/dashboard/{lmd-17fea180-8c4c-11ed-bb03-41a73f349362.json => lmd-euid-55567824-b381-4253-a7cc-d22e630a91c9.json} (98%) rename packages/pad/kibana/dashboard/{pad-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09.json => pad-euid-46fd7fd1-4e75-4750-8367-56761cefd762.json} (99%) rename packages/pad/kibana/dashboard/{pad-71c4cb79-3d39-4f27-9bbf-1b273c9c37cc.json => pad-euid-8ff48325-ebf8-4777-9ef1-3b6d160e220a.json} (99%) rename packages/pad/kibana/dashboard/{pad-aea2c9d3-c841-4466-8c61-c0ffbf6ac976.json => pad-euid-97d27aca-2fbf-4a28-8eb6-279caa008eef.json} (99%) 
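Review bot: the `*` characters in the `should` clauses of the `pad_linux_*_euid` datafeeds (`"sudo*etc/sudoers"`, `"find*-perm*4000"`, `"echo*/.bashrc"`, `"etc/cron.*/"`, `"trap*SIGINT"`) are not wildcards under `match_phrase`; the query string goes through the analyzer of `process.command_line.text`, so `*` is treated as a token separator and the remaining tokens must occur adjacent and in order, which means a command line such as `sudo cat /etc/sudoers` does not match `"sudo*etc/sudoers"`. If the intent is "these terms in this order with anything in between", use `match_phrase` with a `slop`, or a `wildcard` query on the keyword field; otherwise document which literal command lines each pattern is expected to hit. Two smaller points in the same hunk: `datafeed-pad_okta_high_sum_concurrent_sessions_by_user_euid` is the only `_euid` datafeed here without a `script_fields` block, so please confirm that the index it reads (`okta_distinct_ips`, `okta_session_info.has_end_event`) already carries `user.entity.id_computed`, and the re-indentation leaves closing braces at column 0 (`+}` directly followed by `+ },`) while mixing single-line `okta.event_type` arrays with multi-line ones, so running the file through a JSON formatter before committing would separate the formatting churn from whatever semantic change this hunk makes.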
diff --git a/packages/ded/kibana/dashboard/ded-c0d7f060-7a6b-11ed-9b26-4bb95b2c57a6.json b/packages/ded/kibana/dashboard/ded-euid-c618bd39-b2ed-4c26-8f5e-2c61777b127f.json similarity index 99% rename from packages/ded/kibana/dashboard/ded-c0d7f060-7a6b-11ed-9b26-4bb95b2c57a6.json rename to packages/ded/kibana/dashboard/ded-euid-c618bd39-b2ed-4c26-8f5e-2c61777b127f.json index 6c5cdc8abb2..055790befc2 100644 --- a/packages/ded/kibana/dashboard/ded-c0d7f060-7a6b-11ed-9b26-4bb95b2c57a6.json +++ b/packages/ded/kibana/dashboard/ded-euid-c618bd39-b2ed-4c26-8f5e-2c61777b127f.json 
@@ -13,11 +13,11 @@ }, "panelsJSON": "[{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":15,\"y\":0,\"w\":16,\"h\":8,\"i\":\"109fb1af-bae3-45a3-8284-8206b08ca0ca\"},\"panelIndex\":\"109fb1af-bae3-45a3-8284-8206b08ca0ca\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"name\":\"indexpattern-datasource-layer-7236397d-5baf-4a72-b0ca-eb888f30103b\",\"id\":\".ml-anomalies-shared\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"7236397d-5baf-4a72-b0ca-eb888f30103b\",\"accessor\":\"6c8e42f3-f21c-4c6b-b9a1-2d855f08ee8f\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"7236397d-5baf-4a72-b0ca-eb888f30103b\":{\"columns\":{\"6c8e42f3-f21c-4c6b-b9a1-2d855f08ee8f\":{\"label\":\"Total affected hosts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"6c8e42f3-f21c-4c6b-b9a1-2d855f08ee8f\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":8,\"w\":23,\"h\":15,\"i\":\"218d787c-8b8a-4c8d-9597-89fde21e354e\"},\"panelIndex\":\"218d787c-8b8a-4c8d-9597-89fde21e354e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"name\":\"indexpattern-datasource-layer-4abb92df-6c5d-4ff8-a859-fc293ce60e70\",\"id\":\".ml-anomalies-shared\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"b04943cf-244d-4202-a241-5016f157fcf3\",\"isTransposed\":false},{\"columnId\":\"632aca7c-068e-42ca-ad9b-0533ab38d466\",\"isTransposed\":false}],\"layerId\":\"4abb92df-6c5d-4ff8-a859-fc293ce60e70\"
,\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4abb92df-6c5d-4ff8-a859-fc293ce60e70\":{\"columns\":{\"b04943cf-244d-4202-a241-5016f157fcf3\":{\"label\":\"host.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"632aca7c-068e-42ca-ad9b-0533ab38d466\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"}},\"customLabel\":true},\"632aca7c-068e-42ca-ad9b-0533ab38d466\":{\"label\":\"Number of anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"b04943cf-244d-4202-a241-5016f157fcf3\",\"632aca7c-068e-42ca-ad9b-0533ab38d466\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 20 Hosts Associated with Data Exfiltration 
Activity\"},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":23,\"y\":8,\"w\":25,\"h\":15,\"i\":\"b7d80672-3c60-441e-9edb-b05fa96e88d1\"},\"panelIndex\":\"b7d80672-3c60-441e-9edb-b05fa96e88d1\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"name\":\"indexpattern-datasource-layer-daaccc7d-bf90-4a63-848e-6181389ee601\",\"id\":\".ml-anomalies-shared\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"daaccc7d-bf90-4a63-848e-6181389ee601\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"baa67605-1ebc-418d-bd21-8254b22c0faf\"},{\"columnId\":\"acf8d722-a0dd-4eb9-9fac-1d784fc668fa\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"daaccc7d-bf90-4a63-848e-6181389ee601\":{\"columns\":{\"baa67605-1ebc-418d-bd21-8254b22c0faf\":{\"label\":\"process.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.name\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"acf8d722-a0dd-4eb9-9fac-1d784fc668fa\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"}},\"customLabel\":true},\"acf8d722-a0dd-4eb9-9fac-1d784fc668fa\":{\"label\":\"Number of anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"baa67605-1ebc-418d-bd21-8254b22c0faf\",\"acf8d722-a0dd-4eb9-9fac-1d784fc668fa\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 20 Processes Associated with Data Exfiltration 
Activity\"},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":23,\"w\":23,\"h\":15,\"i\":\"ff5d0e30-1f8f-4577-bd30-8458a3d3f93c\"},\"panelIndex\":\"ff5d0e30-1f8f-4577-bd30-8458a3d3f93c\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"name\":\"indexpattern-datasource-layer-d052422b-7069-4cc7-938c-a7802f3eb8cb\",\"id\":\".ml-anomalies-shared\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"d052422b-7069-4cc7-938c-a7802f3eb8cb\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"f3be7369-746c-4e7e-b75d-c431d55783ec\"},{\"columnId\":\"524a43f5-836a-4bca-9631-de7fa1e4335d\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"d052422b-7069-4cc7-938c-a7802f3eb8cb\":{\"columns\":{\"f3be7369-746c-4e7e-b75d-c431d55783ec\":{\"label\":\"host.name > user.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"524a43f5-836a-4bca-9631-de7fa1e4335d\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"multi_terms\"},\"secondaryFields\":[\"user.name\"]},\"customLabel\":true},\"524a43f5-836a-4bca-9631-de7fa1e4335d\":{\"label\":\"Number of anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"f3be7369-746c-4e7e-b75d-c431d55783ec\",\"524a43f5-836a-4bca-9631-de7fa1e4335d\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 20 User-Host Combinations Associated with Data Exfiltration 
Activity\"},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":23,\"y\":23,\"w\":25,\"h\":15,\"i\":\"cb0d405a-f0d2-4328-a3bc-d50e842749f3\"},\"panelIndex\":\"cb0d405a-f0d2-4328-a3bc-d50e842749f3\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsChoropleth\",\"type\":\"lens\",\"references\":[{\"name\":\"indexpattern-datasource-layer-f97661af-4480-48ea-85a1-33c65e062d97\",\"id\":\".ml-anomalies-shared\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"f97661af-4480-48ea-85a1-33c65e062d97\",\"layerType\":\"data\",\"regionAccessor\":\"6fac8510-1db9-4b36-bb2a-737f6782ef33\",\"valueAccessor\":\"178e2b00-2c49-4971-bd7b-f6acc6d00cf6\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"f97661af-4480-48ea-85a1-33c65e062d97\":{\"columns\":{\"6fac8510-1db9-4b36-bb2a-737f6782ef33\":{\"label\":\" destination.geo.country_iso_code\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"destination.geo.country_iso_code\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"178e2b00-2c49-4971-bd7b-f6acc6d00cf6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"}},\"customLabel\":true},\"178e2b00-2c49-4971-bd7b-f6acc6d00cf6\":{\"label\":\"Number of anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"6fac8510-1db9-4b36-bb2a-737f6782ef33\",\"178e2b00-2c49-4971-bd7b-f6acc6d00cf6\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 20 Geo Locations Associated with Data Exfiltration Activity by ISO 
Code\"},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":38,\"w\":48,\"h\":13,\"i\":\"c2a276c9-b22f-4791-afd6-e0eee9b6cc05\"},\"panelIndex\":\"c2a276c9-b22f-4791-afd6-e0eee9b6cc05\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-11e91ade-6c94-46e8-96e7-592f5e522898\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"fa763272-957c-4ed5-a494-8ee580023bcc\",\"isTransposed\":false},{\"columnId\":\"429585bf-154f-49ec-97cd-009752a01a59\",\"isTransposed\":false}],\"layerId\":\"11e91ade-6c94-46e8-96e7-592f5e522898\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"11e91ade-6c94-46e8-96e7-592f5e522898\":{\"columns\":{\"fa763272-957c-4ed5-a494-8ee580023bcc\":{\"label\":\"File name > File path > External device type\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"file.name\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"429585bf-154f-49ec-97cd-009752a01a59\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"multi_terms\"},\"secondaryFields\":[\"file.path\",\"file.Ext.device.bus_type\"]},\"customLabel\":true},\"429585bf-154f-49ec-97cd-009752a01a59\":{\"label\":\"Number of anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"fa763272-957c-4ed5-a494-8ee580023bcc\",\"429585bf-154f-49ec-97cd-009752a01a59\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 20 File names, File paths and 
External device type Combinations Associated with Data Exfiltration Activity\"}]", "timeRestore": false, - "title": "Data Exfiltration Detection Dashboard", + "title": "Data Exfiltration Detection Dashboard (EUID)", "version": 2 }, "coreMigrationVersion": "8.5.1", - "id": "ded-c0d7f060-7a6b-11ed-9b26-4bb95b2c57a6", + "id": "ded-euid-c618bd39-b2ed-4c26-8f5e-2c61777b127f", "migrationVersion": { "dashboard": "8.5.0" }, diff --git a/packages/lmd/kibana/dashboard/lmd-17fea180-8c4c-11ed-bb03-41a73f349362.json b/packages/lmd/kibana/dashboard/lmd-euid-55567824-b381-4253-a7cc-d22e630a91c9.json similarity index 98% rename from packages/lmd/kibana/dashboard/lmd-17fea180-8c4c-11ed-bb03-41a73f349362.json rename to packages/lmd/kibana/dashboard/lmd-euid-55567824-b381-4253-a7cc-d22e630a91c9.json index d5591c6c2fc..207a85f41d0 100644 --- a/packages/lmd/kibana/dashboard/lmd-17fea180-8c4c-11ed-bb03-41a73f349362.json +++ b/packages/lmd/kibana/dashboard/lmd-euid-55567824-b381-4253-a7cc-d22e630a91c9.json 
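Review bot: in the `ded-euid-c618bd39-…` dashboard hunk only the `title` and `id` lines change; no panel in `panelsJSON` uses the computed entity id (the user-host table still buckets on `host.name` with `"secondaryFields":["user.name"]`), so the "(EUID)" suffix promises something the panels do not show. Either add the entity-id field the EUID jobs partition on as a column or filter on at least the user-host table, or keep the original title until the panels are updated. Note also that changing the saved-object `id` from `ded-c0d7f060-…` to `ded-euid-c618bd39-…` creates a new dashboard rather than upgrading the existing one, so saved links and bookmarks to the old id stop working; that deserves a line in the changelog.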
@@ -13,11 +13,11 @@ }, "panelsJSON": "[{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":18,\"h\":10,\"i\":\"ddb33c4a-9eff-4d40-92c9-297d76d91eea\"},\"panelIndex\":\"ddb33c4a-9eff-4d40-92c9-297d76d91eea\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-fb918fff-0676-4792-9732-8fbe6db41443\"}],\"state\":{\"visualization\":{\"layerId\":\"fb918fff-0676-4792-9732-8fbe6db41443\",\"accessor\":\"3e03ad31-53f7-4def-b8e4-4192da864d19\",\"layerType\":\"data\",\"colorMode\":\"None\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"fb918fff-0676-4792-9732-8fbe6db41443\":{\"columns\":{\"3e03ad31-53f7-4def-b8e4-4192da864d19\":{\"label\":\"Total affected hosts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3e03ad31-53f7-4def-b8e4-4192da864d19\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":18,\"y\":0,\"w\":30,\"h\":10,\"i\":\"70033600-0e2e-4208-a258-a0b47e5a4e1b\"},\"panelIndex\":\"70033600-0e2e-4208-a258-a0b47e5a4e1b\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-0312c5ad-bc06-4396-bd16-5481b1c48bf1\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY 
chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"0312c5ad-bc06-4396-bd16-5481b1c48bf1\",\"accessors\":[\"51f5a7e6-3766-4c2f-94ce-fe624bf8db04\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"ae59c27c-f534-49cd-aab7-d7af4593bc8d\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0312c5ad-bc06-4396-bd16-5481b1c48bf1\":{\"columns\":{\"ae59c27c-f534-49cd-aab7-d7af4593bc8d\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"d\",\"includeEmptyRows\":true,\"dropPartials\":true}},\"51f5a7e6-3766-4c2f-94ce-fe624bf8db04\":{\"label\":\"Count of anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"record_score\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"ae59c27c-f534-49cd-aab7-d7af4593bc8d\",\"51f5a7e6-3766-4c2f-94ce-fe624bf8db04\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Total anomalies associated with lateral movement activity per 
day\"},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":10,\"w\":24,\"h\":15,\"i\":\"c0ee749a-576c-4da0-b51d-2ef364085fb5\"},\"panelIndex\":\"c0ee749a-576c-4da0-b51d-2ef364085fb5\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-6c1a1848-2234-42b9-b1fe-e41fca887639\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"909d15b9-b715-43ef-81ba-0dcf9701ff85\",\"isTransposed\":false},{\"columnId\":\"320f61a2-071f-4023-b51f-fc744c040995\",\"isTransposed\":false}],\"layerId\":\"6c1a1848-2234-42b9-b1fe-e41fca887639\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"6c1a1848-2234-42b9-b1fe-e41fca887639\":{\"columns\":{\"909d15b9-b715-43ef-81ba-0dcf9701ff85\":{\"label\":\"Host name > User name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"320f61a2-071f-4023-b51f-fc744c040995\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"multi_terms\"},\"secondaryFields\":[\"user.name\"]},\"customLabel\":true},\"320f61a2-071f-4023-b51f-fc744c040995\":{\"label\":\"Number of anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"record_score\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"909d15b9-b715-43ef-81ba-0dcf9701ff85\",\"320f61a2-071f-4023-b51f-fc744c040995\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 20 host and user names associated with lateral movement 
activity\"},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":10,\"w\":24,\"h\":15,\"i\":\"636abb14-59a8-4a1e-a426-5db922669b22\"},\"panelIndex\":\"636abb14-59a8-4a1e-a426-5db922669b22\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-188c9419-9baa-4af7-846c-d2fe2c838eb1\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"2ea20970-94b6-42d3-bded-af75d15d6708\",\"isTransposed\":false},{\"columnId\":\"4ccfc545-539c-43f5-ac35-cf6800bcd970\",\"isTransposed\":false}],\"layerId\":\"188c9419-9baa-4af7-846c-d2fe2c838eb1\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"188c9419-9baa-4af7-846c-d2fe2c838eb1\":{\"columns\":{\"2ea20970-94b6-42d3-bded-af75d15d6708\":{\"label\":\"Process name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.name\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4ccfc545-539c-43f5-ac35-cf6800bcd970\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"}},\"customLabel\":true},\"4ccfc545-539c-43f5-ac35-cf6800bcd970\":{\"label\":\"Number of anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"record_score\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"2ea20970-94b6-42d3-bded-af75d15d6708\",\"4ccfc545-539c-43f5-ac35-cf6800bcd970\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 20 process names associated with lateral movement 
activity\"},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":25,\"w\":48,\"h\":12,\"i\":\"d38dee87-a80a-4613-ae67-455886f1097e\"},\"panelIndex\":\"d38dee87-a80a-4613-ae67-455886f1097e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-3df1d709-471b-4308-afd9-1d49fa0d5dc1\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"3df1d709-471b-4308-afd9-1d49fa0d5dc1\",\"accessors\":[\"e336ebd1-d880-44e5-94bc-0dac4c006ee7\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"35a981cf-6ab8-438c-b73d-a399a35b9c4a\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3df1d709-471b-4308-afd9-1d49fa0d5dc1\":{\"columns\":{\"35a981cf-6ab8-438c-b73d-a399a35b9c4a\":{\"label\":\"File name > File directory\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"file.name\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e336ebd1-d880-44e5-94bc-0dac4c006ee7\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"multi_terms\"},\"secondaryFields\":[\"file_directory\"]},\"customLabel\":true},\"e336ebd1-d880-44e5-94bc-0dac4c006ee7\":{\"label\":\"Number of 
anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"record_score\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"35a981cf-6ab8-438c-b73d-a399a35b9c4a\",\"e336ebd1-d880-44e5-94bc-0dac4c006ee7\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 20 combination of file names and directories affected by lateral movement activity\"}]", "timeRestore": false, - "title": "Lateral Movement Detection Dashboard", + "title": "Lateral Movement Detection Dashboard (EUID)", "version": 2 }, "coreMigrationVersion": "8.5.1", - "id": "lmd-17fea180-8c4c-11ed-bb03-41a73f349362", + "id": "lmd-euid-55567824-b381-4253-a7cc-d22e630a91c9", "migrationVersion": { "dashboard": "8.5.0" }, diff --git a/packages/pad/kibana/dashboard/pad-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09.json b/packages/pad/kibana/dashboard/pad-euid-46fd7fd1-4e75-4750-8367-56761cefd762.json similarity index 99% rename from packages/pad/kibana/dashboard/pad-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09.json rename to packages/pad/kibana/dashboard/pad-euid-46fd7fd1-4e75-4750-8367-56761cefd762.json index 9af181d2b6c..e8cac77a6f7 100644 --- a/packages/pad/kibana/dashboard/pad-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09.json +++ b/packages/pad/kibana/dashboard/pad-euid-46fd7fd1-4e75-4750-8367-56761cefd762.json 
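Review bot: the `lmd-euid-55567824-…` hunk has the same gap as the ded dashboard: the id rename and the "(EUID)" suffix are the only changes, while every panel still keys on `host.name`, `user.name`, `process.name` and `file.name` from `.ml-anomalies-shared`; if the LMD jobs now partition on the computed entity id, the "Top 20 host and user names" table should surface that field, otherwise drop the suffix. While the file is being touched, confirm that the file-directory panel's `"secondaryFields":["file_directory"]` (an underscore name, not ECS `file.directory`) matches a field that actually appears in the anomaly records this dashboard reads, or that column will always be empty.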
@@ -13,11 +13,11 @@ }, "panelsJSON": "[{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":11,\"h\":8,\"i\":\"c969fd47-15df-4011-8fa3-2a27825ad0f6\"},\"panelIndex\":\"c969fd47-15df-4011-8fa3-2a27825ad0f6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-4a3eb6a5-00f0-40bb-a514-4624c8ecf975\"}],\"state\":{\"visualization\":{\"layerId\":\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\",\"accessor\":\"38c1895e-f712-49ad-b793-1468d2fd02dc\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\":{\"columns\":{\"38c1895e-f712-49ad-b793-1468d2fd02dc\":{\"label\":\"Anomalous host names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"38c1895e-f712-49ad-b793-1468d2fd02dc\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"Number of hosts 
affected\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":0,\"w\":11,\"h\":8,\"i\":\"16a69c4e-a9e3-4ec0-aa9a-11ba40d873bd\"},\"panelIndex\":\"16a69c4e-a9e3-4ec0-aa9a-11ba40d873bd\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-4a3eb6a5-00f0-40bb-a514-4624c8ecf975\"}],\"state\":{\"visualization\":{\"layerId\":\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\",\"accessor\":\"38c1895e-f712-49ad-b793-1468d2fd02dc\",\"layerType\":\"data\",\"size\":\"l\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"9b5b5af7-b12d-4f9e-98e4-eb78ca6a3de3\",\"type\":\"exists\",\"key\":\"host.name\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{\"exists\":{\"field\":\"host.name\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\":{\"columns\":{\"38c1895e-f712-49ad-b793-1468d2fd02dc\":{\"label\":\"Anomalous user names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"user.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"38c1895e-f712-49ad-b793-1468d2fd02dc\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"Number of users 
affected\"},{\"type\":\"ml_anomaly_swimlane\",\"gridData\":{\"x\":22,\"y\":0,\"w\":26,\"h\":19,\"i\":\"dce1e8da-3b99-4852-a222-3e0f276dee0e\"},\"panelIndex\":\"dce1e8da-3b99-4852-a222-3e0f276dee0e\",\"embeddableConfig\":{\"jobIds\":[\"pad_windows_high_count_group_management_events_euid\",\"pad_windows_high_count_special_logon_events_euid\",\"pad_windows_high_count_special_privilege_use_events_euid\",\"pad_windows_high_count_user_account_management_events_euid\",\"pad_windows_rare_device_by_user_euid\",\"pad_windows_rare_group_name_by_user_euid\",\"pad_windows_rare_privilege_assigned_to_user_euid\",\"pad_windows_rare_region_name_by_user_euid\",\"pad_windows_rare_source_ip_by_user_euid\"],\"panelTitle\":\"ML anomaly swim lane for pad_linux_high_count_privileged_process_events_by_user_euid, pad_linux_high_sum_process_command_line_entropy_by_user, pad_linux_rare_process_executed_by_user_euid\",\"swimlaneType\":\"viewBy\",\"viewBy\":\"job ID\",\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected by their Job ID and 
Severity\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":8,\"w\":11,\"h\":11,\"i\":\"26531c0e-a776-4e6f-badd-8766f77d9134\"},\"panelIndex\":\"26531c0e-a776-4e6f-badd-8766f77d9134\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-390b338f-2020-4d73-95ae-3934bae7f6b6\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"isTransposed\":false,\"isMetric\":false,\"hidden\":false,\"alignment\":\"left\"},{\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"390b338f-2020-4d73-95ae-3934bae7f6b6\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"390b338f-2020-4d73-95ae-3934bae7f6b6\":{\"columns\":{\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\":{\"label\":\"User names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"user.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"05043aa4-cc1e-429b-8046-fbcdd4092879\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"05043aa4-cc1e-429b-8046-fbcdd4092879\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 User names\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":8,\"w\":11,\"h\":11,\"i\":\"271a8d58-3d1b-44d9-93da-338c9f91867a\"},\"panelIndex\":\"271a8d58-3d1b-44d9-93da-338c9f91867a\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-390b338f-2020-4d73-95ae-3934bae7f6b6\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"isTransposed\":false,\"isMetric\":false,\"hidden\":false},{\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"390b338f-2020-4d73-95ae-3934bae7f6b6\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"390b338f-2020-4d73-95ae-3934bae7f6b6\":{\"columns\":{\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\":{\"label\":\"Host 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"05043aa4-cc1e-429b-8046-fbcdd4092879\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"05043aa4-cc1e-429b-8046-fbcdd4092879\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Host 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":19,\"w\":48,\"h\":10,\"i\":\"502e0249-fc8c-4d26-8f1e-d8f434d8e7c7\"},\"panelIndex\":\"502e0249-fc8c-4d26-8f1e-d8f434d8e7c7\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-633758dc-f315-45ef-8ff3-055ba6778160\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"633758dc-f315-45ef-8ff3-055ba6778160\",\"accessors\":[\"e0821c61-d9f8-46af-9b64-9b70c3353106\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"2e4087b8-5e9b-4040-8c21-231649fdaf27\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"633758dc-f315-45ef-8ff3-055ba6778160\":{\"columns\":{\"2e4087b8-5e9b-4040-8c21-231649fdaf27\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":false,\"dropPartials\":false}},\"e0821c61-d9f8-46af-9b64-9b70c3353106\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"2e4087b8-5e9b-4040-8c21-231649fdaf27\",\"e0821c61-d9f8-46af-9b64-9b70c3353106\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected over time\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":29,\"w\":12,\"h\":12,\"i\":\"920f2dd3-3628-4298-866a-da34c82431c2\"},\"panelIndex\":\"920f2dd3-3628-4298-866a-da34c82431c2\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Event 
types\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"event.action\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Event 
types\"},{\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":29,\"w\":12,\"h\":12,\"i\":\"02255922-d40f-4757-92c2-b53596a73f5e\"},\"panelIndex\":\"02255922-d40f-4757-92c2-b53596a73f5e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Privilege types\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"privilege_type\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Privilege types\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":29,\"w\":24,\"h\":12,\"i\":\"5318144f-ddf3-4f86-919f-0192feec779f\"},\"panelIndex\":\"5318144f-ddf3-4f86-919f-0192feec779f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-d4fef95e-d937-4dd8-9a7f-783e5142c701\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"d4fef95e-d937-4dd8-9a7f-783e5142c701\",\"accessors\":[\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d4fef95e-d937-4dd8-9a7f-783e5142c701\":{\"columns\":{\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\":{\"label\":\"Top 10 process names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\",\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Process 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":41,\"w\":12,\"h\":12,\"i\":\"0d20b661-2d10-4b29-8c22-74411dd468cb\"},\"panelIndex\":\"0d20b661-2d10-4b29-8c22-74411dd468cb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Source IPs\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.ip\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Source IPs\"},{\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":41,\"w\":12,\"h\":12,\"i\":\"8c0e0fe0-dbe3-4444-a341-b57559b4a7c0\"},\"panelIndex\":\"8c0e0fe0-dbe3-4444-a341-b57559b4a7c0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Group 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"group.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Group 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":41,\"w\":24,\"h\":12,\"i\":\"2762a942-0d53-4420-82c2-72bd991e7e7d\"},\"panelIndex\":\"2762a942-0d53-4420-82c2-72bd991e7e7d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-18a81053-4dec-4f8f-97b9-2cfbb5150300\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal\",\"layers\":[{\"layerId\":\"18a81053-4dec-4f8f-97b9-2cfbb5150300\",\"seriesType\":\"bar_horizontal\",\"xAccessor\":\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\",\"accessors\":[\"70751b16-f471-4176-b754-1680309d4477\"],\"yConfig\":[{\"forAccessor\":\"70751b16-f471-4176-b754-1680309d4477\",\"color\":\"#6092c0\"}],\"layerType\":\"data\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"18a81053-4dec-4f8f-97b9-2cfbb5150300\":{\"columns\":{\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\":{\"label\":\"Top 10 region 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.geo.region_name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"70751b16-f471-4176-b754-1680309d4477\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"70751b16-f471-4176-b754-1680309d4477\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\",\"70751b16-f471-4176-b754-1680309d4477\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Geo-regions\"}]", "timeRestore": false, - "title": "Privileged Access Detection Dashboard [Windows]", + "title": "Privileged Access Detection Dashboard [Windows] (EUID)", "version": 1 }, "coreMigrationVersion": "8.8.0", - "id": "pad-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09", + "id": "pad-euid-46fd7fd1-4e75-4750-8367-56761cefd762", "migrationVersion": { "dashboard": "8.9.0" }, diff --git a/packages/pad/kibana/dashboard/pad-71c4cb79-3d39-4f27-9bbf-1b273c9c37cc.json b/packages/pad/kibana/dashboard/pad-euid-8ff48325-ebf8-4777-9ef1-3b6d160e220a.json similarity index 99% rename from packages/pad/kibana/dashboard/pad-71c4cb79-3d39-4f27-9bbf-1b273c9c37cc.json rename to packages/pad/kibana/dashboard/pad-euid-8ff48325-ebf8-4777-9ef1-3b6d160e220a.json index df7ffb8e57e..73a7d245453 100644 
--- a/packages/pad/kibana/dashboard/pad-71c4cb79-3d39-4f27-9bbf-1b273c9c37cc.json +++ b/packages/pad/kibana/dashboard/pad-euid-8ff48325-ebf8-4777-9ef1-3b6d160e220a.json 
@@ -13,11 +13,11 @@ }, "panelsJSON": "[{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":11,\"h\":8,\"i\":\"5f659483-b424-415f-aea1-c36bd1f65b0a\"},\"panelIndex\":\"5f659483-b424-415f-aea1-c36bd1f65b0a\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-00897d5d-df2a-4a94-b918-82f2625dfb2a\"}],\"state\":{\"visualization\":{\"layerId\":\"00897d5d-df2a-4a94-b918-82f2625dfb2a\",\"accessor\":\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"00897d5d-df2a-4a94-b918-82f2625dfb2a\":{\"columns\":{\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\":{\"label\":\"Anomalous host names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":0,\"w\":11,\"h\":8,\"i\":\"5183abf0-ed13-455e-9f43-4f03c1d8738f\"},\"panelIndex\":\"5183abf0-ed13-455e-9f43-4f03c1d8738f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-00897d5d-df2a-4a94-b918-82f2625dfb2a\"}],\"state\":{\"visualization\":{\"layerId\":\"00897d5d-df2a-4a94-
b918-82f2625dfb2a\",\"accessor\":\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"00897d5d-df2a-4a94-b918-82f2625dfb2a\":{\"columns\":{\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\":{\"label\":\"Anomalous user names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"user.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"ml_anomaly_swimlane\",\"gridData\":{\"x\":22,\"y\":0,\"w\":26,\"h\":18,\"i\":\"74fa9f56-104a-4efa-aec3-844420c0350d\"},\"panelIndex\":\"74fa9f56-104a-4efa-aec3-844420c0350d\",\"embeddableConfig\":{\"jobIds\":[\"pad_linux_high_count_privileged_process_events_by_user_euid\",\"pad_linux_high_median_process_command_line_entropy_by_user_euid\",\"pad_linux_rare_process_executed_by_user_euid\"],\"panelTitle\":\"ML anomaly swim lane for pad_linux_high_count_privileged_process_events_by_user_euid, pad_linux_high_median_process_command_line_entropy_by_user_euid, pad_linux_rare_process_executed_by_user_euid\",\"swimlaneType\":\"viewBy\",\"viewBy\":\"job ID\",\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected by their Job ID and 
Severity\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":8,\"w\":11,\"h\":10,\"i\":\"69788132-8446-4d88-baef-81dbb0c34bbb\"},\"panelIndex\":\"69788132-8446-4d88-baef-81dbb0c34bbb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\":{\"columns\":{\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\":{\"label\":\"User names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"user.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\",\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 User names\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":8,\"w\":11,\"h\":10,\"i\":\"fa9be72f-18d4-4054-85a1-6c35f3a44406\"},\"panelIndex\":\"fa9be72f-18d4-4054-85a1-6c35f3a44406\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\":{\"columns\":{\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\":{\"label\":\"Host 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\",\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Host names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":18,\"w\":48,\"h\":9,\"i\":\"437c12af-ddd9-4ffa-a43f-df5693028ae3\"},\"panelIndex\":\"437c12af-ddd9-4ffa-a43f-df5693028ae3\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-a25cc1d0-4da8-4e42-9d93-7800fd4573bf\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY 
chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"a25cc1d0-4da8-4e42-9d93-7800fd4573bf\",\"accessors\":[\"7bf6b54c-a978-44a5-a882-3e3398a9a49d\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"6e60ffb4-8f27-4d05-b120-699ffa51c46c\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"a25cc1d0-4da8-4e42-9d93-7800fd4573bf\":{\"columns\":{\"6e60ffb4-8f27-4d05-b120-699ffa51c46c\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":false,\"dropPartials\":false}},\"7bf6b54c-a978-44a5-a882-3e3398a9a49d\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"6e60ffb4-8f27-4d05-b120-699ffa51c46c\",\"7bf6b54c-a978-44a5-a882-3e3398a9a49d\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected over 
time\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":27,\"w\":21,\"h\":12,\"i\":\"a86a0e06-7e5c-4cf5-9e52-884a1b83f00d\"},\"panelIndex\":\"a86a0e06-7e5c-4cf5-9e52-884a1b83f00d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-bb8cc50c-32fa-4f4e-846d-f8128bc9cbd5\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal\",\"layers\":[{\"layerId\":\"bb8cc50c-32fa-4f4e-846d-f8128bc9cbd5\",\"accessors\":[\"f99b8911-2434-488c-92e3-208a71fa6abd\"],\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"d1ed4962-15bf-4a35-a43f-d68f3d9f269e\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"bb8cc50c-32fa-4f4e-846d-f8128bc9cbd5\":{\"columns\":{\"d1ed4962-15bf-4a35-a43f-d68f3d9f269e\":{\"label\":\"Top 10 process names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f99b8911-2434-488c-92e3-208a71fa6abd\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"f99b8911-2434-488c-92e3-208a71fa6abd\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"d1ed4962-15bf-4a35-a43f-d68f3d9f269e\",\"f99b8911-2434-488c-92e3-208a71fa6abd\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Process names\"},{\"type\":\"lens\",\"gridData\":{\"x\":21,\"y\":27,\"w\":27,\"h\":12,\"i\":\"ef4641fe-8802-4ca1-aae2-e4a7fdf80c25\"},\"panelIndex\":\"ef4641fe-8802-4ca1-aae2-e4a7fdf80c25\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-adf86fac-24b5-464e-83c0-0353583f7769\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"3723924b-14a6-414d-b1a9-0704cd57703e\",\"isTransposed\":false,\"isMetric\":false,\"oneClickFilter\":false},{\"columnId\":\"01945a54-9581-4d1a-8bbf-8ffb641b8f32\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"adf86fac-24b5-464e-83c0-0353583f7769\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"adf86fac-24b5-464e-83c0-0353583f7769\":{\"columns\":{\"3723924b-14a6-414d-b1a9-0704cd57703e\":{\"label\":\"Command 
lines\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.command_line\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"01945a54-9581-4d1a-8bbf-8ffb641b8f32\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"01945a54-9581-4d1a-8bbf-8ffb641b8f32\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3723924b-14a6-414d-b1a9-0704cd57703e\",\"01945a54-9581-4d1a-8bbf-8ffb641b8f32\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Command lines\"}]", "timeRestore": false, - "title": "Privileged Access Detection Dashboard [Linux]", + "title": "Privileged Access Detection Dashboard [Linux] (EUID)", "version": 1 }, "coreMigrationVersion": "8.8.0", - "id": "pad-71c4cb79-3d39-4f27-9bbf-1b273c9c37cc", + "id": "pad-euid-8ff48325-ebf8-4777-9ef1-3b6d160e220a", "migrationVersion": { "dashboard": "8.9.0" }, diff --git a/packages/pad/kibana/dashboard/pad-aea2c9d3-c841-4466-8c61-c0ffbf6ac976.json b/packages/pad/kibana/dashboard/pad-euid-97d27aca-2fbf-4a28-8eb6-279caa008eef.json similarity index 99% rename from packages/pad/kibana/dashboard/pad-aea2c9d3-c841-4466-8c61-c0ffbf6ac976.json rename to packages/pad/kibana/dashboard/pad-euid-97d27aca-2fbf-4a28-8eb6-279caa008eef.json index aa78f67bacb..03854a8fc27 100644 
--- a/packages/pad/kibana/dashboard/pad-aea2c9d3-c841-4466-8c61-c0ffbf6ac976.json +++ b/packages/pad/kibana/dashboard/pad-euid-97d27aca-2fbf-4a28-8eb6-279caa008eef.json 
@@ -13,11 +13,11 @@ }, "panelsJSON": "[{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":11,\"h\":8,\"i\":\"9102c38b-a4e9-4219-97f8-b2e000bd3af6\"},\"panelIndex\":\"9102c38b-a4e9-4219-97f8-b2e000bd3af6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\"}],\"state\":{\"visualization\":{\"layerId\":\"606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\",\"accessor\":\"aec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\":{\"columns\":{\"aec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\":{\"label\":\"Anomalous host names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"agent.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"aec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":0,\"w\":11,\"h\":8,\"i\":\"c2594a80-809a-4db9-949f-c23de974e903\"},\"panelIndex\":\"c2594a80-809a-4db9-949f-c23de974e903\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\"}],\"state\":{\"visualization\":{\"layerId\":\"606e98ee-80ad-4ef6
-b5dd-d72ca603cf3d\",\"accessor\":\"aec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\":{\"columns\":{\"aec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\":{\"label\":\"Anomalous user names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"source.user.full_name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"aec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"ml_anomaly_swimlane\",\"gridData\":{\"x\":22,\"y\":0,\"w\":26,\"h\":19,\"i\":\"8a24b8ca-19da-4eb9-9ac3-d09bb362abb2\"},\"panelIndex\":\"8a24b8ca-19da-4eb9-9ac3-d09bb362abb2\",\"embeddableConfig\":{\"jobIds\":[\"pad_okta_high_sum_concurrent_sessions_by_user_euid\",\"pad_okta_rare_host_name_by_user_euid\",\"pad_okta_rare_region_name_by_user_euid\",\"pad_okta_rare_source_ip_by_user_euid\",\"pad_okta_spike_in_group_application_assignment_changes_euid\",\"pad_okta_spike_in_group_lifecycle_changes_euid\",\"pad_okta_spike_in_group_membership_changes_euid\",\"pad_okta_spike_in_group_privilege_changes_euid\",\"pad_okta_spike_in_user_lifecycle_management_changes_euid\"],\"panelTitle\":\"ML anomaly swim lane for pad_okta_high_sum_concurrent_sessions_by_user_euid, pad_okta_rare_host_name_by_user_euid, pad_okta_rare_region_name_by_user_euid, pad_okta_rare_source_ip_by_user_euid, pad_okta_spike_in_group_application_assignment_changes_euid, pad_okta_spike_in_group_lifecycle_changes_euid, 
pad_okta_spike_in_group_membership_changes_euid, pad_okta_spike_in_group_privilege_changes_euid, pad_okta_spike_in_user_lifecycle_management_changes_euid\",\"swimlaneType\":\"viewBy\",\"viewBy\":\"job ID\",\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected by their Job ID and Severity\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":8,\"w\":11,\"h\":11,\"i\":\"fe8ca082-0cbb-4e64-87c0-71b580b22776\"},\"panelIndex\":\"fe8ca082-0cbb-4e64-87c0-71b580b22776\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"471aae81-d83d-4ef6-942b-c92f9fe26435\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\":{\"columns\":{\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\":{\"label\":\"User names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.user.full_name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"471aae81-d83d-4ef6-942b-c92f9fe26435\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"471aae81-d83d-4ef6-942b-c92f9fe26435\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\",\"471aae81-d83d-4ef6-942b-c92f9fe26435\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 User names\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":8,\"w\":11,\"h\":11,\"i\":\"87db855a-4b1c-43b0-92f7-23d991abc98d\"},\"panelIndex\":\"87db855a-4b1c-43b0-92f7-23d991abc98d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"471aae81-d83d-4ef6-942b-c92f9fe26435\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"single\",\"rowHeightLines\":1},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\":{\"columns\":{\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\":{\"label\":\"Host 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"471aae81-d83d-4ef6-942b-c92f9fe26435\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"471aae81-d83d-4ef6-942b-c92f9fe26435\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\",\"471aae81-d83d-4ef6-942b-c92f9fe26435\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Host names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":19,\"w\":48,\"h\":9,\"i\":\"64a3d12e-87fc-4161-86bf-d10e47cb2131\"},\"panelIndex\":\"64a3d12e-87fc-4161-86bf-d10e47cb2131\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-d53a6d5d-0747-4aff-a8e0-bf3678f0f192\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY 
chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"d53a6d5d-0747-4aff-a8e0-bf3678f0f192\",\"accessors\":[\"8e064c56-fb74-40b3-851d-e3bb934f3224\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"9276778a-5402-4477-825f-bdfec4c9c712\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d53a6d5d-0747-4aff-a8e0-bf3678f0f192\":{\"columns\":{\"8e064c56-fb74-40b3-851d-e3bb934f3224\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"9276778a-5402-4477-825f-bdfec4c9c712\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":false,\"dropPartials\":false}}},\"columnOrder\":[\"9276778a-5402-4477-825f-bdfec4c9c712\",\"8e064c56-fb74-40b3-851d-e3bb934f3224\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected over 
time\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":28,\"w\":12,\"h\":12,\"i\":\"27b2661e-490f-4f5c-80b5-7021b64528da\"},\"panelIndex\":\"27b2661e-490f-4f5c-80b5-7021b64528da\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-aca96b75-931d-4c8d-bcf2-03b37727f51e\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"b9958cde-7f21-4133-9264-e2167b1636ab\",\"isTransposed\":false,\"isMetric\":true},{\"columnId\":\"91d2626d-1b61-4783-ac7b-705b8610f29b\",\"isTransposed\":false,\"isMetric\":false}],\"layerId\":\"aca96b75-931d-4c8d-bcf2-03b37727f51e\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"aca96b75-931d-4c8d-bcf2-03b37727f51e\":{\"columns\":{\"b9958cde-7f21-4133-9264-e2167b1636ab\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"91d2626d-1b61-4783-ac7b-705b8610f29b\":{\"label\":\"Okta event 
types\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"okta.event_type\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"b9958cde-7f21-4133-9264-e2167b1636ab\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"91d2626d-1b61-4783-ac7b-705b8610f29b\",\"b9958cde-7f21-4133-9264-e2167b1636ab\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Okta event types\"},{\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":28,\"w\":12,\"h\":12,\"i\":\"1f7cd6af-eee1-4456-a555-e257acb9dbae\"},\"panelIndex\":\"1f7cd6af-eee1-4456-a555-e257acb9dbae\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-aca96b75-931d-4c8d-bcf2-03b37727f51e\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"b9958cde-7f21-4133-9264-e2167b1636ab\",\"isTransposed\":false,\"isMetric\":true},{\"columnId\":\"91d2626d-1b61-4783-ac7b-705b8610f29b\",\"isTransposed\":false,\"isMetric\":false}],\"layerId\":\"aca96b75-931d-4c8d-bcf2-03b37727f51e\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"aca96b75-931d-4c8d-bcf2-03b37727f51e\":{\"columns\":{\"b9958cde-7f21-4133-9264-e2167b1636ab\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"91d2626d-1b61-4783-ac7b-705b8610f29b\":{\"label\":\"Source IPs\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.ip\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"b9958cde-7f21-4133-9264-e2167b1636ab\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true}},\"columnOrder\":[\"91d2626d-1b61-4783-ac7b-705b8610f29b\",\"b9958cde-7f21-4133-9264-e2167b1636ab\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Source 
IPs\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":28,\"w\":24,\"h\":12,\"i\":\"151ae1ee-f82f-4233-8901-4b54548fa92f\"},\"panelIndex\":\"151ae1ee-f82f-4233-8901-4b54548fa92f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-ca9ed90b-110a-4dec-a680-bd615c54f318\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal\",\"layers\":[{\"layerId\":\"ca9ed90b-110a-4dec-a680-bd615c54f318\",\"seriesType\":\"bar_horizontal\",\"xAccessor\":\"e789ceb8-c70c-43af-9126-bd9d7958f77b\",\"accessors\":[\"3f708596-2ad5-4a79-818d-4054db051bd4\"],\"yConfig\":[{\"forAccessor\":\"3f708596-2ad5-4a79-818d-4054db051bd4\",\"color\":\"#6092c0\"}],\"layerType\":\"data\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"ca9ed90b-110a-4dec-a680-bd615c54f318\":{\"columns\":{\"3f708596-2ad5-4a79-818d-4054db051bd4\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"e789ceb8-c70c-43af-9126-bd9d7958f77b\":{\"label\":\"Top 10 region 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"client.geo.region_name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"3f708596-2ad5-4a79-818d-4054db051bd4\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true}},\"columnOrder\":[\"e789ceb8-c70c-43af-9126-bd9d7958f77b\",\"3f708596-2ad5-4a79-818d-4054db051bd4\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Geo-regions\"}]", "timeRestore": false, - "title": "Privileged Access Detection Dashboard [Okta]", + "title": "Privileged Access Detection Dashboard [Okta] (EUID)", "version": 1 }, "coreMigrationVersion": "8.8.0", - "id": "pad-aea2c9d3-c841-4466-8c61-c0ffbf6ac976", + "id": "pad-euid-97d27aca-2fbf-4a28-8eb6-279caa008eef", "migrationVersion": { "dashboard": "8.9.0" }, From ebdf1e8e8a4a0d22231305a307fad1bd94df80d2 Mon Sep 17 00:00:00 2001 
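Review bot: only the `title` ("... [Okta] (EUID)") and the saved-object `id` (`pad-aea2c9d3-...` to `pad-euid-97d27aca-...`) change in this hunk, while the unchanged `panelsJSON` context still builds the "Anomalous user names detected", "Top 10 User names" and "Top 10 Host names" panels from `source.user.full_name` and `agent.name`. If the `_euid` jobs now partition on an entity-id field instead of those names, confirm the anomaly records in `.ml-anomalies-shared` still carry `source.user.full_name`, `agent.name`, `okta.event_type`, `source.ip` and `client.geo.region_name` (as partition, by or influencer fields), otherwise these panels render empty against the new jobs. Also check that the nine `jobIds` in the swim lane (`pad_okta_high_sum_concurrent_sessions_by_user_euid` through `pad_okta_spike_in_user_lifecycle_management_changes_euid`) match the job IDs defined in the ML module byte for byte; the swim lane silently shows nothing for an ID that does not exist.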
From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Tue, 3 Mar 2026 13:22:12 -0600 Subject: [PATCH 05/44] add dashboard changes for host traffic anomalies package --- packages/hta/changelog.yml | 5 + ...-c3773b23-471c-4168-bb02-90489161ce51.json | 122 ------------------ ...-9ab90b79-7549-4329-98a4-37262834d875.json | 122 ++++++++++++++++++ packages/hta/manifest.yml | 4 +- 4 files changed, 129 insertions(+), 124 deletions(-) delete mode 100644 packages/hta/kibana/dashboard/hta-c3773b23-471c-4168-bb02-90489161ce51.json create mode 100644 packages/hta/kibana/dashboard/hta-euid-9ab90b79-7549-4329-98a4-37262834d875.json diff --git a/packages/hta/changelog.yml b/packages/hta/changelog.yml index 3064f0f2725..d7d63ec75e3 100644 --- a/packages/hta/changelog.yml +++ b/packages/hta/changelog.yml @@ -1,3 +1,8 @@ +- version: "2.0.0" + changes: + - description: Introduce Entity Unique IDs (EUIDs) + type: enhancement + link: https://github.com/elastic/integrations/pull/99999 - version: "1.0.1" changes: - description: Update documentation on configuring data view for dashboards diff --git a/packages/hta/kibana/dashboard/hta-c3773b23-471c-4168-bb02-90489161ce51.json b/packages/hta/kibana/dashboard/hta-c3773b23-471c-4168-bb02-90489161ce51.json deleted file mode 100644 index 86997952949..00000000000 --- a/packages/hta/kibana/dashboard/hta-c3773b23-471c-4168-bb02-90489161ce51.json +++ /dev/null 
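Review bot: the new changelog entry links to `https://github.com/elastic/integrations/pull/99999`, which is a placeholder and must be replaced with this PR's real number before merge. The entry is also typed `enhancement` while the diff summary in the same commit deletes `packages/hta/kibana/dashboard/hta-c3773b23-471c-4168-bb02-90489161ce51.json` and creates `hta-euid-9ab90b79-7549-4329-98a4-37262834d875.json` under a new saved-object id; since the 1.x to 2.0.0 bump already signals incompatibility, state in the description that the old dashboard is replaced (existing links and bookmarks to the old id stop working) or use `type: breaking-change` so users upgrading know to update them.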
@@ -1,122 +0,0 @@ -{ - "id": "hta-c3773b23-471c-4168-bb02-90489161ce51", - "type": "dashboard", - "coreMigrationVersion": "8.8.0", - "migrationVersion": { - "dashboard": "8.9.0" - }, - "attributes": { - "version": 1, - "controlGroupInput": { - "controlStyle": "oneLine", - "chainingSystem": "HIERARCHICAL", - "panelsJSON": "{\"9c3b118a-6b55-43c2-8f8a-7905debfeaf1\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":false,\"width\":\"medium\",\"explicitInput\":{\"id\":\"9c3b118a-6b55-43c2-8f8a-7905debfeaf1\",\"fieldName\":\"host.name\",\"title\":\"host.name\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{},\"existsSelected\":true,\"selectedOptions\":[]}},\"62d77b7e-89ca-4cd9-8528-8102395c7beb\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":false,\"width\":\"medium\",\"explicitInput\":{\"id\":\"62d77b7e-89ca-4cd9-8528-8102395c7beb\",\"fieldName\":\"event.dataset\",\"title\":\"event.dataset\",\"grow\":false,\"width\":\"medium\",\"enhancements\":{}}}}", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}" - }, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" - }, - "description": "This dashboard helps detect and understand traffic anomalies from hosts, such as sudden spikes or drops, which may indicate threats or system issues.", - "timeRestore": false, - "optionsJSON": "{\"useMargins\":true,\"syncColors\":true,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}", - "panelsJSON": "[{\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":15,\"h\":20,\"i\":\"2189938b-ac38-4a01-85a2-d05ef370375f\"},\"panelIndex\":\"2189938b-ac38-4a01-85a2-d05ef370375f\",\"embeddableConfig\":{\"savedVis\":{\"id\":\"\",\"title\":\"\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"### Description\\nThis dashboard helps detect and 
understand traffic anomalies from hosts, such as sudden spikes or drops, which may indicate threats or system issues.\\n\\n### Instructions\\nEnable the following jobs in order to detect host traffic anomalies:\\n- high_count_events_for_a_host_name\\n- low_count_events_for_a_host_name\\n\\n### How to enable jobs\\nGo to **Machine Learning** **->** Under Anomaly Detection, select **Jobs** **->** Click **Create anomaly detection job** button **->** Select your data view (ex: \\\"logs-*\\\") **->** Select **Security: Host** **->** Click **Create jobs**\\n\\n[Documentation link 🔗](https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html#security-host)\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"enhancements\":{},\"hidePanelTitles\":true},\"title\":\"Description\"},{\"type\":\"lens\",\"gridData\":{\"x\":15,\"y\":0,\"w\":10,\"h\":7,\"i\":\"d5406e02-23be-4706-b754-6c98322988f0\"},\"panelIndex\":\"d5406e02-23be-4706-b754-6c98322988f0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0878cf0f-9248-4259-9fde-be7d100dd7da\"}],\"state\":{\"visualization\":{\"layerId\":\"0878cf0f-9248-4259-9fde-be7d100dd7da\",\"layerType\":\"data\",\"metricAccessor\":\"0c941069-ccc2-461e-8a74-3e635d691757\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"0878cf0f-9248-4259-9fde-be7d100dd7da\":{\"columns\":{\"0c941069-ccc2-461e-8a74-3e635d691757X0\":{\"label\":\"Part of Total Hosts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"filter\":{\"query\":\"event.category:* AND host.name:* AND event.dataset:* AND event.outcome: 
\\\"success\\\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"0c941069-ccc2-461e-8a74-3e635d691757\":{\"label\":\"Total Hosts\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"unique_count(host.name)\",\"isFormulaBroken\":false},\"references\":[\"0c941069-ccc2-461e-8a74-3e635d691757X0\"],\"filter\":{\"query\":\"event.category:* AND host.name:* AND event.dataset:* AND event.outcome: \\\"success\\\"\",\"language\":\"kuery\"},\"customLabel\":true}},\"columnOrder\":[\"0c941069-ccc2-461e-8a74-3e635d691757\",\"0c941069-ccc2-461e-8a74-3e635d691757X0\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\"logs-*\"}},\"currentIndexPatternId\":\"logs-*\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"lens\",\"gridData\":{\"x\":25,\"y\":0,\"w\":12,\"h\":7,\"i\":\"095364c8-b16f-4a65-bc20-7e3d6434a7c5\"},\"panelIndex\":\"095364c8-b16f-4a65-bc20-7e3d6434a7c5\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-f4e80a32-b042-4b35-a6f1-e63ca1f73810\"}],\"state\":{\"visualization\":{\"layerId\":\"f4e80a32-b042-4b35-a6f1-e63ca1f73810\",\"layerType\":\"data\",\"metricAccessor\":\"a3bbfd29-c023-41ce-8ebe-14fb165e36cc\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"f4e80a32-b042-4b35-a6f1-e63ca1f73810\":{\"columns\":{\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX0\":{\"label\":\"Part of Average traffic data\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"event.category:* AND host.name:* AND 
event.dataset:* AND event.outcome: \\\"success\\\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX1\":{\"label\":\"Part of Average traffic data\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"filter\":{\"query\":\"event.category:* AND host.name:* AND event.dataset:* AND event.outcome: \\\"success\\\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX2\":{\"label\":\"Part of Average traffic data\",\"dataType\":\"number\",\"operationType\":\"math\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"tinymathAst\":{\"type\":\"function\",\"name\":\"divide\",\"args\":[{\"type\":\"function\",\"name\":\"divide\",\"args\":[\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX0\",\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX1\"],\"location\":{\"min\":1,\"max\":32},\"text\":\"count()/unique_count(host.name)\"},1000000],\"location\":{\"min\":0,\"max\":41},\"text\":\"(count()/unique_count(host.name))/1000000\"}},\"references\":[\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX0\",\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX1\"],\"customLabel\":true},\"a3bbfd29-c023-41ce-8ebe-14fb165e36cc\":{\"label\":\"Average traffic data\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"(count()/unique_count(host.name))/1000000\",\"isFormulaBroken\":false,\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2,\"suffix\":\"mbps\"}}},\"references\":[\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX2\"],\"filter\":{\"query\":\"event.category:* AND host.name:* AND event.dataset:* AND event.outcome: 
\\\"success\\\"\",\"language\":\"kuery\"},\"customLabel\":true}},\"columnOrder\":[\"a3bbfd29-c023-41ce-8ebe-14fb165e36cc\",\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX0\",\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX1\",\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX2\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\"logs-*\"}},\"currentIndexPatternId\":\"logs-*\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"lens\",\"gridData\":{\"x\":37,\"y\":0,\"w\":11,\"h\":7,\"i\":\"17cbd05f-fe7c-409e-97ae-780476124c04\"},\"panelIndex\":\"17cbd05f-fe7c-409e-97ae-780476124c04\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-5c67ed52-f853-4732-bdc0-8f6f26cff79d\"}],\"state\":{\"visualization\":{\"layerId\":\"5c67ed52-f853-4732-bdc0-8f6f26cff79d\",\"layerType\":\"data\",\"metricAccessor\":\"fb2439f6-2fdf-4d84-98c1-74d38902671c\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"5c67ed52-f853-4732-bdc0-8f6f26cff79d\":{\"columns\":{\"fb2439f6-2fdf-4d84-98c1-74d38902671c\":{\"label\":\"Hosts with unusual traffic\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true,\"filter\":{\"query\":\"job_id : (\\\"high_count_events_for_a_host_name\\\" or \\\"low_count_events_for_a_host_name\\\" ) and result_type :\\\"record\\\" 
\",\"language\":\"kuery\"}}},\"columnOrder\":[\"fb2439f6-2fdf-4d84-98c1-74d38902671c\"],\"incompleteColumns\":{}}}},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":true}},{\"type\":\"lens\",\"gridData\":{\"x\":15,\"y\":7,\"w\":10,\"h\":13,\"i\":\"d7840b4a-1b5d-444c-86b8-eebf0434709a\"},\"panelIndex\":\"d7840b4a-1b5d-444c-86b8-eebf0434709a\",\"embeddableConfig\":{\"hidePanelTitles\":true,\"enhancements\":{},\"attributes\":{\"title\":\"Total anomalies detected\",\"visualizationType\":\"lnsMetric\",\"state\":{\"visualization\":{\"layerId\":\"6dc48429-d618-4e6a-a307-9944d2ee13b7\",\"layerType\":\"data\",\"metricAccessor\":\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\",\"color\":\"#AA6556\",\"icon\":\"sortUp\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"6dc48429-d618-4e6a-a307-9944d2ee13b7\":{\"columns\":{\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\":{\"label\":\"Total anomalies detected\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":false},\"filter\":{\"query\":\"job_id : (\\\"high_count_events_for_a_host_name\\\" or \\\"low_count_events_for_a_host_name\\\" ) and result_type : 
\\\"record\\\"\",\"language\":\"kuery\"},\"customLabel\":true}},\"columnOrder\":[\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}},\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-6dc48429-d618-4e6a-a307-9944d2ee13b7\"}],\"type\":\"lens\",\"savedObjectId\":\"fca78426-ea3d-4902-b761-2928d23a1191\"}}},{\"type\":\"lens\",\"gridData\":{\"x\":37,\"y\":7,\"w\":11,\"h\":13,\"i\":\"ff1b9e2c-5eda-4562-988c-081ed5cf6e73\"},\"panelIndex\":\"ff1b9e2c-5eda-4562-988c-081ed5cf6e73\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-6dc48429-d618-4e6a-a307-9944d2ee13b7\"}],\"state\":{\"visualization\":{\"layerId\":\"6dc48429-d618-4e6a-a307-9944d2ee13b7\",\"layerType\":\"data\",\"metricAccessor\":\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\",\"breakdownByAccessor\":\"ef522b68-f45e-43dd-9db4-aaccfc594e35\",\"maxCols\":1,\"color\":\"#6092C0\",\"icon\":\"sortDown\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"6dc48429-d618-4e6a-a307-9944d2ee13b7\":{\"columns\":{\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"filter\":{\"query\":\"job_id : ( \\\"low_count_events_for_a_host_name\\\" ) and result_type :\\\"record\\\" 
\",\"language\":\"kuery\"}},\"ef522b68-f45e-43dd-9db4-aaccfc594e35\":{\"label\":\"Filters\",\"dataType\":\"string\",\"operationType\":\"filters\",\"scale\":\"ordinal\",\"isBucketed\":true,\"params\":{\"filters\":[{\"label\":\"Low Traffic Anomalies\",\"input\":{\"query\":\"\\\"job_id\\\" : \\\"low_count_events_for_a_host_name\\\" \",\"language\":\"kuery\"}}]}}},\"columnOrder\":[\"ef522b68-f45e-43dd-9db4-aaccfc594e35\",\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"lens\",\"gridData\":{\"x\":25,\"y\":7,\"w\":12,\"h\":13,\"i\":\"1a35a792-12de-4450-a129-ace659dabd01\"},\"panelIndex\":\"1a35a792-12de-4450-a129-ace659dabd01\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-6dc48429-d618-4e6a-a307-9944d2ee13b7\"}],\"state\":{\"visualization\":{\"layerId\":\"6dc48429-d618-4e6a-a307-9944d2ee13b7\",\"layerType\":\"data\",\"metricAccessor\":\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\",\"color\":\"#E7664C\",\"icon\":\"sortUp\",\"breakdownByAccessor\":\"25a19bc8-91e1-4861-92ff-9e18f1432d3f\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"6dc48429-d618-4e6a-a307-9944d2ee13b7\":{\"columns\":{\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":false},\"filter\":{\"query\":\"job_id : \\\"high_count_events_for_a_host_name\\\" and result_type : \\\"record\\\" 
\",\"language\":\"kuery\"}},\"25a19bc8-91e1-4861-92ff-9e18f1432d3f\":{\"label\":\"Filters\",\"dataType\":\"string\",\"operationType\":\"filters\",\"scale\":\"ordinal\",\"isBucketed\":true,\"params\":{\"filters\":[{\"input\":{\"query\":\"job_id : (\\\"high_count_events_for_a_host_name\\\" )\",\"language\":\"kuery\"},\"label\":\"High Traffic Anomalies\"}]}}},\"columnOrder\":[\"25a19bc8-91e1-4861-92ff-9e18f1432d3f\",\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"ml_anomaly_swimlane\",\"gridData\":{\"x\":0,\"y\":20,\"w\":48,\"h\":17,\"i\":\"2459f8bb-d57f-49ec-b472-aa1328baebd8\"},\"panelIndex\":\"2459f8bb-d57f-49ec-b472-aa1328baebd8\",\"embeddableConfig\":{\"jobIds\":[\"low_count_events_for_a_host_name\",\"high_count_events_for_a_host_name\"],\"panelTitle\":\"Anomalies detected per host\",\"swimlaneType\":\"viewBy\",\"viewBy\":\"host.name\",\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Hosts with unusual traffic 
patterns\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":37,\"w\":24,\"h\":15,\"i\":\"6ca0394b-fa7b-4efe-b17d-e0823e8087b3\"},\"panelIndex\":\"6ca0394b-fa7b-4efe-b17d-e0823e8087b3\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-914f81de-6cbc-4863-9e44-b69d323d41d2\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":false,\"position\":\"bottom\",\"isInside\":false,\"showSingleSeries\":false},\"valueLabels\":\"show\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal_stacked\",\"layers\":[{\"layerId\":\"914f81de-6cbc-4863-9e44-b69d323d41d2\",\"accessors\":[\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\"],\"position\":\"top\",\"seriesType\":\"bar_horizontal_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"splitAccessor\":\"f6970021-0d2e-4c33-9a26-9e15030a157a\",\"xAccessor\":\"e7bc81ec-8882-4d97-816e-053c19412845\",\"palette\":{\"type\":\"palette\",\"name\":\"complimentary\"}}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"914f81de-6cbc-4863-9e44-b69d323d41d2\":{\"columns\":{\"f6970021-0d2e-4c33-9a26-9e15030a157a\":{\"label\":\"Filters\",\"dataType\":\"string\",\"operationType\":\"filters\",\"scale\":\"ordinal\",\"isBucketed\":true,\"params\":{\"filters\":[{\"label\":\"\",\"input\":{\"query\":\"job_id : \\\"low_count_events_for_a_host_name\\\" and result_type : \\\"record\\\" \",\"language\":\"kuery\"}}]}},\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"e7bc81ec-8882-4d97-816e-053c19412845\":{\"label\":\"Top 5 values of host.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"f6970021-0d2e-4c33-9a26-9e15030a157a\",\"e7bc81ec-8882-4d97-816e-053c19412845\",\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 5 low traffic 
hosts\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":37,\"w\":24,\"h\":15,\"i\":\"271e0000-4a5f-44fc-a346-f18b7642affb\"},\"panelIndex\":\"271e0000-4a5f-44fc-a346-f18b7642affb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-914f81de-6cbc-4863-9e44-b69d323d41d2\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":false,\"position\":\"bottom\",\"shouldTruncate\":true,\"showSingleSeries\":false},\"valueLabels\":\"show\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal_stacked\",\"layers\":[{\"layerId\":\"914f81de-6cbc-4863-9e44-b69d323d41d2\",\"accessors\":[\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\"],\"position\":\"top\",\"seriesType\":\"bar_horizontal_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"splitAccessor\":\"f6970021-0d2e-4c33-9a26-9e15030a157a\",\"xAccessor\":\"e7bc81ec-8882-4d97-816e-053c19412845\",\"palette\":{\"type\":\"palette\",\"name\":\"warm\"}}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"914f81de-6cbc-4863-9e44-b69d323d41d2\":{\"columns\":{\"f6970021-0d2e-4c33-9a26-9e15030a157a\":{\"label\":\"Filters\",\"dataType\":\"string\",\"operationType\":\"filters\",\"scale\":\"ordinal\",\"isBucketed\":true,\"params\":{\"filters\":[{\"label\":\"\",\"input\":{\"query\":\"job_id : \\\"high_count_events_for_a_host_name\\\" and result_type : \\\"record\\\" \",\"language\":\"kuery\"}}]}},\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"e7bc81ec-8882-4d97-816e-053c19412845\":{\"label\":\"Top 5 values of host.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"f6970021-0d2e-4c33-9a26-9e15030a157a\",\"e7bc81ec-8882-4d97-816e-053c19412845\",\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 5 high traffic 
hosts\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":52,\"w\":48,\"h\":16,\"i\":\"a4b62995-53a2-4172-baa7-dd1bd915ac7d\"},\"panelIndex\":\"a4b62995-53a2-4172-baa7-dd1bd915ac7d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-d437f4ff-74ee-4331-801b-be6e5c990de0\"},{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-230b3abd-6bbd-4a50-8e51-14524532ad06\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"Linear\",\"curveType\":\"CURVE_MONOTONE_X\",\"showCurrentTimeMarker\":false,\"valuesInLegend\":true,\"yLeftScale\":\"sqrt\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"d437f4ff-74ee-4331-801b-be6e5c990de0\",\"accessors\":[\"e984c84e-806f-46a4-8ab1-0b0aa4a23fd6\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"05c80e04-0870-4876-a665-b4844ed36eb1\",\"splitAccessor\":\"206e9fca-0d44-41c6-9451-c7ed6d532d67\"},{\"layerId\":\"230b3abd-6bbd-4a50-8e51-14524532ad06\",\"layerType\":\"data\",\"accessors\":[\"34af8905-9648-4963-8c6e-f36fa638a8e1\"],\"seriesType\":\"line\",\"xAccessor\":\"3a80d472-891e-4958-a27c-822d5d561b64\",\"yConfig\":[{\"forAccessor\":\"34af8905-9648-4963-8c6e-f36fa638a8e1\",\"color\":\"#e7664c\"}],\"splitAccessor\":\"6d21d26b-7857-408f-917a-51dc7468fe9d\"}],\"endValue\":\"Zero\"},\"query\":{\"query\":\"job_id: (\\\"high_count_events_for_a_host_name\\\" ) and host.name : * and result_type : 
\\\"record\\\" \",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"result_type\",\"params\":{\"query\":\"influencer\"},\"index\":\"1acb5707-28a3-4440-800c-70da0d87725f\"},\"query\":{\"match_phrase\":{\"result_type\":\"influencer\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d437f4ff-74ee-4331-801b-be6e5c990de0\":{\"columns\":{\"05c80e04-0870-4876-a665-b4844ed36eb1\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":false,\"dropPartials\":true}},\"e984c84e-806f-46a4-8ab1-0b0aa4a23fd6\":{\"label\":\"Average of actual\",\"dataType\":\"number\",\"operationType\":\"average\",\"sourceField\":\"actual\",\"isBucketed\":false,\"scale\":\"ratio\",\"filter\":{\"query\":\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true}},\"206e9fca-0d44-41c6-9451-c7ed6d532d67\":{\"label\":\"Top 300 values of 
host.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":300,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e984c84e-806f-46a4-8ab1-0b0aa4a23fd6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"05c80e04-0870-4876-a665-b4844ed36eb1\",\"206e9fca-0d44-41c6-9451-c7ed6d532d67\",\"e984c84e-806f-46a4-8ab1-0b0aa4a23fd6\"],\"incompleteColumns\":{},\"sampling\":1},\"230b3abd-6bbd-4a50-8e51-14524532ad06\":{\"linkToLayers\":[],\"columns\":{\"3a80d472-891e-4958-a27c-822d5d561b64\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":true}},\"34af8905-9648-4963-8c6e-f36fa638a8e1\":{\"label\":\"Average of typical\",\"dataType\":\"number\",\"operationType\":\"average\",\"sourceField\":\"typical\",\"isBucketed\":false,\"scale\":\"ratio\",\"filter\":{\"query\":\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true}},\"6d21d26b-7857-408f-917a-51dc7468fe9d\":{\"label\":\"Top 300 values of 
host.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":300,\"orderBy\":{\"type\":\"column\",\"columnId\":\"34af8905-9648-4963-8c6e-f36fa638a8e1\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"6d21d26b-7857-408f-917a-51dc7468fe9d\",\"3a80d472-891e-4958-a27c-822d5d561b64\",\"34af8905-9648-4963-8c6e-f36fa638a8e1\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}}}},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Hosts with spikes in traffic\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":68,\"w\":48,\"h\":13,\"i\":\"c56c231d-ca87-4311-9827-50562563cf34\"},\"panelIndex\":\"c56c231d-ca87-4311-9827-50562563cf34\",\"embeddableConfig\":{\"enhancements\":{},\"attributes\":{\"title\":\"Anomalies detected over 
time\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-c79ffa3c-754a-48ab-ba60-46afd0d7ff3c\"},{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-a4a449ad-43c4-4d81-bb00-92ce098247a6\"},{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-b36bcefe-42ed-4e91-b487-4b2c8652f4f5\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\",\"legendSize\":\"large\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"c79ffa3c-754a-48ab-ba60-46afd0d7ff3c\",\"accessors\":[\"5a7ea0d2-b833-43a0-b2ee-760491aa7c20\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"palette\":{\"type\":\"palette\",\"name\":\"temperature\"},\"xAccessor\":\"3fc83bd9-2314-436e-8b61-4a8f5694e509\",\"splitAccessor\":\"afcd1239-1670-4b38-97c6-60dd18720834\"},{\"layerId\":\"a4a449ad-43c4-4d81-bb00-92ce098247a6\",\"layerType\":\"data\",\"accessors\":[\"16dbf6a1-9df7-46e0-bb21-f1968227cfb0\"],\"seriesType\":\"line\",\"xAccessor\":\"a5ac8da2-140e-4b67-9685-08424ee93fc3\"},{\"layerId\":\"b36bcefe-42ed-4e91-b487-4b2c8652f4f5\",\"layerType\":\"data\",\"accessors\":[\"4ac4ae30-2b63-4f92-926b-a3367c126709\"],\"seriesType\":\"line\",\"xAccessor\":\"d6a8746c-e875-4e90-b370-16d03e0d0cec\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"c79ffa3c-754a-48ab-ba60-46afd0d7ff3c\":{\"columns\":{\"3fc83bd9-2314-436e-8b61-4a8f
5694e509\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"d\",\"includeEmptyRows\":false,\"dropPartials\":true}},\"afcd1239-1670-4b38-97c6-60dd18720834\":{\"label\":\"Filters\",\"dataType\":\"string\",\"operationType\":\"filters\",\"scale\":\"ordinal\",\"isBucketed\":true,\"params\":{\"filters\":[{\"input\":{\"query\":\"job_id: \\\"low_count_events_for_a_host_name\\\" and result_type : \\\"record\\\" \",\"language\":\"kuery\"},\"label\":\"Low Traffic Anomalies\"},{\"input\":{\"query\":\"job_id: \\\"high_count_events_for_a_host_name\\\" and result_type : \\\"record\\\" \",\"language\":\"kuery\"},\"label\":\"High Traffic Anomalis\"}]}},\"5a7ea0d2-b833-43a0-b2ee-760491aa7c20\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3fc83bd9-2314-436e-8b61-4a8f5694e509\",\"afcd1239-1670-4b38-97c6-60dd18720834\",\"5a7ea0d2-b833-43a0-b2ee-760491aa7c20\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}},\"a4a449ad-43c4-4d81-bb00-92ce098247a6\":{\"linkToLayers\":[],\"columns\":{\"a5ac8da2-140e-4b67-9685-08424ee93fc3\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"d\",\"includeEmptyRows\":false,\"dropPartials\":true}},\"16dbf6a1-9df7-46e0-bb21-f1968227cfb0\":{\"label\":\"Average of actual\",\"dataType\":\"number\",\"operationType\":\"average\",\"sourceField\":\"actual\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true,\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"filter\":{\"query\":\"job_id : 
(\\\"high_count_events_for_a_host_name\\\" or \\\"low_count_events_for_a_host_name\\\" ) and result_type : \\\"record\\\"\",\"language\":\"kuery\"}}},\"columnOrder\":[\"a5ac8da2-140e-4b67-9685-08424ee93fc3\",\"16dbf6a1-9df7-46e0-bb21-f1968227cfb0\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}},\"b36bcefe-42ed-4e91-b487-4b2c8652f4f5\":{\"linkToLayers\":[],\"columns\":{\"d6a8746c-e875-4e90-b370-16d03e0d0cec\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"d\",\"includeEmptyRows\":false,\"dropPartials\":true}},\"4ac4ae30-2b63-4f92-926b-a3367c126709\":{\"label\":\"Average of typical\",\"dataType\":\"number\",\"operationType\":\"average\",\"sourceField\":\"typical\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true,\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"filter\":{\"query\":\"job_id : (\\\"high_count_events_for_a_host_name\\\" or \\\"low_count_events_for_a_host_name\\\" ) and result_type : 
\\\"record\\\"\",\"language\":\"kuery\"}}},\"columnOrder\":[\"d6a8746c-e875-4e90-b370-16d03e0d0cec\",\"4ac4ae30-2b63-4f92-926b-a3367c126709\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}}}},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}}}},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":81,\"w\":24,\"h\":15,\"i\":\"7730f065-9101-453b-886c-addc2f2fa726\"},\"panelIndex\":\"7730f065-9101-453b-886c-addc2f2fa726\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-c7ce8741-3831-487f-8227-1d97a4bf565a\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"b17e458f-5564-4c49-b5b0-4f26bd3737bc\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"a9a3a723-ad58-495c-b744-84990d1a7fb1\",\"isTransposed\":false,\"isMetric\":true,\"hidden\":true}],\"layerId\":\"c7ce8741-3831-487f-8227-1d97a4bf565a\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"c7ce8741-3831-487f-8227-1d97a4bf565a\":{\"columns\":{\"b17e458f-5564-4c49-b5b0-4f26bd3737bc\":{\"label\":\"Host name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a9a3a723-ad58-495c-b744-84990d1a7fb1\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"a9a3a723-ad58-495c-b744-84990d1a7fb1\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"job_id : (\\\"low_count_events_for_a_host_name\\\" ) and result_type : \\\"record\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"b17e458f-5564-4c49-b5b0-4f26bd3737bc\",\"a9a3a723-ad58-495c-b744-84990d1a7fb1\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}}}},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 5 hosts with low traffic anomalies\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":81,\"w\":24,\"h\":15,\"i\":\"694ec862-3b9b-4c2d-9856-6dbec333774d\"},\"panelIndex\":\"694ec862-3b9b-4c2d-9856-6dbec333774d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-1f385df7-2895-46aa-acd1-fb65378dbe61\"}],\"state\":{\"visualization\":{\"layerId\":\"1f385df7-2895-46aa-acd1-fb65378dbe61\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"bfc1fa28-d585-44a7-9dc6-1a89a2ac076a\"},{\"columnId\":\"f305e930-2710-45aa-9fbb-1cd06722e1ce\",\"isTransposed\":false,\"isMetric\":true,\"hidden\":true}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"1f385df7-2895-46aa-acd1-fb65378dbe61\":{\"columns\":{\"bfc1fa28-d585-44a7-9dc6-1a89a2ac076a\":{\"label\":\"Host 
name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f305e930-2710-45aa-9fbb-1cd06722e1ce\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"f305e930-2710-45aa-9fbb-1cd06722e1ce\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"job_id : (\\\"high_count_events_for_a_host_name\\\" ) and result_type : \\\"record\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false}}},\"columnOrder\":[\"bfc1fa28-d585-44a7-9dc6-1a89a2ac076a\",\"f305e930-2710-45aa-9fbb-1cd06722e1ce\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}}}},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 5 hosts with high traffic anomalies\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":96,\"w\":24,\"h\":15,\"i\":\"0ddae9ae-f243-4fe9-9f02-0692c89e597e\"},\"panelIndex\":\"0ddae9ae-f243-4fe9-9f02-0692c89e597e\",\"embeddableConfig\":{\"enhancements\":{},\"attributes\":{\"title\":\"Top 5 host names with zero traffic 
count\",\"visualizationType\":\"lnsDatatable\",\"state\":{\"visualization\":{\"layerId\":\"ccb0e613-5210-466d-b06c-dd551d3d2c3d\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"4e6985ee-e7c1-436e-92b9-8533edbde0d0\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"fb904bf7-140d-448d-94e8-b4f99b363eba\",\"isTransposed\":false,\"isMetric\":true,\"hidden\":true}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"ccb0e613-5210-466d-b06c-dd551d3d2c3d\":{\"columns\":{\"4e6985ee-e7c1-436e-92b9-8533edbde0d0\":{\"label\":\"Host name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"fb904bf7-140d-448d-94e8-b4f99b363eba\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"fb904bf7-140d-448d-94e8-b4f99b363eba\":{\"label\":\"Median of actual\",\"dataType\":\"number\",\"operationType\":\"median\",\"sourceField\":\"actual\",\"isBucketed\":false,\"scale\":\"ratio\",\"filter\":{\"query\":\"job_id : (\\\"high_count_events_for_a_host_name\\\" or \\\"low_count_events_for_a_host_name\\\" ) and result_type : \\\"record\\\" and 
actual:0\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"4e6985ee-e7c1-436e-92b9-8533edbde0d0\",\"fb904bf7-140d-448d-94e8-b4f99b363eba\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}},\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-ccb0e613-5210-466d-b06c-dd551d3d2c3d\"}],\"type\":\"lens\",\"savedObjectId\":\"0c768d12-300d-4b07-aff5-dffbf394e1f5\"}}}]", - "title": "Host Traffic Anomalies" - }, - "references": [ - { - "type": "index-pattern", - "id": "logs-*", - "name": "d5406e02-23be-4706-b754-6c98322988f0:indexpattern-datasource-layer-0878cf0f-9248-4259-9fde-be7d100dd7da" - }, - { - "type": "index-pattern", - "id": "logs-*", - "name": "095364c8-b16f-4a65-bc20-7e3d6434a7c5:indexpattern-datasource-layer-f4e80a32-b042-4b35-a6f1-e63ca1f73810" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "17cbd05f-fe7c-409e-97ae-780476124c04:indexpattern-datasource-layer-5c67ed52-f853-4732-bdc0-8f6f26cff79d" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "d7840b4a-1b5d-444c-86b8-eebf0434709a:indexpattern-datasource-layer-6dc48429-d618-4e6a-a307-9944d2ee13b7" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "ff1b9e2c-5eda-4562-988c-081ed5cf6e73:indexpattern-datasource-layer-6dc48429-d618-4e6a-a307-9944d2ee13b7" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "1a35a792-12de-4450-a129-ace659dabd01:indexpattern-datasource-layer-6dc48429-d618-4e6a-a307-9944d2ee13b7" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "6ca0394b-fa7b-4efe-b17d-e0823e8087b3:indexpattern-datasource-layer-914f81de-6cbc-4863-9e44-b69d323d41d2" - }, - { - "type": 
"index-pattern", - "id": ".ml-anomalies-shared", - "name": "271e0000-4a5f-44fc-a346-f18b7642affb:indexpattern-datasource-layer-914f81de-6cbc-4863-9e44-b69d323d41d2" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "a4b62995-53a2-4172-baa7-dd1bd915ac7d:indexpattern-datasource-layer-d437f4ff-74ee-4331-801b-be6e5c990de0" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "a4b62995-53a2-4172-baa7-dd1bd915ac7d:indexpattern-datasource-layer-230b3abd-6bbd-4a50-8e51-14524532ad06" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "c56c231d-ca87-4311-9827-50562563cf34:indexpattern-datasource-layer-c79ffa3c-754a-48ab-ba60-46afd0d7ff3c" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "c56c231d-ca87-4311-9827-50562563cf34:indexpattern-datasource-layer-a4a449ad-43c4-4d81-bb00-92ce098247a6" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "c56c231d-ca87-4311-9827-50562563cf34:indexpattern-datasource-layer-b36bcefe-42ed-4e91-b487-4b2c8652f4f5" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "7730f065-9101-453b-886c-addc2f2fa726:indexpattern-datasource-layer-c7ce8741-3831-487f-8227-1d97a4bf565a" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "694ec862-3b9b-4c2d-9856-6dbec333774d:indexpattern-datasource-layer-1f385df7-2895-46aa-acd1-fb65378dbe61" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "0ddae9ae-f243-4fe9-9f02-0692c89e597e:indexpattern-datasource-layer-ccb0e613-5210-466d-b06c-dd551d3d2c3d" - }, - { - "name": "controlGroup_9c3b118a-6b55-43c2-8f8a-7905debfeaf1:optionsListDataView", - "type": "index-pattern", - "id": "logs-*" - }, - { - "name": "controlGroup_62d77b7e-89ca-4cd9-8528-8102395c7beb:optionsListDataView", - "type": "index-pattern", - "id": "logs-*" - }, - { - "type": "tag", - "id": "hta-192d4418-0096-4ebd-9699-d961b8c8f6f7", - "name": 
"tag-hta-192d4418-0096-4ebd-9699-d961b8c8f6f7" - } - ] -} \ No newline at end of file diff --git a/packages/hta/kibana/dashboard/hta-euid-9ab90b79-7549-4329-98a4-37262834d875.json b/packages/hta/kibana/dashboard/hta-euid-9ab90b79-7549-4329-98a4-37262834d875.json new file mode 100644 index 00000000000..e9a21070420 --- /dev/null +++ b/packages/hta/kibana/dashboard/hta-euid-9ab90b79-7549-4329-98a4-37262834d875.json 
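Review bot: The deleted "Host Traffic Anomalies" dashboard carries a typo in the filters column `afcd1239-1670-4b38-97c6-60dd18720834` of the "Anomalies detected over time" panel, where the second filter is labelled "High Traffic Anomalis" beside "Low Traffic Anomalies". Because the replacement `hta-euid-9ab90b79-7549-4329-98a4-37262834d875.json` is added as a new file rather than a rename, the copied panelsJSON should be checked so that label reads "High Traffic Anomalies" instead of inheriting the typo.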
@@ -0,0 +1,122 @@ +{ + "id": "hta-euid-9ab90b79-7549-4329-98a4-37262834d875", + "type": "dashboard", + "coreMigrationVersion": "8.8.0", + "migrationVersion": { + "dashboard": "8.9.0" + }, + "attributes": { + "version": 1, + "controlGroupInput": { + "controlStyle": "oneLine", + "chainingSystem": "HIERARCHICAL", + "panelsJSON": "{\"9c3b118a-6b55-43c2-8f8a-7905debfeaf1\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":false,\"width\":\"medium\",\"explicitInput\":{\"id\":\"9c3b118a-6b55-43c2-8f8a-7905debfeaf1\",\"fieldName\":\"host.name\",\"title\":\"host.name\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{},\"existsSelected\":true,\"selectedOptions\":[]}},\"62d77b7e-89ca-4cd9-8528-8102395c7beb\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":false,\"width\":\"medium\",\"explicitInput\":{\"id\":\"62d77b7e-89ca-4cd9-8528-8102395c7beb\",\"fieldName\":\"event.dataset\",\"title\":\"event.dataset\",\"grow\":false,\"width\":\"medium\",\"enhancements\":{}}}}", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}" + }, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "description": "This dashboard helps detect and understand traffic anomalies from hosts, such as sudden spikes or drops, which may indicate threats or system issues.", + "timeRestore": false, + "optionsJSON": "{\"useMargins\":true,\"syncColors\":true,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}", + "panelsJSON": "[{\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":15,\"h\":20,\"i\":\"2189938b-ac38-4a01-85a2-d05ef370375f\"},\"panelIndex\":\"2189938b-ac38-4a01-85a2-d05ef370375f\",\"embeddableConfig\":{\"savedVis\":{\"id\":\"\",\"title\":\"\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"### Description\\nThis dashboard helps detect and 
understand traffic anomalies from hosts, such as sudden spikes or drops, which may indicate threats or system issues.\\n\\n### Instructions\\nEnable the following jobs in order to detect host traffic anomalies:\\n- high_count_events_for_a_host_name_euid\\n- low_count_events_for_a_host_name_euid\\n\\n### How to enable jobs\\nGo to **Machine Learning** **->** Under Anomaly Detection, select **Jobs** **->** Click **Create anomaly detection job** button **->** Select your data view (ex: \\\"logs-*\\\") **->** Select **Security: Host** **->** Click **Create jobs**\\n\\n[Documentation link 🔗](https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html#security-host)\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"enhancements\":{},\"hidePanelTitles\":true},\"title\":\"Description\"},{\"type\":\"lens\",\"gridData\":{\"x\":15,\"y\":0,\"w\":10,\"h\":7,\"i\":\"d5406e02-23be-4706-b754-6c98322988f0\"},\"panelIndex\":\"d5406e02-23be-4706-b754-6c98322988f0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0878cf0f-9248-4259-9fde-be7d100dd7da\"}],\"state\":{\"visualization\":{\"layerId\":\"0878cf0f-9248-4259-9fde-be7d100dd7da\",\"layerType\":\"data\",\"metricAccessor\":\"0c941069-ccc2-461e-8a74-3e635d691757\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"0878cf0f-9248-4259-9fde-be7d100dd7da\":{\"columns\":{\"0c941069-ccc2-461e-8a74-3e635d691757X0\":{\"label\":\"Part of Total Hosts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"filter\":{\"query\":\"event.category:* AND host.name:* AND event.dataset:* AND event.outcome: 
\\\"success\\\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"0c941069-ccc2-461e-8a74-3e635d691757\":{\"label\":\"Total Hosts\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"unique_count(host.name)\",\"isFormulaBroken\":false},\"references\":[\"0c941069-ccc2-461e-8a74-3e635d691757X0\"],\"filter\":{\"query\":\"event.category:* AND host.name:* AND event.dataset:* AND event.outcome: \\\"success\\\"\",\"language\":\"kuery\"},\"customLabel\":true}},\"columnOrder\":[\"0c941069-ccc2-461e-8a74-3e635d691757\",\"0c941069-ccc2-461e-8a74-3e635d691757X0\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\"logs-*\"}},\"currentIndexPatternId\":\"logs-*\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"lens\",\"gridData\":{\"x\":25,\"y\":0,\"w\":12,\"h\":7,\"i\":\"095364c8-b16f-4a65-bc20-7e3d6434a7c5\"},\"panelIndex\":\"095364c8-b16f-4a65-bc20-7e3d6434a7c5\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-f4e80a32-b042-4b35-a6f1-e63ca1f73810\"}],\"state\":{\"visualization\":{\"layerId\":\"f4e80a32-b042-4b35-a6f1-e63ca1f73810\",\"layerType\":\"data\",\"metricAccessor\":\"a3bbfd29-c023-41ce-8ebe-14fb165e36cc\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"f4e80a32-b042-4b35-a6f1-e63ca1f73810\":{\"columns\":{\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX0\":{\"label\":\"Part of Average traffic data\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"event.category:* AND host.name:* AND 
event.dataset:* AND event.outcome: \\\"success\\\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX1\":{\"label\":\"Part of Average traffic data\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"filter\":{\"query\":\"event.category:* AND host.name:* AND event.dataset:* AND event.outcome: \\\"success\\\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX2\":{\"label\":\"Part of Average traffic data\",\"dataType\":\"number\",\"operationType\":\"math\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"tinymathAst\":{\"type\":\"function\",\"name\":\"divide\",\"args\":[{\"type\":\"function\",\"name\":\"divide\",\"args\":[\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX0\",\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX1\"],\"location\":{\"min\":1,\"max\":32},\"text\":\"count()/unique_count(host.name)\"},1000000],\"location\":{\"min\":0,\"max\":41},\"text\":\"(count()/unique_count(host.name))/1000000\"}},\"references\":[\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX0\",\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX1\"],\"customLabel\":true},\"a3bbfd29-c023-41ce-8ebe-14fb165e36cc\":{\"label\":\"Average traffic data\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"(count()/unique_count(host.name))/1000000\",\"isFormulaBroken\":false,\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2,\"suffix\":\"mbps\"}}},\"references\":[\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX2\"],\"filter\":{\"query\":\"event.category:* AND host.name:* AND event.dataset:* AND event.outcome: 
\\\"success\\\"\",\"language\":\"kuery\"},\"customLabel\":true}},\"columnOrder\":[\"a3bbfd29-c023-41ce-8ebe-14fb165e36cc\",\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX0\",\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX1\",\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX2\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\"logs-*\"}},\"currentIndexPatternId\":\"logs-*\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"lens\",\"gridData\":{\"x\":37,\"y\":0,\"w\":11,\"h\":7,\"i\":\"17cbd05f-fe7c-409e-97ae-780476124c04\"},\"panelIndex\":\"17cbd05f-fe7c-409e-97ae-780476124c04\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-5c67ed52-f853-4732-bdc0-8f6f26cff79d\"}],\"state\":{\"visualization\":{\"layerId\":\"5c67ed52-f853-4732-bdc0-8f6f26cff79d\",\"layerType\":\"data\",\"metricAccessor\":\"fb2439f6-2fdf-4d84-98c1-74d38902671c\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"5c67ed52-f853-4732-bdc0-8f6f26cff79d\":{\"columns\":{\"fb2439f6-2fdf-4d84-98c1-74d38902671c\":{\"label\":\"Hosts with unusual traffic\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true,\"filter\":{\"query\":\"job_id : (\\\"high_count_events_for_a_host_name_euid\\\" or \\\"low_count_events_for_a_host_name_euid\\\" ) and result_type :\\\"record\\\" 
\",\"language\":\"kuery\"}}},\"columnOrder\":[\"fb2439f6-2fdf-4d84-98c1-74d38902671c\"],\"incompleteColumns\":{}}}},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":true}},{\"type\":\"lens\",\"gridData\":{\"x\":15,\"y\":7,\"w\":10,\"h\":13,\"i\":\"d7840b4a-1b5d-444c-86b8-eebf0434709a\"},\"panelIndex\":\"d7840b4a-1b5d-444c-86b8-eebf0434709a\",\"embeddableConfig\":{\"hidePanelTitles\":true,\"enhancements\":{},\"attributes\":{\"title\":\"Total anomalies detected\",\"visualizationType\":\"lnsMetric\",\"state\":{\"visualization\":{\"layerId\":\"6dc48429-d618-4e6a-a307-9944d2ee13b7\",\"layerType\":\"data\",\"metricAccessor\":\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\",\"color\":\"#AA6556\",\"icon\":\"sortUp\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"6dc48429-d618-4e6a-a307-9944d2ee13b7\":{\"columns\":{\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\":{\"label\":\"Total anomalies detected\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":false},\"filter\":{\"query\":\"job_id : (\\\"high_count_events_for_a_host_name_euid\\\" or \\\"low_count_events_for_a_host_name_euid\\\" ) and result_type : 
\\\"record\\\"\",\"language\":\"kuery\"},\"customLabel\":true}},\"columnOrder\":[\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}},\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-6dc48429-d618-4e6a-a307-9944d2ee13b7\"}],\"type\":\"lens\",\"savedObjectId\":\"fca78426-ea3d-4902-b761-2928d23a1191\"}}},{\"type\":\"lens\",\"gridData\":{\"x\":37,\"y\":7,\"w\":11,\"h\":13,\"i\":\"ff1b9e2c-5eda-4562-988c-081ed5cf6e73\"},\"panelIndex\":\"ff1b9e2c-5eda-4562-988c-081ed5cf6e73\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-6dc48429-d618-4e6a-a307-9944d2ee13b7\"}],\"state\":{\"visualization\":{\"layerId\":\"6dc48429-d618-4e6a-a307-9944d2ee13b7\",\"layerType\":\"data\",\"metricAccessor\":\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\",\"breakdownByAccessor\":\"ef522b68-f45e-43dd-9db4-aaccfc594e35\",\"maxCols\":1,\"color\":\"#6092C0\",\"icon\":\"sortDown\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"6dc48429-d618-4e6a-a307-9944d2ee13b7\":{\"columns\":{\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"filter\":{\"query\":\"job_id : ( \\\"low_count_events_for_a_host_name_euid\\\" ) and result_type :\\\"record\\\" 
\",\"language\":\"kuery\"}},\"ef522b68-f45e-43dd-9db4-aaccfc594e35\":{\"label\":\"Filters\",\"dataType\":\"string\",\"operationType\":\"filters\",\"scale\":\"ordinal\",\"isBucketed\":true,\"params\":{\"filters\":[{\"label\":\"Low Traffic Anomalies\",\"input\":{\"query\":\"\\\"job_id\\\" : \\\"low_count_events_for_a_host_name_euid\\\" \",\"language\":\"kuery\"}}]}}},\"columnOrder\":[\"ef522b68-f45e-43dd-9db4-aaccfc594e35\",\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"lens\",\"gridData\":{\"x\":25,\"y\":7,\"w\":12,\"h\":13,\"i\":\"1a35a792-12de-4450-a129-ace659dabd01\"},\"panelIndex\":\"1a35a792-12de-4450-a129-ace659dabd01\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-6dc48429-d618-4e6a-a307-9944d2ee13b7\"}],\"state\":{\"visualization\":{\"layerId\":\"6dc48429-d618-4e6a-a307-9944d2ee13b7\",\"layerType\":\"data\",\"metricAccessor\":\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\",\"color\":\"#E7664C\",\"icon\":\"sortUp\",\"breakdownByAccessor\":\"25a19bc8-91e1-4861-92ff-9e18f1432d3f\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"6dc48429-d618-4e6a-a307-9944d2ee13b7\":{\"columns\":{\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":false},\"filter\":{\"query\":\"job_id : \\\"high_count_events_for_a_host_name_euid\\\" and result_type : \\\"record\\\" 
\",\"language\":\"kuery\"}},\"25a19bc8-91e1-4861-92ff-9e18f1432d3f\":{\"label\":\"Filters\",\"dataType\":\"string\",\"operationType\":\"filters\",\"scale\":\"ordinal\",\"isBucketed\":true,\"params\":{\"filters\":[{\"input\":{\"query\":\"job_id : (\\\"high_count_events_for_a_host_name_euid\\\" )\",\"language\":\"kuery\"},\"label\":\"High Traffic Anomalies\"}]}}},\"columnOrder\":[\"25a19bc8-91e1-4861-92ff-9e18f1432d3f\",\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"ml_anomaly_swimlane\",\"gridData\":{\"x\":0,\"y\":20,\"w\":48,\"h\":17,\"i\":\"2459f8bb-d57f-49ec-b472-aa1328baebd8\"},\"panelIndex\":\"2459f8bb-d57f-49ec-b472-aa1328baebd8\",\"embeddableConfig\":{\"jobIds\":[\"low_count_events_for_a_host_name_euid\",\"high_count_events_for_a_host_name_euid\"],\"panelTitle\":\"Anomalies detected per host\",\"swimlaneType\":\"viewBy\",\"viewBy\":\"host.name\",\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Hosts with unusual traffic 
patterns\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":37,\"w\":24,\"h\":15,\"i\":\"6ca0394b-fa7b-4efe-b17d-e0823e8087b3\"},\"panelIndex\":\"6ca0394b-fa7b-4efe-b17d-e0823e8087b3\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-914f81de-6cbc-4863-9e44-b69d323d41d2\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":false,\"position\":\"bottom\",\"isInside\":false,\"showSingleSeries\":false},\"valueLabels\":\"show\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal_stacked\",\"layers\":[{\"layerId\":\"914f81de-6cbc-4863-9e44-b69d323d41d2\",\"accessors\":[\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\"],\"position\":\"top\",\"seriesType\":\"bar_horizontal_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"splitAccessor\":\"f6970021-0d2e-4c33-9a26-9e15030a157a\",\"xAccessor\":\"e7bc81ec-8882-4d97-816e-053c19412845\",\"palette\":{\"type\":\"palette\",\"name\":\"complimentary\"}}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"914f81de-6cbc-4863-9e44-b69d323d41d2\":{\"columns\":{\"f6970021-0d2e-4c33-9a26-9e15030a157a\":{\"label\":\"Filters\",\"dataType\":\"string\",\"operationType\":\"filters\",\"scale\":\"ordinal\",\"isBucketed\":true,\"params\":{\"filters\":[{\"label\":\"\",\"input\":{\"query\":\"job_id : \\\"low_count_events_for_a_host_name_euid\\\" and result_type : \\\"record\\\" \",\"language\":\"kuery\"}}]}},\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"e7bc81ec-8882-4d97-816e-053c19412845\":{\"label\":\"Top 5 values of host.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"f6970021-0d2e-4c33-9a26-9e15030a157a\",\"e7bc81ec-8882-4d97-816e-053c19412845\",\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 5 low traffic 
hosts\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":37,\"w\":24,\"h\":15,\"i\":\"271e0000-4a5f-44fc-a346-f18b7642affb\"},\"panelIndex\":\"271e0000-4a5f-44fc-a346-f18b7642affb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-914f81de-6cbc-4863-9e44-b69d323d41d2\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":false,\"position\":\"bottom\",\"shouldTruncate\":true,\"showSingleSeries\":false},\"valueLabels\":\"show\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal_stacked\",\"layers\":[{\"layerId\":\"914f81de-6cbc-4863-9e44-b69d323d41d2\",\"accessors\":[\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\"],\"position\":\"top\",\"seriesType\":\"bar_horizontal_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"splitAccessor\":\"f6970021-0d2e-4c33-9a26-9e15030a157a\",\"xAccessor\":\"e7bc81ec-8882-4d97-816e-053c19412845\",\"palette\":{\"type\":\"palette\",\"name\":\"warm\"}}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"914f81de-6cbc-4863-9e44-b69d323d41d2\":{\"columns\":{\"f6970021-0d2e-4c33-9a26-9e15030a157a\":{\"label\":\"Filters\",\"dataType\":\"string\",\"operationType\":\"filters\",\"scale\":\"ordinal\",\"isBucketed\":true,\"params\":{\"filters\":[{\"label\":\"\",\"input\":{\"query\":\"job_id : \\\"high_count_events_for_a_host_name_euid\\\" and result_type : \\\"record\\\" \",\"language\":\"kuery\"}}]}},\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"e7bc81ec-8882-4d97-816e-053c19412845\":{\"label\":\"Top 5 values of host.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"f6970021-0d2e-4c33-9a26-9e15030a157a\",\"e7bc81ec-8882-4d97-816e-053c19412845\",\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 5 high traffic 
hosts\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":52,\"w\":48,\"h\":16,\"i\":\"a4b62995-53a2-4172-baa7-dd1bd915ac7d\"},\"panelIndex\":\"a4b62995-53a2-4172-baa7-dd1bd915ac7d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-d437f4ff-74ee-4331-801b-be6e5c990de0\"},{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-230b3abd-6bbd-4a50-8e51-14524532ad06\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"Linear\",\"curveType\":\"CURVE_MONOTONE_X\",\"showCurrentTimeMarker\":false,\"valuesInLegend\":true,\"yLeftScale\":\"sqrt\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"d437f4ff-74ee-4331-801b-be6e5c990de0\",\"accessors\":[\"e984c84e-806f-46a4-8ab1-0b0aa4a23fd6\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"05c80e04-0870-4876-a665-b4844ed36eb1\",\"splitAccessor\":\"206e9fca-0d44-41c6-9451-c7ed6d532d67\"},{\"layerId\":\"230b3abd-6bbd-4a50-8e51-14524532ad06\",\"layerType\":\"data\",\"accessors\":[\"34af8905-9648-4963-8c6e-f36fa638a8e1\"],\"seriesType\":\"line\",\"xAccessor\":\"3a80d472-891e-4958-a27c-822d5d561b64\",\"yConfig\":[{\"forAccessor\":\"34af8905-9648-4963-8c6e-f36fa638a8e1\",\"color\":\"#e7664c\"}],\"splitAccessor\":\"6d21d26b-7857-408f-917a-51dc7468fe9d\"}],\"endValue\":\"Zero\"},\"query\":{\"query\":\"job_id: (\\\"high_count_events_for_a_host_name_euid\\\" ) and host.name : * and result_type : 
\\\"record\\\" \",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"result_type\",\"params\":{\"query\":\"influencer\"},\"index\":\"1acb5707-28a3-4440-800c-70da0d87725f\"},\"query\":{\"match_phrase\":{\"result_type\":\"influencer\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d437f4ff-74ee-4331-801b-be6e5c990de0\":{\"columns\":{\"05c80e04-0870-4876-a665-b4844ed36eb1\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":false,\"dropPartials\":true}},\"e984c84e-806f-46a4-8ab1-0b0aa4a23fd6\":{\"label\":\"Average of actual\",\"dataType\":\"number\",\"operationType\":\"average\",\"sourceField\":\"actual\",\"isBucketed\":false,\"scale\":\"ratio\",\"filter\":{\"query\":\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true}},\"206e9fca-0d44-41c6-9451-c7ed6d532d67\":{\"label\":\"Top 300 values of 
host.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":300,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e984c84e-806f-46a4-8ab1-0b0aa4a23fd6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"05c80e04-0870-4876-a665-b4844ed36eb1\",\"206e9fca-0d44-41c6-9451-c7ed6d532d67\",\"e984c84e-806f-46a4-8ab1-0b0aa4a23fd6\"],\"incompleteColumns\":{},\"sampling\":1},\"230b3abd-6bbd-4a50-8e51-14524532ad06\":{\"linkToLayers\":[],\"columns\":{\"3a80d472-891e-4958-a27c-822d5d561b64\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":true}},\"34af8905-9648-4963-8c6e-f36fa638a8e1\":{\"label\":\"Average of typical\",\"dataType\":\"number\",\"operationType\":\"average\",\"sourceField\":\"typical\",\"isBucketed\":false,\"scale\":\"ratio\",\"filter\":{\"query\":\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true}},\"6d21d26b-7857-408f-917a-51dc7468fe9d\":{\"label\":\"Top 300 values of 
host.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":300,\"orderBy\":{\"type\":\"column\",\"columnId\":\"34af8905-9648-4963-8c6e-f36fa638a8e1\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"6d21d26b-7857-408f-917a-51dc7468fe9d\",\"3a80d472-891e-4958-a27c-822d5d561b64\",\"34af8905-9648-4963-8c6e-f36fa638a8e1\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}}}},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Hosts with spikes in traffic\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":68,\"w\":48,\"h\":13,\"i\":\"c56c231d-ca87-4311-9827-50562563cf34\"},\"panelIndex\":\"c56c231d-ca87-4311-9827-50562563cf34\",\"embeddableConfig\":{\"enhancements\":{},\"attributes\":{\"title\":\"Anomalies detected over 
time\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-c79ffa3c-754a-48ab-ba60-46afd0d7ff3c\"},{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-a4a449ad-43c4-4d81-bb00-92ce098247a6\"},{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-b36bcefe-42ed-4e91-b487-4b2c8652f4f5\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\",\"legendSize\":\"large\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"c79ffa3c-754a-48ab-ba60-46afd0d7ff3c\",\"accessors\":[\"5a7ea0d2-b833-43a0-b2ee-760491aa7c20\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"palette\":{\"type\":\"palette\",\"name\":\"temperature\"},\"xAccessor\":\"3fc83bd9-2314-436e-8b61-4a8f5694e509\",\"splitAccessor\":\"afcd1239-1670-4b38-97c6-60dd18720834\"},{\"layerId\":\"a4a449ad-43c4-4d81-bb00-92ce098247a6\",\"layerType\":\"data\",\"accessors\":[\"16dbf6a1-9df7-46e0-bb21-f1968227cfb0\"],\"seriesType\":\"line\",\"xAccessor\":\"a5ac8da2-140e-4b67-9685-08424ee93fc3\"},{\"layerId\":\"b36bcefe-42ed-4e91-b487-4b2c8652f4f5\",\"layerType\":\"data\",\"accessors\":[\"4ac4ae30-2b63-4f92-926b-a3367c126709\"],\"seriesType\":\"line\",\"xAccessor\":\"d6a8746c-e875-4e90-b370-16d03e0d0cec\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"c79ffa3c-754a-48ab-ba60-46afd0d7ff3c\":{\"columns\":{\"3fc83bd9-2314-436e-8b61-4a8f
5694e509\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"d\",\"includeEmptyRows\":false,\"dropPartials\":true}},\"afcd1239-1670-4b38-97c6-60dd18720834\":{\"label\":\"Filters\",\"dataType\":\"string\",\"operationType\":\"filters\",\"scale\":\"ordinal\",\"isBucketed\":true,\"params\":{\"filters\":[{\"input\":{\"query\":\"job_id: \\\"low_count_events_for_a_host_name_euid\\\" and result_type : \\\"record\\\" \",\"language\":\"kuery\"},\"label\":\"Low Traffic Anomalies\"},{\"input\":{\"query\":\"job_id: \\\"high_count_events_for_a_host_name_euid\\\" and result_type : \\\"record\\\" \",\"language\":\"kuery\"},\"label\":\"High Traffic Anomalis\"}]}},\"5a7ea0d2-b833-43a0-b2ee-760491aa7c20\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3fc83bd9-2314-436e-8b61-4a8f5694e509\",\"afcd1239-1670-4b38-97c6-60dd18720834\",\"5a7ea0d2-b833-43a0-b2ee-760491aa7c20\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}},\"a4a449ad-43c4-4d81-bb00-92ce098247a6\":{\"linkToLayers\":[],\"columns\":{\"a5ac8da2-140e-4b67-9685-08424ee93fc3\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"d\",\"includeEmptyRows\":false,\"dropPartials\":true}},\"16dbf6a1-9df7-46e0-bb21-f1968227cfb0\":{\"label\":\"Average of actual\",\"dataType\":\"number\",\"operationType\":\"average\",\"sourceField\":\"actual\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true,\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"filter\":{\"query\":\"job_id : 
(\\\"high_count_events_for_a_host_name_euid\\\" or \\\"low_count_events_for_a_host_name_euid\\\" ) and result_type : \\\"record\\\"\",\"language\":\"kuery\"}}},\"columnOrder\":[\"a5ac8da2-140e-4b67-9685-08424ee93fc3\",\"16dbf6a1-9df7-46e0-bb21-f1968227cfb0\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}},\"b36bcefe-42ed-4e91-b487-4b2c8652f4f5\":{\"linkToLayers\":[],\"columns\":{\"d6a8746c-e875-4e90-b370-16d03e0d0cec\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"d\",\"includeEmptyRows\":false,\"dropPartials\":true}},\"4ac4ae30-2b63-4f92-926b-a3367c126709\":{\"label\":\"Average of typical\",\"dataType\":\"number\",\"operationType\":\"average\",\"sourceField\":\"typical\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true,\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"filter\":{\"query\":\"job_id : (\\\"high_count_events_for_a_host_name_euid\\\" or \\\"low_count_events_for_a_host_name_euid\\\" ) and result_type : 
\\\"record\\\"\",\"language\":\"kuery\"}}},\"columnOrder\":[\"d6a8746c-e875-4e90-b370-16d03e0d0cec\",\"4ac4ae30-2b63-4f92-926b-a3367c126709\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}}}},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}}}},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":81,\"w\":24,\"h\":15,\"i\":\"7730f065-9101-453b-886c-addc2f2fa726\"},\"panelIndex\":\"7730f065-9101-453b-886c-addc2f2fa726\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-c7ce8741-3831-487f-8227-1d97a4bf565a\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"b17e458f-5564-4c49-b5b0-4f26bd3737bc\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"a9a3a723-ad58-495c-b744-84990d1a7fb1\",\"isTransposed\":false,\"isMetric\":true,\"hidden\":true}],\"layerId\":\"c7ce8741-3831-487f-8227-1d97a4bf565a\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"c7ce8741-3831-487f-8227-1d97a4bf565a\":{\"columns\":{\"b17e458f-5564-4c49-b5b0-4f26bd3737bc\":{\"label\":\"Host name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a9a3a723-ad58-495c-b744-84990d1a7fb1\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"a9a3a723-ad58-495c-b744-84990d1a7fb1\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"job_id : (\\\"low_count_events_for_a_host_name_euid\\\" ) and result_type : \\\"record\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"b17e458f-5564-4c49-b5b0-4f26bd3737bc\",\"a9a3a723-ad58-495c-b744-84990d1a7fb1\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}}}},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 5 hosts with low traffic anomalies\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":81,\"w\":24,\"h\":15,\"i\":\"694ec862-3b9b-4c2d-9856-6dbec333774d\"},\"panelIndex\":\"694ec862-3b9b-4c2d-9856-6dbec333774d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-1f385df7-2895-46aa-acd1-fb65378dbe61\"}],\"state\":{\"visualization\":{\"layerId\":\"1f385df7-2895-46aa-acd1-fb65378dbe61\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"bfc1fa28-d585-44a7-9dc6-1a89a2ac076a\"},{\"columnId\":\"f305e930-2710-45aa-9fbb-1cd06722e1ce\",\"isTransposed\":false,\"isMetric\":true,\"hidden\":true}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"1f385df7-2895-46aa-acd1-fb65378dbe61\":{\"columns\":{\"bfc1fa28-d585-44a7-9dc6-1a89a2ac076a\":{\"label\":\"Host 
name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f305e930-2710-45aa-9fbb-1cd06722e1ce\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"f305e930-2710-45aa-9fbb-1cd06722e1ce\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"job_id : (\\\"high_count_events_for_a_host_name_euid\\\" ) and result_type : \\\"record\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false}}},\"columnOrder\":[\"bfc1fa28-d585-44a7-9dc6-1a89a2ac076a\",\"f305e930-2710-45aa-9fbb-1cd06722e1ce\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}}}},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 5 hosts with high traffic anomalies\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":96,\"w\":24,\"h\":15,\"i\":\"0ddae9ae-f243-4fe9-9f02-0692c89e597e\"},\"panelIndex\":\"0ddae9ae-f243-4fe9-9f02-0692c89e597e\",\"embeddableConfig\":{\"enhancements\":{},\"attributes\":{\"title\":\"Top 5 host names with zero traffic 
count\",\"visualizationType\":\"lnsDatatable\",\"state\":{\"visualization\":{\"layerId\":\"ccb0e613-5210-466d-b06c-dd551d3d2c3d\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"4e6985ee-e7c1-436e-92b9-8533edbde0d0\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"fb904bf7-140d-448d-94e8-b4f99b363eba\",\"isTransposed\":false,\"isMetric\":true,\"hidden\":true}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"ccb0e613-5210-466d-b06c-dd551d3d2c3d\":{\"columns\":{\"4e6985ee-e7c1-436e-92b9-8533edbde0d0\":{\"label\":\"Host name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"fb904bf7-140d-448d-94e8-b4f99b363eba\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"fb904bf7-140d-448d-94e8-b4f99b363eba\":{\"label\":\"Median of actual\",\"dataType\":\"number\",\"operationType\":\"median\",\"sourceField\":\"actual\",\"isBucketed\":false,\"scale\":\"ratio\",\"filter\":{\"query\":\"job_id : (\\\"high_count_events_for_a_host_name_euid\\\" or \\\"low_count_events_for_a_host_name_euid\\\" ) and result_type : \\\"record\\\" and 
actual:0\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"4e6985ee-e7c1-436e-92b9-8533edbde0d0\",\"fb904bf7-140d-448d-94e8-b4f99b363eba\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}},\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-ccb0e613-5210-466d-b06c-dd551d3d2c3d\"}],\"type\":\"lens\",\"savedObjectId\":\"0c768d12-300d-4b07-aff5-dffbf394e1f5\"}}}]", + "title": "Host Traffic Anomalies (EUID)" + }, + "references": [ + { + "type": "index-pattern", + "id": "logs-*", + "name": "d5406e02-23be-4706-b754-6c98322988f0:indexpattern-datasource-layer-0878cf0f-9248-4259-9fde-be7d100dd7da" + }, + { + "type": "index-pattern", + "id": "logs-*", + "name": "095364c8-b16f-4a65-bc20-7e3d6434a7c5:indexpattern-datasource-layer-f4e80a32-b042-4b35-a6f1-e63ca1f73810" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "17cbd05f-fe7c-409e-97ae-780476124c04:indexpattern-datasource-layer-5c67ed52-f853-4732-bdc0-8f6f26cff79d" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "d7840b4a-1b5d-444c-86b8-eebf0434709a:indexpattern-datasource-layer-6dc48429-d618-4e6a-a307-9944d2ee13b7" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "ff1b9e2c-5eda-4562-988c-081ed5cf6e73:indexpattern-datasource-layer-6dc48429-d618-4e6a-a307-9944d2ee13b7" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "1a35a792-12de-4450-a129-ace659dabd01:indexpattern-datasource-layer-6dc48429-d618-4e6a-a307-9944d2ee13b7" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "6ca0394b-fa7b-4efe-b17d-e0823e8087b3:indexpattern-datasource-layer-914f81de-6cbc-4863-9e44-b69d323d41d2" + }, + { + 
"type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "271e0000-4a5f-44fc-a346-f18b7642affb:indexpattern-datasource-layer-914f81de-6cbc-4863-9e44-b69d323d41d2" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "a4b62995-53a2-4172-baa7-dd1bd915ac7d:indexpattern-datasource-layer-d437f4ff-74ee-4331-801b-be6e5c990de0" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "a4b62995-53a2-4172-baa7-dd1bd915ac7d:indexpattern-datasource-layer-230b3abd-6bbd-4a50-8e51-14524532ad06" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "c56c231d-ca87-4311-9827-50562563cf34:indexpattern-datasource-layer-c79ffa3c-754a-48ab-ba60-46afd0d7ff3c" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "c56c231d-ca87-4311-9827-50562563cf34:indexpattern-datasource-layer-a4a449ad-43c4-4d81-bb00-92ce098247a6" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "c56c231d-ca87-4311-9827-50562563cf34:indexpattern-datasource-layer-b36bcefe-42ed-4e91-b487-4b2c8652f4f5" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "7730f065-9101-453b-886c-addc2f2fa726:indexpattern-datasource-layer-c7ce8741-3831-487f-8227-1d97a4bf565a" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "694ec862-3b9b-4c2d-9856-6dbec333774d:indexpattern-datasource-layer-1f385df7-2895-46aa-acd1-fb65378dbe61" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "0ddae9ae-f243-4fe9-9f02-0692c89e597e:indexpattern-datasource-layer-ccb0e613-5210-466d-b06c-dd551d3d2c3d" + }, + { + "name": "controlGroup_9c3b118a-6b55-43c2-8f8a-7905debfeaf1:optionsListDataView", + "type": "index-pattern", + "id": "logs-*" + }, + { + "name": "controlGroup_62d77b7e-89ca-4cd9-8528-8102395c7beb:optionsListDataView", + "type": "index-pattern", + "id": "logs-*" + }, + { + "type": "tag", + "id": "hta-192d4418-0096-4ebd-9699-d961b8c8f6f7", + 
"name": "tag-hta-192d4418-0096-4ebd-9699-d961b8c8f6f7" + } + ] +} \ No newline at end of file diff --git a/packages/hta/manifest.yml b/packages/hta/manifest.yml index 78f374fee47..ef32d368994 100644 --- a/packages/hta/manifest.yml +++ b/packages/hta/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.0 name: hta title: "Host Traffic Anomalies" -version: 1.0.1 +version: 2.0.0 source: license: "Elastic-2.0" description: "Prebuilt dashboard for Machine Learning module Security: Host." @@ -10,7 +10,7 @@ categories: - security conditions: kibana: - version: "^8.18.0 || ^9.0.0" + version: "^9.4.0" elastic: subscription: platinum capabilities: From 6b14d8fb0d583e0d23d34f1d15e115a806744b82 Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Wed, 4 Mar 2026 13:28:32 -0600 Subject: [PATCH 06/44] restore host.name/user.name in influencers --- packages/ded/kibana/ml_module/ded-ml.json | 16 +- packages/dga/kibana/ml_module/dga-ml.json | 5 +- packages/lmd/kibana/ml_module/lmd-ml.json | 24 +- packages/pad/kibana/ml_module/pad-ml.json | 4984 +++++++++-------- .../kibana/ml_module/problemchild-ml.json | 18 +- 5 files changed, 2576 insertions(+), 2471 deletions(-) diff --git a/packages/ded/kibana/ml_module/ded-ml.json b/packages/ded/kibana/ml_module/ded-ml.json index 71edc727a73..b137a5d5587 100644 --- a/packages/ded/kibana/ml_module/ded-ml.json +++ b/packages/ded/kibana/ml_module/ded-ml.json @@ -69,7 +69,9 @@ ], "influencers": [ "host.entity.id_computed", + "host.name", "user.entity.id_computed", + "user.name", "process.name", "source.ip", "destination.ip", @@ -108,7 +110,9 @@ ], "influencers": [ "host.entity.id_computed", + "host.name", "user.entity.id_computed", + "user.name", "process.name", "source.ip", "destination.ip" @@ -144,7 +148,9 @@ ], "influencers": [ "host.entity.id_computed", + "host.name", "user.entity.id_computed", + "user.name", "process.name", "source.ip", "destination.ip", 
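Review bot: in the hta dashboard JSON, the two "Top 5 hosts" panels are otherwise identical but the low-traffic panel's count column sets `"emptyAsNull": true` while the high-traffic panel's sets `"emptyAsNull": false`; pick one so that hosts with no anomaly records are treated the same way in both tables. The same panels hardcode the job ids in their KQL filters (`job_id : ("low_count_events_for_a_host_name_euid")` and `high_count_events_for_a_host_name_euid`), so any later rename of the hta jobs empties these panels without error; worth a comment in the package README or a check in the package tests. The file also still ends with `\ No newline at end of file`, unlike the ml_module JSON files touched later in this series, which gain the trailing newline.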
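Review bot: the `@@ -10,7 +10,7 @@` hunk of packages/hta/manifest.yml narrows `conditions.kibana.version` from `^8.18.0 || ^9.0.0` to `^9.4.0`, which drops every 8.x stack and 9.0 through 9.3; that is what justifies the `1.0.1` to `2.0.0` bump in the first hunk, but the reason (the dashboard now filters on the `*_euid` job ids and the EUID fields) is not recorded anywhere in the visible change, and no packages/hta/changelog.yml edit appears alongside it. Suggest a changelog entry of type `breaking-change` that names the new minimum Kibana version and the EUID dependency, so users on 8.x understand why the upgrade is unavailable.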
@@ -181,7 +187,9 @@ ], "influencers": [ "host.entity.id_computed", + "host.name", "user.entity.id_computed", + "user.name", "process.name", "source.ip", "destination.ip", @@ -219,7 +227,9 @@ ], "influencers": [ "host.entity.id_computed", + "host.name", "user.entity.id_computed", + "user.name", "file.name", "file.path", "file.Ext.device.bus_type", @@ -256,7 +266,9 @@ ], "influencers": [ "host.entity.id_computed", + "host.name", "user.entity.id_computed", + "user.name", "file.name", "file.path", "file.Ext.device.bus_type", @@ -293,7 +305,9 @@ ], "influencers": [ "host.entity.id_computed", + "host.name", "user.entity.id_computed", + "user.name", "file.name", "file.path", "process.name" @@ -598,4 +612,4 @@ }, "references": [], "type": "ml-module" -} \ No newline at end of file +} diff --git a/packages/dga/kibana/ml_module/dga-ml.json b/packages/dga/kibana/ml_module/dga-ml.json index 70e441044d8..9f2ecb7e1dd 100644 --- a/packages/dga/kibana/ml_module/dga-ml.json +++ b/packages/dga/kibana/ml_module/dga-ml.json @@ -48,7 +48,8 @@ ], "influencers": [ "source.ip", - "host.entity.id_computed" + "host.entity.id_computed", + "host.name" ] }, "data_description": { @@ -118,4 +119,4 @@ }, "references": [], "type": "ml-module" -} \ No newline at end of file +} diff --git a/packages/lmd/kibana/ml_module/lmd-ml.json b/packages/lmd/kibana/ml_module/lmd-ml.json index 110659c46df..2ede81672b1 100644 --- a/packages/lmd/kibana/ml_module/lmd-ml.json +++ b/packages/lmd/kibana/ml_module/lmd-ml.json @@ -59,7 +59,9 @@ ], "influencers": [ "host.entity.id_computed", + "host.name", "user.entity.id_computed", + "user.name", "process.name" ] }, @@ -93,7 +95,9 @@ ], "influencers": [ "host.entity.id_computed", + "host.name", "user.entity.id_computed", + "user.name", "process.name" ] }, @@ -127,7 +131,9 @@ ], "influencers": [ "host.entity.id_computed", + "host.name", "user.entity.id_computed", + "user.name", "file.name" ] }, 
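Review bot: the influencer additions in the ded, dga and lmd hunks (`+ "host.name",` and `+ "user.name",` next to the existing `*.entity.id_computed` entries) only have an effect if those fields are present in the documents each datafeed actually reads; an influencer that names a field absent from the analysed data produces no influencer results and raises no error, so the restore can look successful while doing nothing. Since this series renames the packages' pivot transforms to `pivot_transform_euid` and changes their fields.yml, please confirm that the transform output index used by the transform-backed jobs still carries `host.name` and `user.name` alongside the computed entity ids, and that the datafeed `_source` settings do not strip them. The dga hunk adding only `host.name` is consistent with that job having no user entity, but a one-line note in the commit message saying so would save the next reviewer the same question.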
@@ -161,7 +167,9 @@ ], "influencers": [ "host.entity.id_computed", + "host.name", "user.entity.id_computed", + "user.name", "file.path" ] }, @@ -202,7 +210,9 @@ ], "influencers": [ "host.entity.id_computed", + "host.name", "user.entity.id_computed", + "user.name", "source.ip", "destination.ip" ] @@ -244,7 +254,9 @@ ], "influencers": [ "host.entity.id_computed", + "host.name", "user.entity.id_computed", + "user.name", "source.ip", "destination.ip" ] @@ -286,7 +298,9 @@ ], "influencers": [ "host.entity.id_computed", + "host.name", "user.entity.id_computed", + "user.name", "source.ip", "destination.ip" ] @@ -320,7 +334,9 @@ ], "influencers": [ "host.entity.id_computed", + "host.name", "user.entity.id_computed", + "user.name", "destination.ip", "source.ip" ] @@ -355,7 +371,9 @@ ], "influencers": [ "host.entity.id_computed", + "host.name", "user.entity.id_computed", + "user.name", "destination.ip" ] }, @@ -389,7 +407,9 @@ ], "influencers": [ "host.entity.id_computed", + "host.name", "user.entity.id_computed", + "user.name", "source.ip" ] }, @@ -430,7 +450,9 @@ ], "influencers": [ "host.entity.id_computed", + "host.name", "user.entity.id_computed", + "user.name", "source.ip", "destination.ip" ] @@ -959,4 +981,4 @@ }, "references": [], "type": "ml-module" -} \ No newline at end of file +} diff --git a/packages/pad/kibana/ml_module/pad-ml.json b/packages/pad/kibana/ml_module/pad-ml.json index 0334c79f1c2..bc748b152df 100644 --- a/packages/pad/kibana/ml_module/pad-ml.json +++ b/packages/pad/kibana/ml_module/pad-ml.json 
@@ -1,2571 +1,2627 @@ { "attributes": { - "id": "pad-ml", - "title": "Privileged Access Detection", - "description": "Detects anomalous privileged access activity in the Windows, Linux and Okta logs.", - "type": "pad", - "logo": { - "icon": "machineLearningApp" - }, - "query": { - "bool": { - "should": [ - { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "exists": { - "field": "winlog.event_id" + "id": "pad-ml", + "title": "Privileged Access Detection", + "description": "Detects anomalous privileged access activity in the Windows, Linux and Okta logs.", + "type": "pad", + "logo": { + "icon": "machineLearningApp" + }, + "query": { + "bool": { + "should": [ + { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "exists": { + "field": "winlog.event_id" + } + } + ] + } + }, + { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "linux", + "Linux" + ] + } + }, + { + "term": { + "event.category": "process" + } + } + ] + } + }, + { + "exists": { + "field": "privilege_type" + } + }, + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "exists": { + "field": "okta_distinct_ips" + } } - } - ] - } - }, - { - "bool": { - "must": [ - { + ], + "must_not": { "terms": { - "host.os.type": [ - "linux", - "Linux" - ] - } - }, - { - "term": { - "event.category": "process" + "_tier": [ + "data_frozen", + "data_cold" + ] } - } - ] - } - }, - { - "exists": { - "field": "privilege_type" - } - }, - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "exists": { - "field": "okta_distinct_ips" - } - } - ], - "must_not": { - "terms": { - "_tier": [ - "data_frozen", - "data_cold" - ] - } - } - } - }, - "jobs": [ - { - "id": "pad_windows_high_count_special_logon_events_euid", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects unusually high special logon events initiated by a user.", - 
"analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of special logon events", - "function": "high_non_zero_count", - "by_field_name": "event.action", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "winlog.event_data.SubjectUserName", - "winlog.event_data.PrivilegeList", - "winlog.event_data.TargetUserName", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_windows_high_count_special_privilege_use_events_euid", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects unusually high special privilege use events initiated by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of special privilege use events", - "function": "high_non_zero_count", - "by_field_name": "event.action", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "winlog.event_data.SubjectUserName", - "winlog.event_data.PrivilegeList", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_windows_high_count_group_management_events_euid", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects unusually high security group management events initiated by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of security group management events", - "function": "high_non_zero_count", - "by_field_name": "event.action", - "partition_field_name": "user.name", - "detector_index": 0 
- } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "winlog.event_data.SubjectUserName", - "group.name", - "winlog.event_data.TargetUserName" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_windows_high_count_user_account_management_events_euid", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects unusually high security user account management events initiated by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of security user account management events", - "function": "high_non_zero_count", - "by_field_name": "event.action", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "winlog.event_data.SubjectUserName", - "winlog.event_data.TargetUserName" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_windows_rare_privilege_assigned_to_user_euid", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects an unusual privilege type assigned to a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare privilege type by user name", - "function": "rare", - "by_field_name": "privilege_type", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "privilege_type", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_windows_rare_group_name_by_user_euid", - 
"config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects an unusual group name accessed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare group name by user name", - "function": "rare", - "by_field_name": "group.name", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "group.name", - "winlog.event_data.TargetUserName", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_windows_rare_device_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects an unusual device accessed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare device name by user name", - "function": "rare", - "by_field_name": "host.name", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "group.name", - "winlog.event_data.PrivilegeList", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_windows_rare_source_ip_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects an unusual source IP address accessed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare source IP by user name", - "function": "rare", - "by_field_name": "source.ip", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "source.ip", - 
"winlog.event_data.PrivilegeList", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_windows_rare_region_name_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects an unusual region name for a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare region name by user", - "function": "rare", - "by_field_name": "source.geo.region_name", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "source.geo.city_name", - "source.geo.country_name", - "winlog.event_data.PrivilegeList", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_linux_high_count_privileged_process_events_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "linux" - ], - "description": "Detects a spike in privileged commands executed by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of privileged processes by user name", - "function": "high_non_zero_count", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "process.name", - "process.command_line" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_linux_rare_process_executed_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "linux" - ], - "description": "Detects a rare process executed by a user.", - "analysis_config": { - 
"bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare process by user name", - "function": "rare", - "by_field_name": "process.name", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_linux_high_median_process_command_line_entropy_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "linux" - ], - "description": "Detects process command lines executed by a user with an abnormally high median entropy value. This job requires some manual setup before it can run successfully, specifically adding custom field mappings for data coming from an ingest pipeline. Instructions for these steps are available in the package overview.", - "analysis_config": { - "bucket_span": "30m", - "detectors": [ - { - "detector_description": "High median of process argument count by user name", - "function": "high_median", - "field_name": "process.command_line_entropy", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "user.entity.id_computed", - "process.command_line" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_okta_spike_in_group_membership_changes_euid", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects spike in group membership change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of group membership okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - 
"partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "user.entity.id_computed", - "source.user.full_name", - "user.target.full_name", - "user.target.group.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_okta_spike_in_user_lifecycle_management_changes_euid", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects spike in user lifecycle management change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of user lifecycle management okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "user.entity.id_computed", - "source.user.full_name", - "user.target.full_name", - "user.target.group.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_okta_spike_in_group_privilege_changes_euid", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects spike in group privilege change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of group privilege okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "user.entity.id_computed", - "source.user.full_name", - "user.target.full_name", - "user.target.group.name", - "okta.debug_context.debug_data.privilegeGranted", - 
"okta.debug_context.debug_data.privilegeRevoked" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_okta_spike_in_group_application_assignment_changes_euid", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects spike in group application assignment change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of group application assignment okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "user.entity.id_computed", - "source.user.full_name", - "user.target.group.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_okta_spike_in_group_lifecycle_changes_euid", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects spike in group lifecycle change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of group lifecycle okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 } - ], - "influencers": [ - "agent.name", - "user.entity.id_computed", - "source.user.full_name", - "user.target.group.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" } - } }, - { - "id": "pad_okta_high_sum_concurrent_sessions_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects an 
unusual sum of active sessions started by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High sum of distinct source ips by user name", - "function": "high_sum", - "field_name": "okta_distinct_ips", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 + "jobs": [ + { + "id": "pad_windows_high_count_special_logon_events_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects unusually high special logon events initiated by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of special logon events", + "function": "high_non_zero_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "host.name", + "user.entity.id_computed", + "user.name", + "winlog.event_data.SubjectUserName", + "winlog.event_data.PrivilegeList", + "winlog.event_data.TargetUserName", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - ], - "influencers": [ - "user.entity.id_computed", - "agent.name", - "source.user.full_name" - ] }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_okta_rare_source_ip_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects an unusual source IP address accessed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare source ip by user name", - "function": "rare", - "by_field_name": "source.ip", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 + { + "id": 
"pad_windows_high_count_special_privilege_use_events_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects unusually high special privilege use events initiated by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of special privilege use events", + "function": "high_non_zero_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "host.name", + "user.entity.id_computed", + "user.name", + "winlog.event_data.SubjectUserName", + "winlog.event_data.PrivilegeList", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - ], - "influencers": [ - "user.entity.id_computed", - "agent.name", - "source.user.full_name", - "user.target.group.name", - "okta.event_type" - ] }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_okta_rare_region_name_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects an unusual region name for a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare region name by user name", - "function": "rare", - "by_field_name": "client.geo.region_name", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 + { + "id": "pad_windows_high_count_group_management_events_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects unusually high security group management events initiated by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of security group management events", + 
"function": "high_non_zero_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "host.name", + "user.entity.id_computed", + "user.name", + "winlog.event_data.SubjectUserName", + "group.name", + "winlog.event_data.TargetUserName" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - ], - "influencers": [ - "user.entity.id_computed", - "agent.name", - "source.user.full_name", - "user.target.group.name", - "okta.event_type", - "client.geo.country_name" - ] }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_okta_rare_host_name_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects an unusual host name for a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare host name by user name", - "function": "rare", - "by_field_name": "agent.name", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 + { + "id": "pad_windows_high_count_user_account_management_events_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects unusually high security user account management events initiated by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of security user account management events", + "function": "high_non_zero_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "host.name", + "user.entity.id_computed", + "user.name", + "winlog.event_data.SubjectUserName", + "winlog.event_data.TargetUserName" + ] + }, + 
"data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - ], - "influencers": [ - "user.entity.id_computed", - "agent.name", - "source.user.full_name", - "user.target.group.name", - "okta.event_type" - ] }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - } - ], - "datafeeds": [ - { - "id": "datafeed-pad_windows_high_count_special_logon_events_euid", - "job_id": "pad_windows_high_count_special_logon_events_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_high_count_special_logon_events_euid", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "logged-in-special", - "logged-in-explicit" - ] - } - }, - { - "terms": { - "event.code": [ - "4672", - "4648" - ] + { + "id": "pad_windows_rare_privilege_assigned_to_user_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects an unusual privilege type assigned to a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare privilege type by user name", + "function": "rare", + "by_field_name": "privilege_type", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "host.name", + "user.entity.id_computed", + "user.name", + "privilege_type", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - } - ], - "must_not": [ - { - "terms": { - "process.name": - [ "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - 
"winlogbeat" ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" } - } - } -} - }, - { - "id": "datafeed-pad_windows_high_count_special_privilege_use_events_euid", - "job_id": "pad_windows_high_count_special_privilege_use_events_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_high_count_special_privilege_use_events_euid", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "privileged-operation", - "privileged-service-called" - ] - } - }, - { - "terms": { - "event.code": [ - "4673", - "4674" - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": - [ "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" ] - } - } - ] - } }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } - } - } -} - }, - { - "id": "datafeed-pad_windows_high_count_group_management_events_euid", - "job_id": "pad_windows_high_count_group_management_events_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_high_count_group_management_events_euid", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "added-member-to-group", - "removed-member-from-group" - ] - } - }, - { - "terms": { - "event.code": [ - "4732", - "4728", - "4756", - "4733", - "4729" - ] + { + "id": "pad_windows_rare_group_name_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects an unusual group name 
accessed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare group name by user name", + "function": "rare", + "by_field_name": "group.name", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "host.name", + "user.entity.id_computed", + "user.name", + "group.name", + "winlog.event_data.TargetUserName", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - } - ], - "must_not": [ - { - "terms": { - "process.name": - [ "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" } - } - } -} - }, - { - "id": "datafeed-pad_windows_high_count_user_account_management_events_euid", - "job_id": "pad_windows_high_count_user_account_management_events_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_high_count_user_account_management_events_euid", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "enabled-user-account", - "added-user-account", - "deleted-user-account", - "disabled-user-account" - ] - } - }, - { - "terms": { - "event.code": [ - "4722", - "4720", - "4726", - "4725" - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": - [ "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" ] - } - } - ] - } }, - "script_fields": { - 
"user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } - } - } -} - }, - { - "id": "datafeed-pad_windows_rare_privilege_assigned_to_user_euid", - "job_id": "pad_windows_rare_privilege_assigned_to_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_rare_privilege_assigned_to_user_euid", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "privilege_type" - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_windows_rare_group_name_by_user_euid", - "job_id": "pad_windows_rare_group_name_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_rare_group_name_by_user_euid", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "added-member-to-group", - "removed-member-from-group" - ] - } - }, - { - "terms": { - "event.code": [ - "4732", - "4728", - "4756", - "4733", - "4729" - ] + { + "id": "pad_windows_rare_device_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects an unusual device accessed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare device name by user name", + "function": "rare", + "by_field_name": "host.name", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "host.name", + "user.entity.id_computed", + "user.name", + "group.name", + "winlog.event_data.PrivilegeList", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - } - ], - "must_not": [ - { - "terms": { - "process.name": - [ "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - 
"filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" } - } - } -} - }, - { - "id": "datafeed-pad_windows_rare_device_by_user_euid", - "job_id": "pad_windows_rare_device_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_rare_device_by_user_euid", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "exists": { - "field": "host.name" - } - }, - { - "exists": { - "field": "user.name" - } - }, - { - "terms": { - "event.code": [ - "4720", - "4726", - "4722", - "4756", - "4672", - "4673", - "4674", - "4720", - "4728", - "4732", - "4756", - "624", - "632", - "636", - "660", - "4725", - "4723", - "4648", - "4688", - "4729", - "4733", - "4757", - "637", - "661" - ] - } - } - ], - "must_not": [ - { - "terms": { - "event.action": [ - "log_on", - "created_process" - ] - } - }, - { - "terms": { - "process.name": - [ "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" ] - } - } - ] - } }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } - } - } -} - }, - { - "id": "datafeed-pad_windows_rare_source_ip_by_user_euid", - "job_id": "pad_windows_rare_source_ip_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_rare_source_ip_by_user_euid", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": 
"user.name" - } - }, - { - "terms": { - "event.code": [ - "4720", - "4726", - "4722", - "4756", - "4672", - "4673", - "4674", - "4720", - "4728", - "4732", - "4756", - "624", - "632", - "636", - "660", - "4725", - "4723", - "4648", - "4688", - "4729", - "4733", - "4757", - "637", - "661" - ] - } - } - ], - "must_not": [ - { - "terms": { - "event.action": [ - "log_on", - "created_process" - ] + { + "id": "pad_windows_rare_source_ip_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects an unusual source IP address accessed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare source IP by user name", + "function": "rare", + "by_field_name": "source.ip", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "host.name", + "user.entity.id_computed", + "user.name", + "source.ip", + "winlog.event_data.PrivilegeList", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "terms": { - "process.name": - [ "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" } - } - } -} - }, - { - "id": "datafeed-pad_windows_rare_region_name_by_user_euid", - "job_id": "pad_windows_rare_region_name_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_rare_region_name_by_user_euid", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "exists": { - "field": 
"source.geo.region_name" - } - }, - { - "exists": { - "field": "user.name" - } - }, - { - "terms": { - "event.code": [ - "4720", - "4726", - "4722", - "4756", - "4672", - "4673", - "4674", - "4720", - "4728", - "4732", - "4756", - "624", - "632", - "636", - "660", - "4725", - "4723", - "4648", - "4688", - "4729", - "4733", - "4757", - "637", - "661" - ] - } - } - ], - "must_not": [ - { - "terms": { - "event.action": [ - "log_on", - "created_process" - ] - } - }, - { - "terms": { - "process.name": - [ "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" ] - } - } - ] - } }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } - } - } -} - }, - { - "id": "datafeed-pad_linux_high_count_privileged_process_events_by_user_euid", - "job_id": "pad_linux_high_count_privileged_process_events_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_linux_high_count_privileged_process_events_by_user_euid", - "query": { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "linux", - "Linux" + { + "id": "pad_windows_rare_region_name_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects an unusual region name for a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare region name by user", + "function": "rare", + "by_field_name": "source.geo.region_name", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "host.name", + "user.entity.id_computed", + "user.name", + "source.geo.city_name", + "source.geo.country_name", + "winlog.event_data.PrivilegeList", + "event.action" ] - } }, - { - "term": { - "event.category": 
"process" - } + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" }, - { - "terms": { - "event.type": [ - "start", - "change" + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_linux_high_count_privileged_process_events_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "linux" + ], + "description": "Detects a spike in privileged commands executed by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of privileged processes by user name", + "function": "high_non_zero_count", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "host.name", + "user.entity.id_computed", + "user.name", + "process.name", + "process.command_line" ] - } }, - { - "bool": { - "should": [ - { - "match_phrase": { - "process.command_line.text": "LD_PRELOAD" - } - }, - { - "match_phrase": { - "process.command_line.text": "/etc/ld.so.preload" - } - }, - { - "match_phrase": { - "process.command_line.text": "/root/.ssh/authorized_keys" - } - }, - { - "match_phrase": { - "process.command_line.text": "timestamp_timeout=-1" - } - }, - { - "match_phrase": { - "process.command_line.text": "!tty_tickets" - } - }, - { - "match_phrase": { - "process.command_line.text": "var/spool/cron" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl daemon-reload" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw mod user" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw unlock" - } - }, - { - "match_phrase": { - "process.command_line.text": "chmod u+s" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo setcap cap_setuid" - } - }, - { - "match_phrase": { - "process.command_line.text": "su nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo nobody" - } - }, - { - "match_phrase": { - 
"process.command_line.text": "sudo */root/" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*etc/sudoers" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*visudo" - } - }, - { - "match_phrase": { - "process.command_line.text": "etc/cron.*/" - } - }, - { - "match_phrase": { - "process.command_line.text": "trap*SIGINT" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*2000" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*4000" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl start*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl enable*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bashrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.shrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_logout" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/rc." 
- } - } - ] - } + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent", - "elasticsearch-users", - "elastic-agent.exe", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" + } + }, + { + "id": "pad_linux_rare_process_executed_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "linux" + ], + "description": "Detects a rare process executed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare process by user name", + "function": "rare", + "by_field_name": "process.name", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "host.name", + "user.entity.id_computed", + "user.name", + "process.name" ] - } }, - { - "terms": { - "process.command_line.text": [ - "elastic-agent", - "elasticsearch" - ] - } + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - ] } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } - } - } -} - }, - { - "id": "datafeed-pad_linux_rare_process_executed_by_user_euid", - "job_id": "pad_linux_rare_process_executed_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_linux_rare_process_executed_by_user_euid", - "query": { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "linux", - "Linux" + }, + { + "id": "pad_linux_high_median_process_command_line_entropy_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "linux" + ], + "description": "Detects process command 
lines executed by a user with an abnormally high median entropy value. This job requires some manual setup before it can run successfully, specifically adding custom field mappings for data coming from an ingest pipeline. Instructions for these steps are available in the package overview.", + "analysis_config": { + "bucket_span": "30m", + "detectors": [ + { + "detector_description": "High median of process argument count by user name", + "function": "high_median", + "field_name": "process.command_line_entropy", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "host.entity.id_computed", + "host.name", + "user.entity.id_computed", + "user.name", + "process.command_line" ] - } }, - { - "term": { - "event.category": "process" - } + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" }, - { - "terms": { - "event.type": [ - "start", - "change" + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_okta_spike_in_group_membership_changes_euid", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects spike in group membership change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of group membership okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "agent.name", + "user.entity.id_computed", + "user.name", + "source.user.full_name", + "user.target.full_name", + "user.target.group.name" ] - } }, - { - "bool": { - "should": [ - { - "match_phrase": { - "process.command_line.text": "LD_PRELOAD" - } - }, - { - "match_phrase": { - "process.command_line.text": "/etc/ld.so.preload" - } - }, - { - "match_phrase": { - "process.command_line.text": "/root/.ssh/authorized_keys" - } - }, - { - "match_phrase": { - 
"process.command_line.text": "timestamp_timeout=-1" - } - }, - { - "match_phrase": { - "process.command_line.text": "!tty_tickets" - } - }, - { - "match_phrase": { - "process.command_line.text": "var/spool/cron" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl daemon-reload" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw mod user" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw unlock" - } - }, - { - "match_phrase": { - "process.command_line.text": "chmod u+s" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo setcap cap_setuid" - } - }, - { - "match_phrase": { - "process.command_line.text": "su nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo */root/" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*etc/sudoers" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*visudo" - } - }, - { - "match_phrase": { - "process.command_line.text": "etc/cron.*/" - } - }, - { - "match_phrase": { - "process.command_line.text": "trap*SIGINT" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*2000" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*4000" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl start*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl enable*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bashrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.shrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_logout" - } - }, - { - "match_phrase": { - "process.command_line.text": 
"echo*/etc/rc." - } - } + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_okta_spike_in_user_lifecycle_management_changes_euid", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects spike in user lifecycle management change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of user lifecycle management okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "agent.name", + "user.entity.id_computed", + "user.name", + "source.user.full_name", + "user.target.full_name", + "user.target.group.name" ] - } + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent", - "elasticsearch-users", - "elastic-agent.exe", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" + } + }, + { + "id": "pad_okta_spike_in_group_privilege_changes_euid", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects spike in group privilege change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of group privilege okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "agent.name", + "user.entity.id_computed", + "user.name", + "source.user.full_name", + "user.target.full_name", + "user.target.group.name", + 
"okta.debug_context.debug_data.privilegeGranted", + "okta.debug_context.debug_data.privilegeRevoked" ] - } }, - { - "terms": { - "process.command_line.text": [ - "elastic-agent", - "elasticsearch" + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_okta_spike_in_group_application_assignment_changes_euid", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects spike in group application assignment change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of group application assignment okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "agent.name", + "user.entity.id_computed", + "user.name", + "source.user.full_name", + "user.target.group.name" ] - } + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - ] } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" + }, + { + "id": "pad_okta_spike_in_group_lifecycle_changes_euid", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects spike in group lifecycle change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of group lifecycle okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "agent.name", + "user.entity.id_computed", + "user.name", + "source.user.full_name", + "user.target.group.name" + ] + }, + "data_description": { + "time_field": 
"@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" + }, + { + "id": "pad_okta_high_sum_concurrent_sessions_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects an unusual sum of active sessions started by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High sum of distinct source ips by user name", + "function": "high_sum", + "field_name": "okta_distinct_ips", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "user.entity.id_computed", + "user.name", + "agent.name", + "source.user.full_name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - } -} - }, - { - "id": "datafeed-pad_linux_high_median_process_command_line_entropy_by_user_euid", - "job_id": "pad_linux_high_median_process_command_line_entropy_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_linux_high_median_process_command_line_entropy_by_user_euid", - "query": { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "linux", - "Linux" + }, + { + "id": "pad_okta_rare_source_ip_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects an unusual source IP address accessed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare source ip by user name", + "function": "rare", + "by_field_name": "source.ip", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "user.entity.id_computed", + "user.name", + "agent.name", + "source.user.full_name", + "user.target.group.name", + "okta.event_type" ] - } }, - { - 
"term": { - "event.category": "process" - } + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" }, - { - "terms": { - "event.type": [ - "start", - "change" + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_okta_rare_region_name_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects an unusual region name for a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare region name by user name", + "function": "rare", + "by_field_name": "client.geo.region_name", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "user.entity.id_computed", + "user.name", + "agent.name", + "source.user.full_name", + "user.target.group.name", + "okta.event_type", + "client.geo.country_name" ] - } }, - { - "bool": { - "should": [ - { - "match_phrase": { - "process.command_line.text": "LD_PRELOAD" - } - }, - { - "match_phrase": { - "process.command_line.text": "/etc/ld.so.preload" - } - }, - { - "match_phrase": { - "process.command_line.text": "/root/.ssh/authorized_keys" - } - }, - { - "match_phrase": { - "process.command_line.text": "timestamp_timeout=-1" - } - }, - { - "match_phrase": { - "process.command_line.text": "!tty_tickets" - } - }, - { - "match_phrase": { - "process.command_line.text": "var/spool/cron" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl daemon-reload" + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_okta_rare_host_name_by_user_euid", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects an unusual host name for a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare host name by user name", + "function": "rare", + 
"by_field_name": "agent.name", + "partition_field_name": "user.entity.id_computed", + "detector_index": 0 + } + ], + "influencers": [ + "user.entity.id_computed", + "user.name", + "agent.name", + "source.user.full_name", + "user.target.group.name", + "okta.event_type" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + } + ], + "datafeeds": [ + { + "id": "datafeed-pad_windows_high_count_special_logon_events_euid", + "job_id": "pad_windows_high_count_special_logon_events_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_high_count_special_logon_events_euid", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "logged-in-special", + "logged-in-explicit" + ] + } + }, + { + "terms": { + "event.code": [ + "4672", + "4648" + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" } - }, - { - "match_phrase": { - "process.command_line.text": "pw mod user" + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" } - }, - { - "match_phrase": { - "process.command_line.text": "pw unlock" + } + } + } + }, + { + "id": "datafeed-pad_windows_high_count_special_privilege_use_events_euid", + "job_id": "pad_windows_high_count_special_privilege_use_events_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_high_count_special_privilege_use_events_euid", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": 
{ + "event.action": [ + "privileged-operation", + "privileged-service-called" + ] + } + }, + { + "terms": { + "event.code": [ + "4673", + "4674" + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" } - }, - { - "match_phrase": { - "process.command_line.text": "chmod u+s" + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" } - }, - { - "match_phrase": { - "process.command_line.text": "sudo setcap cap_setuid" + } + } + } + }, + { + "id": "datafeed-pad_windows_high_count_group_management_events_euid", + "job_id": "pad_windows_high_count_group_management_events_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_high_count_group_management_events_euid", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "added-member-to-group", + "removed-member-from-group" + ] + } + }, + { + "terms": { + "event.code": [ + "4732", + "4728", + "4756", + "4733", + "4729" + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" } - }, - { - "match_phrase": { - "process.command_line.text": "su nobody" + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" } - }, - { - "match_phrase": { - "process.command_line.text": "sudo nobody" + } + } + } + }, + { + "id": 
"datafeed-pad_windows_high_count_user_account_management_events_euid", + "job_id": "pad_windows_high_count_user_account_management_events_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_high_count_user_account_management_events_euid", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "enabled-user-account", + "added-user-account", + "deleted-user-account", + "disabled-user-account" + ] + } + }, + { + "terms": { + "event.code": [ + "4722", + "4720", + "4726", + "4725" + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" } - }, - { - "match_phrase": { - "process.command_line.text": "sudo */root/" + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*etc/sudoers" + } + } + } + }, + { + "id": "datafeed-pad_windows_rare_privilege_assigned_to_user_euid", + "job_id": "pad_windows_rare_privilege_assigned_to_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_privilege_assigned_to_user_euid", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "privilege_type" + } + } + ] + } + } + } + }, + { + "id": "datafeed-pad_windows_rare_group_name_by_user_euid", + "job_id": "pad_windows_rare_group_name_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_group_name_by_user_euid", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + 
"added-member-to-group", + "removed-member-from-group" + ] + } + }, + { + "terms": { + "event.code": [ + "4732", + "4728", + "4756", + "4733", + "4729" + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*visudo" + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" } - }, - { - "match_phrase": { - "process.command_line.text": "etc/cron.*/" + } + } + } + }, + { + "id": "datafeed-pad_windows_rare_device_by_user_euid", + "job_id": "pad_windows_rare_device_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_device_by_user_euid", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "exists": { + "field": "host.name" + } + }, + { + "exists": { + "field": "user.name" + } + }, + { + "terms": { + "event.code": [ + "4720", + "4726", + "4722", + "4756", + "4672", + "4673", + "4674", + "4720", + "4728", + "4732", + "4756", + "624", + "632", + "636", + "660", + "4725", + "4723", + "4648", + "4688", + "4729", + "4733", + "4757", + "637", + "661" + ] + } + } + ], + "must_not": [ + { + "terms": { + "event.action": [ + "log_on", + "created_process" + ] + } + }, + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" } - }, - { - "match_phrase": { - "process.command_line.text": "trap*SIGINT" + 
}, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*2000" + } + } + } + }, + { + "id": "datafeed-pad_windows_rare_source_ip_by_user_euid", + "job_id": "pad_windows_rare_source_ip_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_source_ip_by_user_euid", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "user.name" + } + }, + { + "terms": { + "event.code": [ + "4720", + "4726", + "4722", + "4756", + "4672", + "4673", + "4674", + "4720", + "4728", + "4732", + "4756", + "624", + "632", + "636", + "660", + "4725", + "4723", + "4648", + "4688", + "4729", + "4733", + "4757", + "637", + "661" + ] + } + } + ], + "must_not": [ + { + "terms": { + "event.action": [ + "log_on", + "created_process" + ] + } + }, + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*4000" + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl start*.service" + } + } + } + }, + { + "id": "datafeed-pad_windows_rare_region_name_by_user_euid", + "job_id": "pad_windows_rare_region_name_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_region_name_by_user_euid", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "exists": { + "field": 
"source.geo.region_name" + } + }, + { + "exists": { + "field": "user.name" + } + }, + { + "terms": { + "event.code": [ + "4720", + "4726", + "4722", + "4756", + "4672", + "4673", + "4674", + "4720", + "4728", + "4732", + "4756", + "624", + "632", + "636", + "660", + "4725", + "4723", + "4648", + "4688", + "4729", + "4733", + "4757", + "637", + "661" + ] + } + } + ], + "must_not": [ + { + "terms": { + "event.action": [ + "log_on", + "created_process" + ] + } + }, + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl enable*.service" + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_profile" + } + } + } + }, + { + "id": "datafeed-pad_linux_high_count_privileged_process_events_by_user_euid", + "job_id": "pad_linux_high_count_privileged_process_events_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_linux_high_count_privileged_process_events_by_user_euid", + "query": { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "linux", + "Linux" + ] + } + }, + { + "term": { + "event.category": "process" + } + }, + { + "terms": { + "event.type": [ + "start", + "change" + ] + } + }, + { + "bool": { + "should": [ + { + "match_phrase": { + "process.command_line.text": "LD_PRELOAD" + } + }, + { + "match_phrase": { + "process.command_line.text": "/etc/ld.so.preload" + } + }, + { + "match_phrase": { + "process.command_line.text": "/root/.ssh/authorized_keys" + } + }, + { + "match_phrase": { + "process.command_line.text": "timestamp_timeout=-1" + } + }, + { + "match_phrase": { + 
"process.command_line.text": "!tty_tickets" + } + }, + { + "match_phrase": { + "process.command_line.text": "var/spool/cron" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl daemon-reload" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw mod user" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw unlock" + } + }, + { + "match_phrase": { + "process.command_line.text": "chmod u+s" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo setcap cap_setuid" + } + }, + { + "match_phrase": { + "process.command_line.text": "su nobody" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo nobody" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo */root/" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*etc/sudoers" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*visudo" + } + }, + { + "match_phrase": { + "process.command_line.text": "etc/cron.*/" + } + }, + { + "match_phrase": { + "process.command_line.text": "trap*SIGINT" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*2000" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*4000" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl start*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl enable*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bashrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.shrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_logout" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/rc." 
+ } + } + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent", + "elasticsearch-users", + "elastic-agent.exe", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + }, + { + "terms": { + "process.command_line.text": [ + "elastic-agent", + "elasticsearch" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bashrc" + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.shrc" + } + } + } + }, + { + "id": "datafeed-pad_linux_rare_process_executed_by_user_euid", + "job_id": "pad_linux_rare_process_executed_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_linux_rare_process_executed_by_user_euid", + "query": { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "linux", + "Linux" + ] + } + }, + { + "term": { + "event.category": "process" + } + }, + { + "terms": { + "event.type": [ + "start", + "change" + ] + } + }, + { + "bool": { + "should": [ + { + "match_phrase": { + "process.command_line.text": "LD_PRELOAD" + } + }, + { + "match_phrase": { + "process.command_line.text": "/etc/ld.so.preload" + } + }, + { + "match_phrase": { + "process.command_line.text": "/root/.ssh/authorized_keys" + } + }, + { + "match_phrase": { + "process.command_line.text": "timestamp_timeout=-1" + } + }, + { + "match_phrase": { + "process.command_line.text": "!tty_tickets" + } + }, + { + "match_phrase": { + "process.command_line.text": "var/spool/cron" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl daemon-reload" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw mod user" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw unlock" + } 
+ }, + { + "match_phrase": { + "process.command_line.text": "chmod u+s" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo setcap cap_setuid" + } + }, + { + "match_phrase": { + "process.command_line.text": "su nobody" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo nobody" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo */root/" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*etc/sudoers" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*visudo" + } + }, + { + "match_phrase": { + "process.command_line.text": "etc/cron.*/" + } + }, + { + "match_phrase": { + "process.command_line.text": "trap*SIGINT" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*2000" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*4000" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl start*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl enable*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bashrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.shrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_logout" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/rc." 
+ } + } + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent", + "elasticsearch-users", + "elastic-agent.exe", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + }, + { + "terms": { + "process.command_line.text": [ + "elastic-agent", + "elasticsearch" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/profile" + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_logout" + } + } + } + }, + { + "id": "datafeed-pad_linux_high_median_process_command_line_entropy_by_user_euid", + "job_id": "pad_linux_high_median_process_command_line_entropy_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_linux_high_median_process_command_line_entropy_by_user_euid", + "query": { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "linux", + "Linux" + ] + } + }, + { + "term": { + "event.category": "process" + } + }, + { + "terms": { + "event.type": [ + "start", + "change" + ] + } + }, + { + "bool": { + "should": [ + { + "match_phrase": { + "process.command_line.text": "LD_PRELOAD" + } + }, + { + "match_phrase": { + "process.command_line.text": "/etc/ld.so.preload" + } + }, + { + "match_phrase": { + "process.command_line.text": "/root/.ssh/authorized_keys" + } + }, + { + "match_phrase": { + "process.command_line.text": "timestamp_timeout=-1" + } + }, + { + "match_phrase": { + "process.command_line.text": "!tty_tickets" + } + }, + { + "match_phrase": { + "process.command_line.text": "var/spool/cron" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl daemon-reload" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw mod user" + } + }, + 
{ + "match_phrase": { + "process.command_line.text": "pw unlock" + } + }, + { + "match_phrase": { + "process.command_line.text": "chmod u+s" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo setcap cap_setuid" + } + }, + { + "match_phrase": { + "process.command_line.text": "su nobody" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo nobody" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo */root/" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*etc/sudoers" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*visudo" + } + }, + { + "match_phrase": { + "process.command_line.text": "etc/cron.*/" + } + }, + { + "match_phrase": { + "process.command_line.text": "trap*SIGINT" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*2000" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*4000" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl start*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl enable*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bashrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.shrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_logout" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/rc." 
+ } + } + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent", + "elasticsearch-users", + "elastic-agent.exe", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + }, + { + "terms": { + "process.command_line.text": [ + "elastic-agent", + "elasticsearch" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/rc." + }, + "host.entity.id_computed": { + "script": { + "id": "euid_host_entity" } - } - ] - } + } } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent", - "elasticsearch-users", - "elastic-agent.exe", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } + } + }, + { + "id": "datafeed-pad_okta_spike_in_group_membership_changes_euid", + "job_id": "pad_okta_spike_in_group_membership_changes_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_group_membership_changes_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "terms": { + "okta.event_type": [ + "group.user_membership.add", + "group.user_membership.remove" + ] + } + } + ] + } }, - { - "terms": { - "process.command_line.text": [ - "elastic-agent", - "elasticsearch" - ] - } + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + } } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } - } - } -} - }, - { - "id": "datafeed-pad_okta_spike_in_group_membership_changes_euid", - "job_id": "pad_okta_spike_in_group_membership_changes_euid", - "config": { - 
"indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_group_membership_changes_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": ["group.user_membership.add", "group.user_membership.remove"] - } - } - ] - } }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - } - } -} - }, - { - "id": "datafeed-pad_okta_spike_in_user_lifecycle_management_changes_euid", - "job_id": "pad_okta_spike_in_user_lifecycle_management_changes_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_user_lifecycle_management_changes_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": [ - "user.lifecycle.activate", - "user.lifecycle.deactivate", - "user.lifecycle.suspend", - "user.lifecycle.unsuspend", - "user.lifecycle.create", - "user.lifecycle.update" - ] + { + "id": "datafeed-pad_okta_spike_in_user_lifecycle_management_changes_euid", + "job_id": "pad_okta_spike_in_user_lifecycle_management_changes_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_user_lifecycle_management_changes_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "terms": { + "okta.event_type": [ + "user.lifecycle.activate", + "user.lifecycle.deactivate", + "user.lifecycle.suspend", + "user.lifecycle.unsuspend", + "user.lifecycle.create", + "user.lifecycle.update" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + } } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" } - } - } -} - }, - { - "id": "datafeed-pad_okta_spike_in_group_privilege_changes_euid", - "job_id": 
"pad_okta_spike_in_group_privilege_changes_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_group_privilege_changes_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": ["group.privilege.grant", "group.privilege.revoke"] - } - } - ] - } }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - } - } -} - }, - { - "id": "datafeed-pad_okta_spike_in_group_application_assignment_changes_euid", - "job_id": "pad_okta_spike_in_group_application_assignment_changes_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_group_application_assignment_changes_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": ["group.application_assignment.add", "group.application_assignment.remove"] + { + "id": "datafeed-pad_okta_spike_in_group_privilege_changes_euid", + "job_id": "pad_okta_spike_in_group_privilege_changes_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_group_privilege_changes_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "terms": { + "okta.event_type": [ + "group.privilege.grant", + "group.privilege.revoke" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + } } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" } - } - } -} - }, - { - "id": "datafeed-pad_okta_spike_in_group_lifecycle_changes_euid", - "job_id": "pad_okta_spike_in_group_lifecycle_changes_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_group_lifecycle_changes_euid", - "query": { - "bool": { - "filter": [ - 
{ - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": ["group.lifecycle.create", "group.lifecycle.delete"] - } - } - ] - } }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - } - } -} - }, - { - "id": "datafeed-pad_okta_high_sum_concurrent_sessions_by_user_euid", - "job_id": "pad_okta_high_sum_concurrent_sessions_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_high_sum_concurrent_sessions_by_user_euid", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.user.name" - } - }, - { - "exists": { - "field": "okta_distinct_ips" - } - }, - { - "range": { - "okta_distinct_ips": { - "gte": 2 + { + "id": "datafeed-pad_okta_spike_in_group_application_assignment_changes_euid", + "job_id": "pad_okta_spike_in_group_application_assignment_changes_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_group_application_assignment_changes_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "terms": { + "okta.event_type": [ + "group.application_assignment.add", + "group.application_assignment.remove" + ] + } + } + ] } - } }, - { - "range": { - "okta_distinct_countries": { - "gte": 2 + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } } - } - }, - { - "term": { - "okta_session_info.has_end_event": 0 - } } - ] } - } - } - }, - { - "id": "datafeed-pad_okta_rare_source_ip_by_user_euid", - "job_id": "pad_okta_rare_source_ip_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_rare_source_ip_by_user_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "exists": { - "field": "source.ip" - } - }, - { - "terms": { - "okta.event_type": [ - "group.lifecycle.create", - 
"group.lifecycle.delete", - "group.user_membership.add", - "group.user_membership.remove", - "user.lifecycle.activate", - "user.lifecycle.deactivate", - "user.lifecycle.suspend", - "user.lifecycle.unsuspend", - "user.lifecycle.create", - "user.lifecycle.update", - "group.privilege.grant", - "group.privilege.revoke", - "group.application_assignment.add", - "group.application_assignment.remove"] - } - } - ] - } }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - } - } -} - }, - { - "id": "datafeed-pad_okta_rare_region_name_by_user_euid", - "job_id": "pad_okta_rare_region_name_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_rare_region_name_by_user_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "exists": { - "field": "client.geo.region_name" - } - }, - { - "terms": { - "okta.event_type": [ - "group.lifecycle.create", - "group.lifecycle.delete", - "group.user_membership.add", - "group.user_membership.remove", - "user.lifecycle.activate", - "user.lifecycle.deactivate", - "user.lifecycle.suspend", - "user.lifecycle.unsuspend", - "user.lifecycle.create", - "user.lifecycle.update", - "group.privilege.grant", - "group.privilege.revoke", - "group.application_assignment.add", - "group.application_assignment.remove"] + { + "id": "datafeed-pad_okta_spike_in_group_lifecycle_changes_euid", + "job_id": "pad_okta_spike_in_group_lifecycle_changes_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_group_lifecycle_changes_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "terms": { + "okta.event_type": [ + "group.lifecycle.create", + "group.lifecycle.delete" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + } } - } - ] - } - }, - 
"script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" } - } - } -} - }, - { - "id": "datafeed-pad_okta_rare_host_name_by_user_euid", - "job_id": "pad_okta_rare_host_name_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_rare_host_name_by_user_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" + }, + { + "id": "datafeed-pad_okta_high_sum_concurrent_sessions_by_user_euid", + "job_id": "pad_okta_high_sum_concurrent_sessions_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_high_sum_concurrent_sessions_by_user_euid", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.user.name" + } + }, + { + "exists": { + "field": "okta_distinct_ips" + } + }, + { + "range": { + "okta_distinct_ips": { + "gte": 2 + } + } + }, + { + "range": { + "okta_distinct_countries": { + "gte": 2 + } + } + }, + { + "term": { + "okta_session_info.has_end_event": 0 + } + } + ] + } } - }, - { - "exists": { - "field": "agent.name" + } + }, + { + "id": "datafeed-pad_okta_rare_source_ip_by_user_euid", + "job_id": "pad_okta_rare_source_ip_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_rare_source_ip_by_user_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "exists": { + "field": "source.ip" + } + }, + { + "terms": { + "okta.event_type": [ + "group.lifecycle.create", + "group.lifecycle.delete", + "group.user_membership.add", + "group.user_membership.remove", + "user.lifecycle.activate", + "user.lifecycle.deactivate", + "user.lifecycle.suspend", + "user.lifecycle.unsuspend", + "user.lifecycle.create", + "user.lifecycle.update", + "group.privilege.grant", + "group.privilege.revoke", + "group.application_assignment.add", + "group.application_assignment.remove" + ] + } + } + ] + } + }, + "script_fields": 
{ + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + } } - }, - { - "terms": { - "okta.event_type": [ - "group.lifecycle.create", - "group.lifecycle.delete", - "group.user_membership.add", - "group.user_membership.remove", - "user.lifecycle.activate", - "user.lifecycle.deactivate", - "user.lifecycle.suspend", - "user.lifecycle.unsuspend", - "user.lifecycle.create", - "user.lifecycle.update", - "group.privilege.grant", - "group.privilege.revoke", - "group.application_assignment.add", - "group.application_assignment.remove"] + } + }, + { + "id": "datafeed-pad_okta_rare_region_name_by_user_euid", + "job_id": "pad_okta_rare_region_name_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_rare_region_name_by_user_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "exists": { + "field": "client.geo.region_name" + } + }, + { + "terms": { + "okta.event_type": [ + "group.lifecycle.create", + "group.lifecycle.delete", + "group.user_membership.add", + "group.user_membership.remove", + "user.lifecycle.activate", + "user.lifecycle.deactivate", + "user.lifecycle.suspend", + "user.lifecycle.unsuspend", + "user.lifecycle.create", + "user.lifecycle.update", + "group.privilege.grant", + "group.privilege.revoke", + "group.application_assignment.add", + "group.application_assignment.remove" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + } } - } - ] - } + } }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" + { + "id": "datafeed-pad_okta_rare_host_name_by_user_euid", + "job_id": "pad_okta_rare_host_name_by_user_euid", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_rare_host_name_by_user_euid", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + 
"exists": { + "field": "agent.name" + } + }, + { + "terms": { + "okta.event_type": [ + "group.lifecycle.create", + "group.lifecycle.delete", + "group.user_membership.add", + "group.user_membership.remove", + "user.lifecycle.activate", + "user.lifecycle.deactivate", + "user.lifecycle.suspend", + "user.lifecycle.unsuspend", + "user.lifecycle.create", + "user.lifecycle.update", + "group.privilege.grant", + "group.privilege.revoke", + "group.application_assignment.add", + "group.application_assignment.remove" + ] + } + } + ] + } + }, + "script_fields": { + "user.entity.id_computed": { + "script": { + "id": "euid_user_entity" + } + } + } } - } } -} - } - ] + ] }, "id": "pad-ml", "migrationVersion": { diff --git a/packages/problemchild/kibana/ml_module/problemchild-ml.json b/packages/problemchild/kibana/ml_module/problemchild-ml.json index 49521ba9213..52fa27455b3 100644 --- a/packages/problemchild/kibana/ml_module/problemchild-ml.json +++ b/packages/problemchild/kibana/ml_module/problemchild-ml.json @@ -55,7 +55,9 @@ "influencers": [ "process.name", "host.entity.id_computed", + "host.name", "user.entity.id_computed", + "user.name", "process.command_line" ] }, @@ -97,7 +99,9 @@ "influencers": [ "process.name", "host.entity.id_computed", + "host.name", "user.entity.id_computed", + "user.name", "process.command_line" ] }, @@ -132,7 +136,9 @@ "influencers": [ "process.name", "user.entity.id_computed", + "user.name", "host.entity.id_computed", + "host.name", "process.command_line" ] }, @@ -169,7 +175,9 @@ "process.parent.name", "process.command_line", "host.entity.id_computed", - "user.entity.id_computed" + "host.name", + "user.entity.id_computed", + "user.name" ] }, "data_description": { @@ -210,7 +218,9 @@ "influencers": [ "process.name", "user.entity.id_computed", + "user.name", "host.entity.id_computed", + "host.name", "process.command_line" ] }, 
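Review bot: in the pad-ml.json hunk, `datafeed-pad_okta_high_sum_concurrent_sessions_by_user_euid` is the only new datafeed without a `script_fields` block that computes `user.entity.id_computed` through the `euid_user_entity` stored script; its filter keys on transform output (`okta_distinct_ips`, `okta_distinct_countries`, `okta_session_info.has_end_event`), so this is only correct if the Okta sessions pivot transform already writes `user.entity.id_computed` into its destination index and `INDEX_PATTERN_NAME` resolves to that destination when the module is set up. Please confirm both, or give it the same `script_fields` block that the `rare_source_ip`, `rare_region_name` and `rare_host_name` datafeeds carry. Two smaller points: the hunk does not show where the `euid_user_entity` stored script is installed, and a datafeed whose `script_fields` references a missing stored script fails at preview/start time, so the install order should be documented; and the three `rare_*` datafeeds now repeat the same 14-entry `okta.event_type` terms list, which must be kept in sync by hand when an event type is added or removed.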
@@ -254,7 +264,9 @@ "process.parent.name", "process.command_line", "host.entity.id_computed", - "user.entity.id_computed" + "host.name", + "user.entity.id_computed", + "user.name" ] }, "data_description": { @@ -630,4 +642,4 @@ }, "references": [], "type": "ml-module" -} \ No newline at end of file +} From 4688350562681ee368402d465b9c32ee85062dc9 Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Mon, 9 Mar 2026 09:42:35 -0500 Subject: [PATCH 07/44] update ML anomalies datastream index pattern --- packages/ded/docs/README.md | 2 +- packages/hta/docs/README.md | 2 +- packages/lmd/docs/README.md | 2 +- packages/pad/docs/README.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/packages/ded/docs/README.md b/packages/ded/docs/README.md index 046c68cbfbf..01eeebcd470 100644 --- a/packages/ded/docs/README.md +++ b/packages/ded/docs/README.md 
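Review bot: the influencer order in problemchild-ml.json is inconsistent across the jobs touched here: some now read `host.entity.id_computed`, `host.name`, `user.entity.id_computed`, `user.name` and others `user.entity.id_computed`, `user.name`, `host.entity.id_computed`, `host.name`. Order does not change results, but one fixed order makes the six near-identical hunks easier to audit. More important for reviewers: listing `host.name` and `user.name` next to the computed entity ids means an anomaly will normally carry both the id and the raw name as influencers, which raises per-job influencer cardinality; the changelog or README should state that this is intended (so dashboards can pivot on the plain names) rather than leave it implicit. The missing-newline fix at the end of the file is fine.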
@@ -25,7 +25,7 @@ For more detailed information refer to the following blog: 1. You have **read** access to `.ml-anomalies-shared` index or are assigned the `machine_learning_user` role. For more information on roles, please refer to [Built-in roles in Elastic](https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-roles.html). Please be aware that a user who has access to the underlying machine learning results indices can see the results of _all_ jobs in _all_ spaces. Be mindful of granting permissions if you use Kibana spaces to control which users can see which machine learning results. For more information on machine learning privileges, refer to [setup-privileges](https://www.elastic.co/guide/en/machine-learning/current/setup.html#setup-privileges). 1. After enabling the jobs, go to **Management > Stack Management > Kibana > Data Views**. Click on **Create data view** with the following settings: - Name: `.ml-anomalies-shared` - - Index pattern : `.ml-anomalies-shared` + - Index pattern : `.ml-anomalies-shared*` - Select **Show Advanced settings** enable **Allow hidden and system indices** - Custom data view ID: `.ml-anomalies-shared` diff --git a/packages/hta/docs/README.md b/packages/hta/docs/README.md index c568e1cb29b..ac868febb18 100644 --- a/packages/hta/docs/README.md +++ b/packages/hta/docs/README.md 
@@ -9,7 +9,7 @@ The Host Traffic Anomalies package includes a dashboard that offers a high-level 1. You have **read** access to `.ml-anomalies-shared` index or are assigned the `machine_learning_user` role. For more information on roles, please refer to [Built-in roles in Elastic](https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-roles.html). Please be aware that a user who has access to the underlying machine learning results indices can see the results of _all_ jobs in _all_ spaces. Be mindful of granting permissions if you use Kibana spaces to control which users can see which machine learning results. For more information on machine learning privileges, refer to [setup-privileges](https://www.elastic.co/guide/en/machine-learning/current/setup.html#setup-privileges). 1. After enabling the jobs, go to **Management > Stack Management > Kibana > Data Views**. Click on **Create data view** with the following settings: - Name: `.ml-anomalies-shared` - - Index pattern : `.ml-anomalies-shared` + - Index pattern : `.ml-anomalies-shared*` - Select **Show Advanced settings** enable **Allow hidden and system indices** - Custom data view ID: `.ml-anomalies-shared` diff --git a/packages/lmd/docs/README.md b/packages/lmd/docs/README.md index 1ae8da40d45..3a24709394f 100644 --- a/packages/lmd/docs/README.md +++ b/packages/lmd/docs/README.md 
@@ -26,7 +26,7 @@ For more detailed information refer to the following blogs: 1. You have **read** access to `.ml-anomalies-shared` index or are assigned the `machine_learning_user` role. For more information on roles, please refer to [Built-in roles in Elastic](https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-roles.html). Please be aware that a user who has access to the underlying machine learning results indices can see the results of _all_ jobs in _all_ spaces. Be mindful of granting permissions if you use Kibana spaces to control which users can see which machine learning results. For more information on machine learning privileges, refer to [setup-privileges](https://www.elastic.co/guide/en/machine-learning/current/setup.html#setup-privileges). 1. After enabling the jobs, go to **Management > Stack Management > Kibana > Data Views**. Click on **Create data view** with the following settings: - Name: `.ml-anomalies-shared` - - Index pattern : `.ml-anomalies-shared` + - Index pattern : `.ml-anomalies-shared*` - Select **Show Advanced settings** enable **Allow hidden and system indices** - Custom data view ID: `.ml-anomalies-shared` diff --git a/packages/pad/docs/README.md b/packages/pad/docs/README.md index 660cef437b6..7f6a47efb31 100644 --- a/packages/pad/docs/README.md +++ b/packages/pad/docs/README.md 
@@ -76,7 +76,7 @@ The package transform supports data from Elastic Endpoint via Elastic Defend and 1. You have **read** access to `.ml-anomalies-shared` index or are assigned the `machine_learning_user` role. For more information on roles, please refer to [Built-in roles in Elastic](https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-roles.html). Please be aware that a user who has access to the underlying machine learning results indices can see the results of _all_ jobs in _all_ spaces. Be mindful of granting permissions if you use Kibana spaces to control which users can see which machine learning results. For more information on machine learning privileges, refer to [setup-privileges](https://www.elastic.co/guide/en/machine-learning/current/setup.html#setup-privileges). 1. After enabling the jobs, go to **Management > Stack Management > Kibana > Data Views**. Click on **Create data view** with the following settings: - Name: `.ml-anomalies-shared` - - Index pattern : `.ml-anomalies-shared` + - Index pattern : `.ml-anomalies-shared*` - Select **Show Advanced settings** enable **Allow hidden and system indices** - Custom data view ID: `.ml-anomalies-shared` From 8447f3e1f1de96b42e037b99bcd19639cc84b72c Mon Sep 17 00:00:00 2001 
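Review bot: the four README hunks (ded, hta, lmd, pad) widen the data view's index pattern to `.ml-anomalies-shared*` but leave the preceding bullet telling users they need read access to the `.ml-anomalies-shared` index. A reader will not know what the trailing wildcard now picks up (the commit subject says a data stream), or whether read access on the literal name is still enough to see those results; one sentence naming the index or data stream the wildcard is meant to match, and the matching privilege, would close that gap. Keeping the Name and Custom data view ID at `.ml-anomalies-shared` is correct, since the package dashboards reference the data view by that id in their Lens panels.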
From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Mon, 9 Mar 2026 14:54:50 -0500 Subject: [PATCH 08/44] rename files for EA changes --- .../fields/fields.yml | 0 .../transform.yml | 0 ...c0d7f060-7a6b-11ed-9b26-4bb95b2c57a6.json} | 6 +- ...-c3773b23-471c-4168-bb02-90489161ce51.json | 122 ++++++++++++++++++ ...-9ab90b79-7549-4329-98a4-37262834d875.json | 122 ------------------ .../fields/fields.yml | 0 .../transform.yml | 0 ...17fea180-8c4c-11ed-bb03-41a73f349362.json} | 6 +- .../fields/fields.yml | 0 .../transform.yml | 0 .../fields/fields.yml | 0 .../transform.yml | 0 ...-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09.json | 87 +++++++++++++ ...-71c4cb79-3d39-4f27-9bbf-1b273c9c37cc.json | 67 ++++++++++ ...-aea2c9d3-c841-4466-8c61-c0ffbf6ac976.json | 72 +++++++++++ ...-46fd7fd1-4e75-4750-8367-56761cefd762.json | 87 ------------- ...-8ff48325-ebf8-4777-9ef1-3b6d160e220a.json | 67 ---------- ...-97d27aca-2fbf-4a28-8eb6-279caa008eef.json | 72 ----------- 18 files changed, 354 insertions(+), 354 deletions(-) rename packages/ded/elasticsearch/transform/{pivot_transform_euid => pivot_transform_ea}/fields/fields.yml (100%) rename packages/ded/elasticsearch/transform/{pivot_transform_euid => pivot_transform_ea}/transform.yml (100%) rename packages/ded/kibana/dashboard/{ded-euid-c618bd39-b2ed-4c26-8f5e-2c61777b127f.json => ded-c0d7f060-7a6b-11ed-9b26-4bb95b2c57a6.json} (92%) create mode 100644 packages/hta/kibana/dashboard/hta-c3773b23-471c-4168-bb02-90489161ce51.json delete mode 100644 packages/hta/kibana/dashboard/hta-euid-9ab90b79-7549-4329-98a4-37262834d875.json rename packages/lmd/elasticsearch/transform/{pivot_transform_euid => pivot_transform_ea}/fields/fields.yml (100%) rename packages/lmd/elasticsearch/transform/{pivot_transform_euid => pivot_transform_ea}/transform.yml (100%) rename packages/lmd/kibana/dashboard/{lmd-euid-55567824-b381-4253-a7cc-d22e630a91c9.json => lmd-17fea180-8c4c-11ed-bb03-41a73f349362.json} (89%) rename 
packages/pad/elasticsearch/transform/{pivot_transform_okta_sessions_euid => pivot_transform_okta_sessions_ea}/fields/fields.yml (100%) rename packages/pad/elasticsearch/transform/{pivot_transform_okta_sessions_euid => pivot_transform_okta_sessions_ea}/transform.yml (100%) rename packages/pad/elasticsearch/transform/{pivot_transform_win_privilege_list_euid => pivot_transform_win_privilege_list_ea}/fields/fields.yml (100%) rename packages/pad/elasticsearch/transform/{pivot_transform_win_privilege_list_euid => pivot_transform_win_privilege_list_ea}/transform.yml (100%) create mode 100644 packages/pad/kibana/dashboard/pad-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09.json create mode 100644 packages/pad/kibana/dashboard/pad-71c4cb79-3d39-4f27-9bbf-1b273c9c37cc.json create mode 100644 packages/pad/kibana/dashboard/pad-aea2c9d3-c841-4466-8c61-c0ffbf6ac976.json delete mode 100644 packages/pad/kibana/dashboard/pad-euid-46fd7fd1-4e75-4750-8367-56761cefd762.json delete mode 100644 packages/pad/kibana/dashboard/pad-euid-8ff48325-ebf8-4777-9ef1-3b6d160e220a.json delete mode 100644 packages/pad/kibana/dashboard/pad-euid-97d27aca-2fbf-4a28-8eb6-279caa008eef.json diff --git a/packages/ded/elasticsearch/transform/pivot_transform_euid/fields/fields.yml b/packages/ded/elasticsearch/transform/pivot_transform_ea/fields/fields.yml similarity index 100% rename from packages/ded/elasticsearch/transform/pivot_transform_euid/fields/fields.yml rename to packages/ded/elasticsearch/transform/pivot_transform_ea/fields/fields.yml diff --git a/packages/ded/elasticsearch/transform/pivot_transform_euid/transform.yml b/packages/ded/elasticsearch/transform/pivot_transform_ea/transform.yml similarity index 100% rename from packages/ded/elasticsearch/transform/pivot_transform_euid/transform.yml rename to packages/ded/elasticsearch/transform/pivot_transform_ea/transform.yml 
diff --git a/packages/ded/kibana/dashboard/ded-euid-c618bd39-b2ed-4c26-8f5e-2c61777b127f.json b/packages/ded/kibana/dashboard/ded-c0d7f060-7a6b-11ed-9b26-4bb95b2c57a6.json similarity index 92% rename from packages/ded/kibana/dashboard/ded-euid-c618bd39-b2ed-4c26-8f5e-2c61777b127f.json rename to packages/ded/kibana/dashboard/ded-c0d7f060-7a6b-11ed-9b26-4bb95b2c57a6.json index 055790befc2..b9b848de667 100644 --- a/packages/ded/kibana/dashboard/ded-euid-c618bd39-b2ed-4c26-8f5e-2c61777b127f.json +++ b/packages/ded/kibana/dashboard/ded-c0d7f060-7a6b-11ed-9b26-4bb95b2c57a6.json 
@@ -3,7 +3,7 @@ "description": "This dashboard provides an overview of anomalies found for Data Exfiltration Detection package.", "hits": 0, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"(job_id: \\\"ded_high_sent_bytes_destination_geo_country_iso_code_euid\\\" or job_id: \\\"ded_high_bytes_written_to_external_device_airdrop_euid\\\" or job_id: \\\"ded_high_bytes_written_to_external_device_euid\\\" or job_id: \\\"ded_rare_process_writing_to_external_device_euid\\\" or job_id: \\\"ded_high_sent_bytes_destination_ip_euid\\\" or job_id : \\\"ded_high_sent_bytes_destination_port_euid\\\" or job_id: \\\"ded_high_sent_bytes_destination_region_name_euid\\\") \",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"result_type\",\"field\":\"result_type\",\"type\":\"phrase\",\"params\":{\"query\":\"record\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"result_type\":\"record\"}},\"$state\":{\"store\":\"appState\"}}]}" + "searchSourceJSON": "{\"query\":{\"query\":\"(job_id: \\\"high-sent-bytes-destination-geo-country_iso_code\\\" or job_id: \\\"high-bytes-written-to-external-device-airdrop\\\" or job_id: \\\"high-bytes-written-to-external-device\\\" or job_id: \\\"rare-process-writing-to-external-device\\\" or job_id: \\\"high-sent-bytes-destination-ip\\\" or job_id : \\\"high-sent-bytes-destination-port\\\" or job_id: \\\"high-sent-bytes-destination-region_name\\\") \",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"result_type\",\"field\":\"result_type\",\"type\":\"phrase\",\"params\":{\"query\":\"record\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"result_type\":\"record\"}},\"$state\":{\"store\":\"appState\"}}]}" }, "optionsJSON": { "hidePanelTitles": false, 
@@ -13,11 +13,11 @@ }, "panelsJSON": "[{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":15,\"y\":0,\"w\":16,\"h\":8,\"i\":\"109fb1af-bae3-45a3-8284-8206b08ca0ca\"},\"panelIndex\":\"109fb1af-bae3-45a3-8284-8206b08ca0ca\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"name\":\"indexpattern-datasource-layer-7236397d-5baf-4a72-b0ca-eb888f30103b\",\"id\":\".ml-anomalies-shared\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"7236397d-5baf-4a72-b0ca-eb888f30103b\",\"accessor\":\"6c8e42f3-f21c-4c6b-b9a1-2d855f08ee8f\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"7236397d-5baf-4a72-b0ca-eb888f30103b\":{\"columns\":{\"6c8e42f3-f21c-4c6b-b9a1-2d855f08ee8f\":{\"label\":\"Total affected hosts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"6c8e42f3-f21c-4c6b-b9a1-2d855f08ee8f\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":8,\"w\":23,\"h\":15,\"i\":\"218d787c-8b8a-4c8d-9597-89fde21e354e\"},\"panelIndex\":\"218d787c-8b8a-4c8d-9597-89fde21e354e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"name\":\"indexpattern-datasource-layer-4abb92df-6c5d-4ff8-a859-fc293ce60e70\",\"id\":\".ml-anomalies-shared\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"b04943cf-244d-4202-a241-5016f157fcf3\",\"isTransposed\":false},{\"columnId\":\"632aca7c-068e-42ca-ad9b-0533ab38d466\",\"isTransposed\":false}],\"layerId\":\"4abb92df-6c5d-4ff8-a859-fc293ce60e70\"
,\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4abb92df-6c5d-4ff8-a859-fc293ce60e70\":{\"columns\":{\"b04943cf-244d-4202-a241-5016f157fcf3\":{\"label\":\"host.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"632aca7c-068e-42ca-ad9b-0533ab38d466\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"}},\"customLabel\":true},\"632aca7c-068e-42ca-ad9b-0533ab38d466\":{\"label\":\"Number of anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"b04943cf-244d-4202-a241-5016f157fcf3\",\"632aca7c-068e-42ca-ad9b-0533ab38d466\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 20 Hosts Associated with Data Exfiltration 
Activity\"},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":23,\"y\":8,\"w\":25,\"h\":15,\"i\":\"b7d80672-3c60-441e-9edb-b05fa96e88d1\"},\"panelIndex\":\"b7d80672-3c60-441e-9edb-b05fa96e88d1\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"name\":\"indexpattern-datasource-layer-daaccc7d-bf90-4a63-848e-6181389ee601\",\"id\":\".ml-anomalies-shared\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"daaccc7d-bf90-4a63-848e-6181389ee601\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"baa67605-1ebc-418d-bd21-8254b22c0faf\"},{\"columnId\":\"acf8d722-a0dd-4eb9-9fac-1d784fc668fa\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"daaccc7d-bf90-4a63-848e-6181389ee601\":{\"columns\":{\"baa67605-1ebc-418d-bd21-8254b22c0faf\":{\"label\":\"process.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.name\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"acf8d722-a0dd-4eb9-9fac-1d784fc668fa\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"}},\"customLabel\":true},\"acf8d722-a0dd-4eb9-9fac-1d784fc668fa\":{\"label\":\"Number of anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"baa67605-1ebc-418d-bd21-8254b22c0faf\",\"acf8d722-a0dd-4eb9-9fac-1d784fc668fa\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 20 Processes Associated with Data Exfiltration 
Activity\"},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":23,\"w\":23,\"h\":15,\"i\":\"ff5d0e30-1f8f-4577-bd30-8458a3d3f93c\"},\"panelIndex\":\"ff5d0e30-1f8f-4577-bd30-8458a3d3f93c\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"name\":\"indexpattern-datasource-layer-d052422b-7069-4cc7-938c-a7802f3eb8cb\",\"id\":\".ml-anomalies-shared\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"d052422b-7069-4cc7-938c-a7802f3eb8cb\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"f3be7369-746c-4e7e-b75d-c431d55783ec\"},{\"columnId\":\"524a43f5-836a-4bca-9631-de7fa1e4335d\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"d052422b-7069-4cc7-938c-a7802f3eb8cb\":{\"columns\":{\"f3be7369-746c-4e7e-b75d-c431d55783ec\":{\"label\":\"host.name > user.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"524a43f5-836a-4bca-9631-de7fa1e4335d\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"multi_terms\"},\"secondaryFields\":[\"user.name\"]},\"customLabel\":true},\"524a43f5-836a-4bca-9631-de7fa1e4335d\":{\"label\":\"Number of anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"f3be7369-746c-4e7e-b75d-c431d55783ec\",\"524a43f5-836a-4bca-9631-de7fa1e4335d\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 20 User-Host Combinations Associated with Data Exfiltration 
Activity\"},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":23,\"y\":23,\"w\":25,\"h\":15,\"i\":\"cb0d405a-f0d2-4328-a3bc-d50e842749f3\"},\"panelIndex\":\"cb0d405a-f0d2-4328-a3bc-d50e842749f3\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsChoropleth\",\"type\":\"lens\",\"references\":[{\"name\":\"indexpattern-datasource-layer-f97661af-4480-48ea-85a1-33c65e062d97\",\"id\":\".ml-anomalies-shared\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"f97661af-4480-48ea-85a1-33c65e062d97\",\"layerType\":\"data\",\"regionAccessor\":\"6fac8510-1db9-4b36-bb2a-737f6782ef33\",\"valueAccessor\":\"178e2b00-2c49-4971-bd7b-f6acc6d00cf6\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"f97661af-4480-48ea-85a1-33c65e062d97\":{\"columns\":{\"6fac8510-1db9-4b36-bb2a-737f6782ef33\":{\"label\":\" destination.geo.country_iso_code\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"destination.geo.country_iso_code\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"178e2b00-2c49-4971-bd7b-f6acc6d00cf6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"}},\"customLabel\":true},\"178e2b00-2c49-4971-bd7b-f6acc6d00cf6\":{\"label\":\"Number of anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"6fac8510-1db9-4b36-bb2a-737f6782ef33\",\"178e2b00-2c49-4971-bd7b-f6acc6d00cf6\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 20 Geo Locations Associated with Data Exfiltration Activity by ISO 
Code\"},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":38,\"w\":48,\"h\":13,\"i\":\"c2a276c9-b22f-4791-afd6-e0eee9b6cc05\"},\"panelIndex\":\"c2a276c9-b22f-4791-afd6-e0eee9b6cc05\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-11e91ade-6c94-46e8-96e7-592f5e522898\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"fa763272-957c-4ed5-a494-8ee580023bcc\",\"isTransposed\":false},{\"columnId\":\"429585bf-154f-49ec-97cd-009752a01a59\",\"isTransposed\":false}],\"layerId\":\"11e91ade-6c94-46e8-96e7-592f5e522898\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"11e91ade-6c94-46e8-96e7-592f5e522898\":{\"columns\":{\"fa763272-957c-4ed5-a494-8ee580023bcc\":{\"label\":\"File name > File path > External device type\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"file.name\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"429585bf-154f-49ec-97cd-009752a01a59\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"multi_terms\"},\"secondaryFields\":[\"file.path\",\"file.Ext.device.bus_type\"]},\"customLabel\":true},\"429585bf-154f-49ec-97cd-009752a01a59\":{\"label\":\"Number of anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"fa763272-957c-4ed5-a494-8ee580023bcc\",\"429585bf-154f-49ec-97cd-009752a01a59\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 20 File names, File paths and 
External device type Combinations Associated with Data Exfiltration Activity\"}]", "timeRestore": false, - "title": "Data Exfiltration Detection Dashboard (EUID)", + "title": "Data Exfiltration Detection Dashboard", "version": 2 }, "coreMigrationVersion": "8.5.1", - "id": "ded-euid-c618bd39-b2ed-4c26-8f5e-2c61777b127f", + "id": "ded-c0d7f060-7a6b-11ed-9b26-4bb95b2c57a6", "migrationVersion": { "dashboard": "8.5.0" }, diff --git a/packages/hta/kibana/dashboard/hta-c3773b23-471c-4168-bb02-90489161ce51.json b/packages/hta/kibana/dashboard/hta-c3773b23-471c-4168-bb02-90489161ce51.json new file mode 100644 index 00000000000..86997952949 --- /dev/null +++ b/packages/hta/kibana/dashboard/hta-c3773b23-471c-4168-bb02-90489161ce51.json 
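Review bot: the replaced `searchSourceJSON` query in ded-c0d7f060-7a6b-11ed-9b26-4bb95b2c57a6.json filters on job ids such as `high-sent-bytes-destination-geo-country_iso_code` (hyphenated, no `ded_` prefix, no `_euid` suffix), whereas the removed line used `ded_high_sent_bytes_destination_geo_country_iso_code_euid` and the rest of this series names jobs with underscores. KQL phrase matching on `job_id` is exact, so if the ids created by ded-ml.json do not literally equal these strings every panel on the dashboard will silently render empty. Please check the list against the job ids in the module (including any prefix users choose when creating jobs from it) and state the expected ids in the README. Minor: `job_id : \"high-sent-bytes-destination-port\"` has a stray space before the colon; KQL tolerates it, but the other terms do not have it.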
@@ -0,0 +1,122 @@ +{ + "id": "hta-c3773b23-471c-4168-bb02-90489161ce51", + "type": "dashboard", + "coreMigrationVersion": "8.8.0", + "migrationVersion": { + "dashboard": "8.9.0" + }, + "attributes": { + "version": 1, + "controlGroupInput": { + "controlStyle": "oneLine", + "chainingSystem": "HIERARCHICAL", + "panelsJSON": "{\"9c3b118a-6b55-43c2-8f8a-7905debfeaf1\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":false,\"width\":\"medium\",\"explicitInput\":{\"id\":\"9c3b118a-6b55-43c2-8f8a-7905debfeaf1\",\"fieldName\":\"host.name\",\"title\":\"host.name\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{},\"existsSelected\":true,\"selectedOptions\":[]}},\"62d77b7e-89ca-4cd9-8528-8102395c7beb\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":false,\"width\":\"medium\",\"explicitInput\":{\"id\":\"62d77b7e-89ca-4cd9-8528-8102395c7beb\",\"fieldName\":\"event.dataset\",\"title\":\"event.dataset\",\"grow\":false,\"width\":\"medium\",\"enhancements\":{}}}}", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}" + }, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "description": "This dashboard helps detect and understand traffic anomalies from hosts, such as sudden spikes or drops, which may indicate threats or system issues.", + "timeRestore": false, + "optionsJSON": "{\"useMargins\":true,\"syncColors\":true,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}", + "panelsJSON": "[{\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":15,\"h\":20,\"i\":\"2189938b-ac38-4a01-85a2-d05ef370375f\"},\"panelIndex\":\"2189938b-ac38-4a01-85a2-d05ef370375f\",\"embeddableConfig\":{\"savedVis\":{\"id\":\"\",\"title\":\"\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"### Description\\nThis dashboard helps detect and 
understand traffic anomalies from hosts, such as sudden spikes or drops, which may indicate threats or system issues.\\n\\n### Instructions\\nEnable the following jobs in order to detect host traffic anomalies:\\n- high_count_events_for_a_host_name\\n- low_count_events_for_a_host_name\\n\\n### How to enable jobs\\nGo to **Machine Learning** **->** Under Anomaly Detection, select **Jobs** **->** Click **Create anomaly detection job** button **->** Select your data view (ex: \\\"logs-*\\\") **->** Select **Security: Host** **->** Click **Create jobs**\\n\\n[Documentation link 🔗](https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html#security-host)\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"enhancements\":{},\"hidePanelTitles\":true},\"title\":\"Description\"},{\"type\":\"lens\",\"gridData\":{\"x\":15,\"y\":0,\"w\":10,\"h\":7,\"i\":\"d5406e02-23be-4706-b754-6c98322988f0\"},\"panelIndex\":\"d5406e02-23be-4706-b754-6c98322988f0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0878cf0f-9248-4259-9fde-be7d100dd7da\"}],\"state\":{\"visualization\":{\"layerId\":\"0878cf0f-9248-4259-9fde-be7d100dd7da\",\"layerType\":\"data\",\"metricAccessor\":\"0c941069-ccc2-461e-8a74-3e635d691757\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"0878cf0f-9248-4259-9fde-be7d100dd7da\":{\"columns\":{\"0c941069-ccc2-461e-8a74-3e635d691757X0\":{\"label\":\"Part of Total Hosts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"filter\":{\"query\":\"event.category:* AND host.name:* AND event.dataset:* AND event.outcome: 
\\\"success\\\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"0c941069-ccc2-461e-8a74-3e635d691757\":{\"label\":\"Total Hosts\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"unique_count(host.name)\",\"isFormulaBroken\":false},\"references\":[\"0c941069-ccc2-461e-8a74-3e635d691757X0\"],\"filter\":{\"query\":\"event.category:* AND host.name:* AND event.dataset:* AND event.outcome: \\\"success\\\"\",\"language\":\"kuery\"},\"customLabel\":true}},\"columnOrder\":[\"0c941069-ccc2-461e-8a74-3e635d691757\",\"0c941069-ccc2-461e-8a74-3e635d691757X0\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\"logs-*\"}},\"currentIndexPatternId\":\"logs-*\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"lens\",\"gridData\":{\"x\":25,\"y\":0,\"w\":12,\"h\":7,\"i\":\"095364c8-b16f-4a65-bc20-7e3d6434a7c5\"},\"panelIndex\":\"095364c8-b16f-4a65-bc20-7e3d6434a7c5\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-f4e80a32-b042-4b35-a6f1-e63ca1f73810\"}],\"state\":{\"visualization\":{\"layerId\":\"f4e80a32-b042-4b35-a6f1-e63ca1f73810\",\"layerType\":\"data\",\"metricAccessor\":\"a3bbfd29-c023-41ce-8ebe-14fb165e36cc\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"f4e80a32-b042-4b35-a6f1-e63ca1f73810\":{\"columns\":{\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX0\":{\"label\":\"Part of Average traffic data\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"event.category:* AND host.name:* AND 
event.dataset:* AND event.outcome: \\\"success\\\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX1\":{\"label\":\"Part of Average traffic data\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"filter\":{\"query\":\"event.category:* AND host.name:* AND event.dataset:* AND event.outcome: \\\"success\\\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX2\":{\"label\":\"Part of Average traffic data\",\"dataType\":\"number\",\"operationType\":\"math\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"tinymathAst\":{\"type\":\"function\",\"name\":\"divide\",\"args\":[{\"type\":\"function\",\"name\":\"divide\",\"args\":[\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX0\",\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX1\"],\"location\":{\"min\":1,\"max\":32},\"text\":\"count()/unique_count(host.name)\"},1000000],\"location\":{\"min\":0,\"max\":41},\"text\":\"(count()/unique_count(host.name))/1000000\"}},\"references\":[\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX0\",\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX1\"],\"customLabel\":true},\"a3bbfd29-c023-41ce-8ebe-14fb165e36cc\":{\"label\":\"Average traffic data\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"(count()/unique_count(host.name))/1000000\",\"isFormulaBroken\":false,\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2,\"suffix\":\"mbps\"}}},\"references\":[\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX2\"],\"filter\":{\"query\":\"event.category:* AND host.name:* AND event.dataset:* AND event.outcome: 
\\\"success\\\"\",\"language\":\"kuery\"},\"customLabel\":true}},\"columnOrder\":[\"a3bbfd29-c023-41ce-8ebe-14fb165e36cc\",\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX0\",\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX1\",\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX2\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\"logs-*\"}},\"currentIndexPatternId\":\"logs-*\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"lens\",\"gridData\":{\"x\":37,\"y\":0,\"w\":11,\"h\":7,\"i\":\"17cbd05f-fe7c-409e-97ae-780476124c04\"},\"panelIndex\":\"17cbd05f-fe7c-409e-97ae-780476124c04\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-5c67ed52-f853-4732-bdc0-8f6f26cff79d\"}],\"state\":{\"visualization\":{\"layerId\":\"5c67ed52-f853-4732-bdc0-8f6f26cff79d\",\"layerType\":\"data\",\"metricAccessor\":\"fb2439f6-2fdf-4d84-98c1-74d38902671c\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"5c67ed52-f853-4732-bdc0-8f6f26cff79d\":{\"columns\":{\"fb2439f6-2fdf-4d84-98c1-74d38902671c\":{\"label\":\"Hosts with unusual traffic\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true,\"filter\":{\"query\":\"job_id : (\\\"high_count_events_for_a_host_name\\\" or \\\"low_count_events_for_a_host_name\\\" ) and result_type :\\\"record\\\" 
\",\"language\":\"kuery\"}}},\"columnOrder\":[\"fb2439f6-2fdf-4d84-98c1-74d38902671c\"],\"incompleteColumns\":{}}}},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":true}},{\"type\":\"lens\",\"gridData\":{\"x\":15,\"y\":7,\"w\":10,\"h\":13,\"i\":\"d7840b4a-1b5d-444c-86b8-eebf0434709a\"},\"panelIndex\":\"d7840b4a-1b5d-444c-86b8-eebf0434709a\",\"embeddableConfig\":{\"hidePanelTitles\":true,\"enhancements\":{},\"attributes\":{\"title\":\"Total anomalies detected\",\"visualizationType\":\"lnsMetric\",\"state\":{\"visualization\":{\"layerId\":\"6dc48429-d618-4e6a-a307-9944d2ee13b7\",\"layerType\":\"data\",\"metricAccessor\":\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\",\"color\":\"#AA6556\",\"icon\":\"sortUp\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"6dc48429-d618-4e6a-a307-9944d2ee13b7\":{\"columns\":{\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\":{\"label\":\"Total anomalies detected\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":false},\"filter\":{\"query\":\"job_id : (\\\"high_count_events_for_a_host_name\\\" or \\\"low_count_events_for_a_host_name\\\" ) and result_type : 
\\\"record\\\"\",\"language\":\"kuery\"},\"customLabel\":true}},\"columnOrder\":[\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}},\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-6dc48429-d618-4e6a-a307-9944d2ee13b7\"}],\"type\":\"lens\",\"savedObjectId\":\"fca78426-ea3d-4902-b761-2928d23a1191\"}}},{\"type\":\"lens\",\"gridData\":{\"x\":37,\"y\":7,\"w\":11,\"h\":13,\"i\":\"ff1b9e2c-5eda-4562-988c-081ed5cf6e73\"},\"panelIndex\":\"ff1b9e2c-5eda-4562-988c-081ed5cf6e73\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-6dc48429-d618-4e6a-a307-9944d2ee13b7\"}],\"state\":{\"visualization\":{\"layerId\":\"6dc48429-d618-4e6a-a307-9944d2ee13b7\",\"layerType\":\"data\",\"metricAccessor\":\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\",\"breakdownByAccessor\":\"ef522b68-f45e-43dd-9db4-aaccfc594e35\",\"maxCols\":1,\"color\":\"#6092C0\",\"icon\":\"sortDown\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"6dc48429-d618-4e6a-a307-9944d2ee13b7\":{\"columns\":{\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"filter\":{\"query\":\"job_id : ( \\\"low_count_events_for_a_host_name\\\" ) and result_type :\\\"record\\\" 
\",\"language\":\"kuery\"}},\"ef522b68-f45e-43dd-9db4-aaccfc594e35\":{\"label\":\"Filters\",\"dataType\":\"string\",\"operationType\":\"filters\",\"scale\":\"ordinal\",\"isBucketed\":true,\"params\":{\"filters\":[{\"label\":\"Low Traffic Anomalies\",\"input\":{\"query\":\"\\\"job_id\\\" : \\\"low_count_events_for_a_host_name\\\" \",\"language\":\"kuery\"}}]}}},\"columnOrder\":[\"ef522b68-f45e-43dd-9db4-aaccfc594e35\",\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"lens\",\"gridData\":{\"x\":25,\"y\":7,\"w\":12,\"h\":13,\"i\":\"1a35a792-12de-4450-a129-ace659dabd01\"},\"panelIndex\":\"1a35a792-12de-4450-a129-ace659dabd01\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-6dc48429-d618-4e6a-a307-9944d2ee13b7\"}],\"state\":{\"visualization\":{\"layerId\":\"6dc48429-d618-4e6a-a307-9944d2ee13b7\",\"layerType\":\"data\",\"metricAccessor\":\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\",\"color\":\"#E7664C\",\"icon\":\"sortUp\",\"breakdownByAccessor\":\"25a19bc8-91e1-4861-92ff-9e18f1432d3f\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"6dc48429-d618-4e6a-a307-9944d2ee13b7\":{\"columns\":{\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":false},\"filter\":{\"query\":\"job_id : \\\"high_count_events_for_a_host_name\\\" and result_type : \\\"record\\\" 
\",\"language\":\"kuery\"}},\"25a19bc8-91e1-4861-92ff-9e18f1432d3f\":{\"label\":\"Filters\",\"dataType\":\"string\",\"operationType\":\"filters\",\"scale\":\"ordinal\",\"isBucketed\":true,\"params\":{\"filters\":[{\"input\":{\"query\":\"job_id : (\\\"high_count_events_for_a_host_name\\\" )\",\"language\":\"kuery\"},\"label\":\"High Traffic Anomalies\"}]}}},\"columnOrder\":[\"25a19bc8-91e1-4861-92ff-9e18f1432d3f\",\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"ml_anomaly_swimlane\",\"gridData\":{\"x\":0,\"y\":20,\"w\":48,\"h\":17,\"i\":\"2459f8bb-d57f-49ec-b472-aa1328baebd8\"},\"panelIndex\":\"2459f8bb-d57f-49ec-b472-aa1328baebd8\",\"embeddableConfig\":{\"jobIds\":[\"low_count_events_for_a_host_name\",\"high_count_events_for_a_host_name\"],\"panelTitle\":\"Anomalies detected per host\",\"swimlaneType\":\"viewBy\",\"viewBy\":\"host.name\",\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Hosts with unusual traffic 
patterns\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":37,\"w\":24,\"h\":15,\"i\":\"6ca0394b-fa7b-4efe-b17d-e0823e8087b3\"},\"panelIndex\":\"6ca0394b-fa7b-4efe-b17d-e0823e8087b3\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-914f81de-6cbc-4863-9e44-b69d323d41d2\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":false,\"position\":\"bottom\",\"isInside\":false,\"showSingleSeries\":false},\"valueLabels\":\"show\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal_stacked\",\"layers\":[{\"layerId\":\"914f81de-6cbc-4863-9e44-b69d323d41d2\",\"accessors\":[\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\"],\"position\":\"top\",\"seriesType\":\"bar_horizontal_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"splitAccessor\":\"f6970021-0d2e-4c33-9a26-9e15030a157a\",\"xAccessor\":\"e7bc81ec-8882-4d97-816e-053c19412845\",\"palette\":{\"type\":\"palette\",\"name\":\"complimentary\"}}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"914f81de-6cbc-4863-9e44-b69d323d41d2\":{\"columns\":{\"f6970021-0d2e-4c33-9a26-9e15030a157a\":{\"label\":\"Filters\",\"dataType\":\"string\",\"operationType\":\"filters\",\"scale\":\"ordinal\",\"isBucketed\":true,\"params\":{\"filters\":[{\"label\":\"\",\"input\":{\"query\":\"job_id : \\\"low_count_events_for_a_host_name\\\" and result_type : \\\"record\\\" \",\"language\":\"kuery\"}}]}},\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"e7bc81ec-8882-4d97-816e-053c19412845\":{\"label\":\"Top 5 values of host.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"f6970021-0d2e-4c33-9a26-9e15030a157a\",\"e7bc81ec-8882-4d97-816e-053c19412845\",\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 5 low traffic 
hosts\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":37,\"w\":24,\"h\":15,\"i\":\"271e0000-4a5f-44fc-a346-f18b7642affb\"},\"panelIndex\":\"271e0000-4a5f-44fc-a346-f18b7642affb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-914f81de-6cbc-4863-9e44-b69d323d41d2\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":false,\"position\":\"bottom\",\"shouldTruncate\":true,\"showSingleSeries\":false},\"valueLabels\":\"show\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal_stacked\",\"layers\":[{\"layerId\":\"914f81de-6cbc-4863-9e44-b69d323d41d2\",\"accessors\":[\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\"],\"position\":\"top\",\"seriesType\":\"bar_horizontal_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"splitAccessor\":\"f6970021-0d2e-4c33-9a26-9e15030a157a\",\"xAccessor\":\"e7bc81ec-8882-4d97-816e-053c19412845\",\"palette\":{\"type\":\"palette\",\"name\":\"warm\"}}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"914f81de-6cbc-4863-9e44-b69d323d41d2\":{\"columns\":{\"f6970021-0d2e-4c33-9a26-9e15030a157a\":{\"label\":\"Filters\",\"dataType\":\"string\",\"operationType\":\"filters\",\"scale\":\"ordinal\",\"isBucketed\":true,\"params\":{\"filters\":[{\"label\":\"\",\"input\":{\"query\":\"job_id : \\\"high_count_events_for_a_host_name\\\" and result_type : \\\"record\\\" \",\"language\":\"kuery\"}}]}},\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"e7bc81ec-8882-4d97-816e-053c19412845\":{\"label\":\"Top 5 values of host.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"f6970021-0d2e-4c33-9a26-9e15030a157a\",\"e7bc81ec-8882-4d97-816e-053c19412845\",\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 5 high traffic 
hosts\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":52,\"w\":48,\"h\":16,\"i\":\"a4b62995-53a2-4172-baa7-dd1bd915ac7d\"},\"panelIndex\":\"a4b62995-53a2-4172-baa7-dd1bd915ac7d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-d437f4ff-74ee-4331-801b-be6e5c990de0\"},{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-230b3abd-6bbd-4a50-8e51-14524532ad06\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"Linear\",\"curveType\":\"CURVE_MONOTONE_X\",\"showCurrentTimeMarker\":false,\"valuesInLegend\":true,\"yLeftScale\":\"sqrt\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"d437f4ff-74ee-4331-801b-be6e5c990de0\",\"accessors\":[\"e984c84e-806f-46a4-8ab1-0b0aa4a23fd6\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"05c80e04-0870-4876-a665-b4844ed36eb1\",\"splitAccessor\":\"206e9fca-0d44-41c6-9451-c7ed6d532d67\"},{\"layerId\":\"230b3abd-6bbd-4a50-8e51-14524532ad06\",\"layerType\":\"data\",\"accessors\":[\"34af8905-9648-4963-8c6e-f36fa638a8e1\"],\"seriesType\":\"line\",\"xAccessor\":\"3a80d472-891e-4958-a27c-822d5d561b64\",\"yConfig\":[{\"forAccessor\":\"34af8905-9648-4963-8c6e-f36fa638a8e1\",\"color\":\"#e7664c\"}],\"splitAccessor\":\"6d21d26b-7857-408f-917a-51dc7468fe9d\"}],\"endValue\":\"Zero\"},\"query\":{\"query\":\"job_id: (\\\"high_count_events_for_a_host_name\\\" ) and host.name : * and result_type : 
\\\"record\\\" \",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"result_type\",\"params\":{\"query\":\"influencer\"},\"index\":\"1acb5707-28a3-4440-800c-70da0d87725f\"},\"query\":{\"match_phrase\":{\"result_type\":\"influencer\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d437f4ff-74ee-4331-801b-be6e5c990de0\":{\"columns\":{\"05c80e04-0870-4876-a665-b4844ed36eb1\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":false,\"dropPartials\":true}},\"e984c84e-806f-46a4-8ab1-0b0aa4a23fd6\":{\"label\":\"Average of actual\",\"dataType\":\"number\",\"operationType\":\"average\",\"sourceField\":\"actual\",\"isBucketed\":false,\"scale\":\"ratio\",\"filter\":{\"query\":\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true}},\"206e9fca-0d44-41c6-9451-c7ed6d532d67\":{\"label\":\"Top 300 values of 
host.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":300,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e984c84e-806f-46a4-8ab1-0b0aa4a23fd6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"05c80e04-0870-4876-a665-b4844ed36eb1\",\"206e9fca-0d44-41c6-9451-c7ed6d532d67\",\"e984c84e-806f-46a4-8ab1-0b0aa4a23fd6\"],\"incompleteColumns\":{},\"sampling\":1},\"230b3abd-6bbd-4a50-8e51-14524532ad06\":{\"linkToLayers\":[],\"columns\":{\"3a80d472-891e-4958-a27c-822d5d561b64\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":true}},\"34af8905-9648-4963-8c6e-f36fa638a8e1\":{\"label\":\"Average of typical\",\"dataType\":\"number\",\"operationType\":\"average\",\"sourceField\":\"typical\",\"isBucketed\":false,\"scale\":\"ratio\",\"filter\":{\"query\":\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true}},\"6d21d26b-7857-408f-917a-51dc7468fe9d\":{\"label\":\"Top 300 values of 
host.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":300,\"orderBy\":{\"type\":\"column\",\"columnId\":\"34af8905-9648-4963-8c6e-f36fa638a8e1\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"6d21d26b-7857-408f-917a-51dc7468fe9d\",\"3a80d472-891e-4958-a27c-822d5d561b64\",\"34af8905-9648-4963-8c6e-f36fa638a8e1\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}}}},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Hosts with spikes in traffic\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":68,\"w\":48,\"h\":13,\"i\":\"c56c231d-ca87-4311-9827-50562563cf34\"},\"panelIndex\":\"c56c231d-ca87-4311-9827-50562563cf34\",\"embeddableConfig\":{\"enhancements\":{},\"attributes\":{\"title\":\"Anomalies detected over 
time\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-c79ffa3c-754a-48ab-ba60-46afd0d7ff3c\"},{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-a4a449ad-43c4-4d81-bb00-92ce098247a6\"},{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-b36bcefe-42ed-4e91-b487-4b2c8652f4f5\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\",\"legendSize\":\"large\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"c79ffa3c-754a-48ab-ba60-46afd0d7ff3c\",\"accessors\":[\"5a7ea0d2-b833-43a0-b2ee-760491aa7c20\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"palette\":{\"type\":\"palette\",\"name\":\"temperature\"},\"xAccessor\":\"3fc83bd9-2314-436e-8b61-4a8f5694e509\",\"splitAccessor\":\"afcd1239-1670-4b38-97c6-60dd18720834\"},{\"layerId\":\"a4a449ad-43c4-4d81-bb00-92ce098247a6\",\"layerType\":\"data\",\"accessors\":[\"16dbf6a1-9df7-46e0-bb21-f1968227cfb0\"],\"seriesType\":\"line\",\"xAccessor\":\"a5ac8da2-140e-4b67-9685-08424ee93fc3\"},{\"layerId\":\"b36bcefe-42ed-4e91-b487-4b2c8652f4f5\",\"layerType\":\"data\",\"accessors\":[\"4ac4ae30-2b63-4f92-926b-a3367c126709\"],\"seriesType\":\"line\",\"xAccessor\":\"d6a8746c-e875-4e90-b370-16d03e0d0cec\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"c79ffa3c-754a-48ab-ba60-46afd0d7ff3c\":{\"columns\":{\"3fc83bd9-2314-436e-8b61-4a8f
5694e509\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"d\",\"includeEmptyRows\":false,\"dropPartials\":true}},\"afcd1239-1670-4b38-97c6-60dd18720834\":{\"label\":\"Filters\",\"dataType\":\"string\",\"operationType\":\"filters\",\"scale\":\"ordinal\",\"isBucketed\":true,\"params\":{\"filters\":[{\"input\":{\"query\":\"job_id: \\\"low_count_events_for_a_host_name\\\" and result_type : \\\"record\\\" \",\"language\":\"kuery\"},\"label\":\"Low Traffic Anomalies\"},{\"input\":{\"query\":\"job_id: \\\"high_count_events_for_a_host_name\\\" and result_type : \\\"record\\\" \",\"language\":\"kuery\"},\"label\":\"High Traffic Anomalis\"}]}},\"5a7ea0d2-b833-43a0-b2ee-760491aa7c20\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3fc83bd9-2314-436e-8b61-4a8f5694e509\",\"afcd1239-1670-4b38-97c6-60dd18720834\",\"5a7ea0d2-b833-43a0-b2ee-760491aa7c20\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}},\"a4a449ad-43c4-4d81-bb00-92ce098247a6\":{\"linkToLayers\":[],\"columns\":{\"a5ac8da2-140e-4b67-9685-08424ee93fc3\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"d\",\"includeEmptyRows\":false,\"dropPartials\":true}},\"16dbf6a1-9df7-46e0-bb21-f1968227cfb0\":{\"label\":\"Average of actual\",\"dataType\":\"number\",\"operationType\":\"average\",\"sourceField\":\"actual\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true,\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"filter\":{\"query\":\"job_id : 
(\\\"high_count_events_for_a_host_name\\\" or \\\"low_count_events_for_a_host_name\\\" ) and result_type : \\\"record\\\"\",\"language\":\"kuery\"}}},\"columnOrder\":[\"a5ac8da2-140e-4b67-9685-08424ee93fc3\",\"16dbf6a1-9df7-46e0-bb21-f1968227cfb0\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}},\"b36bcefe-42ed-4e91-b487-4b2c8652f4f5\":{\"linkToLayers\":[],\"columns\":{\"d6a8746c-e875-4e90-b370-16d03e0d0cec\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"d\",\"includeEmptyRows\":false,\"dropPartials\":true}},\"4ac4ae30-2b63-4f92-926b-a3367c126709\":{\"label\":\"Average of typical\",\"dataType\":\"number\",\"operationType\":\"average\",\"sourceField\":\"typical\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true,\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"filter\":{\"query\":\"job_id : (\\\"high_count_events_for_a_host_name\\\" or \\\"low_count_events_for_a_host_name\\\" ) and result_type : 
\\\"record\\\"\",\"language\":\"kuery\"}}},\"columnOrder\":[\"d6a8746c-e875-4e90-b370-16d03e0d0cec\",\"4ac4ae30-2b63-4f92-926b-a3367c126709\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}}}},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}}}},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":81,\"w\":24,\"h\":15,\"i\":\"7730f065-9101-453b-886c-addc2f2fa726\"},\"panelIndex\":\"7730f065-9101-453b-886c-addc2f2fa726\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-c7ce8741-3831-487f-8227-1d97a4bf565a\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"b17e458f-5564-4c49-b5b0-4f26bd3737bc\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"a9a3a723-ad58-495c-b744-84990d1a7fb1\",\"isTransposed\":false,\"isMetric\":true,\"hidden\":true}],\"layerId\":\"c7ce8741-3831-487f-8227-1d97a4bf565a\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"c7ce8741-3831-487f-8227-1d97a4bf565a\":{\"columns\":{\"b17e458f-5564-4c49-b5b0-4f26bd3737bc\":{\"label\":\"Host name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a9a3a723-ad58-495c-b744-84990d1a7fb1\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"a9a3a723-ad58-495c-b744-84990d1a7fb1\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"job_id : (\\\"low_count_events_for_a_host_name\\\" ) and result_type : \\\"record\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"b17e458f-5564-4c49-b5b0-4f26bd3737bc\",\"a9a3a723-ad58-495c-b744-84990d1a7fb1\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}}}},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 5 hosts with low traffic anomalies\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":81,\"w\":24,\"h\":15,\"i\":\"694ec862-3b9b-4c2d-9856-6dbec333774d\"},\"panelIndex\":\"694ec862-3b9b-4c2d-9856-6dbec333774d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-1f385df7-2895-46aa-acd1-fb65378dbe61\"}],\"state\":{\"visualization\":{\"layerId\":\"1f385df7-2895-46aa-acd1-fb65378dbe61\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"bfc1fa28-d585-44a7-9dc6-1a89a2ac076a\"},{\"columnId\":\"f305e930-2710-45aa-9fbb-1cd06722e1ce\",\"isTransposed\":false,\"isMetric\":true,\"hidden\":true}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"1f385df7-2895-46aa-acd1-fb65378dbe61\":{\"columns\":{\"bfc1fa28-d585-44a7-9dc6-1a89a2ac076a\":{\"label\":\"Host 
name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f305e930-2710-45aa-9fbb-1cd06722e1ce\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"f305e930-2710-45aa-9fbb-1cd06722e1ce\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"job_id : (\\\"high_count_events_for_a_host_name\\\" ) and result_type : \\\"record\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false}}},\"columnOrder\":[\"bfc1fa28-d585-44a7-9dc6-1a89a2ac076a\",\"f305e930-2710-45aa-9fbb-1cd06722e1ce\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}}}},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 5 hosts with high traffic anomalies\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":96,\"w\":24,\"h\":15,\"i\":\"0ddae9ae-f243-4fe9-9f02-0692c89e597e\"},\"panelIndex\":\"0ddae9ae-f243-4fe9-9f02-0692c89e597e\",\"embeddableConfig\":{\"enhancements\":{},\"attributes\":{\"title\":\"Top 5 host names with zero traffic 
count\",\"visualizationType\":\"lnsDatatable\",\"state\":{\"visualization\":{\"layerId\":\"ccb0e613-5210-466d-b06c-dd551d3d2c3d\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"4e6985ee-e7c1-436e-92b9-8533edbde0d0\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"fb904bf7-140d-448d-94e8-b4f99b363eba\",\"isTransposed\":false,\"isMetric\":true,\"hidden\":true}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"ccb0e613-5210-466d-b06c-dd551d3d2c3d\":{\"columns\":{\"4e6985ee-e7c1-436e-92b9-8533edbde0d0\":{\"label\":\"Host name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"fb904bf7-140d-448d-94e8-b4f99b363eba\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"fb904bf7-140d-448d-94e8-b4f99b363eba\":{\"label\":\"Median of actual\",\"dataType\":\"number\",\"operationType\":\"median\",\"sourceField\":\"actual\",\"isBucketed\":false,\"scale\":\"ratio\",\"filter\":{\"query\":\"job_id : (\\\"high_count_events_for_a_host_name\\\" or \\\"low_count_events_for_a_host_name\\\" ) and result_type : \\\"record\\\" and 
actual:0\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"4e6985ee-e7c1-436e-92b9-8533edbde0d0\",\"fb904bf7-140d-448d-94e8-b4f99b363eba\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}},\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-ccb0e613-5210-466d-b06c-dd551d3d2c3d\"}],\"type\":\"lens\",\"savedObjectId\":\"0c768d12-300d-4b07-aff5-dffbf394e1f5\"}}}]", + "title": "Host Traffic Anomalies" + }, + "references": [ + { + "type": "index-pattern", + "id": "logs-*", + "name": "d5406e02-23be-4706-b754-6c98322988f0:indexpattern-datasource-layer-0878cf0f-9248-4259-9fde-be7d100dd7da" + }, + { + "type": "index-pattern", + "id": "logs-*", + "name": "095364c8-b16f-4a65-bc20-7e3d6434a7c5:indexpattern-datasource-layer-f4e80a32-b042-4b35-a6f1-e63ca1f73810" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "17cbd05f-fe7c-409e-97ae-780476124c04:indexpattern-datasource-layer-5c67ed52-f853-4732-bdc0-8f6f26cff79d" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "d7840b4a-1b5d-444c-86b8-eebf0434709a:indexpattern-datasource-layer-6dc48429-d618-4e6a-a307-9944d2ee13b7" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "ff1b9e2c-5eda-4562-988c-081ed5cf6e73:indexpattern-datasource-layer-6dc48429-d618-4e6a-a307-9944d2ee13b7" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "1a35a792-12de-4450-a129-ace659dabd01:indexpattern-datasource-layer-6dc48429-d618-4e6a-a307-9944d2ee13b7" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "6ca0394b-fa7b-4efe-b17d-e0823e8087b3:indexpattern-datasource-layer-914f81de-6cbc-4863-9e44-b69d323d41d2" + }, + { + "type": 
"index-pattern", + "id": ".ml-anomalies-shared", + "name": "271e0000-4a5f-44fc-a346-f18b7642affb:indexpattern-datasource-layer-914f81de-6cbc-4863-9e44-b69d323d41d2" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "a4b62995-53a2-4172-baa7-dd1bd915ac7d:indexpattern-datasource-layer-d437f4ff-74ee-4331-801b-be6e5c990de0" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "a4b62995-53a2-4172-baa7-dd1bd915ac7d:indexpattern-datasource-layer-230b3abd-6bbd-4a50-8e51-14524532ad06" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "c56c231d-ca87-4311-9827-50562563cf34:indexpattern-datasource-layer-c79ffa3c-754a-48ab-ba60-46afd0d7ff3c" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "c56c231d-ca87-4311-9827-50562563cf34:indexpattern-datasource-layer-a4a449ad-43c4-4d81-bb00-92ce098247a6" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "c56c231d-ca87-4311-9827-50562563cf34:indexpattern-datasource-layer-b36bcefe-42ed-4e91-b487-4b2c8652f4f5" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "7730f065-9101-453b-886c-addc2f2fa726:indexpattern-datasource-layer-c7ce8741-3831-487f-8227-1d97a4bf565a" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "694ec862-3b9b-4c2d-9856-6dbec333774d:indexpattern-datasource-layer-1f385df7-2895-46aa-acd1-fb65378dbe61" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "0ddae9ae-f243-4fe9-9f02-0692c89e597e:indexpattern-datasource-layer-ccb0e613-5210-466d-b06c-dd551d3d2c3d" + }, + { + "name": "controlGroup_9c3b118a-6b55-43c2-8f8a-7905debfeaf1:optionsListDataView", + "type": "index-pattern", + "id": "logs-*" + }, + { + "name": "controlGroup_62d77b7e-89ca-4cd9-8528-8102395c7beb:optionsListDataView", + "type": "index-pattern", + "id": "logs-*" + }, + { + "type": "tag", + "id": "hta-192d4418-0096-4ebd-9699-d961b8c8f6f7", + "name": 
"tag-hta-192d4418-0096-4ebd-9699-d961b8c8f6f7" + } + ] +} \ No newline at end of file diff --git a/packages/hta/kibana/dashboard/hta-euid-9ab90b79-7549-4329-98a4-37262834d875.json b/packages/hta/kibana/dashboard/hta-euid-9ab90b79-7549-4329-98a4-37262834d875.json deleted file mode 100644 index e9a21070420..00000000000 --- a/packages/hta/kibana/dashboard/hta-euid-9ab90b79-7549-4329-98a4-37262834d875.json +++ /dev/null 
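Review bot: the anomaly panels of the new "Host Traffic Anomalies" dashboard filter on job_id "low_count_events_for_a_host_name" and "high_count_events_for_a_host_name" (the two "Top 5 hosts" datatables and the "zero traffic count" table), while the hta-euid dashboard deleted in the next file filtered on the "_euid" variants ("low_count_events_for_a_host_name_euid" / "high_count_events_for_a_host_name_euid"); please confirm the unsuffixed ids match the jobs the hta ML module ships after this change, otherwise every anomaly panel in the new dashboard renders empty. Two smaller points in the same hunk: the "Top 5 host names with zero traffic count" table orders its terms bucket by the hidden "Median of actual" column, whose filter ends in "and actual:0", so the sort key is 0 for every host and the "top 5" is effectively arbitrary; ordering by a record count, as the neighbouring tables do, would make the ranking meaningful. Also the two "Count of records" columns of the low/high traffic tables disagree on emptyAsNull (true vs false), and the file is committed without a trailing newline ("\ No newline at end of file"); both are worth aligning with the other dashboards in this series.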
@@ -1,122 +0,0 @@ -{ - "id": "hta-euid-9ab90b79-7549-4329-98a4-37262834d875", - "type": "dashboard", - "coreMigrationVersion": "8.8.0", - "migrationVersion": { - "dashboard": "8.9.0" - }, - "attributes": { - "version": 1, - "controlGroupInput": { - "controlStyle": "oneLine", - "chainingSystem": "HIERARCHICAL", - "panelsJSON": "{\"9c3b118a-6b55-43c2-8f8a-7905debfeaf1\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":false,\"width\":\"medium\",\"explicitInput\":{\"id\":\"9c3b118a-6b55-43c2-8f8a-7905debfeaf1\",\"fieldName\":\"host.name\",\"title\":\"host.name\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{},\"existsSelected\":true,\"selectedOptions\":[]}},\"62d77b7e-89ca-4cd9-8528-8102395c7beb\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":false,\"width\":\"medium\",\"explicitInput\":{\"id\":\"62d77b7e-89ca-4cd9-8528-8102395c7beb\",\"fieldName\":\"event.dataset\",\"title\":\"event.dataset\",\"grow\":false,\"width\":\"medium\",\"enhancements\":{}}}}", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}" - }, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" - }, - "description": "This dashboard helps detect and understand traffic anomalies from hosts, such as sudden spikes or drops, which may indicate threats or system issues.", - "timeRestore": false, - "optionsJSON": "{\"useMargins\":true,\"syncColors\":true,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}", - "panelsJSON": "[{\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":15,\"h\":20,\"i\":\"2189938b-ac38-4a01-85a2-d05ef370375f\"},\"panelIndex\":\"2189938b-ac38-4a01-85a2-d05ef370375f\",\"embeddableConfig\":{\"savedVis\":{\"id\":\"\",\"title\":\"\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"### Description\\nThis dashboard helps detect and 
understand traffic anomalies from hosts, such as sudden spikes or drops, which may indicate threats or system issues.\\n\\n### Instructions\\nEnable the following jobs in order to detect host traffic anomalies:\\n- high_count_events_for_a_host_name_euid\\n- low_count_events_for_a_host_name_euid\\n\\n### How to enable jobs\\nGo to **Machine Learning** **->** Under Anomaly Detection, select **Jobs** **->** Click **Create anomaly detection job** button **->** Select your data view (ex: \\\"logs-*\\\") **->** Select **Security: Host** **->** Click **Create jobs**\\n\\n[Documentation link 🔗](https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html#security-host)\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"enhancements\":{},\"hidePanelTitles\":true},\"title\":\"Description\"},{\"type\":\"lens\",\"gridData\":{\"x\":15,\"y\":0,\"w\":10,\"h\":7,\"i\":\"d5406e02-23be-4706-b754-6c98322988f0\"},\"panelIndex\":\"d5406e02-23be-4706-b754-6c98322988f0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0878cf0f-9248-4259-9fde-be7d100dd7da\"}],\"state\":{\"visualization\":{\"layerId\":\"0878cf0f-9248-4259-9fde-be7d100dd7da\",\"layerType\":\"data\",\"metricAccessor\":\"0c941069-ccc2-461e-8a74-3e635d691757\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"0878cf0f-9248-4259-9fde-be7d100dd7da\":{\"columns\":{\"0c941069-ccc2-461e-8a74-3e635d691757X0\":{\"label\":\"Part of Total Hosts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"filter\":{\"query\":\"event.category:* AND host.name:* AND event.dataset:* AND event.outcome: 
\\\"success\\\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"0c941069-ccc2-461e-8a74-3e635d691757\":{\"label\":\"Total Hosts\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"unique_count(host.name)\",\"isFormulaBroken\":false},\"references\":[\"0c941069-ccc2-461e-8a74-3e635d691757X0\"],\"filter\":{\"query\":\"event.category:* AND host.name:* AND event.dataset:* AND event.outcome: \\\"success\\\"\",\"language\":\"kuery\"},\"customLabel\":true}},\"columnOrder\":[\"0c941069-ccc2-461e-8a74-3e635d691757\",\"0c941069-ccc2-461e-8a74-3e635d691757X0\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\"logs-*\"}},\"currentIndexPatternId\":\"logs-*\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"lens\",\"gridData\":{\"x\":25,\"y\":0,\"w\":12,\"h\":7,\"i\":\"095364c8-b16f-4a65-bc20-7e3d6434a7c5\"},\"panelIndex\":\"095364c8-b16f-4a65-bc20-7e3d6434a7c5\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-f4e80a32-b042-4b35-a6f1-e63ca1f73810\"}],\"state\":{\"visualization\":{\"layerId\":\"f4e80a32-b042-4b35-a6f1-e63ca1f73810\",\"layerType\":\"data\",\"metricAccessor\":\"a3bbfd29-c023-41ce-8ebe-14fb165e36cc\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"f4e80a32-b042-4b35-a6f1-e63ca1f73810\":{\"columns\":{\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX0\":{\"label\":\"Part of Average traffic data\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"event.category:* AND host.name:* AND 
event.dataset:* AND event.outcome: \\\"success\\\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX1\":{\"label\":\"Part of Average traffic data\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"filter\":{\"query\":\"event.category:* AND host.name:* AND event.dataset:* AND event.outcome: \\\"success\\\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX2\":{\"label\":\"Part of Average traffic data\",\"dataType\":\"number\",\"operationType\":\"math\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"tinymathAst\":{\"type\":\"function\",\"name\":\"divide\",\"args\":[{\"type\":\"function\",\"name\":\"divide\",\"args\":[\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX0\",\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX1\"],\"location\":{\"min\":1,\"max\":32},\"text\":\"count()/unique_count(host.name)\"},1000000],\"location\":{\"min\":0,\"max\":41},\"text\":\"(count()/unique_count(host.name))/1000000\"}},\"references\":[\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX0\",\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX1\"],\"customLabel\":true},\"a3bbfd29-c023-41ce-8ebe-14fb165e36cc\":{\"label\":\"Average traffic data\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"(count()/unique_count(host.name))/1000000\",\"isFormulaBroken\":false,\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2,\"suffix\":\"mbps\"}}},\"references\":[\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX2\"],\"filter\":{\"query\":\"event.category:* AND host.name:* AND event.dataset:* AND event.outcome: 
\\\"success\\\"\",\"language\":\"kuery\"},\"customLabel\":true}},\"columnOrder\":[\"a3bbfd29-c023-41ce-8ebe-14fb165e36cc\",\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX0\",\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX1\",\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX2\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\"logs-*\"}},\"currentIndexPatternId\":\"logs-*\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"lens\",\"gridData\":{\"x\":37,\"y\":0,\"w\":11,\"h\":7,\"i\":\"17cbd05f-fe7c-409e-97ae-780476124c04\"},\"panelIndex\":\"17cbd05f-fe7c-409e-97ae-780476124c04\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-5c67ed52-f853-4732-bdc0-8f6f26cff79d\"}],\"state\":{\"visualization\":{\"layerId\":\"5c67ed52-f853-4732-bdc0-8f6f26cff79d\",\"layerType\":\"data\",\"metricAccessor\":\"fb2439f6-2fdf-4d84-98c1-74d38902671c\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"5c67ed52-f853-4732-bdc0-8f6f26cff79d\":{\"columns\":{\"fb2439f6-2fdf-4d84-98c1-74d38902671c\":{\"label\":\"Hosts with unusual traffic\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true,\"filter\":{\"query\":\"job_id : (\\\"high_count_events_for_a_host_name_euid\\\" or \\\"low_count_events_for_a_host_name_euid\\\" ) and result_type :\\\"record\\\" 
\",\"language\":\"kuery\"}}},\"columnOrder\":[\"fb2439f6-2fdf-4d84-98c1-74d38902671c\"],\"incompleteColumns\":{}}}},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":true}},{\"type\":\"lens\",\"gridData\":{\"x\":15,\"y\":7,\"w\":10,\"h\":13,\"i\":\"d7840b4a-1b5d-444c-86b8-eebf0434709a\"},\"panelIndex\":\"d7840b4a-1b5d-444c-86b8-eebf0434709a\",\"embeddableConfig\":{\"hidePanelTitles\":true,\"enhancements\":{},\"attributes\":{\"title\":\"Total anomalies detected\",\"visualizationType\":\"lnsMetric\",\"state\":{\"visualization\":{\"layerId\":\"6dc48429-d618-4e6a-a307-9944d2ee13b7\",\"layerType\":\"data\",\"metricAccessor\":\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\",\"color\":\"#AA6556\",\"icon\":\"sortUp\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"6dc48429-d618-4e6a-a307-9944d2ee13b7\":{\"columns\":{\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\":{\"label\":\"Total anomalies detected\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":false},\"filter\":{\"query\":\"job_id : (\\\"high_count_events_for_a_host_name_euid\\\" or \\\"low_count_events_for_a_host_name_euid\\\" ) and result_type : 
\\\"record\\\"\",\"language\":\"kuery\"},\"customLabel\":true}},\"columnOrder\":[\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}},\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-6dc48429-d618-4e6a-a307-9944d2ee13b7\"}],\"type\":\"lens\",\"savedObjectId\":\"fca78426-ea3d-4902-b761-2928d23a1191\"}}},{\"type\":\"lens\",\"gridData\":{\"x\":37,\"y\":7,\"w\":11,\"h\":13,\"i\":\"ff1b9e2c-5eda-4562-988c-081ed5cf6e73\"},\"panelIndex\":\"ff1b9e2c-5eda-4562-988c-081ed5cf6e73\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-6dc48429-d618-4e6a-a307-9944d2ee13b7\"}],\"state\":{\"visualization\":{\"layerId\":\"6dc48429-d618-4e6a-a307-9944d2ee13b7\",\"layerType\":\"data\",\"metricAccessor\":\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\",\"breakdownByAccessor\":\"ef522b68-f45e-43dd-9db4-aaccfc594e35\",\"maxCols\":1,\"color\":\"#6092C0\",\"icon\":\"sortDown\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"6dc48429-d618-4e6a-a307-9944d2ee13b7\":{\"columns\":{\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"filter\":{\"query\":\"job_id : ( \\\"low_count_events_for_a_host_name_euid\\\" ) and result_type :\\\"record\\\" 
\",\"language\":\"kuery\"}},\"ef522b68-f45e-43dd-9db4-aaccfc594e35\":{\"label\":\"Filters\",\"dataType\":\"string\",\"operationType\":\"filters\",\"scale\":\"ordinal\",\"isBucketed\":true,\"params\":{\"filters\":[{\"label\":\"Low Traffic Anomalies\",\"input\":{\"query\":\"\\\"job_id\\\" : \\\"low_count_events_for_a_host_name_euid\\\" \",\"language\":\"kuery\"}}]}}},\"columnOrder\":[\"ef522b68-f45e-43dd-9db4-aaccfc594e35\",\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"lens\",\"gridData\":{\"x\":25,\"y\":7,\"w\":12,\"h\":13,\"i\":\"1a35a792-12de-4450-a129-ace659dabd01\"},\"panelIndex\":\"1a35a792-12de-4450-a129-ace659dabd01\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-6dc48429-d618-4e6a-a307-9944d2ee13b7\"}],\"state\":{\"visualization\":{\"layerId\":\"6dc48429-d618-4e6a-a307-9944d2ee13b7\",\"layerType\":\"data\",\"metricAccessor\":\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\",\"color\":\"#E7664C\",\"icon\":\"sortUp\",\"breakdownByAccessor\":\"25a19bc8-91e1-4861-92ff-9e18f1432d3f\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"6dc48429-d618-4e6a-a307-9944d2ee13b7\":{\"columns\":{\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":false},\"filter\":{\"query\":\"job_id : \\\"high_count_events_for_a_host_name_euid\\\" and result_type : \\\"record\\\" 
\",\"language\":\"kuery\"}},\"25a19bc8-91e1-4861-92ff-9e18f1432d3f\":{\"label\":\"Filters\",\"dataType\":\"string\",\"operationType\":\"filters\",\"scale\":\"ordinal\",\"isBucketed\":true,\"params\":{\"filters\":[{\"input\":{\"query\":\"job_id : (\\\"high_count_events_for_a_host_name_euid\\\" )\",\"language\":\"kuery\"},\"label\":\"High Traffic Anomalies\"}]}}},\"columnOrder\":[\"25a19bc8-91e1-4861-92ff-9e18f1432d3f\",\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"ml_anomaly_swimlane\",\"gridData\":{\"x\":0,\"y\":20,\"w\":48,\"h\":17,\"i\":\"2459f8bb-d57f-49ec-b472-aa1328baebd8\"},\"panelIndex\":\"2459f8bb-d57f-49ec-b472-aa1328baebd8\",\"embeddableConfig\":{\"jobIds\":[\"low_count_events_for_a_host_name_euid\",\"high_count_events_for_a_host_name_euid\"],\"panelTitle\":\"Anomalies detected per host\",\"swimlaneType\":\"viewBy\",\"viewBy\":\"host.name\",\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Hosts with unusual traffic 
patterns\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":37,\"w\":24,\"h\":15,\"i\":\"6ca0394b-fa7b-4efe-b17d-e0823e8087b3\"},\"panelIndex\":\"6ca0394b-fa7b-4efe-b17d-e0823e8087b3\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-914f81de-6cbc-4863-9e44-b69d323d41d2\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":false,\"position\":\"bottom\",\"isInside\":false,\"showSingleSeries\":false},\"valueLabels\":\"show\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal_stacked\",\"layers\":[{\"layerId\":\"914f81de-6cbc-4863-9e44-b69d323d41d2\",\"accessors\":[\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\"],\"position\":\"top\",\"seriesType\":\"bar_horizontal_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"splitAccessor\":\"f6970021-0d2e-4c33-9a26-9e15030a157a\",\"xAccessor\":\"e7bc81ec-8882-4d97-816e-053c19412845\",\"palette\":{\"type\":\"palette\",\"name\":\"complimentary\"}}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"914f81de-6cbc-4863-9e44-b69d323d41d2\":{\"columns\":{\"f6970021-0d2e-4c33-9a26-9e15030a157a\":{\"label\":\"Filters\",\"dataType\":\"string\",\"operationType\":\"filters\",\"scale\":\"ordinal\",\"isBucketed\":true,\"params\":{\"filters\":[{\"label\":\"\",\"input\":{\"query\":\"job_id : \\\"low_count_events_for_a_host_name_euid\\\" and result_type : \\\"record\\\" \",\"language\":\"kuery\"}}]}},\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"e7bc81ec-8882-4d97-816e-053c19412845\":{\"label\":\"Top 5 values of host.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"f6970021-0d2e-4c33-9a26-9e15030a157a\",\"e7bc81ec-8882-4d97-816e-053c19412845\",\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 5 low traffic 
hosts\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":37,\"w\":24,\"h\":15,\"i\":\"271e0000-4a5f-44fc-a346-f18b7642affb\"},\"panelIndex\":\"271e0000-4a5f-44fc-a346-f18b7642affb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-914f81de-6cbc-4863-9e44-b69d323d41d2\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":false,\"position\":\"bottom\",\"shouldTruncate\":true,\"showSingleSeries\":false},\"valueLabels\":\"show\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal_stacked\",\"layers\":[{\"layerId\":\"914f81de-6cbc-4863-9e44-b69d323d41d2\",\"accessors\":[\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\"],\"position\":\"top\",\"seriesType\":\"bar_horizontal_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"splitAccessor\":\"f6970021-0d2e-4c33-9a26-9e15030a157a\",\"xAccessor\":\"e7bc81ec-8882-4d97-816e-053c19412845\",\"palette\":{\"type\":\"palette\",\"name\":\"warm\"}}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"914f81de-6cbc-4863-9e44-b69d323d41d2\":{\"columns\":{\"f6970021-0d2e-4c33-9a26-9e15030a157a\":{\"label\":\"Filters\",\"dataType\":\"string\",\"operationType\":\"filters\",\"scale\":\"ordinal\",\"isBucketed\":true,\"params\":{\"filters\":[{\"label\":\"\",\"input\":{\"query\":\"job_id : \\\"high_count_events_for_a_host_name_euid\\\" and result_type : \\\"record\\\" \",\"language\":\"kuery\"}}]}},\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"e7bc81ec-8882-4d97-816e-053c19412845\":{\"label\":\"Top 5 values of host.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"f6970021-0d2e-4c33-9a26-9e15030a157a\",\"e7bc81ec-8882-4d97-816e-053c19412845\",\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 5 high traffic 
hosts\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":52,\"w\":48,\"h\":16,\"i\":\"a4b62995-53a2-4172-baa7-dd1bd915ac7d\"},\"panelIndex\":\"a4b62995-53a2-4172-baa7-dd1bd915ac7d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-d437f4ff-74ee-4331-801b-be6e5c990de0\"},{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-230b3abd-6bbd-4a50-8e51-14524532ad06\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"Linear\",\"curveType\":\"CURVE_MONOTONE_X\",\"showCurrentTimeMarker\":false,\"valuesInLegend\":true,\"yLeftScale\":\"sqrt\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"d437f4ff-74ee-4331-801b-be6e5c990de0\",\"accessors\":[\"e984c84e-806f-46a4-8ab1-0b0aa4a23fd6\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"05c80e04-0870-4876-a665-b4844ed36eb1\",\"splitAccessor\":\"206e9fca-0d44-41c6-9451-c7ed6d532d67\"},{\"layerId\":\"230b3abd-6bbd-4a50-8e51-14524532ad06\",\"layerType\":\"data\",\"accessors\":[\"34af8905-9648-4963-8c6e-f36fa638a8e1\"],\"seriesType\":\"line\",\"xAccessor\":\"3a80d472-891e-4958-a27c-822d5d561b64\",\"yConfig\":[{\"forAccessor\":\"34af8905-9648-4963-8c6e-f36fa638a8e1\",\"color\":\"#e7664c\"}],\"splitAccessor\":\"6d21d26b-7857-408f-917a-51dc7468fe9d\"}],\"endValue\":\"Zero\"},\"query\":{\"query\":\"job_id: (\\\"high_count_events_for_a_host_name_euid\\\" ) and host.name : * and result_type : 
\\\"record\\\" \",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"result_type\",\"params\":{\"query\":\"influencer\"},\"index\":\"1acb5707-28a3-4440-800c-70da0d87725f\"},\"query\":{\"match_phrase\":{\"result_type\":\"influencer\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d437f4ff-74ee-4331-801b-be6e5c990de0\":{\"columns\":{\"05c80e04-0870-4876-a665-b4844ed36eb1\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":false,\"dropPartials\":true}},\"e984c84e-806f-46a4-8ab1-0b0aa4a23fd6\":{\"label\":\"Average of actual\",\"dataType\":\"number\",\"operationType\":\"average\",\"sourceField\":\"actual\",\"isBucketed\":false,\"scale\":\"ratio\",\"filter\":{\"query\":\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true}},\"206e9fca-0d44-41c6-9451-c7ed6d532d67\":{\"label\":\"Top 300 values of 
host.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":300,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e984c84e-806f-46a4-8ab1-0b0aa4a23fd6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"05c80e04-0870-4876-a665-b4844ed36eb1\",\"206e9fca-0d44-41c6-9451-c7ed6d532d67\",\"e984c84e-806f-46a4-8ab1-0b0aa4a23fd6\"],\"incompleteColumns\":{},\"sampling\":1},\"230b3abd-6bbd-4a50-8e51-14524532ad06\":{\"linkToLayers\":[],\"columns\":{\"3a80d472-891e-4958-a27c-822d5d561b64\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":true}},\"34af8905-9648-4963-8c6e-f36fa638a8e1\":{\"label\":\"Average of typical\",\"dataType\":\"number\",\"operationType\":\"average\",\"sourceField\":\"typical\",\"isBucketed\":false,\"scale\":\"ratio\",\"filter\":{\"query\":\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true}},\"6d21d26b-7857-408f-917a-51dc7468fe9d\":{\"label\":\"Top 300 values of 
host.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":300,\"orderBy\":{\"type\":\"column\",\"columnId\":\"34af8905-9648-4963-8c6e-f36fa638a8e1\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"6d21d26b-7857-408f-917a-51dc7468fe9d\",\"3a80d472-891e-4958-a27c-822d5d561b64\",\"34af8905-9648-4963-8c6e-f36fa638a8e1\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}}}},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Hosts with spikes in traffic\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":68,\"w\":48,\"h\":13,\"i\":\"c56c231d-ca87-4311-9827-50562563cf34\"},\"panelIndex\":\"c56c231d-ca87-4311-9827-50562563cf34\",\"embeddableConfig\":{\"enhancements\":{},\"attributes\":{\"title\":\"Anomalies detected over 
time\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-c79ffa3c-754a-48ab-ba60-46afd0d7ff3c\"},{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-a4a449ad-43c4-4d81-bb00-92ce098247a6\"},{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-b36bcefe-42ed-4e91-b487-4b2c8652f4f5\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\",\"legendSize\":\"large\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"c79ffa3c-754a-48ab-ba60-46afd0d7ff3c\",\"accessors\":[\"5a7ea0d2-b833-43a0-b2ee-760491aa7c20\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"palette\":{\"type\":\"palette\",\"name\":\"temperature\"},\"xAccessor\":\"3fc83bd9-2314-436e-8b61-4a8f5694e509\",\"splitAccessor\":\"afcd1239-1670-4b38-97c6-60dd18720834\"},{\"layerId\":\"a4a449ad-43c4-4d81-bb00-92ce098247a6\",\"layerType\":\"data\",\"accessors\":[\"16dbf6a1-9df7-46e0-bb21-f1968227cfb0\"],\"seriesType\":\"line\",\"xAccessor\":\"a5ac8da2-140e-4b67-9685-08424ee93fc3\"},{\"layerId\":\"b36bcefe-42ed-4e91-b487-4b2c8652f4f5\",\"layerType\":\"data\",\"accessors\":[\"4ac4ae30-2b63-4f92-926b-a3367c126709\"],\"seriesType\":\"line\",\"xAccessor\":\"d6a8746c-e875-4e90-b370-16d03e0d0cec\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"c79ffa3c-754a-48ab-ba60-46afd0d7ff3c\":{\"columns\":{\"3fc83bd9-2314-436e-8b61-4a8f
5694e509\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"d\",\"includeEmptyRows\":false,\"dropPartials\":true}},\"afcd1239-1670-4b38-97c6-60dd18720834\":{\"label\":\"Filters\",\"dataType\":\"string\",\"operationType\":\"filters\",\"scale\":\"ordinal\",\"isBucketed\":true,\"params\":{\"filters\":[{\"input\":{\"query\":\"job_id: \\\"low_count_events_for_a_host_name_euid\\\" and result_type : \\\"record\\\" \",\"language\":\"kuery\"},\"label\":\"Low Traffic Anomalies\"},{\"input\":{\"query\":\"job_id: \\\"high_count_events_for_a_host_name_euid\\\" and result_type : \\\"record\\\" \",\"language\":\"kuery\"},\"label\":\"High Traffic Anomalis\"}]}},\"5a7ea0d2-b833-43a0-b2ee-760491aa7c20\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3fc83bd9-2314-436e-8b61-4a8f5694e509\",\"afcd1239-1670-4b38-97c6-60dd18720834\",\"5a7ea0d2-b833-43a0-b2ee-760491aa7c20\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}},\"a4a449ad-43c4-4d81-bb00-92ce098247a6\":{\"linkToLayers\":[],\"columns\":{\"a5ac8da2-140e-4b67-9685-08424ee93fc3\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"d\",\"includeEmptyRows\":false,\"dropPartials\":true}},\"16dbf6a1-9df7-46e0-bb21-f1968227cfb0\":{\"label\":\"Average of actual\",\"dataType\":\"number\",\"operationType\":\"average\",\"sourceField\":\"actual\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true,\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"filter\":{\"query\":\"job_id : 
(\\\"high_count_events_for_a_host_name_euid\\\" or \\\"low_count_events_for_a_host_name_euid\\\" ) and result_type : \\\"record\\\"\",\"language\":\"kuery\"}}},\"columnOrder\":[\"a5ac8da2-140e-4b67-9685-08424ee93fc3\",\"16dbf6a1-9df7-46e0-bb21-f1968227cfb0\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}},\"b36bcefe-42ed-4e91-b487-4b2c8652f4f5\":{\"linkToLayers\":[],\"columns\":{\"d6a8746c-e875-4e90-b370-16d03e0d0cec\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"d\",\"includeEmptyRows\":false,\"dropPartials\":true}},\"4ac4ae30-2b63-4f92-926b-a3367c126709\":{\"label\":\"Average of typical\",\"dataType\":\"number\",\"operationType\":\"average\",\"sourceField\":\"typical\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true,\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"filter\":{\"query\":\"job_id : (\\\"high_count_events_for_a_host_name_euid\\\" or \\\"low_count_events_for_a_host_name_euid\\\" ) and result_type : 
\\\"record\\\"\",\"language\":\"kuery\"}}},\"columnOrder\":[\"d6a8746c-e875-4e90-b370-16d03e0d0cec\",\"4ac4ae30-2b63-4f92-926b-a3367c126709\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}}}},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}}}},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":81,\"w\":24,\"h\":15,\"i\":\"7730f065-9101-453b-886c-addc2f2fa726\"},\"panelIndex\":\"7730f065-9101-453b-886c-addc2f2fa726\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-c7ce8741-3831-487f-8227-1d97a4bf565a\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"b17e458f-5564-4c49-b5b0-4f26bd3737bc\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"a9a3a723-ad58-495c-b744-84990d1a7fb1\",\"isTransposed\":false,\"isMetric\":true,\"hidden\":true}],\"layerId\":\"c7ce8741-3831-487f-8227-1d97a4bf565a\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"c7ce8741-3831-487f-8227-1d97a4bf565a\":{\"columns\":{\"b17e458f-5564-4c49-b5b0-4f26bd3737bc\":{\"label\":\"Host name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a9a3a723-ad58-495c-b744-84990d1a7fb1\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"a9a3a723-ad58-495c-b744-84990d1a7fb1\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"job_id : (\\\"low_count_events_for_a_host_name_euid\\\" ) and result_type : \\\"record\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"b17e458f-5564-4c49-b5b0-4f26bd3737bc\",\"a9a3a723-ad58-495c-b744-84990d1a7fb1\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}}}},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 5 hosts with low traffic anomalies\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":81,\"w\":24,\"h\":15,\"i\":\"694ec862-3b9b-4c2d-9856-6dbec333774d\"},\"panelIndex\":\"694ec862-3b9b-4c2d-9856-6dbec333774d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-1f385df7-2895-46aa-acd1-fb65378dbe61\"}],\"state\":{\"visualization\":{\"layerId\":\"1f385df7-2895-46aa-acd1-fb65378dbe61\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"bfc1fa28-d585-44a7-9dc6-1a89a2ac076a\"},{\"columnId\":\"f305e930-2710-45aa-9fbb-1cd06722e1ce\",\"isTransposed\":false,\"isMetric\":true,\"hidden\":true}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"1f385df7-2895-46aa-acd1-fb65378dbe61\":{\"columns\":{\"bfc1fa28-d585-44a7-9dc6-1a89a2ac076a\":{\"label\":\"Host 
name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f305e930-2710-45aa-9fbb-1cd06722e1ce\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"f305e930-2710-45aa-9fbb-1cd06722e1ce\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"job_id : (\\\"high_count_events_for_a_host_name_euid\\\" ) and result_type : \\\"record\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false}}},\"columnOrder\":[\"bfc1fa28-d585-44a7-9dc6-1a89a2ac076a\",\"f305e930-2710-45aa-9fbb-1cd06722e1ce\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}}}},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 5 hosts with high traffic anomalies\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":96,\"w\":24,\"h\":15,\"i\":\"0ddae9ae-f243-4fe9-9f02-0692c89e597e\"},\"panelIndex\":\"0ddae9ae-f243-4fe9-9f02-0692c89e597e\",\"embeddableConfig\":{\"enhancements\":{},\"attributes\":{\"title\":\"Top 5 host names with zero traffic 
count\",\"visualizationType\":\"lnsDatatable\",\"state\":{\"visualization\":{\"layerId\":\"ccb0e613-5210-466d-b06c-dd551d3d2c3d\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"4e6985ee-e7c1-436e-92b9-8533edbde0d0\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"fb904bf7-140d-448d-94e8-b4f99b363eba\",\"isTransposed\":false,\"isMetric\":true,\"hidden\":true}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"ccb0e613-5210-466d-b06c-dd551d3d2c3d\":{\"columns\":{\"4e6985ee-e7c1-436e-92b9-8533edbde0d0\":{\"label\":\"Host name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"fb904bf7-140d-448d-94e8-b4f99b363eba\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"fb904bf7-140d-448d-94e8-b4f99b363eba\":{\"label\":\"Median of actual\",\"dataType\":\"number\",\"operationType\":\"median\",\"sourceField\":\"actual\",\"isBucketed\":false,\"scale\":\"ratio\",\"filter\":{\"query\":\"job_id : (\\\"high_count_events_for_a_host_name_euid\\\" or \\\"low_count_events_for_a_host_name_euid\\\" ) and result_type : \\\"record\\\" and 
actual:0\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"4e6985ee-e7c1-436e-92b9-8533edbde0d0\",\"fb904bf7-140d-448d-94e8-b4f99b363eba\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}},\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-ccb0e613-5210-466d-b06c-dd551d3d2c3d\"}],\"type\":\"lens\",\"savedObjectId\":\"0c768d12-300d-4b07-aff5-dffbf394e1f5\"}}}]", - "title": "Host Traffic Anomalies (EUID)" - }, - "references": [ - { - "type": "index-pattern", - "id": "logs-*", - "name": "d5406e02-23be-4706-b754-6c98322988f0:indexpattern-datasource-layer-0878cf0f-9248-4259-9fde-be7d100dd7da" - }, - { - "type": "index-pattern", - "id": "logs-*", - "name": "095364c8-b16f-4a65-bc20-7e3d6434a7c5:indexpattern-datasource-layer-f4e80a32-b042-4b35-a6f1-e63ca1f73810" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "17cbd05f-fe7c-409e-97ae-780476124c04:indexpattern-datasource-layer-5c67ed52-f853-4732-bdc0-8f6f26cff79d" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "d7840b4a-1b5d-444c-86b8-eebf0434709a:indexpattern-datasource-layer-6dc48429-d618-4e6a-a307-9944d2ee13b7" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "ff1b9e2c-5eda-4562-988c-081ed5cf6e73:indexpattern-datasource-layer-6dc48429-d618-4e6a-a307-9944d2ee13b7" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "1a35a792-12de-4450-a129-ace659dabd01:indexpattern-datasource-layer-6dc48429-d618-4e6a-a307-9944d2ee13b7" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "6ca0394b-fa7b-4efe-b17d-e0823e8087b3:indexpattern-datasource-layer-914f81de-6cbc-4863-9e44-b69d323d41d2" - }, - { - 
"type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "271e0000-4a5f-44fc-a346-f18b7642affb:indexpattern-datasource-layer-914f81de-6cbc-4863-9e44-b69d323d41d2" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "a4b62995-53a2-4172-baa7-dd1bd915ac7d:indexpattern-datasource-layer-d437f4ff-74ee-4331-801b-be6e5c990de0" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "a4b62995-53a2-4172-baa7-dd1bd915ac7d:indexpattern-datasource-layer-230b3abd-6bbd-4a50-8e51-14524532ad06" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "c56c231d-ca87-4311-9827-50562563cf34:indexpattern-datasource-layer-c79ffa3c-754a-48ab-ba60-46afd0d7ff3c" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "c56c231d-ca87-4311-9827-50562563cf34:indexpattern-datasource-layer-a4a449ad-43c4-4d81-bb00-92ce098247a6" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "c56c231d-ca87-4311-9827-50562563cf34:indexpattern-datasource-layer-b36bcefe-42ed-4e91-b487-4b2c8652f4f5" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "7730f065-9101-453b-886c-addc2f2fa726:indexpattern-datasource-layer-c7ce8741-3831-487f-8227-1d97a4bf565a" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "694ec862-3b9b-4c2d-9856-6dbec333774d:indexpattern-datasource-layer-1f385df7-2895-46aa-acd1-fb65378dbe61" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "0ddae9ae-f243-4fe9-9f02-0692c89e597e:indexpattern-datasource-layer-ccb0e613-5210-466d-b06c-dd551d3d2c3d" - }, - { - "name": "controlGroup_9c3b118a-6b55-43c2-8f8a-7905debfeaf1:optionsListDataView", - "type": "index-pattern", - "id": "logs-*" - }, - { - "name": "controlGroup_62d77b7e-89ca-4cd9-8528-8102395c7beb:optionsListDataView", - "type": "index-pattern", - "id": "logs-*" - }, - { - "type": "tag", - "id": "hta-192d4418-0096-4ebd-9699-d961b8c8f6f7", - 
"name": "tag-hta-192d4418-0096-4ebd-9699-d961b8c8f6f7" - } - ] -} \ No newline at end of file diff --git a/packages/lmd/elasticsearch/transform/pivot_transform_euid/fields/fields.yml b/packages/lmd/elasticsearch/transform/pivot_transform_ea/fields/fields.yml similarity index 100% rename from packages/lmd/elasticsearch/transform/pivot_transform_euid/fields/fields.yml rename to packages/lmd/elasticsearch/transform/pivot_transform_ea/fields/fields.yml diff --git a/packages/lmd/elasticsearch/transform/pivot_transform_euid/transform.yml b/packages/lmd/elasticsearch/transform/pivot_transform_ea/transform.yml similarity index 100% rename from packages/lmd/elasticsearch/transform/pivot_transform_euid/transform.yml rename to packages/lmd/elasticsearch/transform/pivot_transform_ea/transform.yml diff --git a/packages/lmd/kibana/dashboard/lmd-euid-55567824-b381-4253-a7cc-d22e630a91c9.json b/packages/lmd/kibana/dashboard/lmd-17fea180-8c4c-11ed-bb03-41a73f349362.json similarity index 89% rename from packages/lmd/kibana/dashboard/lmd-euid-55567824-b381-4253-a7cc-d22e630a91c9.json rename to packages/lmd/kibana/dashboard/lmd-17fea180-8c4c-11ed-bb03-41a73f349362.json index 207a85f41d0..8c05acfdad0 100644 --- a/packages/lmd/kibana/dashboard/lmd-euid-55567824-b381-4253-a7cc-d22e630a91c9.json +++ b/packages/lmd/kibana/dashboard/lmd-17fea180-8c4c-11ed-bb03-41a73f349362.json 
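Review bot: the deleted `Host Traffic Anomalies (EUID)` dashboard still carried a `tag` reference (`hta-192d4418-0096-4ebd-9699-d961b8c8f6f7`) and two `optionsListDataView` control-group references on `logs-*`; with the file removed, please confirm that nothing else in the package (the tag saved object, any docs or module links that named this dashboard id) still points at it, otherwise the install ships a dangling reference. The matching `_euid` Lens queries (`high_count_events_for_a_host_name_euid`, `low_count_events_for_a_host_name_euid`) disappear with this file, so the replacement dashboard should be checked against whatever job ids the package now defines.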
@@ -3,7 +3,7 @@ "description": "This dashboard provides an overview of anomalies found for Lateral Movement Detection package.", "hits": 0, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"(job_id:\\\"lmd_high_count_remote_file_transfer_euid\\\" or job_id:\\\"lmd_high_file_size_remote_file_transfer_euid\\\" or job_id:\\\"lmd_rare_file_extension_remote_transfer_euid\\\" or job_id :\\\"lmd_rare_file_path_remote_transfer_euid\\\" or job_id :\\\"lmd_high_mean_rdp_session_duration_euid\\\" or job_id :\\\"lmd_high_var_rdp_session_duration_euid\\\" or job_id :\\\"lmd_high_sum_rdp_number_of_processes_euid\\\" or job_id :\\\"lmd_high_rdp_distinct_count_source_ip_for_destination_euid\\\" or job_id :\\\"lmd_high_rdp_distinct_count_destination_ip_for_source_euid\\\" or job_id :\\\"lmd_unusual_time_weekday_rdp_session_start_euid\\\" or job_id :\\\"lmd_high_mean_rdp_process_args_euid\\\") \",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"result_type\",\"field\":\"result_type\",\"type\":\"phrase\",\"params\":{\"query\":\"record\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"result_type\":\"record\"}},\"$state\":{\"store\":\"appState\"}}]}" + "searchSourceJSON": "{\"query\":{\"query\":\"(job_id:\\\"high-count-remote-file-transfer\\\" or job_id:\\\"high-file-size-remote-file-transfer\\\" or job_id:\\\"rare-file-extension-remote-transfer\\\" or job_id :\\\"rare-file-path-remote-transfer\\\" or job_id :\\\"high-mean-rdp-session-duration\\\" or job_id :\\\"high-var-rdp-session-duration\\\" or job_id :\\\"high-sum-rdp-number-of-processes\\\" or job_id :\\\"high-rdp-distinct-count-source-ip-for-destination\\\" or job_id :\\\"high-rdp-distinct-count-destination-ip-for-source\\\" or job_id :\\\"unusual-time-weekday-rdp-session-start\\\" or job_id :\\\"high-mean-rdp-process-args\\\") 
\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"result_type\",\"field\":\"result_type\",\"type\":\"phrase\",\"params\":{\"query\":\"record\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"result_type\":\"record\"}},\"$state\":{\"store\":\"appState\"}}]}" }, "optionsJSON": { "hidePanelTitles": false, 
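Review bot: the rewritten `searchSourceJSON` query switches every job_id to a hyphenated, unprefixed name (`high-count-remote-file-transfer`, `high-file-size-remote-file-transfer`, `rare-file-extension-remote-transfer`, ...), while the removed query used the underscore, package-prefixed form (`lmd_high_count_remote_file_transfer_euid`) and the new pad dashboard further down in this patch keeps the underscore convention (`pad_windows_high_count_group_management_events`). A dashboard filter that does not exactly match the job ids the ML module creates returns no records and leaves every panel empty, so please confirm these hyphenated ids are the ids actually defined in the lmd ML module, or switch the query back to the underscore form. While this line is being rewritten it is also worth normalising the `job_id :\"...\"` spacing (no space before the colon on the first three terms, a space on the rest); KQL accepts both, but the mix reads as an oversight. Minor, in the unchanged context: "for Lateral Movement Detection package" should read "for the Lateral Movement Detection package".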
@@ -13,11 +13,11 @@ }, "panelsJSON": "[{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":18,\"h\":10,\"i\":\"ddb33c4a-9eff-4d40-92c9-297d76d91eea\"},\"panelIndex\":\"ddb33c4a-9eff-4d40-92c9-297d76d91eea\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-fb918fff-0676-4792-9732-8fbe6db41443\"}],\"state\":{\"visualization\":{\"layerId\":\"fb918fff-0676-4792-9732-8fbe6db41443\",\"accessor\":\"3e03ad31-53f7-4def-b8e4-4192da864d19\",\"layerType\":\"data\",\"colorMode\":\"None\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"fb918fff-0676-4792-9732-8fbe6db41443\":{\"columns\":{\"3e03ad31-53f7-4def-b8e4-4192da864d19\":{\"label\":\"Total affected hosts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3e03ad31-53f7-4def-b8e4-4192da864d19\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":18,\"y\":0,\"w\":30,\"h\":10,\"i\":\"70033600-0e2e-4208-a258-a0b47e5a4e1b\"},\"panelIndex\":\"70033600-0e2e-4208-a258-a0b47e5a4e1b\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-0312c5ad-bc06-4396-bd16-5481b1c48bf1\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY 
chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"0312c5ad-bc06-4396-bd16-5481b1c48bf1\",\"accessors\":[\"51f5a7e6-3766-4c2f-94ce-fe624bf8db04\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"ae59c27c-f534-49cd-aab7-d7af4593bc8d\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0312c5ad-bc06-4396-bd16-5481b1c48bf1\":{\"columns\":{\"ae59c27c-f534-49cd-aab7-d7af4593bc8d\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"d\",\"includeEmptyRows\":true,\"dropPartials\":true}},\"51f5a7e6-3766-4c2f-94ce-fe624bf8db04\":{\"label\":\"Count of anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"record_score\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"ae59c27c-f534-49cd-aab7-d7af4593bc8d\",\"51f5a7e6-3766-4c2f-94ce-fe624bf8db04\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Total anomalies associated with lateral movement activity per 
day\"},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":10,\"w\":24,\"h\":15,\"i\":\"c0ee749a-576c-4da0-b51d-2ef364085fb5\"},\"panelIndex\":\"c0ee749a-576c-4da0-b51d-2ef364085fb5\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-6c1a1848-2234-42b9-b1fe-e41fca887639\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"909d15b9-b715-43ef-81ba-0dcf9701ff85\",\"isTransposed\":false},{\"columnId\":\"320f61a2-071f-4023-b51f-fc744c040995\",\"isTransposed\":false}],\"layerId\":\"6c1a1848-2234-42b9-b1fe-e41fca887639\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"6c1a1848-2234-42b9-b1fe-e41fca887639\":{\"columns\":{\"909d15b9-b715-43ef-81ba-0dcf9701ff85\":{\"label\":\"Host name > User name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"320f61a2-071f-4023-b51f-fc744c040995\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"multi_terms\"},\"secondaryFields\":[\"user.name\"]},\"customLabel\":true},\"320f61a2-071f-4023-b51f-fc744c040995\":{\"label\":\"Number of anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"record_score\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"909d15b9-b715-43ef-81ba-0dcf9701ff85\",\"320f61a2-071f-4023-b51f-fc744c040995\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 20 host and user names associated with lateral movement 
activity\"},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":10,\"w\":24,\"h\":15,\"i\":\"636abb14-59a8-4a1e-a426-5db922669b22\"},\"panelIndex\":\"636abb14-59a8-4a1e-a426-5db922669b22\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-188c9419-9baa-4af7-846c-d2fe2c838eb1\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"2ea20970-94b6-42d3-bded-af75d15d6708\",\"isTransposed\":false},{\"columnId\":\"4ccfc545-539c-43f5-ac35-cf6800bcd970\",\"isTransposed\":false}],\"layerId\":\"188c9419-9baa-4af7-846c-d2fe2c838eb1\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"188c9419-9baa-4af7-846c-d2fe2c838eb1\":{\"columns\":{\"2ea20970-94b6-42d3-bded-af75d15d6708\":{\"label\":\"Process name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.name\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4ccfc545-539c-43f5-ac35-cf6800bcd970\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"}},\"customLabel\":true},\"4ccfc545-539c-43f5-ac35-cf6800bcd970\":{\"label\":\"Number of anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"record_score\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"2ea20970-94b6-42d3-bded-af75d15d6708\",\"4ccfc545-539c-43f5-ac35-cf6800bcd970\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 20 process names associated with lateral movement 
activity\"},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":25,\"w\":48,\"h\":12,\"i\":\"d38dee87-a80a-4613-ae67-455886f1097e\"},\"panelIndex\":\"d38dee87-a80a-4613-ae67-455886f1097e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-3df1d709-471b-4308-afd9-1d49fa0d5dc1\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"3df1d709-471b-4308-afd9-1d49fa0d5dc1\",\"accessors\":[\"e336ebd1-d880-44e5-94bc-0dac4c006ee7\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"35a981cf-6ab8-438c-b73d-a399a35b9c4a\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3df1d709-471b-4308-afd9-1d49fa0d5dc1\":{\"columns\":{\"35a981cf-6ab8-438c-b73d-a399a35b9c4a\":{\"label\":\"File name > File directory\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"file.name\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e336ebd1-d880-44e5-94bc-0dac4c006ee7\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"multi_terms\"},\"secondaryFields\":[\"file_directory\"]},\"customLabel\":true},\"e336ebd1-d880-44e5-94bc-0dac4c006ee7\":{\"label\":\"Number of 
anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"record_score\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"35a981cf-6ab8-438c-b73d-a399a35b9c4a\",\"e336ebd1-d880-44e5-94bc-0dac4c006ee7\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 20 combination of file names and directories affected by lateral movement activity\"}]", "timeRestore": false, - "title": "Lateral Movement Detection Dashboard (EUID)", + "title": "Lateral Movement Detection Dashboard", "version": 2 }, "coreMigrationVersion": "8.5.1", - "id": "lmd-euid-55567824-b381-4253-a7cc-d22e630a91c9", + "id": "lmd-17fea180-8c4c-11ed-bb03-41a73f349362", "migrationVersion": { "dashboard": "8.5.0" }, diff --git a/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_euid/fields/fields.yml b/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/fields/fields.yml similarity index 100% rename from packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_euid/fields/fields.yml rename to packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/fields/fields.yml diff --git a/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_euid/transform.yml b/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/transform.yml similarity index 100% rename from packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_euid/transform.yml rename to packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/transform.yml 
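Review bot: the saved-object `id` changes from `lmd-euid-55567824-b381-4253-a7cc-d22e630a91c9` to `lmd-17fea180-8c4c-11ed-bb03-41a73f349362`, which matches the new filename, but an id change is not a cosmetic rename: an installation that already holds the `lmd-euid-...` object will keep it next to the new one unless the upgrade path removes it, so the changelog entry should call this out and the README link to the dashboard should be updated to the new id. The title drop of "(EUID)" is consistent with the query rewrite in the previous hunk. Not blocking, but note the panels here still use the older `indexpattern` Lens datasource state with per-panel `"version":"8.5.1"`, whereas the dashboard removed earlier in this patch used `formBased`; Kibana migrates the older form on import, yet keeping the dashboards in one format would avoid relying on that migration.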
diff --git a/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_euid/fields/fields.yml b/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_ea/fields/fields.yml similarity index 100% rename from packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_euid/fields/fields.yml rename to packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_ea/fields/fields.yml diff --git a/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_euid/transform.yml b/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_ea/transform.yml similarity index 100% rename from packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_euid/transform.yml rename to packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_ea/transform.yml diff --git a/packages/pad/kibana/dashboard/pad-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09.json b/packages/pad/kibana/dashboard/pad-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09.json new file mode 100644 index 00000000000..b65abbbed28 --- /dev/null +++ b/packages/pad/kibana/dashboard/pad-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09.json 
@@ -0,0 +1,87 @@ +{ + "attributes": { + "description": "This dashboard offers an overview of anomalies identified in Windows logs by the Privileged Access Detection package.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"job_id: (\\\"pad_windows_high_count_group_management_events\\\" or \\\"pad_windows_high_count_special_logon_events\\\" or \\\"pad_windows_high_count_special_privilege_use_events\\\" or \\\"pad_windows_high_count_user_account_management_events\\\" or \\\"pad_windows_rare_device_by_user\\\" or \\\"pad_windows_rare_group_name_by_user\\\" or \\\"pad_windows_rare_source_ip_by_user\\\" or \\\"pad_windows_rare_privilege_assigned_to_user\\\" ) \\n\\n\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"type\":\"custom\",\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"query\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"bool\":{\"filter\":[{\"term\":{\"result_type\":{\"value\":\"record\"}}}]}}}]}" + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": 
"[{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":11,\"h\":8,\"i\":\"c969fd47-15df-4011-8fa3-2a27825ad0f6\"},\"panelIndex\":\"c969fd47-15df-4011-8fa3-2a27825ad0f6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-4a3eb6a5-00f0-40bb-a514-4624c8ecf975\"}],\"state\":{\"visualization\":{\"layerId\":\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\",\"accessor\":\"38c1895e-f712-49ad-b793-1468d2fd02dc\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\":{\"columns\":{\"38c1895e-f712-49ad-b793-1468d2fd02dc\":{\"label\":\"Anomalous host names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"38c1895e-f712-49ad-b793-1468d2fd02dc\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"Number of hosts 
affected\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":0,\"w\":11,\"h\":8,\"i\":\"16a69c4e-a9e3-4ec0-aa9a-11ba40d873bd\"},\"panelIndex\":\"16a69c4e-a9e3-4ec0-aa9a-11ba40d873bd\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-4a3eb6a5-00f0-40bb-a514-4624c8ecf975\"}],\"state\":{\"visualization\":{\"layerId\":\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\",\"accessor\":\"38c1895e-f712-49ad-b793-1468d2fd02dc\",\"layerType\":\"data\",\"size\":\"l\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"9b5b5af7-b12d-4f9e-98e4-eb78ca6a3de3\",\"type\":\"exists\",\"key\":\"host.name\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{\"exists\":{\"field\":\"host.name\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\":{\"columns\":{\"38c1895e-f712-49ad-b793-1468d2fd02dc\":{\"label\":\"Anomalous user names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"user.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"38c1895e-f712-49ad-b793-1468d2fd02dc\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"Number of users 
affected\"},{\"type\":\"ml_anomaly_swimlane\",\"gridData\":{\"x\":22,\"y\":0,\"w\":26,\"h\":19,\"i\":\"dce1e8da-3b99-4852-a222-3e0f276dee0e\"},\"panelIndex\":\"dce1e8da-3b99-4852-a222-3e0f276dee0e\",\"embeddableConfig\":{\"jobIds\":[\"pad_windows_high_count_group_management_events\",\"pad_windows_high_count_special_logon_events\",\"pad_windows_high_count_special_privilege_use_events\",\"pad_windows_high_count_user_account_management_events\",\"pad_windows_rare_device_by_user\",\"pad_windows_rare_group_name_by_user\",\"pad_windows_rare_privilege_assigned_to_user\",\"pad_windows_rare_region_name_by_user\",\"pad_windows_rare_source_ip_by_user\"],\"panelTitle\":\"ML anomaly swim lane for pad_linux_high_count_privileged_process_events_by_user, pad_linux_high_sum_process_command_line_entropy_by_user, pad_linux_rare_process_executed_by_user\",\"swimlaneType\":\"viewBy\",\"viewBy\":\"job ID\",\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected by their Job ID and Severity\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":8,\"w\":11,\"h\":11,\"i\":\"26531c0e-a776-4e6f-badd-8766f77d9134\"},\"panelIndex\":\"26531c0e-a776-4e6f-badd-8766f77d9134\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-390b338f-2020-4d73-95ae-3934bae7f6b6\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"isTransposed\":false,\"isMetric\":false,\"hidden\":false,\"alignment\":\"left\"},{\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"390b338f-2020-4d73-95ae-3934bae7f6b6\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"390b338f-2020-4d73-95ae-3934b
ae7f6b6\":{\"columns\":{\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\":{\"label\":\"User names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"user.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"05043aa4-cc1e-429b-8046-fbcdd4092879\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"05043aa4-cc1e-429b-8046-fbcdd4092879\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 User 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":8,\"w\":11,\"h\":11,\"i\":\"271a8d58-3d1b-44d9-93da-338c9f91867a\"},\"panelIndex\":\"271a8d58-3d1b-44d9-93da-338c9f91867a\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-390b338f-2020-4d73-95ae-3934bae7f6b6\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"isTransposed\":false,\"isMetric\":false,\"hidden\":false},{\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"390b338f-2020-4d73-95ae-3934bae7f6b6\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"390b338f-2020-4d73-95ae-3934bae7f6b6\":{\"columns\":{\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\":{\"label\":\"Host names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"05043aa4-cc1e-429b-8046-fbcdd4092879\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"05043aa4-cc1e-429b-8046-fbcdd4092879\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Host names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":19,\"w\":48,\"h\":10,\"i\":\"502e0249-fc8c-4d26-8f1e-d8f434d8e7c7\"},\"panelIndex\":\"502e0249-fc8c-4d26-8f1e-d8f434d8e7c7\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-633758dc-f315-45ef-8ff3-055ba6778160\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"633758dc-f315-45ef-8ff3-055ba6778160\",\"accessors\":[\"e0821c61-d9f8-46af-9b64-9b70c3353106\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"2e4087b8-5e9b-4040-8c21-231649fdaf27\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"633758dc-f315-45ef-8ff3-055ba6778160\":{\"columns\":{\"2e4087
b8-5e9b-4040-8c21-231649fdaf27\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":false,\"dropPartials\":false}},\"e0821c61-d9f8-46af-9b64-9b70c3353106\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"2e4087b8-5e9b-4040-8c21-231649fdaf27\",\"e0821c61-d9f8-46af-9b64-9b70c3353106\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected over time\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":29,\"w\":12,\"h\":12,\"i\":\"920f2dd3-3628-4298-866a-da34c82431c2\"},\"panelIndex\":\"920f2dd3-3628-4298-866a-da34c82431c2\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Event 
types\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"event.action\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Event 
types\"},{\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":29,\"w\":12,\"h\":12,\"i\":\"02255922-d40f-4757-92c2-b53596a73f5e\"},\"panelIndex\":\"02255922-d40f-4757-92c2-b53596a73f5e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Privilege types\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"privilege_type\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Privilege types\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":29,\"w\":24,\"h\":12,\"i\":\"5318144f-ddf3-4f86-919f-0192feec779f\"},\"panelIndex\":\"5318144f-ddf3-4f86-919f-0192feec779f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-d4fef95e-d937-4dd8-9a7f-783e5142c701\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"d4fef95e-d937-4dd8-9a7f-783e5142c701\",\"accessors\":[\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d4fef95e-d937-4dd8-9a7f-783e5142c701\":{\"columns\":{\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\":{\"label\":\"Top 10 process names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\",\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Process 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":41,\"w\":12,\"h\":12,\"i\":\"0d20b661-2d10-4b29-8c22-74411dd468cb\"},\"panelIndex\":\"0d20b661-2d10-4b29-8c22-74411dd468cb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Source IPs\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.ip\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Source IPs\"},{\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":41,\"w\":12,\"h\":12,\"i\":\"8c0e0fe0-dbe3-4444-a341-b57559b4a7c0\"},\"panelIndex\":\"8c0e0fe0-dbe3-4444-a341-b57559b4a7c0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Group 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"group.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Group 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":41,\"w\":24,\"h\":12,\"i\":\"2762a942-0d53-4420-82c2-72bd991e7e7d\"},\"panelIndex\":\"2762a942-0d53-4420-82c2-72bd991e7e7d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-18a81053-4dec-4f8f-97b9-2cfbb5150300\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal\",\"layers\":[{\"layerId\":\"18a81053-4dec-4f8f-97b9-2cfbb5150300\",\"seriesType\":\"bar_horizontal\",\"xAccessor\":\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\",\"accessors\":[\"70751b16-f471-4176-b754-1680309d4477\"],\"yConfig\":[{\"forAccessor\":\"70751b16-f471-4176-b754-1680309d4477\",\"color\":\"#6092c0\"}],\"layerType\":\"data\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"18a81053-4dec-4f8f-97b9-2cfbb5150300\":{\"columns\":{\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\":{\"label\":\"Top 10 region 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.geo.region_name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"70751b16-f471-4176-b754-1680309d4477\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"70751b16-f471-4176-b754-1680309d4477\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\",\"70751b16-f471-4176-b754-1680309d4477\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Geo-regions\"}]", + "timeRestore": false, + "title": "Privileged Access Detection Dashboard [Windows]", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "id": "pad-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09", + "migrationVersion": { + "dashboard": "8.9.0" + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern", + "id": ".ml-anomalies-shared" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "c969fd47-15df-4011-8fa3-2a27825ad0f6:indexpattern-datasource-layer-4a3eb6a5-00f0-40bb-a514-4624c8ecf975" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "16a69c4e-a9e3-4ec0-aa9a-11ba40d873bd:indexpattern-datasource-layer-4a3eb6a5-00f0-40bb-a514-4624c8ecf975" + }, + { + 
"type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "26531c0e-a776-4e6f-badd-8766f77d9134:indexpattern-datasource-layer-390b338f-2020-4d73-95ae-3934bae7f6b6" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "271a8d58-3d1b-44d9-93da-338c9f91867a:indexpattern-datasource-layer-390b338f-2020-4d73-95ae-3934bae7f6b6" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "502e0249-fc8c-4d26-8f1e-d8f434d8e7c7:indexpattern-datasource-layer-633758dc-f315-45ef-8ff3-055ba6778160" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "920f2dd3-3628-4298-866a-da34c82431c2:indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "02255922-d40f-4757-92c2-b53596a73f5e:indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "5318144f-ddf3-4f86-919f-0192feec779f:indexpattern-datasource-layer-d4fef95e-d937-4dd8-9a7f-783e5142c701" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "0d20b661-2d10-4b29-8c22-74411dd468cb:indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "8c0e0fe0-dbe3-4444-a341-b57559b4a7c0:indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "2762a942-0d53-4420-82c2-72bd991e7e7d:indexpattern-datasource-layer-18a81053-4dec-4f8f-97b9-2cfbb5150300" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/pad/kibana/dashboard/pad-71c4cb79-3d39-4f27-9bbf-1b273c9c37cc.json b/packages/pad/kibana/dashboard/pad-71c4cb79-3d39-4f27-9bbf-1b273c9c37cc.json new file mode 100644 index 00000000000..34c7fb74868 --- /dev/null 
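Review bot: the dashboard-level query in `searchSourceJSON` lists eight `pad_windows_*` job IDs, but the swim-lane panel's `jobIds` lists nine, the extra one being `pad_windows_rare_region_name_by_user`; because the dashboard query applies to every Lens layer here (each has `"ignoreGlobalFilters":false`), records from that job are filtered out of the "Top 10 Geo-regions" panel on `source.geo.region_name` that is presumably meant to show them, so add `\"pad_windows_rare_region_name_by_user\"` to the `job_id: (...)` clause. In the same swim-lane panel, `panelTitle` still reads "ML anomaly swim lane for pad_linux_high_count_privileged_process_events_by_user, pad_linux_high_sum_process_command_line_entropy_by_user, pad_linux_rare_process_executed_by_user", a leftover from the Linux dashboard (which itself names the entropy job `high_median`, not `high_sum`); it is masked by the panel `title`, but it should name the Windows jobs or be dropped. The "Number of users affected" metric (panelIndex `16a69c4e-a9e3-4ec0-aa9a-11ba40d873bd`) carries an `exists` filter on `host.name` while counting unique `user.name`, and that filter's `meta.index` is `9b5b5af7-b12d-4f9e-98e4-eb78ca6a3de3`, an id that appears nowhere in the `references` array (every reference resolves to `.ml-anomalies-shared`); either filter on `user.name` through the declared index-pattern reference or remove the filter so the count is not silently narrowed to records that carry a host name. Minor: the new file is written without a trailing newline (`\ No newline at end of file`).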
+++ b/packages/pad/kibana/dashboard/pad-71c4cb79-3d39-4f27-9bbf-1b273c9c37cc.json 
@@ -0,0 +1,67 @@ +{ + "attributes": { + "description": "This dashboard offers an overview of anomalies identified in Linux logs by the Privileged Access Detection package.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"job_id : (\\\"pad_linux_high_count_privileged_process_events_by_user\\\" or \\\"pad_linux_rare_process_executed_by_user\\\" or \\\"pad_linux_high_median_process_command_line_entropy_by_user\\\")\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"type\":\"custom\",\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"query\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"bool\":{\"filter\":[{\"term\":{\"result_type\":{\"value\":\"record\"}}}]}}}]}" + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": "[{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":11,\"h\":8,\"i\":\"5f659483-b424-415f-aea1-c36bd1f65b0a\"},\"panelIndex\":\"5f659483-b424-415f-aea1-c36bd1f65b0a\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-00897d5d-df2a-4a94-b918-82f2625dfb2a\"}],\"state\":{\"visualization\":{\"layerId\":\"00897d5d-df2a-4a94-b918-82f2625dfb2a\",\"accessor\":\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"00897d5d-df2a-4a94-b918-82f2625dfb2a\":{\"columns\":{\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\":{\"label\":\"Anomalous host names 
detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":0,\"w\":11,\"h\":8,\"i\":\"5183abf0-ed13-455e-9f43-4f03c1d8738f\"},\"panelIndex\":\"5183abf0-ed13-455e-9f43-4f03c1d8738f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-00897d5d-df2a-4a94-b918-82f2625dfb2a\"}],\"state\":{\"visualization\":{\"layerId\":\"00897d5d-df2a-4a94-b918-82f2625dfb2a\",\"accessor\":\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"00897d5d-df2a-4a94-b918-82f2625dfb2a\":{\"columns\":{\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\":{\"label\":\"Anomalous user names 
detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"user.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"ml_anomaly_swimlane\",\"gridData\":{\"x\":22,\"y\":0,\"w\":26,\"h\":18,\"i\":\"74fa9f56-104a-4efa-aec3-844420c0350d\"},\"panelIndex\":\"74fa9f56-104a-4efa-aec3-844420c0350d\",\"embeddableConfig\":{\"jobIds\":[\"pad_linux_high_count_privileged_process_events_by_user\",\"pad_linux_high_median_process_command_line_entropy_by_user\",\"pad_linux_rare_process_executed_by_user\"],\"panelTitle\":\"ML anomaly swim lane for pad_linux_high_count_privileged_process_events_by_user, pad_linux_high_median_process_command_line_entropy_by_user, pad_linux_rare_process_executed_by_user\",\"swimlaneType\":\"viewBy\",\"viewBy\":\"job ID\",\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected by their Job ID and 
Severity\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":8,\"w\":11,\"h\":10,\"i\":\"69788132-8446-4d88-baef-81dbb0c34bbb\"},\"panelIndex\":\"69788132-8446-4d88-baef-81dbb0c34bbb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\":{\"columns\":{\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\":{\"label\":\"User names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"user.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\",\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 User names\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":8,\"w\":11,\"h\":10,\"i\":\"fa9be72f-18d4-4054-85a1-6c35f3a44406\"},\"panelIndex\":\"fa9be72f-18d4-4054-85a1-6c35f3a44406\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\":{\"columns\":{\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\":{\"label\":\"Host 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\",\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Host names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":18,\"w\":48,\"h\":9,\"i\":\"437c12af-ddd9-4ffa-a43f-df5693028ae3\"},\"panelIndex\":\"437c12af-ddd9-4ffa-a43f-df5693028ae3\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-a25cc1d0-4da8-4e42-9d93-7800fd4573bf\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY 
chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"a25cc1d0-4da8-4e42-9d93-7800fd4573bf\",\"accessors\":[\"7bf6b54c-a978-44a5-a882-3e3398a9a49d\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"6e60ffb4-8f27-4d05-b120-699ffa51c46c\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"a25cc1d0-4da8-4e42-9d93-7800fd4573bf\":{\"columns\":{\"6e60ffb4-8f27-4d05-b120-699ffa51c46c\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":false,\"dropPartials\":false}},\"7bf6b54c-a978-44a5-a882-3e3398a9a49d\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"6e60ffb4-8f27-4d05-b120-699ffa51c46c\",\"7bf6b54c-a978-44a5-a882-3e3398a9a49d\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected over 
time\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":27,\"w\":21,\"h\":12,\"i\":\"a86a0e06-7e5c-4cf5-9e52-884a1b83f00d\"},\"panelIndex\":\"a86a0e06-7e5c-4cf5-9e52-884a1b83f00d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-bb8cc50c-32fa-4f4e-846d-f8128bc9cbd5\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal\",\"layers\":[{\"layerId\":\"bb8cc50c-32fa-4f4e-846d-f8128bc9cbd5\",\"accessors\":[\"f99b8911-2434-488c-92e3-208a71fa6abd\"],\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"d1ed4962-15bf-4a35-a43f-d68f3d9f269e\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"bb8cc50c-32fa-4f4e-846d-f8128bc9cbd5\":{\"columns\":{\"d1ed4962-15bf-4a35-a43f-d68f3d9f269e\":{\"label\":\"Top 10 process names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f99b8911-2434-488c-92e3-208a71fa6abd\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"f99b8911-2434-488c-92e3-208a71fa6abd\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"d1ed4962-15bf-4a35-a43f-d68f3d9f269e\",\"f99b8911-2434-488c-92e3-208a71fa6abd\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Process names\"},{\"type\":\"lens\",\"gridData\":{\"x\":21,\"y\":27,\"w\":27,\"h\":12,\"i\":\"ef4641fe-8802-4ca1-aae2-e4a7fdf80c25\"},\"panelIndex\":\"ef4641fe-8802-4ca1-aae2-e4a7fdf80c25\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-adf86fac-24b5-464e-83c0-0353583f7769\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"3723924b-14a6-414d-b1a9-0704cd57703e\",\"isTransposed\":false,\"isMetric\":false,\"oneClickFilter\":false},{\"columnId\":\"01945a54-9581-4d1a-8bbf-8ffb641b8f32\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"adf86fac-24b5-464e-83c0-0353583f7769\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"adf86fac-24b5-464e-83c0-0353583f7769\":{\"columns\":{\"3723924b-14a6-414d-b1a9-0704cd57703e\":{\"label\":\"Command 
lines\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.command_line\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"01945a54-9581-4d1a-8bbf-8ffb641b8f32\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"01945a54-9581-4d1a-8bbf-8ffb641b8f32\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3723924b-14a6-414d-b1a9-0704cd57703e\",\"01945a54-9581-4d1a-8bbf-8ffb641b8f32\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Command lines\"}]", + "timeRestore": false, + "title": "Privileged Access Detection Dashboard [Linux]", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "id": "pad-71c4cb79-3d39-4f27-9bbf-1b273c9c37cc", + "migrationVersion": { + "dashboard": "8.9.0" + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern", + "id": ".ml-anomalies-shared" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "5f659483-b424-415f-aea1-c36bd1f65b0a:indexpattern-datasource-layer-00897d5d-df2a-4a94-b918-82f2625dfb2a" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "5183abf0-ed13-455e-9f43-4f03c1d8738f:indexpattern-datasource-layer-00897d5d-df2a-4a94-b918-82f2625dfb2a" + }, + { + "type": "index-pattern", + 
"id": ".ml-anomalies-shared", + "name": "69788132-8446-4d88-baef-81dbb0c34bbb:indexpattern-datasource-layer-dc9c0b23-4e22-4d75-a8e0-8b29ad67f016" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "fa9be72f-18d4-4054-85a1-6c35f3a44406:indexpattern-datasource-layer-dc9c0b23-4e22-4d75-a8e0-8b29ad67f016" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "437c12af-ddd9-4ffa-a43f-df5693028ae3:indexpattern-datasource-layer-a25cc1d0-4da8-4e42-9d93-7800fd4573bf" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "a86a0e06-7e5c-4cf5-9e52-884a1b83f00d:indexpattern-datasource-layer-bb8cc50c-32fa-4f4e-846d-f8128bc9cbd5" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "ef4641fe-8802-4ca1-aae2-e4a7fdf80c25:indexpattern-datasource-layer-adf86fac-24b5-464e-83c0-0353583f7769" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/pad/kibana/dashboard/pad-aea2c9d3-c841-4466-8c61-c0ffbf6ac976.json b/packages/pad/kibana/dashboard/pad-aea2c9d3-c841-4466-8c61-c0ffbf6ac976.json new file mode 100644 index 00000000000..de3024fad67 --- /dev/null +++ b/packages/pad/kibana/dashboard/pad-aea2c9d3-c841-4466-8c61-c0ffbf6ac976.json 
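Review bot: the "Top 10 Command lines" table in `panelsJSON` runs a terms aggregation on `process.command_line` and renders the raw values on the dashboard; command lines routinely carry secrets passed as arguments (passwords, API tokens, connection strings), so this panel will reproduce them for every viewer of the dashboard, and that is worth stating in the package README (or the panel could fall back to `process.name` plus a truncated argument list if the full string is not needed for triage). Two smaller cleanups in the same hunk: the "Anomalies detected over time" Lens panel still carries the default `\"title\":\"Empty XY chart\"` in its visualization state, and the file ends with `\ No newline at end of file`, so a trailing newline should be added before merge.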
@@ -0,0 +1,72 @@ +{ + "attributes": { + "description": "This dashboard offers an overview of anomalies identified in Okta system logs by the Privileged Access Detection package.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"job_id : (\\\"pad_okta_spike_in_group_membership_changes\\\" or \\\"pad_okta_spike_in_user_lifecycle_management_changes\\\" or \\\"pad_okta_spike_in_group_privilege_changes\\\" or \\\"pad_okta_spike_in_group_application_assignment_changes\\\" or \\\"pad_okta_spike_in_group_lifecycle_changes\\\" or \\\"pad_okta_high_sum_concurrent_sessions_by_user\\\" or \\\"pad_okta_rare_source_ip_by_user\\\" or \\\"pad_okta_rare_region_name_by_user\\\" or \\\"pad_okta_rare_host_name_by_user\\\")\\n\\n\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"type\":\"custom\",\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"query\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"bool\":{\"filter\":[{\"term\":{\"result_type\":{\"value\":\"record\"}}}]}}}]}" + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": 
"[{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":11,\"h\":8,\"i\":\"9102c38b-a4e9-4219-97f8-b2e000bd3af6\"},\"panelIndex\":\"9102c38b-a4e9-4219-97f8-b2e000bd3af6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\"}],\"state\":{\"visualization\":{\"layerId\":\"606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\",\"accessor\":\"aec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\":{\"columns\":{\"aec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\":{\"label\":\"Anomalous host names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"agent.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"aec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":0,\"w\":11,\"h\":8,\"i\":\"c2594a80-809a-4db9-949f-c23de974e903\"},\"panelIndex\":\"c2594a80-809a-4db9-949f-c23de974e903\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\"}],\"state\":{\"visualization\":{\"layerId\":\"606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\",\"accessor\":\"a
ec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\":{\"columns\":{\"aec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\":{\"label\":\"Anomalous user names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"source.user.full_name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"aec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"ml_anomaly_swimlane\",\"gridData\":{\"x\":22,\"y\":0,\"w\":26,\"h\":19,\"i\":\"8a24b8ca-19da-4eb9-9ac3-d09bb362abb2\"},\"panelIndex\":\"8a24b8ca-19da-4eb9-9ac3-d09bb362abb2\",\"embeddableConfig\":{\"jobIds\":[\"pad_okta_high_sum_concurrent_sessions_by_user\",\"pad_okta_rare_host_name_by_user\",\"pad_okta_rare_region_name_by_user\",\"pad_okta_rare_source_ip_by_user\",\"pad_okta_spike_in_group_application_assignment_changes\",\"pad_okta_spike_in_group_lifecycle_changes\",\"pad_okta_spike_in_group_membership_changes\",\"pad_okta_spike_in_group_privilege_changes\",\"pad_okta_spike_in_user_lifecycle_management_changes\"],\"panelTitle\":\"ML anomaly swim lane for pad_okta_high_sum_concurrent_sessions_by_user, pad_okta_rare_host_name_by_user, pad_okta_rare_region_name_by_user, pad_okta_rare_source_ip_by_user, pad_okta_spike_in_group_application_assignment_changes, pad_okta_spike_in_group_lifecycle_changes, pad_okta_spike_in_group_membership_changes, pad_okta_spike_in_group_privilege_changes, 
pad_okta_spike_in_user_lifecycle_management_changes\",\"swimlaneType\":\"viewBy\",\"viewBy\":\"job ID\",\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected by their Job ID and Severity\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":8,\"w\":11,\"h\":11,\"i\":\"fe8ca082-0cbb-4e64-87c0-71b580b22776\"},\"panelIndex\":\"fe8ca082-0cbb-4e64-87c0-71b580b22776\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"471aae81-d83d-4ef6-942b-c92f9fe26435\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\":{\"columns\":{\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\":{\"label\":\"User names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.user.full_name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"471aae81-d83d-4ef6-942b-c92f9fe26435\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"471aae81-d83d-4ef6-942b-c92f9fe26435\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\",\"471aae81-d83d-4ef6-942b-c92f9fe26435\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 User names\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":8,\"w\":11,\"h\":11,\"i\":\"87db855a-4b1c-43b0-92f7-23d991abc98d\"},\"panelIndex\":\"87db855a-4b1c-43b0-92f7-23d991abc98d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"471aae81-d83d-4ef6-942b-c92f9fe26435\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"single\",\"rowHeightLines\":1},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\":{\"columns\":{\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\":{\"label\":\"Host 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"471aae81-d83d-4ef6-942b-c92f9fe26435\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"471aae81-d83d-4ef6-942b-c92f9fe26435\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\",\"471aae81-d83d-4ef6-942b-c92f9fe26435\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Host names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":19,\"w\":48,\"h\":9,\"i\":\"64a3d12e-87fc-4161-86bf-d10e47cb2131\"},\"panelIndex\":\"64a3d12e-87fc-4161-86bf-d10e47cb2131\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-d53a6d5d-0747-4aff-a8e0-bf3678f0f192\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY 
chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"d53a6d5d-0747-4aff-a8e0-bf3678f0f192\",\"accessors\":[\"8e064c56-fb74-40b3-851d-e3bb934f3224\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"9276778a-5402-4477-825f-bdfec4c9c712\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d53a6d5d-0747-4aff-a8e0-bf3678f0f192\":{\"columns\":{\"8e064c56-fb74-40b3-851d-e3bb934f3224\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"9276778a-5402-4477-825f-bdfec4c9c712\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":false,\"dropPartials\":false}}},\"columnOrder\":[\"9276778a-5402-4477-825f-bdfec4c9c712\",\"8e064c56-fb74-40b3-851d-e3bb934f3224\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected over 
time\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":28,\"w\":12,\"h\":12,\"i\":\"27b2661e-490f-4f5c-80b5-7021b64528da\"},\"panelIndex\":\"27b2661e-490f-4f5c-80b5-7021b64528da\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-aca96b75-931d-4c8d-bcf2-03b37727f51e\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"b9958cde-7f21-4133-9264-e2167b1636ab\",\"isTransposed\":false,\"isMetric\":true},{\"columnId\":\"91d2626d-1b61-4783-ac7b-705b8610f29b\",\"isTransposed\":false,\"isMetric\":false}],\"layerId\":\"aca96b75-931d-4c8d-bcf2-03b37727f51e\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"aca96b75-931d-4c8d-bcf2-03b37727f51e\":{\"columns\":{\"b9958cde-7f21-4133-9264-e2167b1636ab\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"91d2626d-1b61-4783-ac7b-705b8610f29b\":{\"label\":\"Okta event 
types\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"okta.event_type\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"b9958cde-7f21-4133-9264-e2167b1636ab\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"91d2626d-1b61-4783-ac7b-705b8610f29b\",\"b9958cde-7f21-4133-9264-e2167b1636ab\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Okta event types\"},{\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":28,\"w\":12,\"h\":12,\"i\":\"1f7cd6af-eee1-4456-a555-e257acb9dbae\"},\"panelIndex\":\"1f7cd6af-eee1-4456-a555-e257acb9dbae\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-aca96b75-931d-4c8d-bcf2-03b37727f51e\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"b9958cde-7f21-4133-9264-e2167b1636ab\",\"isTransposed\":false,\"isMetric\":true},{\"columnId\":\"91d2626d-1b61-4783-ac7b-705b8610f29b\",\"isTransposed\":false,\"isMetric\":false}],\"layerId\":\"aca96b75-931d-4c8d-bcf2-03b37727f51e\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"aca96b75-931d-4c8d-bcf2-03b37727f51e\":{\"columns\":{\"b9958cde-7f21-4133-9264-e2167b1636ab\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"91d2626d-1b61-4783-ac7b-705b8610f29b\":{\"label\":\"Source IPs\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.ip\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"b9958cde-7f21-4133-9264-e2167b1636ab\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true}},\"columnOrder\":[\"91d2626d-1b61-4783-ac7b-705b8610f29b\",\"b9958cde-7f21-4133-9264-e2167b1636ab\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Source 
IPs\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":28,\"w\":24,\"h\":12,\"i\":\"151ae1ee-f82f-4233-8901-4b54548fa92f\"},\"panelIndex\":\"151ae1ee-f82f-4233-8901-4b54548fa92f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-ca9ed90b-110a-4dec-a680-bd615c54f318\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal\",\"layers\":[{\"layerId\":\"ca9ed90b-110a-4dec-a680-bd615c54f318\",\"seriesType\":\"bar_horizontal\",\"xAccessor\":\"e789ceb8-c70c-43af-9126-bd9d7958f77b\",\"accessors\":[\"3f708596-2ad5-4a79-818d-4054db051bd4\"],\"yConfig\":[{\"forAccessor\":\"3f708596-2ad5-4a79-818d-4054db051bd4\",\"color\":\"#6092c0\"}],\"layerType\":\"data\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"ca9ed90b-110a-4dec-a680-bd615c54f318\":{\"columns\":{\"3f708596-2ad5-4a79-818d-4054db051bd4\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"e789ceb8-c70c-43af-9126-bd9d7958f77b\":{\"label\":\"Top 10 region 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"client.geo.region_name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"3f708596-2ad5-4a79-818d-4054db051bd4\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true}},\"columnOrder\":[\"e789ceb8-c70c-43af-9126-bd9d7958f77b\",\"3f708596-2ad5-4a79-818d-4054db051bd4\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Geo-regions\"}]", + "timeRestore": false, + "title": "Privileged Access Detection Dashboard [Okta]", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "id": "pad-aea2c9d3-c841-4466-8c61-c0ffbf6ac976", + "migrationVersion": { + "dashboard": "8.9.0" + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern", + "id": ".ml-anomalies-shared" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "9102c38b-a4e9-4219-97f8-b2e000bd3af6:indexpattern-datasource-layer-606e98ee-80ad-4ef6-b5dd-d72ca603cf3d" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "c2594a80-809a-4db9-949f-c23de974e903:indexpattern-datasource-layer-606e98ee-80ad-4ef6-b5dd-d72ca603cf3d" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "fe8ca082-0cbb-4e64-87c0-71b580b22776:indexpattern-datasource-layer-1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": 
"87db855a-4b1c-43b0-92f7-23d991abc98d:indexpattern-datasource-layer-1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "64a3d12e-87fc-4161-86bf-d10e47cb2131:indexpattern-datasource-layer-d53a6d5d-0747-4aff-a8e0-bf3678f0f192" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "27b2661e-490f-4f5c-80b5-7021b64528da:indexpattern-datasource-layer-aca96b75-931d-4c8d-bcf2-03b37727f51e" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "1f7cd6af-eee1-4456-a555-e257acb9dbae:indexpattern-datasource-layer-aca96b75-931d-4c8d-bcf2-03b37727f51e" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "151ae1ee-f82f-4233-8901-4b54548fa92f:indexpattern-datasource-layer-ca9ed90b-110a-4dec-a680-bd615c54f318" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/pad/kibana/dashboard/pad-euid-46fd7fd1-4e75-4750-8367-56761cefd762.json b/packages/pad/kibana/dashboard/pad-euid-46fd7fd1-4e75-4750-8367-56761cefd762.json deleted file mode 100644 index e8cac77a6f7..00000000000 --- a/packages/pad/kibana/dashboard/pad-euid-46fd7fd1-4e75-4750-8367-56761cefd762.json +++ /dev/null 
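Review bot: the new Okta dashboard file ends with `\ No newline at end of file`; add the trailing newline so the saved object matches the other dashboard assets in the package and does not produce spurious whole-file churn in later diffs. While here, it is worth confirming that every panel id in `panelsJSON` has a matching `<panelIndex>:indexpattern-datasource-layer-<layerId>` entry in `references` (the visible `151ae1ee-...` panel does), since a missing reference makes the panel fail to load after import even though the JSON is valid.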
@@ -1,87 +0,0 @@ -{ - "attributes": { - "description": "This dashboard offers an overview of anomalies identified in Windows logs by the Privileged Access Detection package.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"job_id: (\\\"pad_windows_high_count_group_management_events_euid\\\" or \\\"pad_windows_high_count_special_logon_events_euid\\\" or \\\"pad_windows_high_count_special_privilege_use_events_euid\\\" or \\\"pad_windows_high_count_user_account_management_events_euid\\\" or \\\"pad_windows_rare_device_by_user_euid\\\" or \\\"pad_windows_rare_group_name_by_user_euid\\\" or \\\"pad_windows_rare_source_ip_by_user_euid\\\" or \\\"pad_windows_rare_privilege_assigned_to_user_euid\\\" ) \\n\\n\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"type\":\"custom\",\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"query\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"bool\":{\"filter\":[{\"term\":{\"result_type\":{\"value\":\"record\"}}}]}}}]}" - }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "syncTooltips": false, - "useMargins": true - }, - "panelsJSON": 
"[{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":11,\"h\":8,\"i\":\"c969fd47-15df-4011-8fa3-2a27825ad0f6\"},\"panelIndex\":\"c969fd47-15df-4011-8fa3-2a27825ad0f6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-4a3eb6a5-00f0-40bb-a514-4624c8ecf975\"}],\"state\":{\"visualization\":{\"layerId\":\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\",\"accessor\":\"38c1895e-f712-49ad-b793-1468d2fd02dc\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\":{\"columns\":{\"38c1895e-f712-49ad-b793-1468d2fd02dc\":{\"label\":\"Anomalous host names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"38c1895e-f712-49ad-b793-1468d2fd02dc\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"Number of hosts 
affected\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":0,\"w\":11,\"h\":8,\"i\":\"16a69c4e-a9e3-4ec0-aa9a-11ba40d873bd\"},\"panelIndex\":\"16a69c4e-a9e3-4ec0-aa9a-11ba40d873bd\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-4a3eb6a5-00f0-40bb-a514-4624c8ecf975\"}],\"state\":{\"visualization\":{\"layerId\":\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\",\"accessor\":\"38c1895e-f712-49ad-b793-1468d2fd02dc\",\"layerType\":\"data\",\"size\":\"l\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"9b5b5af7-b12d-4f9e-98e4-eb78ca6a3de3\",\"type\":\"exists\",\"key\":\"host.name\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{\"exists\":{\"field\":\"host.name\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\":{\"columns\":{\"38c1895e-f712-49ad-b793-1468d2fd02dc\":{\"label\":\"Anomalous user names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"user.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"38c1895e-f712-49ad-b793-1468d2fd02dc\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"Number of users 
affected\"},{\"type\":\"ml_anomaly_swimlane\",\"gridData\":{\"x\":22,\"y\":0,\"w\":26,\"h\":19,\"i\":\"dce1e8da-3b99-4852-a222-3e0f276dee0e\"},\"panelIndex\":\"dce1e8da-3b99-4852-a222-3e0f276dee0e\",\"embeddableConfig\":{\"jobIds\":[\"pad_windows_high_count_group_management_events_euid\",\"pad_windows_high_count_special_logon_events_euid\",\"pad_windows_high_count_special_privilege_use_events_euid\",\"pad_windows_high_count_user_account_management_events_euid\",\"pad_windows_rare_device_by_user_euid\",\"pad_windows_rare_group_name_by_user_euid\",\"pad_windows_rare_privilege_assigned_to_user_euid\",\"pad_windows_rare_region_name_by_user_euid\",\"pad_windows_rare_source_ip_by_user_euid\"],\"panelTitle\":\"ML anomaly swim lane for pad_linux_high_count_privileged_process_events_by_user_euid, pad_linux_high_sum_process_command_line_entropy_by_user, pad_linux_rare_process_executed_by_user_euid\",\"swimlaneType\":\"viewBy\",\"viewBy\":\"job ID\",\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected by their Job ID and 
Severity\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":8,\"w\":11,\"h\":11,\"i\":\"26531c0e-a776-4e6f-badd-8766f77d9134\"},\"panelIndex\":\"26531c0e-a776-4e6f-badd-8766f77d9134\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-390b338f-2020-4d73-95ae-3934bae7f6b6\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"isTransposed\":false,\"isMetric\":false,\"hidden\":false,\"alignment\":\"left\"},{\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"390b338f-2020-4d73-95ae-3934bae7f6b6\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"390b338f-2020-4d73-95ae-3934bae7f6b6\":{\"columns\":{\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\":{\"label\":\"User names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"user.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"05043aa4-cc1e-429b-8046-fbcdd4092879\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"05043aa4-cc1e-429b-8046-fbcdd4092879\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 User names\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":8,\"w\":11,\"h\":11,\"i\":\"271a8d58-3d1b-44d9-93da-338c9f91867a\"},\"panelIndex\":\"271a8d58-3d1b-44d9-93da-338c9f91867a\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-390b338f-2020-4d73-95ae-3934bae7f6b6\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"isTransposed\":false,\"isMetric\":false,\"hidden\":false},{\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"390b338f-2020-4d73-95ae-3934bae7f6b6\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"390b338f-2020-4d73-95ae-3934bae7f6b6\":{\"columns\":{\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\":{\"label\":\"Host 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"05043aa4-cc1e-429b-8046-fbcdd4092879\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"05043aa4-cc1e-429b-8046-fbcdd4092879\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Host 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":19,\"w\":48,\"h\":10,\"i\":\"502e0249-fc8c-4d26-8f1e-d8f434d8e7c7\"},\"panelIndex\":\"502e0249-fc8c-4d26-8f1e-d8f434d8e7c7\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-633758dc-f315-45ef-8ff3-055ba6778160\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"633758dc-f315-45ef-8ff3-055ba6778160\",\"accessors\":[\"e0821c61-d9f8-46af-9b64-9b70c3353106\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"2e4087b8-5e9b-4040-8c21-231649fdaf27\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"633758dc-f315-45ef-8ff3-055ba6778160\":{\"columns\":{\"2e4087b8-5e9b-4040-8c21-231649fdaf27\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":false,\"dropPartials\":false}},\"e0821c61-d9f8-46af-9b64-9b70c3353106\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"2e4087b8-5e9b-4040-8c21-231649fdaf27\",\"e0821c61-d9f8-46af-9b64-9b70c3353106\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected over time\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":29,\"w\":12,\"h\":12,\"i\":\"920f2dd3-3628-4298-866a-da34c82431c2\"},\"panelIndex\":\"920f2dd3-3628-4298-866a-da34c82431c2\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Event 
types\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"event.action\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Event 
types\"},{\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":29,\"w\":12,\"h\":12,\"i\":\"02255922-d40f-4757-92c2-b53596a73f5e\"},\"panelIndex\":\"02255922-d40f-4757-92c2-b53596a73f5e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Privilege types\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"privilege_type\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Privilege types\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":29,\"w\":24,\"h\":12,\"i\":\"5318144f-ddf3-4f86-919f-0192feec779f\"},\"panelIndex\":\"5318144f-ddf3-4f86-919f-0192feec779f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-d4fef95e-d937-4dd8-9a7f-783e5142c701\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"d4fef95e-d937-4dd8-9a7f-783e5142c701\",\"accessors\":[\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d4fef95e-d937-4dd8-9a7f-783e5142c701\":{\"columns\":{\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\":{\"label\":\"Top 10 process names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\",\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Process 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":41,\"w\":12,\"h\":12,\"i\":\"0d20b661-2d10-4b29-8c22-74411dd468cb\"},\"panelIndex\":\"0d20b661-2d10-4b29-8c22-74411dd468cb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Source IPs\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.ip\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Source IPs\"},{\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":41,\"w\":12,\"h\":12,\"i\":\"8c0e0fe0-dbe3-4444-a341-b57559b4a7c0\"},\"panelIndex\":\"8c0e0fe0-dbe3-4444-a341-b57559b4a7c0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Group 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"group.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Group 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":41,\"w\":24,\"h\":12,\"i\":\"2762a942-0d53-4420-82c2-72bd991e7e7d\"},\"panelIndex\":\"2762a942-0d53-4420-82c2-72bd991e7e7d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-18a81053-4dec-4f8f-97b9-2cfbb5150300\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal\",\"layers\":[{\"layerId\":\"18a81053-4dec-4f8f-97b9-2cfbb5150300\",\"seriesType\":\"bar_horizontal\",\"xAccessor\":\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\",\"accessors\":[\"70751b16-f471-4176-b754-1680309d4477\"],\"yConfig\":[{\"forAccessor\":\"70751b16-f471-4176-b754-1680309d4477\",\"color\":\"#6092c0\"}],\"layerType\":\"data\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"18a81053-4dec-4f8f-97b9-2cfbb5150300\":{\"columns\":{\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\":{\"label\":\"Top 10 region 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.geo.region_name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"70751b16-f471-4176-b754-1680309d4477\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"70751b16-f471-4176-b754-1680309d4477\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\",\"70751b16-f471-4176-b754-1680309d4477\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Geo-regions\"}]", - "timeRestore": false, - "title": "Privileged Access Detection Dashboard [Windows] (EUID)", - "version": 1 - }, - "coreMigrationVersion": "8.8.0", - "id": "pad-euid-46fd7fd1-4e75-4750-8367-56761cefd762", - "migrationVersion": { - "dashboard": "8.9.0" - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern", - "id": ".ml-anomalies-shared" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "c969fd47-15df-4011-8fa3-2a27825ad0f6:indexpattern-datasource-layer-4a3eb6a5-00f0-40bb-a514-4624c8ecf975" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "16a69c4e-a9e3-4ec0-aa9a-11ba40d873bd:indexpattern-datasource-layer-4a3eb6a5-00f0-40bb-a514-4624c8ecf975" - 
}, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "26531c0e-a776-4e6f-badd-8766f77d9134:indexpattern-datasource-layer-390b338f-2020-4d73-95ae-3934bae7f6b6" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "271a8d58-3d1b-44d9-93da-338c9f91867a:indexpattern-datasource-layer-390b338f-2020-4d73-95ae-3934bae7f6b6" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "502e0249-fc8c-4d26-8f1e-d8f434d8e7c7:indexpattern-datasource-layer-633758dc-f315-45ef-8ff3-055ba6778160" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "920f2dd3-3628-4298-866a-da34c82431c2:indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "02255922-d40f-4757-92c2-b53596a73f5e:indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "5318144f-ddf3-4f86-919f-0192feec779f:indexpattern-datasource-layer-d4fef95e-d937-4dd8-9a7f-783e5142c701" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "0d20b661-2d10-4b29-8c22-74411dd468cb:indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "8c0e0fe0-dbe3-4444-a341-b57559b4a7c0:indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "2762a942-0d53-4420-82c2-72bd991e7e7d:indexpattern-datasource-layer-18a81053-4dec-4f8f-97b9-2cfbb5150300" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/pad/kibana/dashboard/pad-euid-8ff48325-ebf8-4777-9ef1-3b6d160e220a.json b/packages/pad/kibana/dashboard/pad-euid-8ff48325-ebf8-4777-9ef1-3b6d160e220a.json deleted file mode 100644 index 73a7d245453..00000000000 
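Review bot: the Windows EUID dashboard being deleted here carried several inconsistencies that its replacement should not inherit. In the `ml_anomaly_swimlane` panel, `panelTitle` names three Linux jobs (`pad_linux_high_count_privileged_process_events_by_user_euid`, `pad_linux_high_sum_process_command_line_entropy_by_user`, `pad_linux_rare_process_executed_by_user_euid`) while `jobIds` lists the Windows jobs, and that `jobIds` list includes `pad_windows_rare_region_name_by_user_euid`, which the dashboard's `searchSourceJSON` `job_id` query does not include, so the swim lane and the other panels were scoped to different job sets. The "Number of users affected" metric also applies an `exists` filter on `host.name` bound to a hard-coded data view id `9b5b5af7-b12d-4f9e-98e4-eb78ca6a3de3` that is not in `references`, and the "Top 10 Process names" visualization still has the placeholder title `Empty XY chart`. Please check the surviving Windows dashboard for the same three issues before merging.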
--- a/packages/pad/kibana/dashboard/pad-euid-8ff48325-ebf8-4777-9ef1-3b6d160e220a.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "This dashboard offers an overview of anomalies identified in Linux logs by the Privileged Access Detection package.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"job_id : (\\\"pad_linux_high_count_privileged_process_events_by_user_euid\\\" or \\\"pad_linux_rare_process_executed_by_user_euid\\\" or \\\"pad_linux_high_median_process_command_line_entropy_by_user_euid\\\")\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"type\":\"custom\",\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"query\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"bool\":{\"filter\":[{\"term\":{\"result_type\":{\"value\":\"record\"}}}]}}}]}" - }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "syncTooltips": false, - "useMargins": true - }, - "panelsJSON": "[{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":11,\"h\":8,\"i\":\"5f659483-b424-415f-aea1-c36bd1f65b0a\"},\"panelIndex\":\"5f659483-b424-415f-aea1-c36bd1f65b0a\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-00897d5d-df2a-4a94-b918-82f2625dfb2a\"}],\"state\":{\"visualization\":{\"layerId\":\"00897d5d-df2a-4a94-b918-82f2625dfb2a\",\"accessor\":\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"00897d5d-df2a-4a94-b918-82f2625dfb2a\":{\"columns\":{\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\":{\"label\":\"Anomalous host names 
detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":0,\"w\":11,\"h\":8,\"i\":\"5183abf0-ed13-455e-9f43-4f03c1d8738f\"},\"panelIndex\":\"5183abf0-ed13-455e-9f43-4f03c1d8738f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-00897d5d-df2a-4a94-b918-82f2625dfb2a\"}],\"state\":{\"visualization\":{\"layerId\":\"00897d5d-df2a-4a94-b918-82f2625dfb2a\",\"accessor\":\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"00897d5d-df2a-4a94-b918-82f2625dfb2a\":{\"columns\":{\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\":{\"label\":\"Anomalous user names 
detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"user.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"ml_anomaly_swimlane\",\"gridData\":{\"x\":22,\"y\":0,\"w\":26,\"h\":18,\"i\":\"74fa9f56-104a-4efa-aec3-844420c0350d\"},\"panelIndex\":\"74fa9f56-104a-4efa-aec3-844420c0350d\",\"embeddableConfig\":{\"jobIds\":[\"pad_linux_high_count_privileged_process_events_by_user_euid\",\"pad_linux_high_median_process_command_line_entropy_by_user_euid\",\"pad_linux_rare_process_executed_by_user_euid\"],\"panelTitle\":\"ML anomaly swim lane for pad_linux_high_count_privileged_process_events_by_user_euid, pad_linux_high_median_process_command_line_entropy_by_user_euid, pad_linux_rare_process_executed_by_user_euid\",\"swimlaneType\":\"viewBy\",\"viewBy\":\"job ID\",\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected by their Job ID and 
Severity\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":8,\"w\":11,\"h\":10,\"i\":\"69788132-8446-4d88-baef-81dbb0c34bbb\"},\"panelIndex\":\"69788132-8446-4d88-baef-81dbb0c34bbb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\":{\"columns\":{\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\":{\"label\":\"User names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"user.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\",\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 User names\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":8,\"w\":11,\"h\":10,\"i\":\"fa9be72f-18d4-4054-85a1-6c35f3a44406\"},\"panelIndex\":\"fa9be72f-18d4-4054-85a1-6c35f3a44406\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\":{\"columns\":{\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\":{\"label\":\"Host 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\",\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Host names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":18,\"w\":48,\"h\":9,\"i\":\"437c12af-ddd9-4ffa-a43f-df5693028ae3\"},\"panelIndex\":\"437c12af-ddd9-4ffa-a43f-df5693028ae3\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-a25cc1d0-4da8-4e42-9d93-7800fd4573bf\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY 
chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"a25cc1d0-4da8-4e42-9d93-7800fd4573bf\",\"accessors\":[\"7bf6b54c-a978-44a5-a882-3e3398a9a49d\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"6e60ffb4-8f27-4d05-b120-699ffa51c46c\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"a25cc1d0-4da8-4e42-9d93-7800fd4573bf\":{\"columns\":{\"6e60ffb4-8f27-4d05-b120-699ffa51c46c\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":false,\"dropPartials\":false}},\"7bf6b54c-a978-44a5-a882-3e3398a9a49d\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"6e60ffb4-8f27-4d05-b120-699ffa51c46c\",\"7bf6b54c-a978-44a5-a882-3e3398a9a49d\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected over 
time\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":27,\"w\":21,\"h\":12,\"i\":\"a86a0e06-7e5c-4cf5-9e52-884a1b83f00d\"},\"panelIndex\":\"a86a0e06-7e5c-4cf5-9e52-884a1b83f00d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-bb8cc50c-32fa-4f4e-846d-f8128bc9cbd5\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal\",\"layers\":[{\"layerId\":\"bb8cc50c-32fa-4f4e-846d-f8128bc9cbd5\",\"accessors\":[\"f99b8911-2434-488c-92e3-208a71fa6abd\"],\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"d1ed4962-15bf-4a35-a43f-d68f3d9f269e\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"bb8cc50c-32fa-4f4e-846d-f8128bc9cbd5\":{\"columns\":{\"d1ed4962-15bf-4a35-a43f-d68f3d9f269e\":{\"label\":\"Top 10 process names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f99b8911-2434-488c-92e3-208a71fa6abd\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"f99b8911-2434-488c-92e3-208a71fa6abd\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"d1ed4962-15bf-4a35-a43f-d68f3d9f269e\",\"f99b8911-2434-488c-92e3-208a71fa6abd\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Process names\"},{\"type\":\"lens\",\"gridData\":{\"x\":21,\"y\":27,\"w\":27,\"h\":12,\"i\":\"ef4641fe-8802-4ca1-aae2-e4a7fdf80c25\"},\"panelIndex\":\"ef4641fe-8802-4ca1-aae2-e4a7fdf80c25\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-adf86fac-24b5-464e-83c0-0353583f7769\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"3723924b-14a6-414d-b1a9-0704cd57703e\",\"isTransposed\":false,\"isMetric\":false,\"oneClickFilter\":false},{\"columnId\":\"01945a54-9581-4d1a-8bbf-8ffb641b8f32\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"adf86fac-24b5-464e-83c0-0353583f7769\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"adf86fac-24b5-464e-83c0-0353583f7769\":{\"columns\":{\"3723924b-14a6-414d-b1a9-0704cd57703e\":{\"label\":\"Command 
lines\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.command_line\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"01945a54-9581-4d1a-8bbf-8ffb641b8f32\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"01945a54-9581-4d1a-8bbf-8ffb641b8f32\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3723924b-14a6-414d-b1a9-0704cd57703e\",\"01945a54-9581-4d1a-8bbf-8ffb641b8f32\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Command lines\"}]", - "timeRestore": false, - "title": "Privileged Access Detection Dashboard [Linux] (EUID)", - "version": 1 - }, - "coreMigrationVersion": "8.8.0", - "id": "pad-euid-8ff48325-ebf8-4777-9ef1-3b6d160e220a", - "migrationVersion": { - "dashboard": "8.9.0" - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern", - "id": ".ml-anomalies-shared" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "5f659483-b424-415f-aea1-c36bd1f65b0a:indexpattern-datasource-layer-00897d5d-df2a-4a94-b918-82f2625dfb2a" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "5183abf0-ed13-455e-9f43-4f03c1d8738f:indexpattern-datasource-layer-00897d5d-df2a-4a94-b918-82f2625dfb2a" - }, - { - "type": 
"index-pattern", - "id": ".ml-anomalies-shared", - "name": "69788132-8446-4d88-baef-81dbb0c34bbb:indexpattern-datasource-layer-dc9c0b23-4e22-4d75-a8e0-8b29ad67f016" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "fa9be72f-18d4-4054-85a1-6c35f3a44406:indexpattern-datasource-layer-dc9c0b23-4e22-4d75-a8e0-8b29ad67f016" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "437c12af-ddd9-4ffa-a43f-df5693028ae3:indexpattern-datasource-layer-a25cc1d0-4da8-4e42-9d93-7800fd4573bf" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "a86a0e06-7e5c-4cf5-9e52-884a1b83f00d:indexpattern-datasource-layer-bb8cc50c-32fa-4f4e-846d-f8128bc9cbd5" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "ef4641fe-8802-4ca1-aae2-e4a7fdf80c25:indexpattern-datasource-layer-adf86fac-24b5-464e-83c0-0353583f7769" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/pad/kibana/dashboard/pad-euid-97d27aca-2fbf-4a28-8eb6-279caa008eef.json b/packages/pad/kibana/dashboard/pad-euid-97d27aca-2fbf-4a28-8eb6-279caa008eef.json deleted file mode 100644 index 03854a8fc27..00000000000 --- a/packages/pad/kibana/dashboard/pad-euid-97d27aca-2fbf-4a28-8eb6-279caa008eef.json +++ /dev/null 
@@ -1,72 +0,0 @@ -{ - "attributes": { - "description": "This dashboard offers an overview of anomalies identified in Okta system logs by the Privileged Access Detection package.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"job_id : (\\\"pad_okta_spike_in_group_membership_changes_euid\\\" or \\\"pad_okta_spike_in_user_lifecycle_management_changes_euid\\\" or \\\"pad_okta_spike_in_group_privilege_changes_euid\\\" or \\\"pad_okta_spike_in_group_application_assignment_changes_euid\\\" or \\\"pad_okta_spike_in_group_lifecycle_changes_euid\\\" or \\\"pad_okta_high_sum_concurrent_sessions_by_user_euid\\\" or \\\"pad_okta_rare_source_ip_by_user_euid\\\" or \\\"pad_okta_rare_region_name_by_user_euid\\\" or \\\"pad_okta_rare_host_name_by_user_euid\\\")\\n\\n\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"type\":\"custom\",\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"query\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"bool\":{\"filter\":[{\"term\":{\"result_type\":{\"value\":\"record\"}}}]}}}]}" - }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "syncTooltips": false, - "useMargins": true - }, - "panelsJSON": 
"[{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":11,\"h\":8,\"i\":\"9102c38b-a4e9-4219-97f8-b2e000bd3af6\"},\"panelIndex\":\"9102c38b-a4e9-4219-97f8-b2e000bd3af6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\"}],\"state\":{\"visualization\":{\"layerId\":\"606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\",\"accessor\":\"aec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\":{\"columns\":{\"aec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\":{\"label\":\"Anomalous host names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"agent.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"aec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":0,\"w\":11,\"h\":8,\"i\":\"c2594a80-809a-4db9-949f-c23de974e903\"},\"panelIndex\":\"c2594a80-809a-4db9-949f-c23de974e903\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\"}],\"state\":{\"visualization\":{\"layerId\":\"606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\",\"accessor\":\"a
ec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\":{\"columns\":{\"aec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\":{\"label\":\"Anomalous user names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"source.user.full_name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"aec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"ml_anomaly_swimlane\",\"gridData\":{\"x\":22,\"y\":0,\"w\":26,\"h\":19,\"i\":\"8a24b8ca-19da-4eb9-9ac3-d09bb362abb2\"},\"panelIndex\":\"8a24b8ca-19da-4eb9-9ac3-d09bb362abb2\",\"embeddableConfig\":{\"jobIds\":[\"pad_okta_high_sum_concurrent_sessions_by_user_euid\",\"pad_okta_rare_host_name_by_user_euid\",\"pad_okta_rare_region_name_by_user_euid\",\"pad_okta_rare_source_ip_by_user_euid\",\"pad_okta_spike_in_group_application_assignment_changes_euid\",\"pad_okta_spike_in_group_lifecycle_changes_euid\",\"pad_okta_spike_in_group_membership_changes_euid\",\"pad_okta_spike_in_group_privilege_changes_euid\",\"pad_okta_spike_in_user_lifecycle_management_changes_euid\"],\"panelTitle\":\"ML anomaly swim lane for pad_okta_high_sum_concurrent_sessions_by_user_euid, pad_okta_rare_host_name_by_user_euid, pad_okta_rare_region_name_by_user_euid, pad_okta_rare_source_ip_by_user_euid, pad_okta_spike_in_group_application_assignment_changes_euid, pad_okta_spike_in_group_lifecycle_changes_euid, pad_okta_spike_in_group_membership_changes_euid, 
pad_okta_spike_in_group_privilege_changes_euid, pad_okta_spike_in_user_lifecycle_management_changes_euid\",\"swimlaneType\":\"viewBy\",\"viewBy\":\"job ID\",\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected by their Job ID and Severity\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":8,\"w\":11,\"h\":11,\"i\":\"fe8ca082-0cbb-4e64-87c0-71b580b22776\"},\"panelIndex\":\"fe8ca082-0cbb-4e64-87c0-71b580b22776\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"471aae81-d83d-4ef6-942b-c92f9fe26435\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\":{\"columns\":{\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\":{\"label\":\"User names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.user.full_name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"471aae81-d83d-4ef6-942b-c92f9fe26435\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"471aae81-d83d-4ef6-942b-c92f9fe26435\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\",\"471aae81-d83d-4ef6-942b-c92f9fe26435\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 User names\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":8,\"w\":11,\"h\":11,\"i\":\"87db855a-4b1c-43b0-92f7-23d991abc98d\"},\"panelIndex\":\"87db855a-4b1c-43b0-92f7-23d991abc98d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"471aae81-d83d-4ef6-942b-c92f9fe26435\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"single\",\"rowHeightLines\":1},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\":{\"columns\":{\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\":{\"label\":\"Host 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"471aae81-d83d-4ef6-942b-c92f9fe26435\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"471aae81-d83d-4ef6-942b-c92f9fe26435\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\",\"471aae81-d83d-4ef6-942b-c92f9fe26435\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Host names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":19,\"w\":48,\"h\":9,\"i\":\"64a3d12e-87fc-4161-86bf-d10e47cb2131\"},\"panelIndex\":\"64a3d12e-87fc-4161-86bf-d10e47cb2131\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-d53a6d5d-0747-4aff-a8e0-bf3678f0f192\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY 
chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"d53a6d5d-0747-4aff-a8e0-bf3678f0f192\",\"accessors\":[\"8e064c56-fb74-40b3-851d-e3bb934f3224\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"9276778a-5402-4477-825f-bdfec4c9c712\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d53a6d5d-0747-4aff-a8e0-bf3678f0f192\":{\"columns\":{\"8e064c56-fb74-40b3-851d-e3bb934f3224\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"9276778a-5402-4477-825f-bdfec4c9c712\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":false,\"dropPartials\":false}}},\"columnOrder\":[\"9276778a-5402-4477-825f-bdfec4c9c712\",\"8e064c56-fb74-40b3-851d-e3bb934f3224\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected over 
time\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":28,\"w\":12,\"h\":12,\"i\":\"27b2661e-490f-4f5c-80b5-7021b64528da\"},\"panelIndex\":\"27b2661e-490f-4f5c-80b5-7021b64528da\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-aca96b75-931d-4c8d-bcf2-03b37727f51e\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"b9958cde-7f21-4133-9264-e2167b1636ab\",\"isTransposed\":false,\"isMetric\":true},{\"columnId\":\"91d2626d-1b61-4783-ac7b-705b8610f29b\",\"isTransposed\":false,\"isMetric\":false}],\"layerId\":\"aca96b75-931d-4c8d-bcf2-03b37727f51e\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"aca96b75-931d-4c8d-bcf2-03b37727f51e\":{\"columns\":{\"b9958cde-7f21-4133-9264-e2167b1636ab\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"91d2626d-1b61-4783-ac7b-705b8610f29b\":{\"label\":\"Okta event 
types\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"okta.event_type\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"b9958cde-7f21-4133-9264-e2167b1636ab\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"91d2626d-1b61-4783-ac7b-705b8610f29b\",\"b9958cde-7f21-4133-9264-e2167b1636ab\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Okta event types\"},{\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":28,\"w\":12,\"h\":12,\"i\":\"1f7cd6af-eee1-4456-a555-e257acb9dbae\"},\"panelIndex\":\"1f7cd6af-eee1-4456-a555-e257acb9dbae\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-aca96b75-931d-4c8d-bcf2-03b37727f51e\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"b9958cde-7f21-4133-9264-e2167b1636ab\",\"isTransposed\":false,\"isMetric\":true},{\"columnId\":\"91d2626d-1b61-4783-ac7b-705b8610f29b\",\"isTransposed\":false,\"isMetric\":false}],\"layerId\":\"aca96b75-931d-4c8d-bcf2-03b37727f51e\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"aca96b75-931d-4c8d-bcf2-03b37727f51e\":{\"columns\":{\"b9958cde-7f21-4133-9264-e2167b1636ab\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"91d2626d-1b61-4783-ac7b-705b8610f29b\":{\"label\":\"Source IPs\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.ip\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"b9958cde-7f21-4133-9264-e2167b1636ab\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true}},\"columnOrder\":[\"91d2626d-1b61-4783-ac7b-705b8610f29b\",\"b9958cde-7f21-4133-9264-e2167b1636ab\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Source 
IPs\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":28,\"w\":24,\"h\":12,\"i\":\"151ae1ee-f82f-4233-8901-4b54548fa92f\"},\"panelIndex\":\"151ae1ee-f82f-4233-8901-4b54548fa92f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-ca9ed90b-110a-4dec-a680-bd615c54f318\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal\",\"layers\":[{\"layerId\":\"ca9ed90b-110a-4dec-a680-bd615c54f318\",\"seriesType\":\"bar_horizontal\",\"xAccessor\":\"e789ceb8-c70c-43af-9126-bd9d7958f77b\",\"accessors\":[\"3f708596-2ad5-4a79-818d-4054db051bd4\"],\"yConfig\":[{\"forAccessor\":\"3f708596-2ad5-4a79-818d-4054db051bd4\",\"color\":\"#6092c0\"}],\"layerType\":\"data\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"ca9ed90b-110a-4dec-a680-bd615c54f318\":{\"columns\":{\"3f708596-2ad5-4a79-818d-4054db051bd4\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"e789ceb8-c70c-43af-9126-bd9d7958f77b\":{\"label\":\"Top 10 region 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"client.geo.region_name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"3f708596-2ad5-4a79-818d-4054db051bd4\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true}},\"columnOrder\":[\"e789ceb8-c70c-43af-9126-bd9d7958f77b\",\"3f708596-2ad5-4a79-818d-4054db051bd4\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Geo-regions\"}]", - "timeRestore": false, - "title": "Privileged Access Detection Dashboard [Okta] (EUID)", - "version": 1 - }, - "coreMigrationVersion": "8.8.0", - "id": "pad-euid-97d27aca-2fbf-4a28-8eb6-279caa008eef", - "migrationVersion": { - "dashboard": "8.9.0" - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern", - "id": ".ml-anomalies-shared" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "9102c38b-a4e9-4219-97f8-b2e000bd3af6:indexpattern-datasource-layer-606e98ee-80ad-4ef6-b5dd-d72ca603cf3d" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "c2594a80-809a-4db9-949f-c23de974e903:indexpattern-datasource-layer-606e98ee-80ad-4ef6-b5dd-d72ca603cf3d" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "fe8ca082-0cbb-4e64-87c0-71b580b22776:indexpattern-datasource-layer-1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": 
"87db855a-4b1c-43b0-92f7-23d991abc98d:indexpattern-datasource-layer-1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "64a3d12e-87fc-4161-86bf-d10e47cb2131:indexpattern-datasource-layer-d53a6d5d-0747-4aff-a8e0-bf3678f0f192" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "27b2661e-490f-4f5c-80b5-7021b64528da:indexpattern-datasource-layer-aca96b75-931d-4c8d-bcf2-03b37727f51e" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "1f7cd6af-eee1-4456-a555-e257acb9dbae:indexpattern-datasource-layer-aca96b75-931d-4c8d-bcf2-03b37727f51e" - }, - { - "type": "index-pattern", - "id": ".ml-anomalies-shared", - "name": "151ae1ee-f82f-4233-8901-4b54548fa92f:indexpattern-datasource-layer-ca9ed90b-110a-4dec-a680-bd615c54f318" - } - ], - "type": "dashboard" -} \ No newline at end of file From f26acb57dc218060a82c72ebf34d14aba2e2f309 Mon Sep 17 00:00:00 2001 
From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Mon, 9 Mar 2026 14:56:37 -0500 Subject: [PATCH 09/44] rollback EUID changes, add required fields for entity resolution, change documentation --- packages/ded/changelog.yml | 2 +- packages/ded/docs/README.md | 62 +- .../pivot_transform_ea/fields/fields.yml | 8 +- .../pivot_transform_ea/transform.yml | 19 +- ...-c0d7f060-7a6b-11ed-9b26-4bb95b2c57a6.json | 57 + packages/ded/kibana/ml_module/ded-ml.json | 1175 ++-- packages/dga/changelog.yml | 2 +- packages/dga/docs/README.md | 12 +- packages/dga/kibana/ml_module/dga-ml.json | 227 +- packages/hta/changelog.yml | 2 +- packages/hta/docs/README.md | 2 +- packages/lmd/changelog.yml | 2 +- packages/lmd/docs/README.md | 74 +- .../pivot_transform_ea/fields/fields.yml | 8 +- .../pivot_transform_ea/transform.yml | 15 +- ...-17fea180-8c4c-11ed-bb03-41a73f349362.json | 52 + packages/lmd/kibana/ml_module/lmd-ml.json | 1889 +++---- packages/pad/changelog.yml | 2 +- packages/pad/docs/README.md | 120 +- .../fields/fields.yml | 4 +- .../transform.yml | 14 +- .../fields/fields.yml | 8 +- .../transform.yml | 22 +- ...-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09.json | 87 + ...-71c4cb79-3d39-4f27-9bbf-1b273c9c37cc.json | 67 + ...-aea2c9d3-c841-4466-8c61-c0ffbf6ac976.json | 72 + packages/pad/kibana/ml_module/pad-ml.json | 4982 ++++++++--------- packages/problemchild/changelog.yml | 2 +- packages/problemchild/docs/README.md | 32 +- .../kibana/ml_module/problemchild-ml.json | 1192 ++-- 30 files changed, 5122 insertions(+), 5090 deletions(-) create mode 100644 packages/ded/kibana/dashboard/ded-ea-c0d7f060-7a6b-11ed-9b26-4bb95b2c57a6.json create mode 100644 packages/lmd/kibana/dashboard/lmd-ea-17fea180-8c4c-11ed-bb03-41a73f349362.json create mode 100644 packages/pad/kibana/dashboard/pad-ea-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09.json create mode 100644 packages/pad/kibana/dashboard/pad-ea-71c4cb79-3d39-4f27-9bbf-1b273c9c37cc.json create mode 100644 
packages/pad/kibana/dashboard/pad-ea-aea2c9d3-c841-4466-8c61-c0ffbf6ac976.json diff --git a/packages/ded/changelog.yml b/packages/ded/changelog.yml index 8563196b5b1..e101485743e 100644 --- a/packages/ded/changelog.yml +++ b/packages/ded/changelog.yml @@ -1,6 +1,6 @@ - version: "3.0.0" changes: - - description: Introduce Entity Unique IDs (EUIDs) + - description: Introduce Entity Analytics type: enhancement link: https://github.com/elastic/integrations/pull/99999 - version: "2.4.1" diff --git a/packages/ded/docs/README.md b/packages/ded/docs/README.md index 01eeebcd470..57caf345ba8 100644 --- a/packages/ded/docs/README.md +++ b/packages/ded/docs/README.md 
@@ -13,19 +13,19 @@ For more detailed information refer to the following blog: 1. **Upgrading**: If upgrading from a version below v3.0.0, see the section v3.0.0 and beyond. 1. **Add the Integration Package**: Install the package via **Management > Integrations > Add Data Exfiltration Detection**. Configure the integration name and agent policy. Click Save and Continue. (Note that this integration does not rely on an agent, and can be assigned to a policy without an agent.) 1. **Install assets**: Install the assets by clicking **Settings > Install Data Exfiltration Detection assets**. -1. **Check the health of the transform**: The transform is scheduled to run every 30 minutes. This transform creates the index `ml_network_ded_euid-`. To check the health of the transform go to **Management > Stack Management > Data > Transforms** under `logs-ded.pivot_transform_euid-default-`. Follow the instructions under the header `Customize Data Exfiltration Detection Transform` below to adjust filters based on your environment's needs. -1. **Create data views for anomaly detection jobs**: This package contains anomaly detection jobs that work on network events (e.g. `logs-endpoint.events.network-*`) and file events (`logs-endpoint.events.file-*`) respectively. See the _Anomaly Detection Jobs_ section below for more details. _Tip: If you only have one of the above data sources (network or file), you can only follow the steps pertaining to that index._ A separate designated index (`ml_network_ded_euid.all`) collects network logs from a transform. Before enabling the anomaly detection jobs, create a data view with both index patterns. +1. **Check the health of the transform**: The transform is scheduled to run every 30 minutes. This transform creates the index `ml_network_ded_ea-`. To check the health of the transform go to **Management > Stack Management > Data > Transforms** under `logs-ded.pivot_transform_ea-default-`. 
Follow the instructions under the header `Customize Data Exfiltration Detection Transform` below to adjust filters based on your environment's needs. +1. **Create data views for anomaly detection jobs**: This package contains anomaly detection jobs that work on network events (e.g. `logs-endpoint.events.network-*`) and file events (`logs-endpoint.events.file-*`) respectively. See the _Anomaly Detection Jobs_ section below for more details. _Tip: If you only have one of the above data sources (network or file), you can only follow the steps pertaining to that index._ A separate designated index (`ml_network_ded_ea.all`) collects network logs from a transform. Before enabling the anomaly detection jobs, create a data view with both index patterns. 1. Go to **Stack Management > Kibana > Data Views** and click **Create data view**. - 1. Enter the name of your respective index patterns in the **Index pattern** box, i.e., `logs-endpoint.events.file-*`, `logs-endpoint.events.network-*` (depending which one(s) you have), `ml_network_ded_euid.all`, and copy the same in the **Name** field. + 1. Enter the name of your respective index patterns in the **Index pattern** box, i.e., `logs-endpoint.events.file-*`, `logs-endpoint.events.network-*` (depending which one(s) you have), `ml_network_ded_ea.all`, and copy the same in the **Name** field. 1. Select `@timestamp` under the **Timestamp** field and click on **Save data view to Kibana**. - 1. Use the new data view (`logs-endpoint.events.network-*`, `logs-endpoint.events.file-*`, `ml_network_ded_euid.all`) to create anomaly detection jobs for this package. + 1. Use the new data view (`logs-endpoint.events.network-*`, `logs-endpoint.events.file-*`, `ml_network_ded_ea.all`) to create anomaly detection jobs for this package. 1. **Add preconfigured anomaly detection jobs**: In **Stack Management -> Anomaly Detection Jobs**, you will see **Select data view or saved search**. Select the data view created in the previous step. 
Then under `Use preconfigured jobs` you will see **Data Exfiltration Detection**. If you do not see this card, events must be ingested from a source that matches the query specified in the [ded-ml file](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json#L10), such as Elastic Defend. When you select the card, you will see pre-configured anomaly detection jobs that you can create depending on what makes the most sense for your environment. If you are using Elastic Defend to collect events, file events are in `logs-endpoint.events.file-*` and network events in `logs-endpoint.events.network-*`. If you are only collecting file or network events, select only the relevant jobs at this step. 1. **Data view configuration for Dashboards**: For the dashboard to work as expected, the following settings need to be configured in Kibana. 1. You have started the above anomaly detection jobs. 1. You have **read** access to `.ml-anomalies-shared` index or are assigned the `machine_learning_user` role. For more information on roles, please refer to [Built-in roles in Elastic](https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-roles.html). Please be aware that a user who has access to the underlying machine learning results indices can see the results of _all_ jobs in _all_ spaces. Be mindful of granting permissions if you use Kibana spaces to control which users can see which machine learning results. For more information on machine learning privileges, refer to [setup-privileges](https://www.elastic.co/guide/en/machine-learning/current/setup.html#setup-privileges). 1. After enabling the jobs, go to **Management > Stack Management > Kibana > Data Views**. 
Click on **Create data view** with the following settings: - Name: `.ml-anomalies-shared` - - Index pattern : `.ml-anomalies-shared*` + - Index pattern : `.ml-anomalies-shared` - Select **Show Advanced settings** enable **Allow hidden and system indices** - Custom data view ID: `.ml-anomalies-shared` 
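Review bot: the last change in this hunk, `Index pattern : .ml-anomalies-shared*` to `.ml-anomalies-shared`, is not an EUID rollback and is not covered by the commit message; confirm it is intended. Without the trailing wildcard the data view matches only an index or alias named exactly `.ml-anomalies-shared`, whereas the old pattern also covered any index whose name extends that prefix. If the narrower pattern is deliberate, keep the "Allow hidden and system indices" step that follows (it is still required for a dot-prefixed index) and make the same edit in the dga, lmd, pad and problemchild READMEs touched by this patch so the dashboard setup is consistent across packages. Minor: the stray space in "Index pattern :" is carried into the new line and could be dropped.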
@@ -42,18 +42,18 @@ To inspect the installed assets, you can navigate to **Stack Management > Data > | Transform name | Purpose | Source index | Destination index | Alias | | ------------------- | ------------------------------------------- | ------------ | ------------------------ | ------------------ | -| ded.pivot_transform_euid | Collects network logs from your environment | logs-* | ml_network_ded_euid-[version] | ml_network_ded_euid.all | +| ded.pivot_transform_ea | Collects network logs from your environment | logs-* | ml_network_ded_ea-[version] | ml_network_ded_ea.all | **Note**: The transform applies only to network data and does not currently support macOS network logs. -When querying the destination index (`ml_network_ded_euid-`) for network logs, we advise using the alias for the destination index (`ml_network_ded_euid.all`). In the event that the underlying package is upgraded, the alias will aid in maintaining the previous findings. +When querying the destination index (`ml_network_ded_ea-`) for network logs, we advise using the alias for the destination index (`ml_network_ded_ea.all`). In the event that the underlying package is upgraded, the alias will aid in maintaining the previous findings. ## Customize Data Exfiltration Detection Transform To customize filters in the Data Exfiltration Detection transform, follow the below steps. You can use these instructions to update basic settings or to update filters for fields such as `process.name`, `source.ip`, `destination.ip`, and others. 1. To update settings such as retention policy, frequency, or destination configuration, stop the transform, click **Edit** from the **Actions** bar, make the required changes, and start the transform again. ![Data Exfiltration Detection transform](../img/ded_transform_update.png) -1. To update the query filters, go to **Stack Management > Data > Transforms > `logs-ded.pivot_transform_euid-default-`**. +1. 
To update the query filters, go to **Stack Management > Data > Transforms > `logs-ded.pivot_transform_ea-default-`**. 1. Click on the **Actions** bar at the far right of the transform and select the **Clone** option. ![Data Exfiltration Detection transform](../img/ded_transform_1.png) 1. In the new **Clone transform** window, go to the **Search filter** and update any field values you want to add or remove. Click on the **Apply changes** button on the right side to save these changes. **Note:** The image below shows an example of filtering a new `process.name` as `explorer.exe`. You can follow a similar example and update the field value list based on your environment to help reduce noise and potential false positives. 
@@ -71,13 +71,13 @@ After the data view for the dashboard is configured, the **Data Exfiltration Det | Job | Description | Supported Platform | Event Category | | ---------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ | ------------------ | ----- | -| ded_high_sent_bytes_destination_geo_country_iso_code_euid | Detects data exfiltration to an unusual geo-location (by country iso code). | Linux, Windows | network | -| ded_high_sent_bytes_destination_ip_euid | Detects data exfiltration to an unusual geo-location (by IP address). | Linux, Windows | network | -| ded_high_sent_bytes_destination_port_euid | Detects data exfiltration to an unusual destination port. | Linux, Windows | network | -| ded_high_sent_bytes_destination_region_name_euid | Detects data exfiltration to an unusual geo-location (by region name). | Linux, Windows | network | -| ded_high_bytes_written_to_external_device_euid | Detects data exfiltration activity by identifying high bytes written to an external device. | Windows | file | -| ded_rare_process_writing_to_external_device_euid | Detects data exfiltration activity by identifying a writing event started by a rare process to an external device. | Windows | file | -| ded_high_bytes_written_to_external_device_airdrop_euid | Detects data exfiltration activity by identifying high bytes written to an external device via Airdrop. | macOS | file | +| ded_high_sent_bytes_destination_geo_country_iso_code_ea | Detects data exfiltration to an unusual geo-location (by country iso code). | Linux, Windows | network | +| ded_high_sent_bytes_destination_ip_ea | Detects data exfiltration to an unusual geo-location (by IP address). | Linux, Windows | network | +| ded_high_sent_bytes_destination_port_ea | Detects data exfiltration to an unusual destination port. 
| Linux, Windows | network | +| ded_high_sent_bytes_destination_region_name_ea | Detects data exfiltration to an unusual geo-location (by region name). | Linux, Windows | network | +| ded_high_bytes_written_to_external_device_ea | Detects data exfiltration activity by identifying high bytes written to an external device. | Windows | file | +| ded_rare_process_writing_to_external_device_ea | Detects data exfiltration activity by identifying a writing event started by a rare process to an external device. | Windows | file | +| ded_high_bytes_written_to_external_device_airdrop_ea | Detects data exfiltration activity by identifying high bytes written to an external device via Airdrop. | macOS | file | ## Customize ML jobs for Data Exfiltration Detection 
@@ -98,24 +98,24 @@ To customize the datafeed query and other settings such as model memory limit, f ## v3.0.0 and beyond -v3.0.0 of the package introduces Entity Unique IDs (EUIDs) for use with Entity Analytics. This version is available on Elastic Stack version 9.4 and later. +v3.0.0 of the package introduces Entity Analytics support for Elastic Stack version 9.4, adding new fields for proper entity resolution. -- Previously installed versions of ML jobs, transforms, and rules will continue to run, giving you time to transition to the new EUID-based assets. -- On installation of this version, new ML jobs, transforms, and rules that utilize EUIDs will be available. +- Previously installed versions of ML jobs, transforms, and rules will continue to run, giving you time to transition to the new Entity Analytics assets. +- On installation of this version, new ML jobs, transforms, and rules that utilize Entity Analytics will be available. - We recommend installing the new ML jobs and transforms first and check they are properly installed, gathering data and generating anomalies before updating to the latest version of the detection rules provided in 9.4. -- The new EUID transforms write to separate destination indices postfixed with `_euid`. Create a new data view for the EUID anomaly detection jobs using the new EUID destination indices/aliases listed below. Do not mix old and new transform destination indices in the same data view. 
- -The new EUID ML job IDs are: -- `ded_high_sent_bytes_destination_geo_country_iso_code_euid` -- `ded_high_sent_bytes_destination_ip_euid` -- `ded_high_sent_bytes_destination_port_euid` -- `ded_high_sent_bytes_destination_region_name_euid` -- `ded_high_bytes_written_to_external_device_euid` -- `ded_rare_process_writing_to_external_device_euid` -- `ded_high_bytes_written_to_external_device_airdrop_euid` - -The new EUID transforms are: -- `ded.pivot_transform_euid` → destination index: `ml_network_ded_euid-3.0.0`, alias: `ml_network_ded_euid.latest`, `ml_network_ded_euid.all` +- The new Entity Analytics transforms write to separate destination indices postfixed with `_ea`. Create a new data view for the Entity Analytics anomaly detection jobs using the new destination indices/aliases listed below. Do not mix old and new transform destination indices in the same data view. + +The new Entity Analytics ML job IDs are: +- `ded_high_sent_bytes_destination_geo_country_iso_code_ea` +- `ded_high_sent_bytes_destination_ip_ea` +- `ded_high_sent_bytes_destination_port_ea` +- `ded_high_sent_bytes_destination_region_name_ea` +- `ded_high_bytes_written_to_external_device_ea` +- `ded_rare_process_writing_to_external_device_ea` +- `ded_high_bytes_written_to_external_device_airdrop_ea` + +The new Entity Analytics transforms are: +- `ded.pivot_transform_ea` → destination index: `ml_network_ded_ea-3.0.0`, alias: `ml_network_ded_ea.latest`, `ml_network_ded_ea.all` ## v2.0.0 and beyond diff --git a/packages/ded/elasticsearch/transform/pivot_transform_ea/fields/fields.yml b/packages/ded/elasticsearch/transform/pivot_transform_ea/fields/fields.yml index ccbb38276e7..45c7074f3b2 100644 --- a/packages/ded/elasticsearch/transform/pivot_transform_ea/fields/fields.yml +++ b/packages/ded/elasticsearch/transform/pivot_transform_ea/fields/fields.yml 
@@ -1,6 +1,8 @@ -- name: user.entity.id_computed - type: keyword -- name: host.entity.id_computed +- external: ecs + name: host.name +- external: ecs + name: user.name +- name: event.module type: keyword - external: ecs name: event.category diff --git a/packages/ded/elasticsearch/transform/pivot_transform_ea/transform.yml b/packages/ded/elasticsearch/transform/pivot_transform_ea/transform.yml index 3cf9b69c8b5..11f8b506a20 100644 --- a/packages/ded/elasticsearch/transform/pivot_transform_ea/transform.yml +++ b/packages/ded/elasticsearch/transform/pivot_transform_ea/transform.yml @@ -1,10 +1,10 @@ dest: - index: ml_network_ded_euid-3.0.0 + index: ml_network_ded_ea-3.0.0 aliases: - - alias: ml_network_ded_euid.latest + - alias: ml_network_ded_ea.latest move_on_creation: true - - alias: ml_network_ded_euid.all + - alias: ml_network_ded_ea.all move_on_creation: false pipeline: 3.0.0-ml_ded_ingest_pipeline description: This transform runs every 30 minutes and collects network logs to detect data exfiltration in your environment for the past month up to the runtime. @@ -18,14 +18,15 @@ pivot: avg: field: source.bytes group_by: - 'host.entity.id_computed': + 'host.name': terms: - script: - id: euid_host_entity - 'user.entity.id_computed': + field: host.name + 'user.name': terms: - script: - id: euid_user_entity + field: user.name + event.module: + terms: + field: event.module 'network.direction': terms: field: network.direction diff --git a/packages/ded/kibana/dashboard/ded-ea-c0d7f060-7a6b-11ed-9b26-4bb95b2c57a6.json b/packages/ded/kibana/dashboard/ded-ea-c0d7f060-7a6b-11ed-9b26-4bb95b2c57a6.json new file mode 100644 index 00000000000..7cbe381ad3c --- /dev/null +++ b/packages/ded/kibana/dashboard/ded-ea-c0d7f060-7a6b-11ed-9b26-4bb95b2c57a6.json 
@@ -0,0 +1,57 @@ +{ + "attributes": { + "description": "This dashboard provides an overview of anomalies found for Data Exfiltration Detection package.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"(job_id: \\\"ded_high_sent_bytes_destination_geo_country_iso_code_ea\\\" or job_id: \\\"ded_high_bytes_written_to_external_device_airdrop_ea\\\" or job_id: \\\"ded_high_bytes_written_to_external_device_ea\\\" or job_id: \\\"ded_rare_process_writing_to_external_device_ea\\\" or job_id: \\\"ded_high_sent_bytes_destination_ip_ea\\\" or job_id : \\\"ded_high_sent_bytes_destination_port_ea\\\" or job_id: \\\"ded_high_sent_bytes_destination_region_name_ea\\\") \",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"result_type\",\"field\":\"result_type\",\"type\":\"phrase\",\"params\":{\"query\":\"record\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"result_type\":\"record\"}},\"$state\":{\"store\":\"appState\"}}]}" + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": 
"[{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":15,\"y\":0,\"w\":16,\"h\":8,\"i\":\"109fb1af-bae3-45a3-8284-8206b08ca0ca\"},\"panelIndex\":\"109fb1af-bae3-45a3-8284-8206b08ca0ca\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"name\":\"indexpattern-datasource-layer-7236397d-5baf-4a72-b0ca-eb888f30103b\",\"id\":\".ml-anomalies-shared\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"7236397d-5baf-4a72-b0ca-eb888f30103b\",\"accessor\":\"6c8e42f3-f21c-4c6b-b9a1-2d855f08ee8f\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"7236397d-5baf-4a72-b0ca-eb888f30103b\":{\"columns\":{\"6c8e42f3-f21c-4c6b-b9a1-2d855f08ee8f\":{\"label\":\"Total affected hosts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"6c8e42f3-f21c-4c6b-b9a1-2d855f08ee8f\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":8,\"w\":23,\"h\":15,\"i\":\"218d787c-8b8a-4c8d-9597-89fde21e354e\"},\"panelIndex\":\"218d787c-8b8a-4c8d-9597-89fde21e354e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"name\":\"indexpattern-datasource-layer-4abb92df-6c5d-4ff8-a859-fc293ce60e70\",\"id\":\".ml-anomalies-shared\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"b04943cf-244d-4202-a241-5016f157fcf3\",\"isTransposed\":false},{\"columnId\":\"632aca7c-068e-42ca-ad9b-0533ab38d466\",\"isTransposed\":false}],\"layerId\":\"4abb92df-6c5d-4ff8-a859-fc293ce60e70\",\"layerType\":\"data\"},\"query\":{\
"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4abb92df-6c5d-4ff8-a859-fc293ce60e70\":{\"columns\":{\"b04943cf-244d-4202-a241-5016f157fcf3\":{\"label\":\"host.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"632aca7c-068e-42ca-ad9b-0533ab38d466\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"}},\"customLabel\":true},\"632aca7c-068e-42ca-ad9b-0533ab38d466\":{\"label\":\"Number of anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"b04943cf-244d-4202-a241-5016f157fcf3\",\"632aca7c-068e-42ca-ad9b-0533ab38d466\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 20 Hosts Associated with Data Exfiltration 
Activity\"},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":23,\"y\":8,\"w\":25,\"h\":15,\"i\":\"b7d80672-3c60-441e-9edb-b05fa96e88d1\"},\"panelIndex\":\"b7d80672-3c60-441e-9edb-b05fa96e88d1\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"name\":\"indexpattern-datasource-layer-daaccc7d-bf90-4a63-848e-6181389ee601\",\"id\":\".ml-anomalies-shared\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"daaccc7d-bf90-4a63-848e-6181389ee601\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"baa67605-1ebc-418d-bd21-8254b22c0faf\"},{\"columnId\":\"acf8d722-a0dd-4eb9-9fac-1d784fc668fa\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"daaccc7d-bf90-4a63-848e-6181389ee601\":{\"columns\":{\"baa67605-1ebc-418d-bd21-8254b22c0faf\":{\"label\":\"process.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.name\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"acf8d722-a0dd-4eb9-9fac-1d784fc668fa\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"}},\"customLabel\":true},\"acf8d722-a0dd-4eb9-9fac-1d784fc668fa\":{\"label\":\"Number of anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"baa67605-1ebc-418d-bd21-8254b22c0faf\",\"acf8d722-a0dd-4eb9-9fac-1d784fc668fa\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 20 Processes Associated with Data Exfiltration 
Activity\"},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":23,\"w\":23,\"h\":15,\"i\":\"ff5d0e30-1f8f-4577-bd30-8458a3d3f93c\"},\"panelIndex\":\"ff5d0e30-1f8f-4577-bd30-8458a3d3f93c\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"name\":\"indexpattern-datasource-layer-d052422b-7069-4cc7-938c-a7802f3eb8cb\",\"id\":\".ml-anomalies-shared\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"d052422b-7069-4cc7-938c-a7802f3eb8cb\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"f3be7369-746c-4e7e-b75d-c431d55783ec\"},{\"columnId\":\"524a43f5-836a-4bca-9631-de7fa1e4335d\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"d052422b-7069-4cc7-938c-a7802f3eb8cb\":{\"columns\":{\"f3be7369-746c-4e7e-b75d-c431d55783ec\":{\"label\":\"host.name > user.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"524a43f5-836a-4bca-9631-de7fa1e4335d\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"multi_terms\"},\"secondaryFields\":[\"user.name\"]},\"customLabel\":true},\"524a43f5-836a-4bca-9631-de7fa1e4335d\":{\"label\":\"Number of anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"f3be7369-746c-4e7e-b75d-c431d55783ec\",\"524a43f5-836a-4bca-9631-de7fa1e4335d\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 20 User-Host Combinations Associated with Data Exfiltration 
Activity\"},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":23,\"y\":23,\"w\":25,\"h\":15,\"i\":\"cb0d405a-f0d2-4328-a3bc-d50e842749f3\"},\"panelIndex\":\"cb0d405a-f0d2-4328-a3bc-d50e842749f3\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsChoropleth\",\"type\":\"lens\",\"references\":[{\"name\":\"indexpattern-datasource-layer-f97661af-4480-48ea-85a1-33c65e062d97\",\"id\":\".ml-anomalies-shared\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"f97661af-4480-48ea-85a1-33c65e062d97\",\"layerType\":\"data\",\"regionAccessor\":\"6fac8510-1db9-4b36-bb2a-737f6782ef33\",\"valueAccessor\":\"178e2b00-2c49-4971-bd7b-f6acc6d00cf6\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"f97661af-4480-48ea-85a1-33c65e062d97\":{\"columns\":{\"6fac8510-1db9-4b36-bb2a-737f6782ef33\":{\"label\":\" destination.geo.country_iso_code\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"destination.geo.country_iso_code\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"178e2b00-2c49-4971-bd7b-f6acc6d00cf6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"}},\"customLabel\":true},\"178e2b00-2c49-4971-bd7b-f6acc6d00cf6\":{\"label\":\"Number of anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"6fac8510-1db9-4b36-bb2a-737f6782ef33\",\"178e2b00-2c49-4971-bd7b-f6acc6d00cf6\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 20 Geo Locations Associated with Data Exfiltration Activity by ISO 
Code\"},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":38,\"w\":48,\"h\":13,\"i\":\"c2a276c9-b22f-4791-afd6-e0eee9b6cc05\"},\"panelIndex\":\"c2a276c9-b22f-4791-afd6-e0eee9b6cc05\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-11e91ade-6c94-46e8-96e7-592f5e522898\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"fa763272-957c-4ed5-a494-8ee580023bcc\",\"isTransposed\":false},{\"columnId\":\"429585bf-154f-49ec-97cd-009752a01a59\",\"isTransposed\":false}],\"layerId\":\"11e91ade-6c94-46e8-96e7-592f5e522898\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"11e91ade-6c94-46e8-96e7-592f5e522898\":{\"columns\":{\"fa763272-957c-4ed5-a494-8ee580023bcc\":{\"label\":\"File name > File path > External device type\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"file.name\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"429585bf-154f-49ec-97cd-009752a01a59\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"multi_terms\"},\"secondaryFields\":[\"file.path\",\"file.Ext.device.bus_type\"]},\"customLabel\":true},\"429585bf-154f-49ec-97cd-009752a01a59\":{\"label\":\"Number of anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"fa763272-957c-4ed5-a494-8ee580023bcc\",\"429585bf-154f-49ec-97cd-009752a01a59\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 20 File names, File paths and 
External device type Combinations Associated with Data Exfiltration Activity\"}]", + "timeRestore": false, + "title": "Data Exfiltration Detection Dashboard (Entity Analytics)", + "version": 2 + }, + "coreMigrationVersion": "8.5.1", + "id": "ded-ea-c0d7f060-7a6b-11ed-9b26-4bb95b2c57a6", + "migrationVersion": { + "dashboard": "8.5.0" + }, + "references": [ + { + "id": ".ml-anomalies-shared", + "name": "109fb1af-bae3-45a3-8284-8206b08ca0ca:indexpattern-datasource-layer-7236397d-5baf-4a72-b0ca-eb888f30103b", + "type": "index-pattern" + }, + { + "id": ".ml-anomalies-shared", + "name": "218d787c-8b8a-4c8d-9597-89fde21e354e:indexpattern-datasource-layer-4abb92df-6c5d-4ff8-a859-fc293ce60e70", + "type": "index-pattern" + }, + { + "id": ".ml-anomalies-shared", + "name": "b7d80672-3c60-441e-9edb-b05fa96e88d1:indexpattern-datasource-layer-daaccc7d-bf90-4a63-848e-6181389ee601", + "type": "index-pattern" + }, + { + "id": ".ml-anomalies-shared", + "name": "ff5d0e30-1f8f-4577-bd30-8458a3d3f93c:indexpattern-datasource-layer-d052422b-7069-4cc7-938c-a7802f3eb8cb", + "type": "index-pattern" + }, + { + "id": ".ml-anomalies-shared", + "name": "cb0d405a-f0d2-4328-a3bc-d50e842749f3:indexpattern-datasource-layer-f97661af-4480-48ea-85a1-33c65e062d97", + "type": "index-pattern" + }, + { + "id": ".ml-anomalies-shared", + "name": "c2a276c9-b22f-4791-afd6-e0eee9b6cc05:indexpattern-datasource-layer-11e91ade-6c94-46e8-96e7-592f5e522898", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/ded/kibana/ml_module/ded-ml.json b/packages/ded/kibana/ml_module/ded-ml.json index b137a5d5587..ee3acb0e55a 100644 --- a/packages/ded/kibana/ml_module/ded-ml.json +++ b/packages/ded/kibana/ml_module/ded-ml.json 
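Review bot: in the new `ded-ea-c0d7f060-7a6b-11ed-9b26-4bb95b2c57a6` dashboard, every visible Lens panel carries `"query":{"query":"","language":"kuery"}` and `"filters":[]`, so each "Number of anomalies" column counts `___records___` across the entire `.ml-anomalies-shared` data view. Unless a dashboard-level filter (not in this excerpt) pins `job_id` to the `ded_*_ea` jobs, the tables will also count results from the pre-3.0.0 jobs that the package READMEs in this patch say keep running after upgrade, and from any other job writing to the shared results index. Suggest an explicit `job_id` filter on the dashboard or a panel-level KQL query before this ships.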
@@ -1,615 +1,586 @@ { - "attributes": { - "id": "ded-ml", - "title": "Data Exfiltration Detection", - "description": "Detects data exfiltration activity in your network and file data.", - "type": "ded", - "logo": { - "icon": "machineLearningApp" - }, - "query": { - "bool": { - "should": [ - { - "term": { - "event.category": "file" - } - }, - { - "bool": { - "filter": [ - { - "term": { - "event.category": "network" - } - }, - { - "exists": { - "field": "source.bytes" - } - }, - { - "exists": { - "field": "destination" - } - } - ] - } - } - ], - "must_not": { - "terms": { - "_tier": [ - "data_frozen", - "data_cold" - ] - } - } + "attributes": { + "id": "ded-ml", + "title": "Data Exfiltration Detection", + "description": "Detects data exfiltration activity in your network and file data.", + "type": "ded", + "logo": { + "icon": "machineLearningApp" + }, + "query": { + "bool": { + "should": [ + { + "term": { + "event.category": "file" } - }, - "jobs": [ - { - "id": "ded_high_sent_bytes_destination_geo_country_iso_code_euid", - "config": { - "groups": [ - "security", - "data_exfiltration" - ], - "description": "Detects data exfiltration to an unusual geo-location (by country iso code).", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High bytes sent to an unusual country iso code", - "function": "high_sum", - "field_name": "source.bytes", - "over_field_name": "destination.geo.country_iso_code", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "host.name", - "user.entity.id_computed", - "user.name", - "process.name", - "source.ip", - "destination.ip", - "destination.geo.continent_name", - "destination.geo.country_name", - "destination.geo.country_iso_code" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-ded" - } - } - }, - { - "id": "ded_high_sent_bytes_destination_ip_euid", - "config": { - 
"groups": [ - "security", - "data_exfiltration" - ], - "description": "Detects data exfiltration to an unusual geo-location (by IP address).", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High bytes sent to an unusual IP address", - "function": "high_sum", - "field_name": "source.bytes", - "over_field_name": "destination.ip", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "host.name", - "user.entity.id_computed", - "user.name", - "process.name", - "source.ip", - "destination.ip" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-ded" - } - } - }, - { - "id": "ded_high_sent_bytes_destination_port_euid", - "config": { - "groups": [ - "security", - "data_exfiltration" - ], - "description": "Detects data exfiltration to an unusual destination port.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High bytes sent to an unusual destination port", - "function": "high_sum", - "field_name": "source.bytes", - "over_field_name": "destination.port", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "host.name", - "user.entity.id_computed", - "user.name", - "process.name", - "source.ip", - "destination.ip", - "destination.port" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-ded" - } - } - }, - { - "id": "ded_high_sent_bytes_destination_region_name_euid", - "config": { - "groups": [ - "security", - "data_exfiltration" - ], - "description": "Detects data exfiltration to an unusual geo-location (by region name).", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High bytes sent to an unusual region", - "function": "high_sum", - "field_name": "source.bytes", - "over_field_name": 
"destination.geo.region_name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "host.name", - "user.entity.id_computed", - "user.name", - "process.name", - "source.ip", - "destination.ip", - "destination.geo.city_name", - "destination.geo.region_name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-ded" - } - } - }, - { - "id": "ded_high_bytes_written_to_external_device_euid", - "config": { - "groups": [ - "security", - "data_exfiltration" - ], - "description": "Detects data exfiltration activity by identifying high bytes written to an external device.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "High bytes written to an external device", - "function": "high_sum", - "field_name": "file.size", - "partition_field_name": "host.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "host.name", - "user.entity.id_computed", - "user.name", - "file.name", - "file.path", - "file.Ext.device.bus_type", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-ded" - } - } - }, - { - "id": "ded_rare_process_writing_to_external_device_euid", - "config": { - "groups": [ - "security", - "data_exfiltration" - ], - "description": "Detects data exfiltration activity by identifying a file write started by a rare process to an external device.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare process writing to an external device", - "function": "rare", - "by_field_name": "process.name", - "partition_field_name": "host.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "host.name", - "user.entity.id_computed", - "user.name", - "file.name", - "file.path", - 
"file.Ext.device.bus_type", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-ded" - } - } - }, - { - "id": "ded_high_bytes_written_to_external_device_airdrop_euid", - "config": { - "groups": [ - "security", - "data_exfiltration" - ], - "description": "Detects data exfiltration activity by identifying high bytes written to an external device via Airdrop.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "High bytes written to an external device using Airdrop", - "function": "high_sum", - "field_name": "file.size", - "partition_field_name": "host.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "host.name", - "user.entity.id_computed", - "user.name", - "file.name", - "file.path", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-ded" - } + }, + { + "bool": { + "filter": [ + { + "term": { + "event.category": "network" + } + }, + { + "exists": { + "field": "source.bytes" + } + }, + { + "exists": { + "field": "destination" + } } + ] } + } ], - "datafeeds": [ - { - "id": "datafeed-ded_high_sent_bytes_destination_geo_country_iso_code_euid", - "job_id": "ded_high_sent_bytes_destination_geo_country_iso_code_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "ded_high_sent_bytes_destination_geo_country_iso_code_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "event.category": "network" - } - }, - { - "exists": { - "field": "source.bytes" - } - }, - { - "exists": { - "field": "destination.port" - } - } - ] - } - } + "must_not": { + "terms": { + "_tier": [ + "data_frozen", + "data_cold" + ] + } + } + } + }, + "jobs": [ + { + "id": "ded_high_sent_bytes_destination_geo_country_iso_code_ea", + "config": { + "groups": [ + 
"security", + "data_exfiltration" + ], + "description": "Detects data exfiltration to an unusual geo-location (by country iso code).", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High bytes sent to an unusual country iso code", + "function": "high_sum", + "field_name": "source.bytes", + "over_field_name": "destination.geo.country_iso_code", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "process.name", + "source.ip", + "destination.ip", + "destination.geo.continent_name", + "destination.geo.country_name", + "destination.geo.country_iso_code" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-ded" + } + } + }, + { + "id": "ded_high_sent_bytes_destination_ip_ea", + "config": { + "groups": [ + "security", + "data_exfiltration" + ], + "description": "Detects data exfiltration to an unusual geo-location (by IP address).", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High bytes sent to an unusual IP address", + "function": "high_sum", + "field_name": "source.bytes", + "over_field_name": "destination.ip", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "process.name", + "source.ip", + "destination.ip" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-ded" + } + } + }, + { + "id": "ded_high_sent_bytes_destination_port_ea", + "config": { + "groups": [ + "security", + "data_exfiltration" + ], + "description": "Detects data exfiltration to an unusual destination port.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High bytes sent to an unusual destination port", + "function": "high_sum", + 
"field_name": "source.bytes", + "over_field_name": "destination.port", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "process.name", + "source.ip", + "destination.ip", + "destination.port" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-ded" + } + } + }, + { + "id": "ded_high_sent_bytes_destination_region_name_ea", + "config": { + "groups": [ + "security", + "data_exfiltration" + ], + "description": "Detects data exfiltration to an unusual geo-location (by region name).", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High bytes sent to an unusual region", + "function": "high_sum", + "field_name": "source.bytes", + "over_field_name": "destination.geo.region_name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "process.name", + "source.ip", + "destination.ip", + "destination.geo.city_name", + "destination.geo.region_name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-ded" + } + } + }, + { + "id": "ded_high_bytes_written_to_external_device_ea", + "config": { + "groups": [ + "security", + "data_exfiltration" + ], + "description": "Detects data exfiltration activity by identifying high bytes written to an external device.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "High bytes written to an external device", + "function": "high_sum", + "field_name": "file.size", + "partition_field_name": "host.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "file.name", + "file.path", + "file.Ext.device.bus_type", + "process.name" + ] + }, + 
"data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-ded" + } + } + }, + { + "id": "ded_rare_process_writing_to_external_device_ea", + "config": { + "groups": [ + "security", + "data_exfiltration" + ], + "description": "Detects data exfiltration activity by identifying a file write started by a rare process to an external device.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare process writing to an external device", + "function": "rare", + "by_field_name": "process.name", + "partition_field_name": "host.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "file.name", + "file.path", + "file.Ext.device.bus_type", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-ded" + } + } + }, + { + "id": "ded_high_bytes_written_to_external_device_airdrop_ea", + "config": { + "groups": [ + "security", + "data_exfiltration" + ], + "description": "Detects data exfiltration activity by identifying high bytes written to an external device via Airdrop.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "High bytes written to an external device using Airdrop", + "function": "high_sum", + "field_name": "file.size", + "partition_field_name": "host.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "file.name", + "file.path", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-ded" + } + } + } + ], + "datafeeds": [ + { + "id": "datafeed-ded_high_sent_bytes_destination_geo_country_iso_code_ea", + "job_id": 
"ded_high_sent_bytes_destination_geo_country_iso_code_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ded_high_sent_bytes_destination_geo_country_iso_code_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + "event.category": "network" + } + }, + { + "exists": { + "field": "source.bytes" + } + }, + { + "exists": { + "field": "destination.port" + } } - }, - { - "id": "datafeed-ded_high_sent_bytes_destination_ip_euid", - "job_id": "ded_high_sent_bytes_destination_ip_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "ded_high_sent_bytes_destination_ip_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "event.category": "network" - } - }, - { - "exists": { - "field": "source.bytes" - } - }, - { - "exists": { - "field": "destination.port" - } - } - ] - } - } + ] + } + } + } + }, + { + "id": "datafeed-ded_high_sent_bytes_destination_ip_ea", + "job_id": "ded_high_sent_bytes_destination_ip_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ded_high_sent_bytes_destination_ip_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + "event.category": "network" + } + }, + { + "exists": { + "field": "source.bytes" + } + }, + { + "exists": { + "field": "destination.port" + } } - }, - { - "id": "datafeed-ded_high_sent_bytes_destination_port_euid", - "job_id": "ded_high_sent_bytes_destination_port_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "ded_high_sent_bytes_destination_port_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "event.category": "network" - } - }, - { - "exists": { - "field": "source.bytes" - } - }, - { - "exists": { - "field": "destination.port" - } - } - ] - } - } + ] + } + } + } + }, + { + "id": "datafeed-ded_high_sent_bytes_destination_port_ea", + "job_id": "ded_high_sent_bytes_destination_port_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ded_high_sent_bytes_destination_port_ea", + 
"query": { + "bool": { + "filter": [ + { + "term": { + "event.category": "network" + } + }, + { + "exists": { + "field": "source.bytes" + } + }, + { + "exists": { + "field": "destination.port" + } } - }, - { - "id": "datafeed-ded_high_sent_bytes_destination_region_name_euid", - "job_id": "ded_high_sent_bytes_destination_region_name_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "ded_high_sent_bytes_destination_region_name_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "event.category": "network" - } - }, - { - "exists": { - "field": "source.bytes" - } - }, - { - "exists": { - "field": "destination.port" - } - } - ] - } - } + ] + } + } + } + }, + { + "id": "datafeed-ded_high_sent_bytes_destination_region_name_ea", + "job_id": "ded_high_sent_bytes_destination_region_name_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ded_high_sent_bytes_destination_region_name_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + "event.category": "network" + } + }, + { + "exists": { + "field": "source.bytes" + } + }, + { + "exists": { + "field": "destination.port" + } } - }, - { - "id": "datafeed-ded_high_bytes_written_to_external_device_euid", - "job_id": "ded_high_bytes_written_to_external_device_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "ded_high_bytes_written_to_external_device_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "event.category": "file" - } - }, - { - "term": { - "host.os.type": "windows" - } - }, - { - "exists": { - "field": "file.Ext.device.bus_type" - } - }, - { - "terms": { - "event.action": [ - "creation", - "overwrite", - "modification" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } - } - } + ] + } + } + } + }, + { + "id": 
"datafeed-ded_high_bytes_written_to_external_device_ea", + "job_id": "ded_high_bytes_written_to_external_device_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ded_high_bytes_written_to_external_device_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "host.os.type": "windows" + } + }, + { + "exists": { + "field": "file.Ext.device.bus_type" + } + }, + { + "terms": { + "event.action": [ + "creation", + "overwrite", + "modification" + ] + } } - }, - { - "id": "datafeed-ded_rare_process_writing_to_external_device_euid", - "job_id": "ded_rare_process_writing_to_external_device_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "ded_rare_process_writing_to_external_device_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "event.category": "file" - } - }, - { - "term": { - "host.os.type": "windows" - } - }, - { - "exists": { - "field": "file.Ext.device.bus_type" - } - }, - { - "terms": { - "event.action": [ - "creation", - "overwrite", - "modification" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } - } - } + ] + } + } + } + }, + { + "id": "datafeed-ded_rare_process_writing_to_external_device_ea", + "job_id": "ded_rare_process_writing_to_external_device_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ded_rare_process_writing_to_external_device_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "host.os.type": "windows" + } + }, + { + "exists": { + "field": "file.Ext.device.bus_type" + } + }, + { + "terms": { + "event.action": [ + "creation", + "overwrite", + "modification" + ] + } } - }, - { - "id": "datafeed-ded_high_bytes_written_to_external_device_airdrop_euid", - "job_id": 
"ded_high_bytes_written_to_external_device_airdrop_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "ded_high_bytes_written_to_external_device_airdrop_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "event.category": "file" - } - }, - { - "term": { - "process.name": "sharingd" - } - }, - { - "term": { - "host.os.type": "macos" - } - }, - { - "terms": { - "event.action": [ - "creation", - "overwrite", - "modification" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } - } - } + ] + } + } + } + }, + { + "id": "datafeed-ded_high_bytes_written_to_external_device_airdrop_ea", + "job_id": "ded_high_bytes_written_to_external_device_airdrop_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ded_high_bytes_written_to_external_device_airdrop_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "process.name": "sharingd" + } + }, + { + "term": { + "host.os.type": "macos" + } + }, + { + "terms": { + "event.action": [ + "creation", + "overwrite", + "modification" + ] + } } + ] } - ] - }, - "id": "ded-ml", - "migrationVersion": { - "search": "7.16.0" - }, - "references": [], - "type": "ml-module" -} + } + } + } + ] + }, + "id": "ded-ml", + "migrationVersion": { + "search": "7.16.0" + }, + "references": [], + "type": "ml-module" +} \ No newline at end of file diff --git a/packages/dga/changelog.yml b/packages/dga/changelog.yml index 82fe8edd8a5..e34aef18713 100644 --- a/packages/dga/changelog.yml +++ b/packages/dga/changelog.yml @@ -1,7 +1,7 @@ # newer versions go on top - version: "3.0.0" changes: - - description: Introduce Entity Unique IDs (EUIDs) + - description: Introduce Entity Analytics type: enhancement link: https://github.com/elastic/integrations/pull/99999 - version: "2.3.5" 
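Review bot: the `ded-ml.json` hunk (`@@ -1,615 +1,586 @@`) rewrites every line of the file, most with identical content, which looks like a whitespace-only reformat and hides the functional delta; please review with `git diff -w` and ideally split the reformat into its own commit. The functional changes I can see are: job and datafeed IDs move from `_euid` to `_ea`; the influencers `host.entity.id_computed` / `user.entity.id_computed` are replaced by `host.id`, `user.id` and a new `event.module`; the three external-device detectors change `"partition_field_name": "host.entity.id_computed"` to `"partition_field_name": "host.name"`; and the `script_fields` blocks referencing the `euid_user_entity` / `euid_host_entity` stored scripts are dropped from the datafeeds. Two questions on that: `host.name` is not unique across domains or re-imaged machines, so why partition on it rather than on `host.id`, which this hunk already adds as an influencer; and `event.module` is a very low-cardinality field that will attach to nearly every anomaly, so what is it expected to discriminate? Unrelated but visible in the same hunk: the module-level `query` requires `exists: destination` while every network datafeed requires `exists: destination.port`, so the module preview and the datafeeds select different documents.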
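Review bot: the `packages/dga/changelog.yml` hunk keeps `link: https://github.com/elastic/integrations/pull/99999`, a placeholder PR number, under the 3.0.0 entry, and the `hta` and `lmd` changelog hunks further down carry the same placeholder. Replace it with the real PR URL before merge, otherwise the published changelogs point at an unrelated PR.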
diff --git a/packages/dga/docs/README.md b/packages/dga/docs/README.md index c055711ec9b..6f630826fae 100644 --- a/packages/dga/docs/README.md +++ b/packages/dga/docs/README.md @@ -86,7 +86,7 @@ For more detailed information refer to the following blogs: | Job | Description | |---|---| -| dga_high_sum_probability_euid | Detects potential DGA (domain generation algorithm) activity that is often used by malware command and control (C2) channels. Looks for a source IP address making DNS requests that have an aggregate high probability of being DGA activity.| +| dga_high_sum_probability_ea | Detects potential DGA (domain generation algorithm) activity that is often used by malware command and control (C2) channels. Looks for a source IP address making DNS requests that have an aggregate high probability of being DGA activity.| ## Customize ML jobs for Domain Generation Algorithm Detection 
@@ -107,14 +107,14 @@ To customize the datafeed query and other settings such as model memory limit, f ## v3.0.0 and beyond -v3.0.0 of the package introduces Entity Unique IDs (EUIDs) for use with Entity Analytics. This version is available on Elastic Stack version 9.4 and later. +v3.0.0 of the package introduces Entity Analytics support for Elastic Stack version 9.4, adding new fields for proper entity resolution. -- Previously installed versions of ML jobs and rules will continue to run, giving you time to transition to the new EUID-based assets. -- On installation of this version, new ML jobs and rules that utilize EUIDs will be available. +- Previously installed versions of ML jobs and rules will continue to run, giving you time to transition to the new Entity Analytics assets. +- On installation of this version, new ML jobs and rules that utilize Entity Analytics will be available. - We recommend installing the new ML jobs first and check they are properly installed, gathering data and generating anomalies before updating to the latest version of the detection rules provided in 9.4. -The new EUID ML job IDs are: -- `dga_high_sum_probability_euid` +The new Entity Analytics ML job IDs are: +- `dga_high_sum_probability_ea` ## v2.0.0 and beyond diff --git a/packages/dga/kibana/ml_module/dga-ml.json b/packages/dga/kibana/ml_module/dga-ml.json index 9f2ecb7e1dd..56a00ef7ab9 100644 --- a/packages/dga/kibana/ml_module/dga-ml.json +++ b/packages/dga/kibana/ml_module/dga-ml.json 
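Review bot: in the second `packages/dga/docs/README.md` hunk (`@@ -107,14 +107,14 @@`), the new sentence `v3.0.0 of the package introduces Entity Analytics support for Elastic Stack version 9.4, adding new fields for proper entity resolution.` does not match the `dga-ml.json` change in this same patch, which adds no fields: it removes the computed `host.entity.id_computed` script field and switches the influencers to the existing ECS fields `host.id` and `host.name`. Suggest naming the fields the `_ea` job now depends on (`source.ip`, `host.name`, `host.id`) and restoring the dropped "and later" qualifier, since the old text said 9.4 and later while the new one reads as 9.4 only.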
@@ -1,122 +1,115 @@ { - "attributes": { - "id": "dga-ml", - "title": "DGA", - "description": "Detect domain generation algorithm (DGA) activity in your network data.", - "type": "DGA", - "logo": { - "icon": "machineLearningApp" - }, - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "ml_is_dga.malicious_probability" - } - } - ], - "must_not": { - "terms": { - "_tier": [ - "data_frozen", - "data_cold" - ] - } - } - } - }, - "jobs": [ - { - "id": "dga_high_sum_probability_euid", - "config": { - "groups": [ - "security", - "dga" - ], - "description": "Detects potential DGA (domain generation algorithm) activity that is often used by malware command and control (C2) channels. Looks for a source IP address making DNS requests that have an aggregate high probability of being DGA activity.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "detector_description": "high probability of DGA activity", - "detector_index": 0, - "field_name": "ml_is_dga.malicious_probability", - "function": "high_sum", - "over_field_name": "source.ip" - } - ], - "influencers": [ - "source.ip", - "host.entity.id_computed", - "host.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-dga" - } - } + "attributes": { + "id": "dga-ml", + "title": "DGA", + "description": "Detect domain generation algorithm (DGA) activity in your network data.", + "type": "DGA", + "logo": { + "icon": "machineLearningApp" + }, + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "ml_is_dga.malicious_probability" } + } ], - "datafeeds": [ - { - "id": "datafeed-dga_high_sum_probability_euid", - "job_id": "dga_high_sum_probability_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "dga_high_sum_probability_euid", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "ml_is_dga.malicious_probability" - } - } - ], - "must_not": [ - { - 
"terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "elastic-endpoint.exe", - "elastic-endpoint", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - }, - "script_fields": { - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } - } - } + "must_not": { + "terms": { + "_tier": [ + "data_frozen", + "data_cold" + ] + } + } + } + }, + "jobs": [ + { + "id": "dga_high_sum_probability_ea", + "config": { + "groups": [ + "security", + "dga" + ], + "description": "Detects potential DGA (domain generation algorithm) activity that is often used by malware command and control (C2) channels. Looks for a source IP address making DNS requests that have an aggregate high probability of being DGA activity.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "detector_description": "high probability of DGA activity", + "detector_index": 0, + "field_name": "ml_is_dga.malicious_probability", + "function": "high_sum", + "over_field_name": "source.ip" + } + ], + "influencers": [ + "source.ip", + "host.name", + "host.id" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-dga" + } + } + } + ], + "datafeeds": [ + { + "id": "datafeed-dga_high_sum_probability_ea", + "job_id": "dga_high_sum_probability_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "dga_high_sum_probability_ea", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "ml_is_dga.malicious_probability" + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "elastic-endpoint.exe", + "elastic-endpoint", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } } + ] } - ] - }, - "id": 
"dga-ml", - "migrationVersion": { - "search": "7.16.0" - }, - "references": [], - "type": "ml-module" -} + } + } + } + ] + }, + "id": "dga-ml", + "migrationVersion": { + "search": "7.16.0" + }, + "references": [], + "type": "ml-module" +} \ No newline at end of file diff --git a/packages/hta/changelog.yml b/packages/hta/changelog.yml index d7d63ec75e3..f88b08e73d9 100644 --- a/packages/hta/changelog.yml +++ b/packages/hta/changelog.yml @@ -1,6 +1,6 @@ - version: "2.0.0" changes: - - description: Introduce Entity Unique IDs (EUIDs) + - description: Introduce Entity Analytics type: enhancement link: https://github.com/elastic/integrations/pull/99999 - version: "1.0.1" diff --git a/packages/hta/docs/README.md b/packages/hta/docs/README.md index ac868febb18..c568e1cb29b 100644 --- a/packages/hta/docs/README.md +++ b/packages/hta/docs/README.md 
@@ -9,7 +9,7 @@ The Host Traffic Anomalies package includes a dashboard that offers a high-level 1. You have **read** access to `.ml-anomalies-shared` index or are assigned the `machine_learning_user` role. For more information on roles, please refer to [Built-in roles in Elastic](https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-roles.html). Please be aware that a user who has access to the underlying machine learning results indices can see the results of _all_ jobs in _all_ spaces. Be mindful of granting permissions if you use Kibana spaces to control which users can see which machine learning results. For more information on machine learning privileges, refer to [setup-privileges](https://www.elastic.co/guide/en/machine-learning/current/setup.html#setup-privileges). 1. After enabling the jobs, go to **Management > Stack Management > Kibana > Data Views**. Click on **Create data view** with the following settings: - Name: `.ml-anomalies-shared` - - Index pattern : `.ml-anomalies-shared*` + - Index pattern : `.ml-anomalies-shared` - Select **Show Advanced settings** enable **Allow hidden and system indices** - Custom data view ID: `.ml-anomalies-shared` diff --git a/packages/lmd/changelog.yml b/packages/lmd/changelog.yml index 5da263aa902..0eee6627a12 100644 --- a/packages/lmd/changelog.yml +++ b/packages/lmd/changelog.yml @@ -1,7 +1,7 @@ # newer versions go on top - version: "3.0.0" changes: - - description: Introduce Entity Unique IDs (EUIDs) + - description: Introduce Entity Analytics type: enhancement link: https://github.com/elastic/integrations/pull/99999 - version: "2.6.1" diff --git a/packages/lmd/docs/README.md b/packages/lmd/docs/README.md index 3a24709394f..48fbd496f31 100644 --- a/packages/lmd/docs/README.md +++ b/packages/lmd/docs/README.md 
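Review bot: the `packages/hta/docs/README.md` hunk changes `Index pattern : `.ml-anomalies-shared*`` to the bare `.ml-anomalies-shared`, which is a behaviour change rather than a wording fix: the wildcard form also matched any concrete index whose name starts with that prefix, the bare form matches only the alias or an index of exactly that name. If narrowing the data view is intended, say so in the changelog, because users who followed the older instructions end up with a differently scoped data view. While the line is being edited, drop the stray space in `Index pattern :` so it matches `Name:` and `Custom data view ID:` in the same list.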
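Review bot: the `packages/lmd/changelog.yml` hunk keeps `link: https://github.com/elastic/integrations/pull/99999` on the `version: "3.0.0"` entry while changing only the description; this is a placeholder PR number and should be replaced with the actual link before the package is released.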
@@ -14,19 +14,19 @@ For more detailed information refer to the following blogs: 1. **Upgrading**: If upgrading from a version below v3.0.0, see the section v3.0.0 and beyond. 1. **Add the Integration Package**: Install the package via **Management > Integrations > Add Lateral Movement Detection**. Configure the integration name and agent policy. Click **Save and Continue**. (Note that this integration does not rely on an agent, and can be assigned to a policy without an agent.) -1. **Check the health of the transform**: The transform is scheduled to run every hour. This transform creates the index `ml-rdp-lmd_euid`. To check the health of the transform go to **Management > Stack Management > Data > Transforms** under `logs-lmd.pivot_transform_euid-default-`. -1. **Create data views for anomaly detection jobs**: The anomaly detection jobs under this package rely on two indices. One has file transfer events (`logs-*`), and the other index (`ml-rdp-lmd_euid`) collects RDP session information from a transform. Before enabling the anomaly detection jobs, create a data view with both index patterns. +1. **Check the health of the transform**: The transform is scheduled to run every hour. This transform creates the index `ml-rdp-lmd_ea`. To check the health of the transform go to **Management > Stack Management > Data > Transforms** under `logs-lmd.pivot_transform_ea-default-`. +1. **Create data views for anomaly detection jobs**: The anomaly detection jobs under this package rely on two indices. One has file transfer events (`logs-*`), and the other index (`ml-rdp-lmd_ea`) collects RDP session information from a transform. Before enabling the anomaly detection jobs, create a data view with both index patterns. 1. Go to **Stack Management > Kibana > Data Views** and click **Create data view**. - 1. Enter the name of your respective index patterns in the **Index pattern** box, i.e., `logs-*, ml-rdp-lmd_euid`, and copy the same in the **Name** field. + 1. 
Enter the name of your respective index patterns in the **Index pattern** box, i.e., `logs-*, ml-rdp-lmd_ea`, and copy the same in the **Name** field. 1. Select `@timestamp` under the **Timestamp** field and click on **Save data view to Kibana**. - 1. Use the new data view (`logs-*, ml-rdp-lmd_euid`) to create anomaly detection jobs for this package. + 1. Use the new data view (`logs-*, ml-rdp-lmd_ea`) to create anomaly detection jobs for this package. 1. **Add preconfigured anomaly detection jobs**: In **Stack Management -> Anomaly Detection Jobs**, you will see **Select data view or saved search**. Select the data view created in the previous step. Then under `Use preconfigured jobs` you will see **Lateral Movement Detection**. When you select the card, you will see pre-configured anomaly detection jobs that you can create depending on what makes the most sense for your environment. **_Note_**: In the Machine Learning app, these configurations are available only when data exists that matches the query specified in the [lmd-ml file](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json#L10). For example, this would be available in `logs-endpoint.events.*` if you used Elastic Defend to collect events. 1. **Data view configuration for Dashboards**: For the dashboard to work as expected, the following settings need to be configured in Kibana. 1. You have started the above anomaly detection jobs. 1. You have **read** access to `.ml-anomalies-shared` index or are assigned the `machine_learning_user` role. For more information on roles, please refer to [Built-in roles in Elastic](https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-roles.html). Please be aware that a user who has access to the underlying machine learning results indices can see the results of _all_ jobs in _all_ spaces. Be mindful of granting permissions if you use Kibana spaces to control which users can see which machine learning results. 
For more information on machine learning privileges, refer to [setup-privileges](https://www.elastic.co/guide/en/machine-learning/current/setup.html#setup-privileges). 1. After enabling the jobs, go to **Management > Stack Management > Kibana > Data Views**. Click on **Create data view** with the following settings: - Name: `.ml-anomalies-shared` - - Index pattern : `.ml-anomalies-shared*` + - Index pattern : `.ml-anomalies-shared` - Select **Show Advanced settings** enable **Allow hidden and system indices** - Custom data view ID: `.ml-anomalies-shared` 
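Review bot: the unchanged context line in this hunk links to `lmd-ml.json#L10` for the query that gates the preconfigured jobs, and this same PR reindents that file (`@@ -1,984 +1,947 @@`), so a fixed line anchor is unlikely to still land on the `query` block; link to the file without the `#L10` fragment, or re-verify the line number after the reformat. Two smaller points in the `+` lines: `logs-lmd.pivot_transform_ea-default-` is written with a trailing hyphen, presumably because the installed transform ID carries a suffix after it; if so, show that suffix as a placeholder rather than leaving readers to search for the literal string. And `Index pattern :` has a stray space before the colon, unlike `Name:` and `Custom data view ID:` beside it.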
@@ -47,7 +47,7 @@ After the anomaly detectors and the data views for the dashboard are configured, To customize filters in the Lateral Movement Detection transform, follow the below steps. You can use these instructions to update basic settings or to update filters for fields such as `process.name`, `@timestamp`, and others. 1. To update settings such as retention policy, frequency, or destination configuration, stop the transform, click **Edit** from the **Actions** bar, make the required changes, and start the transform again. ![Lateral Movement Detection transform](../img/lmd_transform_update.png) -1. To update the query filters, go to **Stack Management > Data > Transforms > `logs-lmd.pivot_transform_euid-default-`**. +1. To update the query filters, go to **Stack Management > Data > Transforms > `logs-lmd.pivot_transform_ea-default-`**. 1. Click on the **Actions** bar at the far right of the transform and select the **Clone** option. ![Lateral Movement Detection transform](../img/lmd_transform_1.png) 1. In the new **Clone transform** window, go to the **Search filter** and update any field values you want to add or remove. Click on the **Apply changes** button on the right side to save these changes. **Note:** The image below shows an example of filtering a new `process.name` as `explorer.exe`. You can follow a similar example and update the field value list based on your environment to help reduce noise and potential false positives. 
@@ -126,17 +126,17 @@ Detects potential lateral movement activity by identifying malicious file transf | Job | Description | Supported Platform | |-------------------------------------------------------|-------------------------------------------------------------------------------------------------| --------------------- | -| lmd_high_count_remote_file_transfer_euid | Detects unusually high file transfers to a remote host in the network. | Linux, macOS, Windows | -| lmd_high_file_size_remote_file_transfer_euid | Detects unusually high size of files shared with a remote host in the network. | Linux, macOS, Windows | -| lmd_rare_file_extension_remote_transfer_euid | Detects rare file extensions shared with a remote host in the network. | macOS, Windows | -| lmd_rare_file_path_remote_transfer_euid | Detects unusual folders and directories on which a file is transferred (by a host). | macOS, Windows | -| lmd_high_mean_rdp_session_duration_euid | Detects unusually high mean of RDP session duration. | Windows | -| lmd_high_var_rdp_session_duration_euid | Detects unusually high variance in RDP session duration. | Windows | -| lmd_high_sum_rdp_number_of_processes_euid | Detects unusually high number of processes started in a single RDP session. | Windows | -| lmd_unusual_time_weekday_rdp_session_start_euid | Detects an RDP session started at an usual time or weekday. | Windows | -| lmd_high_rdp_distinct_count_source_ip_for_destination_euid | Detects a high count of source IPs making an RDP connection with a single destination IP. | Windows | -| lmd_high_rdp_distinct_count_destination_ip_for_source_euid | Detects a high count of destination IPs establishing an RDP connection with a single source IP. | Windows | -| lmd_high_mean_rdp_process_args_euid | Detects unusually high number of process arguments in an RDP session. | Windows | +| lmd_high_count_remote_file_transfer_ea | Detects unusually high file transfers to a remote host in the network. 
| Linux, macOS, Windows | +| lmd_high_file_size_remote_file_transfer_ea | Detects unusually high size of files shared with a remote host in the network. | Linux, macOS, Windows | +| lmd_rare_file_extension_remote_transfer_ea | Detects rare file extensions shared with a remote host in the network. | macOS, Windows | +| lmd_rare_file_path_remote_transfer_ea | Detects unusual folders and directories on which a file is transferred (by a host). | macOS, Windows | +| lmd_high_mean_rdp_session_duration_ea | Detects unusually high mean of RDP session duration. | Windows | +| lmd_high_var_rdp_session_duration_ea | Detects unusually high variance in RDP session duration. | Windows | +| lmd_high_sum_rdp_number_of_processes_ea | Detects unusually high number of processes started in a single RDP session. | Windows | +| lmd_unusual_time_weekday_rdp_session_start_ea | Detects an RDP session started at an usual time or weekday. | Windows | +| lmd_high_rdp_distinct_count_source_ip_for_destination_ea | Detects a high count of source IPs making an RDP connection with a single destination IP. | Windows | +| lmd_high_rdp_distinct_count_destination_ip_for_source_ea | Detects a high count of destination IPs establishing an RDP connection with a single source IP. | Windows | +| lmd_high_mean_rdp_process_args_ea | Detects unusually high number of process arguments in an RDP session. | Windows | ## Customize ML jobs for Lateral Movement Detection 
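Review bot: the `lmd_unusual_time_weekday_rdp_session_start_ea` row carries over the typo from the row it replaces, "Detects an RDP session started at an usual time or weekday."; the job name says unusual, so the description should read "at an unusual time or weekday". The same sentence is the job's `description` in `lmd-ml.json` (visible in the `-` lines of that file's hunk), so fix both in one pass. The remaining `+` rows are a straight `_euid` to `_ea` rename and match the job ID list later in the README.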
@@ -157,28 +157,28 @@ To customize the datafeed query and other settings such as model memory limit, f ## v3.0.0 and beyond -v3.0.0 of the package introduces Entity Unique IDs (EUIDs) for use with Entity Analytics. This version is available on Elastic Stack version 9.4 and later. +v3.0.0 of the package introduces Entity Analytics support for Elastic Stack version 9.4, adding new fields for proper entity resolution. -- Previously installed versions of ML jobs, transforms, and rules will continue to run, giving you time to transition to the new EUID-based assets. -- On installation of this version, new ML jobs, transforms, and rules that utilize EUIDs will be available. +- Previously installed versions of ML jobs, transforms, and rules will continue to run, giving you time to transition to the new Entity Analytics assets. +- On installation of this version, new ML jobs, transforms, and rules that utilize Entity Analytics will be available. - We recommend installing the new ML jobs and transforms first and check they are properly installed, gathering data and generating anomalies before updating to the latest version of the detection rules provided in 9.4. -- The new EUID transforms write to separate destination indices postfixed with `_euid`. Create a new data view for the EUID anomaly detection jobs using the new EUID destination indices/aliases listed below. Do not mix old and new transform destination indices in the same data view. 
- -The new EUID ML job IDs are: -- `lmd_high_count_remote_file_transfer_euid` -- `lmd_high_file_size_remote_file_transfer_euid` -- `lmd_rare_file_extension_remote_transfer_euid` -- `lmd_rare_file_path_remote_transfer_euid` -- `lmd_high_mean_rdp_session_duration_euid` -- `lmd_high_var_rdp_session_duration_euid` -- `lmd_high_sum_rdp_number_of_processes_euid` -- `lmd_unusual_time_weekday_rdp_session_start_euid` -- `lmd_high_rdp_distinct_count_source_ip_for_destination_euid` -- `lmd_high_rdp_distinct_count_destination_ip_for_source_euid` -- `lmd_high_mean_rdp_process_args_euid` - -The new EUID transforms are: -- `lmd.pivot_transform_euid` → destination index: `ml-rdp-lmd_euid` +- The new Entity Analytics transforms write to separate destination indices postfixed with `_ea`. Create a new data view for the Entity Analytics anomaly detection jobs using the new destination indices/aliases listed below. Do not mix old and new transform destination indices in the same data view. + +The new Entity Analytics ML job IDs are: +- `lmd_high_count_remote_file_transfer_ea` +- `lmd_high_file_size_remote_file_transfer_ea` +- `lmd_rare_file_extension_remote_transfer_ea` +- `lmd_rare_file_path_remote_transfer_ea` +- `lmd_high_mean_rdp_session_duration_ea` +- `lmd_high_var_rdp_session_duration_ea` +- `lmd_high_sum_rdp_number_of_processes_ea` +- `lmd_unusual_time_weekday_rdp_session_start_ea` +- `lmd_high_rdp_distinct_count_source_ip_for_destination_ea` +- `lmd_high_rdp_distinct_count_destination_ip_for_source_ea` +- `lmd_high_mean_rdp_process_args_ea` + +The new Entity Analytics transforms are: +- `lmd.pivot_transform_ea` → destination index: `ml-rdp-lmd_ea` ## v2.0.0 and beyond diff --git a/packages/lmd/elasticsearch/transform/pivot_transform_ea/fields/fields.yml b/packages/lmd/elasticsearch/transform/pivot_transform_ea/fields/fields.yml index f24fc37d7a5..9843103d67d 100644 --- a/packages/lmd/elasticsearch/transform/pivot_transform_ea/fields/fields.yml 
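Review bot: the new lead sentence of "v3.0.0 and beyond" drops "and later": the `-` line read "available on Elastic Stack version 9.4 and later" while the `+` line reads "Entity Analytics support for Elastic Stack version 9.4", which can be read as 9.4 only; if support is 9.4 and later, keep that wording. In the unchanged bullet, "installing the new ML jobs and transforms first and check they are properly installed" should be "and checking that they are properly installed". The `+` bullet on `_ea` destination indices rightly warns against mixing old and new transform indices in one data view; it would help to add one sentence on whether the old `ml-rdp-lmd_euid` index is removed on upgrade or left in place, since the list below names only the new `ml-rdp-lmd_ea`.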
+++ b/packages/lmd/elasticsearch/transform/pivot_transform_ea/fields/fields.yml @@ -1,6 +1,8 @@ -- name: user.entity.id_computed - type: keyword -- name: host.entity.id_computed +- external: ecs + name: host.name +- external: ecs + name: user.name +- name: event.module type: keyword - name: process.Ext.authentication_id type: keyword diff --git a/packages/lmd/elasticsearch/transform/pivot_transform_ea/transform.yml b/packages/lmd/elasticsearch/transform/pivot_transform_ea/transform.yml index fd22cc5e1bd..fa3d0eb3b66 100644 --- a/packages/lmd/elasticsearch/transform/pivot_transform_ea/transform.yml +++ b/packages/lmd/elasticsearch/transform/pivot_transform_ea/transform.yml @@ -29,7 +29,7 @@ source: script: source: "if (doc['host.ip'].size() != 0){emit(doc['host.ip'][0]);}" dest: - index: "ml-rdp-lmd_euid" + index: "ml-rdp-lmd_ea" description: This transform runs hourly and collects windows RDP session information for Lateral Movement Detection package. frequency: 1h pivot: @@ -53,17 +53,18 @@ pivot: complete_time: session.complete_time.value script: Math.round((params.complete_time - params.start_time)/1000) group_by: - 'host.entity.id_computed': + 'host.name': terms: - script: - id: euid_host_entity + field: host.name 'destination.ip': terms: field: destination.ip - 'user.entity.id_computed': + 'user.name': terms: - script: - id: euid_user_entity + field: user.name + event.module: + terms: + field: event.module 'source.ip': terms: field: process.Ext.session_info.client_address diff --git a/packages/lmd/kibana/dashboard/lmd-ea-17fea180-8c4c-11ed-bb03-41a73f349362.json b/packages/lmd/kibana/dashboard/lmd-ea-17fea180-8c4c-11ed-bb03-41a73f349362.json new file mode 100644 index 00000000000..9c6de2ce45f --- /dev/null +++ b/packages/lmd/kibana/dashboard/lmd-ea-17fea180-8c4c-11ed-bb03-41a73f349362.json 
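Review bot: in the `group_by` hunk of `transform.yml` (`@@ -53,17 +53,18 @@`) the new key `event.module:` is unquoted while its siblings `'host.name':`, `'user.name':`, `'destination.ip':` and `'source.ip':` are quoted; both forms parse the same in YAML, but pick one style within the file. The more substantive point is that the pivot now groups on the raw `host.name` and `user.name` fields instead of the computed entity IDs, so two hosts reporting the same `host.name`, or the same `user.name` from different domains, collapse into one bucket; the `fields.yml` hunk declaring both as `external: ecs` is right, but the transform `description` should say that the entity key is now the plain name so operators know what the session rows are keyed on. Also, `collects windows RDP session information` in the unchanged description should read `Windows`.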
@@ -0,0 +1,52 @@ +{ + "attributes": { + "description": "This dashboard provides an overview of anomalies found for Lateral Movement Detection package.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"(job_id:\\\"lmd_high_count_remote_file_transfer_ea\\\" or job_id:\\\"lmd_high_file_size_remote_file_transfer_ea\\\" or job_id:\\\"lmd_rare_file_extension_remote_transfer_ea\\\" or job_id :\\\"lmd_rare_file_path_remote_transfer_ea\\\" or job_id :\\\"lmd_high_mean_rdp_session_duration_ea\\\" or job_id :\\\"lmd_high_var_rdp_session_duration_ea\\\" or job_id :\\\"lmd_high_sum_rdp_number_of_processes_ea\\\" or job_id :\\\"lmd_high_rdp_distinct_count_source_ip_for_destination_ea\\\" or job_id :\\\"lmd_high_rdp_distinct_count_destination_ip_for_source_ea\\\" or job_id :\\\"lmd_unusual_time_weekday_rdp_session_start_ea\\\" or job_id :\\\"lmd_high_mean_rdp_process_args_ea\\\") \",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"result_type\",\"field\":\"result_type\",\"type\":\"phrase\",\"params\":{\"query\":\"record\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"result_type\":\"record\"}},\"$state\":{\"store\":\"appState\"}}]}" + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": 
"[{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":18,\"h\":10,\"i\":\"ddb33c4a-9eff-4d40-92c9-297d76d91eea\"},\"panelIndex\":\"ddb33c4a-9eff-4d40-92c9-297d76d91eea\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-fb918fff-0676-4792-9732-8fbe6db41443\"}],\"state\":{\"visualization\":{\"layerId\":\"fb918fff-0676-4792-9732-8fbe6db41443\",\"accessor\":\"3e03ad31-53f7-4def-b8e4-4192da864d19\",\"layerType\":\"data\",\"colorMode\":\"None\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"fb918fff-0676-4792-9732-8fbe6db41443\":{\"columns\":{\"3e03ad31-53f7-4def-b8e4-4192da864d19\":{\"label\":\"Total affected hosts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3e03ad31-53f7-4def-b8e4-4192da864d19\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":18,\"y\":0,\"w\":30,\"h\":10,\"i\":\"70033600-0e2e-4208-a258-a0b47e5a4e1b\"},\"panelIndex\":\"70033600-0e2e-4208-a258-a0b47e5a4e1b\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-0312c5ad-bc06-4396-bd16-5481b1c48bf1\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY 
chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"0312c5ad-bc06-4396-bd16-5481b1c48bf1\",\"accessors\":[\"51f5a7e6-3766-4c2f-94ce-fe624bf8db04\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"ae59c27c-f534-49cd-aab7-d7af4593bc8d\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0312c5ad-bc06-4396-bd16-5481b1c48bf1\":{\"columns\":{\"ae59c27c-f534-49cd-aab7-d7af4593bc8d\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"d\",\"includeEmptyRows\":true,\"dropPartials\":true}},\"51f5a7e6-3766-4c2f-94ce-fe624bf8db04\":{\"label\":\"Count of anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"record_score\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"ae59c27c-f534-49cd-aab7-d7af4593bc8d\",\"51f5a7e6-3766-4c2f-94ce-fe624bf8db04\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Total anomalies associated with lateral movement activity per 
day\"},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":10,\"w\":24,\"h\":15,\"i\":\"c0ee749a-576c-4da0-b51d-2ef364085fb5\"},\"panelIndex\":\"c0ee749a-576c-4da0-b51d-2ef364085fb5\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-6c1a1848-2234-42b9-b1fe-e41fca887639\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"909d15b9-b715-43ef-81ba-0dcf9701ff85\",\"isTransposed\":false},{\"columnId\":\"320f61a2-071f-4023-b51f-fc744c040995\",\"isTransposed\":false}],\"layerId\":\"6c1a1848-2234-42b9-b1fe-e41fca887639\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"6c1a1848-2234-42b9-b1fe-e41fca887639\":{\"columns\":{\"909d15b9-b715-43ef-81ba-0dcf9701ff85\":{\"label\":\"Host name > User name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"320f61a2-071f-4023-b51f-fc744c040995\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"multi_terms\"},\"secondaryFields\":[\"user.name\"]},\"customLabel\":true},\"320f61a2-071f-4023-b51f-fc744c040995\":{\"label\":\"Number of anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"record_score\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"909d15b9-b715-43ef-81ba-0dcf9701ff85\",\"320f61a2-071f-4023-b51f-fc744c040995\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 20 host and user names associated with lateral movement 
activity\"},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":10,\"w\":24,\"h\":15,\"i\":\"636abb14-59a8-4a1e-a426-5db922669b22\"},\"panelIndex\":\"636abb14-59a8-4a1e-a426-5db922669b22\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-188c9419-9baa-4af7-846c-d2fe2c838eb1\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"2ea20970-94b6-42d3-bded-af75d15d6708\",\"isTransposed\":false},{\"columnId\":\"4ccfc545-539c-43f5-ac35-cf6800bcd970\",\"isTransposed\":false}],\"layerId\":\"188c9419-9baa-4af7-846c-d2fe2c838eb1\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"188c9419-9baa-4af7-846c-d2fe2c838eb1\":{\"columns\":{\"2ea20970-94b6-42d3-bded-af75d15d6708\":{\"label\":\"Process name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.name\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4ccfc545-539c-43f5-ac35-cf6800bcd970\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"}},\"customLabel\":true},\"4ccfc545-539c-43f5-ac35-cf6800bcd970\":{\"label\":\"Number of anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"record_score\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"2ea20970-94b6-42d3-bded-af75d15d6708\",\"4ccfc545-539c-43f5-ac35-cf6800bcd970\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 20 process names associated with lateral movement 
activity\"},{\"version\":\"8.5.1\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":25,\"w\":48,\"h\":12,\"i\":\"d38dee87-a80a-4613-ae67-455886f1097e\"},\"panelIndex\":\"d38dee87-a80a-4613-ae67-455886f1097e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-3df1d709-471b-4308-afd9-1d49fa0d5dc1\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"3df1d709-471b-4308-afd9-1d49fa0d5dc1\",\"accessors\":[\"e336ebd1-d880-44e5-94bc-0dac4c006ee7\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"35a981cf-6ab8-438c-b73d-a399a35b9c4a\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3df1d709-471b-4308-afd9-1d49fa0d5dc1\":{\"columns\":{\"35a981cf-6ab8-438c-b73d-a399a35b9c4a\":{\"label\":\"File name > File directory\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"file.name\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e336ebd1-d880-44e5-94bc-0dac4c006ee7\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"multi_terms\"},\"secondaryFields\":[\"file_directory\"]},\"customLabel\":true},\"e336ebd1-d880-44e5-94bc-0dac4c006ee7\":{\"label\":\"Number of 
anomalies\",\"customLabel\":true,\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"record_score\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"35a981cf-6ab8-438c-b73d-a399a35b9c4a\",\"e336ebd1-d880-44e5-94bc-0dac4c006ee7\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 20 combination of file names and directories affected by lateral movement activity\"}]", + "timeRestore": false, + "title": "Lateral Movement Detection Dashboard (Entity Analytics)", + "version": 2 + }, + "coreMigrationVersion": "8.5.1", + "id": "lmd-ea-17fea180-8c4c-11ed-bb03-41a73f349362", + "migrationVersion": { + "dashboard": "8.5.0" + }, + "references": [ + { + "id": ".ml-anomalies-shared", + "name": "ddb33c4a-9eff-4d40-92c9-297d76d91eea:indexpattern-datasource-layer-fb918fff-0676-4792-9732-8fbe6db41443", + "type": "index-pattern" + }, + { + "id": ".ml-anomalies-shared", + "name": "70033600-0e2e-4208-a258-a0b47e5a4e1b:indexpattern-datasource-layer-0312c5ad-bc06-4396-bd16-5481b1c48bf1", + "type": "index-pattern" + }, + { + "id": ".ml-anomalies-shared", + "name": "c0ee749a-576c-4da0-b51d-2ef364085fb5:indexpattern-datasource-layer-6c1a1848-2234-42b9-b1fe-e41fca887639", + "type": "index-pattern" + }, + { + "id": ".ml-anomalies-shared", + "name": "636abb14-59a8-4a1e-a426-5db922669b22:indexpattern-datasource-layer-188c9419-9baa-4af7-846c-d2fe2c838eb1", + "type": "index-pattern" + }, + { + "id": ".ml-anomalies-shared", + "name": "d38dee87-a80a-4613-ae67-455886f1097e:indexpattern-datasource-layer-3df1d709-471b-4308-afd9-1d49fa0d5dc1", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/lmd/kibana/ml_module/lmd-ml.json b/packages/lmd/kibana/ml_module/lmd-ml.json index 2ede81672b1..d3bd5a477d5 100644 --- a/packages/lmd/kibana/ml_module/lmd-ml.json 
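Review bot: the new dashboard file ends with `\ No newline at end of file`; add the trailing newline. In `searchSourceJSON` the KQL mixes `job_id:\"...\"` and `job_id :\"...\"` (space before the colon) across the eleven job clauses, and leaves a trailing space before the closing quote of the query; all of it is valid KQL, but normalising the clauses makes the list straightforward to diff against the job IDs in the README and the ML module. The `references` entries pair each of the five panels with the `.ml-anomalies-shared` data view that the README asks users to create under that custom ID, so that wiring checks out.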
+++ b/packages/lmd/kibana/ml_module/lmd-ml.json 
@@ -1,984 +1,947 @@ { - "attributes": { - "id": "lmd-ml", - "title": "Lateral Movement Detection", - "description": "Detects lateral movement activity by identifying malicious file transfers and suspicious RDP sessions in an environment.", - "type": "lmd", - "logo": { - "icon": "machineLearningApp" - }, - "query": { + "attributes": { + "id": "lmd-ml", + "title": "Lateral Movement Detection", + "description": "Detects lateral movement activity by identifying malicious file transfers and suspicious RDP sessions in an environment.", + "type": "lmd", + "logo": { + "icon": "machineLearningApp" + }, + "query": { + "bool": { + "should": [ + { + "term": { + "event.category": "file" + } + }, + { "bool": { - "should": [ - { - "term": { - "event.category": "file" - } - }, - { - "bool": { - "filter": [ - { - "exists": { - "field": "session.start_time" - } - } - ] - } - } - ], - "must_not": { - "terms": { - "_tier": [ - "data_frozen", - "data_cold" - ] - } + "filter": [ + { + "exists": { + "field": "session.start_time" + } } + ] } - }, - "jobs": [ - { - "id": "lmd_high_count_remote_file_transfer_euid", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects unusually high file transfers to a remote host in the network.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "high_count by \"event.action\" partitionfield=\"host.name\"", - "function": "high_count", - "by_field_name": "event.action", - "partition_field_name": "host.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "host.name", - "user.entity.id_computed", - "user.name", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - }, - { - "id": "lmd_high_file_size_remote_file_transfer_euid", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects 
unusually high size of files shared with a remote host in the network.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "high_sum(\"file.size\") partitionfield=\"host.name\"", - "function": "high_sum", - "field_name": "file.size", - "partition_field_name": "host.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "host.name", - "user.entity.id_computed", - "user.name", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - }, - { - "id": "lmd_rare_file_extension_remote_transfer_euid", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects rare file extensions shared with a remote host in the network.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "detector_description": "rare by \"file.extension\" partitionfield=\"host.name\"", - "function": "rare", - "by_field_name": "file.extension", - "partition_field_name": "host.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "host.name", - "user.entity.id_computed", - "user.name", - "file.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - }, - { - "id": "lmd_rare_file_path_remote_transfer_euid", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects unusual folders and directories on which a file is transferred.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "detector_description": "rare by file_directory partitionfield=\"host.name\"", - "function": "rare", - "by_field_name": "file_directory", - "partition_field_name": "host.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "host.name", - 
"user.entity.id_computed", - "user.name", - "file.path" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - }, - { - "id": "lmd_high_mean_rdp_session_duration_euid", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects unusually high mean of RDP session duration.", - "analysis_config": { - "bucket_span": "6h", - "detectors": [ - { - "detector_description": "high_mean(session.duration) partitionfield=\"source.ip\"", - "function": "high_mean", - "field_name": "session.duration", - "partition_field_name": "source.ip", - "detector_index": 0 - }, - { - "detector_description": "high_mean(session.duration) partitionfield=\"destination.ip\"", - "function": "high_mean", - "field_name": "session.duration", - "partition_field_name": "destination.ip", - "detector_index": 1 - } - ], - "influencers": [ - "host.entity.id_computed", - "host.name", - "user.entity.id_computed", - "user.name", - "source.ip", - "destination.ip" - ] - }, - "data_description": { - "time_field": "session.start_time", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - }, - { - "id": "lmd_high_var_rdp_session_duration_euid", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects unusually high variance in RDP session duration.", - "analysis_config": { - "bucket_span": "6h", - "detectors": [ - { - "detector_description": "high_varp(session.duration) partitionfield=\"source.ip\"", - "function": "high_varp", - "field_name": "session.duration", - "partition_field_name": "source.ip", - "detector_index": 0 - }, - { - "detector_description": "high_varp(session.duration) partitionfield=\"destination.ip\"", - "function": "high_varp", - "field_name": "session.duration", - "partition_field_name": "destination.ip", - "detector_index": 1 - } - ], - "influencers": [ - 
"host.entity.id_computed", - "host.name", - "user.entity.id_computed", - "user.name", - "source.ip", - "destination.ip" - ] - }, - "data_description": { - "time_field": "session.start_time", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - }, - { - "id": "lmd_high_sum_rdp_number_of_processes_euid", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects unusually high number of processes started in a single RDP session.", - "analysis_config": { - "bucket_span": "6h", - "detectors": [ - { - "detector_description": "high_sum(number_processes_per_session) partitionfield=\"source.ip\"", - "function": "high_sum", - "field_name": "number_processes_per_session", - "partition_field_name": "source.ip", - "detector_index": 0 - }, - { - "detector_description": "high_sum(number_processes_per_session) partitionfield=\"destination.ip\"", - "function": "high_sum", - "field_name": "number_processes_per_session", - "partition_field_name": "destination.ip", - "detector_index": 1 - } - ], - "influencers": [ - "host.entity.id_computed", - "host.name", - "user.entity.id_computed", - "user.name", - "source.ip", - "destination.ip" - ] - }, - "data_description": { - "time_field": "session.start_time", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - }, - { - "id": "lmd_unusual_time_weekday_rdp_session_start_euid", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects an RDP session started at an usual time or weekday.", - "analysis_config": { - "bucket_span": "6h", - "detectors": [ - { - "detector_description": "time_of_week partitionfield=\"source.ip\"", - "function": "time_of_week", - "partition_field_name": "source.ip", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "host.name", - "user.entity.id_computed", - "user.name", - "destination.ip", - "source.ip" - ] - }, - 
"data_description": { - "time_field": "session.start_time", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } + } + ], + "must_not": { + "terms": { + "_tier": [ + "data_frozen", + "data_cold" + ] + } + } + } + }, + "jobs": [ + { + "id": "lmd_high_count_remote_file_transfer_ea", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects unusually high file transfers to a remote host in the network.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "high_count by \"event.action\" partitionfield=\"host.name\"", + "function": "high_count", + "by_field_name": "event.action", + "partition_field_name": "host.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": "lmd_high_file_size_remote_file_transfer_ea", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects unusually high size of files shared with a remote host in the network.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "high_sum(\"file.size\") partitionfield=\"host.name\"", + "function": "high_sum", + "field_name": "file.size", + "partition_field_name": "host.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": "lmd_rare_file_extension_remote_transfer_ea", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects rare file extensions shared 
with a remote host in the network.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "detector_description": "rare by \"file.extension\" partitionfield=\"host.name\"", + "function": "rare", + "by_field_name": "file.extension", + "partition_field_name": "host.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "file.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": "lmd_rare_file_path_remote_transfer_ea", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects unusual folders and directories on which a file is transferred.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "detector_description": "rare by file_directory partitionfield=\"host.name\"", + "function": "rare", + "by_field_name": "file_directory", + "partition_field_name": "host.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "file.path" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": "lmd_high_mean_rdp_session_duration_ea", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects unusually high mean of RDP session duration.", + "analysis_config": { + "bucket_span": "6h", + "detectors": [ + { + "detector_description": "high_mean(session.duration) partitionfield=\"source.ip\"", + "function": "high_mean", + "field_name": "session.duration", + "partition_field_name": "source.ip", + "detector_index": 0 + }, + { + "detector_description": "high_mean(session.duration) partitionfield=\"destination.ip\"", + "function": "high_mean", + "field_name": "session.duration", + 
"partition_field_name": "destination.ip", + "detector_index": 1 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "source.ip", + "destination.ip" + ] + }, + "data_description": { + "time_field": "session.start_time", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": "lmd_high_var_rdp_session_duration_ea", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects unusually high variance in RDP session duration.", + "analysis_config": { + "bucket_span": "6h", + "detectors": [ + { + "detector_description": "high_varp(session.duration) partitionfield=\"source.ip\"", + "function": "high_varp", + "field_name": "session.duration", + "partition_field_name": "source.ip", + "detector_index": 0 + }, + { + "detector_description": "high_varp(session.duration) partitionfield=\"destination.ip\"", + "function": "high_varp", + "field_name": "session.duration", + "partition_field_name": "destination.ip", + "detector_index": 1 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "source.ip", + "destination.ip" + ] + }, + "data_description": { + "time_field": "session.start_time", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": "lmd_high_sum_rdp_number_of_processes_ea", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects unusually high number of processes started in a single RDP session.", + "analysis_config": { + "bucket_span": "6h", + "detectors": [ + { + "detector_description": "high_sum(number_processes_per_session) partitionfield=\"source.ip\"", + "function": "high_sum", + "field_name": "number_processes_per_session", + "partition_field_name": "source.ip", + "detector_index": 0 + }, + { + "detector_description": "high_sum(number_processes_per_session) 
partitionfield=\"destination.ip\"", + "function": "high_sum", + "field_name": "number_processes_per_session", + "partition_field_name": "destination.ip", + "detector_index": 1 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "source.ip", + "destination.ip" + ] + }, + "data_description": { + "time_field": "session.start_time", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": "lmd_unusual_time_weekday_rdp_session_start_ea", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects an RDP session started at an usual time or weekday.", + "analysis_config": { + "bucket_span": "6h", + "detectors": [ + { + "detector_description": "time_of_week partitionfield=\"source.ip\"", + "function": "time_of_week", + "partition_field_name": "source.ip", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "destination.ip", + "source.ip" + ] + }, + "data_description": { + "time_field": "session.start_time", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": "lmd_high_rdp_distinct_count_source_ip_for_destination_ea", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects a high count of source IPs making an RDP connection with a single destination IP.", + "analysis_config": { + "bucket_span": "6h", + "detectors": [ + { + "detector_description": "high_distinct_count(\"source.ip\") partitionfield=\"destination.ip\"", + "function": "high_distinct_count", + "field_name": "source.ip", + "partition_field_name": "destination.ip", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "destination.ip" + ] + }, + "data_description": { + "time_field": "session.start_time", + "time_format": "epoch_ms" + 
}, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": "lmd_high_rdp_distinct_count_destination_ip_for_source_ea", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects a high count of destination IPs establishing an RDP connection with a single source IP.", + "analysis_config": { + "bucket_span": "6h", + "detectors": [ + { + "detector_description": "high_distinct_count(\"destination.ip\") partitionfield=\"source.ip\"", + "function": "high_distinct_count", + "field_name": "destination.ip", + "partition_field_name": "source.ip", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "source.ip" + ] + }, + "data_description": { + "time_field": "session.start_time", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + }, + { + "id": "lmd_high_mean_rdp_process_args_ea", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects unusually high number of process arguments in an RDP session.", + "analysis_config": { + "bucket_span": "6h", + "detectors": [ + { + "detector_description": "high_mean(total_length_process_args) partitionfield=\"source.ip\"", + "function": "high_mean", + "field_name": "total_length_process_args", + "partition_field_name": "source.ip", + "detector_index": 0 + }, + { + "detector_description": "high_mean(total_length_process_args) partitionfield=\"destination.ip\"", + "function": "high_mean", + "field_name": "total_length_process_args", + "partition_field_name": "destination.ip", + "detector_index": 1 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "source.ip", + "destination.ip" + ] + }, + "data_description": { + "time_field": "session.start_time", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } + } + } + ], + "datafeeds": [ + { + 
"id": "datafeed-lmd_high_count_remote_file_transfer_ea", + "job_id": "lmd_high_count_remote_file_transfer_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_count_remote_file_transfer_ea", + "query": { + "bool": { + "must_not": [ + { + "terms": { + "user.name": [ + "SYSTEM", + "root" + ] + } } - }, - { - "id": "lmd_high_rdp_distinct_count_source_ip_for_destination_euid", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects a high count of source IPs making an RDP connection with a single destination IP.", - "analysis_config": { - "bucket_span": "6h", - "detectors": [ - { - "detector_description": "high_distinct_count(\"source.ip\") partitionfield=\"destination.ip\"", - "function": "high_distinct_count", - "field_name": "source.ip", - "partition_field_name": "destination.ip", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "host.name", - "user.entity.id_computed", - "user.name", - "destination.ip" - ] - }, - "data_description": { - "time_field": "session.start_time", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } + ], + "filter": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "event.action": "creation" + } + }, + { + "terms": { + "process.name": [ + "System", + "scp", + "sshd", + "smbd", + "vsftpd", + "sftp-server" + ] + } + }, + { + "exists": { + "field": "process.name" + } + }, + { + "exists": { + "field": "file.name" + } } - }, - { - "id": "lmd_high_rdp_distinct_count_destination_ip_for_source_euid", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects a high count of destination IPs establishing an RDP connection with a single source IP.", - "analysis_config": { - "bucket_span": "6h", - "detectors": [ - { - "detector_description": "high_distinct_count(\"destination.ip\") partitionfield=\"source.ip\"", - "function": "high_distinct_count", - 
"field_name": "destination.ip", - "partition_field_name": "source.ip", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "host.name", - "user.entity.id_computed", - "user.name", - "source.ip" - ] - }, - "data_description": { - "time_field": "session.start_time", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } + ] + } + } + } + }, + { + "id": "datafeed-lmd_high_file_size_remote_file_transfer_ea", + "job_id": "lmd_high_file_size_remote_file_transfer_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_file_size_remote_file_transfer_ea", + "query": { + "bool": { + "must_not": [ + { + "terms": { + "user.name": [ + "SYSTEM", + "root" + ] + } } - }, - { - "id": "lmd_high_mean_rdp_process_args_euid", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects unusually high number of process arguments in an RDP session.", - "analysis_config": { - "bucket_span": "6h", - "detectors": [ - { - "detector_description": "high_mean(total_length_process_args) partitionfield=\"source.ip\"", - "function": "high_mean", - "field_name": "total_length_process_args", - "partition_field_name": "source.ip", - "detector_index": 0 - }, - { - "detector_description": "high_mean(total_length_process_args) partitionfield=\"destination.ip\"", - "function": "high_mean", - "field_name": "total_length_process_args", - "partition_field_name": "destination.ip", - "detector_index": 1 - } - ], - "influencers": [ - "host.entity.id_computed", - "host.name", - "user.entity.id_computed", - "user.name", - "source.ip", - "destination.ip" - ] - }, - "data_description": { - "time_field": "session.start_time", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } + ], + "filter": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "event.action": "creation" + } + }, + { + "terms": { + "process.name": [ + "System", + 
"scp", + "sshd", + "smbd", + "vsftpd", + "sftp-server" + ] + } + }, + { + "exists": { + "field": "process.name" + } + }, + { + "exists": { + "field": "file.name" + } } + ] } - ], - "datafeeds": [ - { - "id": "datafeed-lmd_high_count_remote_file_transfer_euid", - "job_id": "lmd_high_count_remote_file_transfer_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_high_count_remote_file_transfer_euid", - "query": { - "bool": { - "must_not": [ - { - "terms": { - "user.name": [ - "SYSTEM", - "root" - ] - } - } - ], - "filter": [ - { - "term": { - "event.category": "file" - } - }, - { - "term": { - "event.action": "creation" - } - }, - { - "terms": { - "process.name": [ - "System", - "scp", - "sshd", - "smbd", - "vsftpd", - "sftp-server" - ] - } - }, - { - "exists": { - "field": "process.name" - } - }, - { - "exists": { - "field": "file.name" - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } - } - } + } + } + }, + { + "id": "datafeed-lmd_rare_file_extension_remote_transfer_ea", + "job_id": "lmd_rare_file_extension_remote_transfer_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_rare_file_extension_remote_transfer_ea", + "query": { + "bool": { + "must_not": [ + { + "terms": { + "user.name": [ + "SYSTEM", + "root" + ] + } } - }, - { - "id": "datafeed-lmd_high_file_size_remote_file_transfer_euid", - "job_id": "lmd_high_file_size_remote_file_transfer_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_high_file_size_remote_file_transfer_euid", - "query": { - "bool": { - "must_not": [ - { - "terms": { - "user.name": [ - "SYSTEM", - "root" - ] - } - } - ], - "filter": [ - { - "term": { - "event.category": "file" - } - }, - { - "term": { - "event.action": "creation" - } - }, - { - "terms": { - "process.name": [ - "System", - "scp", - "sshd", - 
"smbd", - "vsftpd", - "sftp-server" - ] - } - }, - { - "exists": { - "field": "process.name" - } - }, - { - "exists": { - "field": "file.name" - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } - } - } + ], + "filter": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "event.action": "creation" + } + }, + { + "terms": { + "process.name": [ + "System", + "scp", + "sshd", + "smbd", + "vsftpd", + "sftp-server" + ] + } + }, + { + "exists": { + "field": "process.name" + } + }, + { + "exists": { + "field": "file.name" + } } - }, - { - "id": "datafeed-lmd_rare_file_extension_remote_transfer_euid", - "job_id": "lmd_rare_file_extension_remote_transfer_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_rare_file_extension_remote_transfer_euid", - "query": { - "bool": { - "must_not": [ - { - "terms": { - "user.name": [ - "SYSTEM", - "root" - ] - } - } - ], - "filter": [ - { - "term": { - "event.category": "file" - } - }, - { - "term": { - "event.action": "creation" - } - }, - { - "terms": { - "process.name": [ - "System", - "scp", - "sshd", - "smbd", - "vsftpd", - "sftp-server" - ] - } - }, - { - "exists": { - "field": "process.name" - } - }, - { - "exists": { - "field": "file.name" - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } - } - } + ] + } + } + } + }, + { + "id": "datafeed-lmd_high_mean_rdp_session_duration_ea", + "job_id": "lmd_high_mean_rdp_session_duration_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_mean_rdp_session_duration_ea", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + }, + { + 
"exists": { + "field": "session.start_time" + } } - }, - { - "id": "datafeed-lmd_high_mean_rdp_session_duration_euid", - "job_id": "lmd_high_mean_rdp_session_duration_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_high_mean_rdp_session_duration_euid", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "destination.ip" - } - }, - { - "exists": { - "field": "session.start_time" - } - } - ] - } - } + ] + } + } + } + }, + { + "id": "datafeed-lmd_high_var_rdp_session_duration_ea", + "job_id": "lmd_high_var_rdp_session_duration_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_var_rdp_session_duration_ea", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + }, + { + "exists": { + "field": "session.start_time" + } } - }, - { - "id": "datafeed-lmd_high_var_rdp_session_duration_euid", - "job_id": "lmd_high_var_rdp_session_duration_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_high_var_rdp_session_duration_euid", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "destination.ip" - } - }, - { - "exists": { - "field": "session.start_time" - } - } - ] - } - } + ] + } + } + } + }, + { + "id": "datafeed-lmd_high_sum_rdp_number_of_processes_ea", + "job_id": "lmd_high_sum_rdp_number_of_processes_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_sum_rdp_number_of_processes_ea", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + }, + { + "exists": { + "field": "session.start_time" + } } - }, - { - "id": "datafeed-lmd_high_sum_rdp_number_of_processes_euid", - "job_id": "lmd_high_sum_rdp_number_of_processes_euid", - "config": { - "indices": [ 
- "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_high_sum_rdp_number_of_processes_euid", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "destination.ip" - } - }, - { - "exists": { - "field": "session.start_time" - } - } - ] - } - } + ] + } + } + } + }, + { + "id": "datafeed-lmd_unusual_time_weekday_rdp_session_start_ea", + "job_id": "lmd_unusual_time_weekday_rdp_session_start_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_unusual_time_weekday_rdp_session_start_ea", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + }, + { + "exists": { + "field": "session.start_time" + } } - }, - { - "id": "datafeed-lmd_unusual_time_weekday_rdp_session_start_euid", - "job_id": "lmd_unusual_time_weekday_rdp_session_start_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_unusual_time_weekday_rdp_session_start_euid", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "destination.ip" - } - }, - { - "exists": { - "field": "session.start_time" - } - } - ] - } - } + ] + } + } + } + }, + { + "id": "datafeed-lmd_high_rdp_distinct_count_source_ip_for_destination_ea", + "job_id": "lmd_high_rdp_distinct_count_source_ip_for_destination_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_rdp_distinct_count_source_ip_for_destination_ea", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + }, + { + "exists": { + "field": "session.start_time" + } } - }, - { - "id": "datafeed-lmd_high_rdp_distinct_count_source_ip_for_destination_euid", - "job_id": "lmd_high_rdp_distinct_count_source_ip_for_destination_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": 
"lmd_high_rdp_distinct_count_source_ip_for_destination_euid", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "destination.ip" - } - }, - { - "exists": { - "field": "session.start_time" - } - } - ] - } - } + ] + } + } + } + }, + { + "id": "datafeed-lmd_high_rdp_distinct_count_destination_ip_for_source_ea", + "job_id": "lmd_high_rdp_distinct_count_destination_ip_for_source_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_rdp_distinct_count_destination_ip_for_source_ea", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + }, + { + "exists": { + "field": "session.start_time" + } } - }, - { - "id": "datafeed-lmd_high_rdp_distinct_count_destination_ip_for_source_euid", - "job_id": "lmd_high_rdp_distinct_count_destination_ip_for_source_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_high_rdp_distinct_count_destination_ip_for_source_euid", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "destination.ip" - } - }, - { - "exists": { - "field": "session.start_time" - } - } - ] - } - } + ] + } + } + } + }, + { + "id": "datafeed-lmd_high_mean_rdp_process_args_ea", + "job_id": "lmd_high_mean_rdp_process_args_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_mean_rdp_process_args_ea", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + }, + { + "exists": { + "field": "session.start_time" + } } - }, - { - "id": "datafeed-lmd_high_mean_rdp_process_args_euid", - "job_id": "lmd_high_mean_rdp_process_args_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_high_mean_rdp_process_args_euid", - "query": { - "bool": { - "filter": [ - { - "exists": 
{ - "field": "source.ip" - } - }, - { - "exists": { - "field": "destination.ip" - } - }, - { - "exists": { - "field": "session.start_time" - } - } - ] - } - } + ] + } + } + } + }, + { + "id": "datafeed-lmd_rare_file_path_remote_transfer_ea", + "job_id": "lmd_rare_file_path_remote_transfer_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_rare_file_path_remote_transfer_ea", + "query": { + "bool": { + "must_not": [ + { + "terms": { + "user.name": [ + "SYSTEM", + "root" + ] + } } - }, - { - "id": "datafeed-lmd_rare_file_path_remote_transfer_euid", - "job_id": "lmd_rare_file_path_remote_transfer_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_rare_file_path_remote_transfer_euid", - "query": { - "bool": { - "must_not": [ - { - "terms": { - "user.name": [ - "SYSTEM", - "root" - ] - } - } - ], - "filter": [ - { - "term": { - "event.category": "file" - } - }, - { - "term": { - "event.action": "creation" - } - }, - { - "terms": { - "process.name": [ - "System", - "scp", - "sshd", - "smbd", - "vsftpd", - "sftp-server" - ] - } - }, - { - "exists": { - "field": "process.name" - } - }, - { - "exists": { - "field": "file.name" - } - } - ] - } - }, - "runtime_mappings": { - "file_directory": { - "type": "keyword", - "script": { - "source": "def st=new String();\r\ndef st1=new String(); \r\nif(doc.containsKey('file.path') && doc['file.path'].size() != 0 )\r\n{st=doc['file.path'].value.replace('/','\\\\').splitOnToken('\\\\')[-1]; \r\nst1=doc['file.path'].value.replace(st,\"\");\r\n emit((st1));} else { emit('None');}" - } - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } - } - } + ], + "filter": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "event.action": "creation" + } + }, + { + "terms": { + "process.name": [ + "System", + "scp", + "sshd", + "smbd", + 
"vsftpd", + "sftp-server" + ] + } + }, + { + "exists": { + "field": "process.name" + } + }, + { + "exists": { + "field": "file.name" + } } + ] } - ] - }, - "id": "lmd-ml", - "migrationVersion": { - "search": "7.16.0" - }, - "references": [], - "type": "ml-module" -} + }, + "runtime_mappings": { + "file_directory": { + "type": "keyword", + "script": { + "source": "def st=new String();\r\ndef st1=new String(); \r\nif(doc.containsKey('file.path') && doc['file.path'].size() != 0 )\r\n{st=doc['file.path'].value.replace('/','\\\\').splitOnToken('\\\\')[-1]; \r\nst1=doc['file.path'].value.replace(st,\"\");\r\n emit((st1));} else { emit('None');}" + } + } + } + } + } + ] + }, + "id": "lmd-ml", + "migrationVersion": { + "search": "7.16.0" + }, + "references": [], + "type": "ml-module" +} \ No newline at end of file diff --git a/packages/pad/changelog.yml b/packages/pad/changelog.yml index 9f700ec5db2..494909633c5 100644 --- a/packages/pad/changelog.yml +++ b/packages/pad/changelog.yml @@ -1,6 +1,6 @@ - version: "2.0.0" changes: - - description: Introduce Entity Unique IDs (EUIDs) + - description: Introduce Entity Analytics type: enhancement link: https://github.com/elastic/integrations/pull/99999 - version: "1.1.1" diff --git a/packages/pad/docs/README.md b/packages/pad/docs/README.md index 7f6a47efb31..fc13f27d1f8 100644 --- a/packages/pad/docs/README.md +++ b/packages/pad/docs/README.md 
@@ -63,12 +63,12 @@ The package transform supports data from Elastic Endpoint via Elastic Defend and ``` POST INDEX_NAME/_rollover ``` -1. **Check the health of the transforms**: The transforms are scheduled to run every hour. These transforms create two indices: `ml_windows_privilege_type_pad_euid.all` and `ml_okta_multiple_user_sessions_pad_euid.all`. To check the health of the transforms go to **Management > Stack Management > Data > Transforms** under `logs-pad.pivot_transform_okta_sessions_euid-default-` and `logs-pad.pivot_transform_win_privilege_list_euid-default-`. -1. **Create data views for anomaly detection jobs**: The anomaly detection jobs under this package rely on three indices. One index contains logs for Windows, Linux, and Okta (logs-*), while the second and third indices store Okta user session information and details about special Windows privileges assigned to a user, respectively, collected through two transforms (`ml_okta_multiple_user_sessions_pad_euid.all` and `ml_windows_privilege_type_pad_euid.all`). Before enabling the anomaly detection jobs, create a data view with both index patterns. +1. **Check the health of the transforms**: The transforms are scheduled to run every hour. These transforms create two indices: `ml_windows_privilege_type_pad_ea.all` and `ml_okta_multiple_user_sessions_pad_ea.all`. To check the health of the transforms go to **Management > Stack Management > Data > Transforms** under `logs-pad.pivot_transform_okta_sessions_ea-default-` and `logs-pad.pivot_transform_win_privilege_list_ea-default-`. +1. **Create data views for anomaly detection jobs**: The anomaly detection jobs under this package rely on three indices. 
One index contains logs for Windows, Linux, and Okta (logs-*), while the second and third indices store Okta user session information and details about special Windows privileges assigned to a user, respectively, collected through two transforms (`ml_okta_multiple_user_sessions_pad_ea.all` and `ml_windows_privilege_type_pad_ea.all`). Before enabling the anomaly detection jobs, create a data view with both index patterns. 1. Go to **Stack Management > Kibana > Data Views** and click **Create data view**. - 1. Enter the name of your respective index patterns in the **Index pattern** box, i.e., `logs-*, ml_okta_multiple_user_sessions_pad_euid.all, ml_windows_privilege_type_pad_euid.all`, and copy the same in the **Name** field. + 1. Enter the name of your respective index patterns in the **Index pattern** box, i.e., `logs-*, ml_okta_multiple_user_sessions_pad_ea.all, ml_windows_privilege_type_pad_ea.all`, and copy the same in the **Name** field. 1. Select `@timestamp` under the **Timestamp** field and click on **Save data view to Kibana**. - 1. Use the new data view (`logs-*, ml_okta_multiple_user_sessions_pad_euid.all, ml_windows_privilege_type_pad_euid.all`) to create anomaly detection jobs for this package. + 1. Use the new data view (`logs-*, ml_okta_multiple_user_sessions_pad_ea.all, ml_windows_privilege_type_pad_ea.all`) to create anomaly detection jobs for this package. 1. **Add preconfigured anomaly detection jobs**: In **Stack Management -> Anomaly Detection Jobs**, you will see **Select data view or saved search**. Select the data view created in the previous step. Then under `Use preconfigured jobs` you will see **Privileged Access Detection**. When you select the card, you will see pre-configured anomaly detection jobs that you can create depending on what makes the most sense for your environment. 
**_Note_**: In the Machine Learning app, these configurations are available only when data exists that matches the query specified in the [pad-ml file](https://github.com/elastic/integrations/blob/main/packages/pad/kibana/ml_module/pad-ml.json#L10). Additionally, we recommend backdating the datafeed for these anomaly detection jobs to a specific timeframe, as some datafeed queries are resource-intensive and may lead to query delays. We advise you to start the datafeed with 2-3 months' worth of data. 1. **Data view configuration for Dashboards**: For the dashboard to work as expected, the following settings need to be configured in Kibana. @@ -76,7 +76,7 @@ The package transform supports data from Elastic Endpoint via Elastic Defend and 1. You have **read** access to `.ml-anomalies-shared` index or are assigned the `machine_learning_user` role. For more information on roles, please refer to [Built-in roles in Elastic](https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-roles.html). Please be aware that a user who has access to the underlying machine learning results indices can see the results of _all_ jobs in _all_ spaces. Be mindful of granting permissions if you use Kibana spaces to control which users can see which machine learning results. For more information on machine learning privileges, refer to [setup-privileges](https://www.elastic.co/guide/en/machine-learning/current/setup.html#setup-privileges). 1. After enabling the jobs, go to **Management > Stack Management > Kibana > Data Views**. Click on **Create data view** with the following settings: - Name: `.ml-anomalies-shared` - - Index pattern : `.ml-anomalies-shared*` + - Index pattern : `.ml-anomalies-shared` - Select **Show Advanced settings** enable **Allow hidden and system indices** - Custom data view ID: `.ml-anomalies-shared` 
@@ -90,17 +90,17 @@ To inspect the installed assets, you can navigate to **Stack Management > Data > | Transform name | Purpose | Source index | Destination index | Alias | Supported Platform | |--------------------------------------------|--------------------------------------------------------------------|---------------|------------------------------------------------|--------------------------------------- | ------------------ | -| pad.pivot_transform_okta_sessions_euid | Collects user session information for Okta events | logs-* | ml_okta_multiple_user_sessions_pad_euid-[version] | ml_okta_multiple_user_sessions_pad_euid.all | Okta | -| pad.pivot_transform_win_privilege_list_euid | Collects special privileges assigned to a user for Windows events | logs-* | ml_windows_privilege_type_pad_euid-[version] | ml_windows_privilege_type_pad_euid.all | Windows | +| pad.pivot_transform_okta_sessions_ea | Collects user session information for Okta events | logs-* | ml_okta_multiple_user_sessions_pad_ea-[version] | ml_okta_multiple_user_sessions_pad_ea.all | Okta | +| pad.pivot_transform_win_privilege_list_ea | Collects special privileges assigned to a user for Windows events | logs-* | ml_windows_privilege_type_pad_ea-[version] | ml_windows_privilege_type_pad_ea.all | Windows | -When querying the destination indices for Okta and Windows logs, we advise using the alias for the destination index (`ml_okta_multiple_user_sessions_pad_euid.all` and `ml_windows_privilege_type_pad_euid.all`). In the event that the underlying package is upgraded, the alias will aid in maintaining the previous findings. +When querying the destination indices for Okta and Windows logs, we advise using the alias for the destination index (`ml_okta_multiple_user_sessions_pad_ea.all` and `ml_windows_privilege_type_pad_ea.all`). In the event that the underlying package is upgraded, the alias will aid in maintaining the previous findings. 
## Customize Privileged Access Detection Transform To customize filters in the Privileged Access Detection transform, follow the below steps. You can use these instructions to update basic settings or to update filters for fields such as `process.name`, `@timestamp` and others. 1. To update settings such as retention policy, frequency, or destination configuration, stop the transform, click **Edit** from the **Actions** bar, make the required changes, and start the transform again. ![Privileged Access Detection transform](../img/pad_transform_update.png) -1. To update the query filters, go to **Stack Management > Data > Transforms > `logs-pad.pivot_transform_win_privilege_list_euid-default-`**. +1. To update the query filters, go to **Stack Management > Data > Transforms > `logs-pad.pivot_transform_win_privilege_list_ea-default-`**. 1. Click on the **Actions** bar at the far right of the transform and select the **Clone** option. ![Privileged Access Detection transform](../img/pad_transform_1.png) 1. In the new **Clone transform** window, go to the **Search filter** and update any field values you want to add or remove. Click on the **Apply changes** button on the right side to save these changes. **Note:** The image below shows an example of filtering a new `process.name` as `explorer.exe`. You can follow a similar example and update the field value list based on your environment to help reduce noise and potential false positives. 
@@ -114,27 +114,27 @@ To customize filters in the Privileged Access Detection transform, follow the be | Job | Description | Supported Platform | |------------------------------------------------------------|------------------------------------------------------------------------------------------------|----------------------| -| pad_windows_high_count_special_logon_events_euid | Detects unusually high special logon events initiated by a user. | Windows | -| pad_windows_high_count_special_privilege_use_events_euid | Detects unusually high special privilege use events initiated by a user. | Windows | -| pad_windows_high_count_group_management_events_euid | Detects unusually high security group management events initiated by a user. | Windows | -| pad_windows_high_count_user_account_management_events_euid | Detects unusually high security user account management events initiated by a user. | Windows | -| pad_windows_rare_privilege_assigned_to_user_euid | Detects an unusual privilege type assigned to a user. | Windows | -| pad_windows_rare_group_name_by_user_euid | Detects an unusual group name accessed by a user. | Windows | -| pad_windows_rare_device_by_user_euid | Detects an unusual device accessed by a user. | Windows | -| pad_windows_rare_source_ip_by_user_euid | Detects an unusual source IP address accessed by a user. | Windows | -| pad_windows_rare_region_name_by_user_euid | Detects an unusual region name for a user. | Windows | -| pad_linux_high_count_privileged_process_events_by_user_euid | Detects a spike in privileged commands executed by a user. | Linux | -| pad_linux_rare_process_executed_by_user_euid | Detects a rare process executed by a user. | Linux | -| pad_linux_high_median_process_command_line_entropy_by_user_euid | Detects process command lines executed by a user with an abnormally high median entropy value. | Okta Integration | -| pad_okta_spike_in_group_membership_changes_euid | Detects spike in group membership change events by a user. 
| Okta Integration | -| pad_okta_spike_in_user_lifecycle_management_changes_euid | Detects spike in user lifecycle management change events by a user. | Okta Integration | -| pad_okta_spike_in_group_privilege_changes_euid | Detects spike in group privilege change events by a user. | Okta Integration | +| pad_windows_high_count_special_logon_events_ea | Detects unusually high special logon events initiated by a user. | Windows | +| pad_windows_high_count_special_privilege_use_events_ea | Detects unusually high special privilege use events initiated by a user. | Windows | +| pad_windows_high_count_group_management_events_ea | Detects unusually high security group management events initiated by a user. | Windows | +| pad_windows_high_count_user_account_management_events_ea | Detects unusually high security user account management events initiated by a user. | Windows | +| pad_windows_rare_privilege_assigned_to_user_ea | Detects an unusual privilege type assigned to a user. | Windows | +| pad_windows_rare_group_name_by_user_ea | Detects an unusual group name accessed by a user. | Windows | +| pad_windows_rare_device_by_user_ea | Detects an unusual device accessed by a user. | Windows | +| pad_windows_rare_source_ip_by_user_ea | Detects an unusual source IP address accessed by a user. | Windows | +| pad_windows_rare_region_name_by_user_ea | Detects an unusual region name for a user. | Windows | +| pad_linux_high_count_privileged_process_events_by_user_ea | Detects a spike in privileged commands executed by a user. | Linux | +| pad_linux_rare_process_executed_by_user_ea | Detects a rare process executed by a user. | Linux | +| pad_linux_high_median_process_command_line_entropy_by_user_ea | Detects process command lines executed by a user with an abnormally high median entropy value. | Okta Integration | +| pad_okta_spike_in_group_membership_changes_ea | Detects spike in group membership change events by a user. 
| Okta Integration | +| pad_okta_spike_in_user_lifecycle_management_changes_ea | Detects spike in user lifecycle management change events by a user. | Okta Integration | +| pad_okta_spike_in_group_privilege_changes_ea | Detects spike in group privilege change events by a user. | Okta Integration | | pad_okta_spike_in_group_application_assignment_change | Detects spike in group application assignment change events by a user. | Okta Integration | -| pad_okta_spike_in_group_lifecycle_changes_euid | Detects spike in group lifecycle change events by a user. | Okta Integration | -| pad_okta_high_sum_concurrent_sessions_by_user_euid | Detects an unusual sum of active sessions started by a user. | Okta Integration | -| pad_okta_rare_source_ip_by_user_euid | Detects an unusual source IP address accessed by a user. | Okta Integration | -| pad_okta_rare_region_name_by_user_euid | Detects an unusual region name for a user. | Okta Integration | -| pad_okta_rare_host_name_by_user_euid | Detects an unusual host name for a user. | Okta Integration | +| pad_okta_spike_in_group_lifecycle_changes_ea | Detects spike in group lifecycle change events by a user. | Okta Integration | +| pad_okta_high_sum_concurrent_sessions_by_user_ea | Detects an unusual sum of active sessions started by a user. | Okta Integration | +| pad_okta_rare_source_ip_by_user_ea | Detects an unusual source IP address accessed by a user. | Okta Integration | +| pad_okta_rare_region_name_by_user_ea | Detects an unusual region name for a user. | Okta Integration | +| pad_okta_rare_host_name_by_user_ea | Detects an unusual host name for a user. | Okta Integration | ## Customize ML jobs for Privileged Access Detection 
@@ -155,39 +155,39 @@ To customize the datafeed query and other settings such as model memory limit, f ## v2.0.0 and beyond -v2.0.0 of the package introduces Entity Unique IDs (EUIDs) for use with Entity Analytics. This version is available on Elastic Stack version 9.4 and later. +v2.0.0 of the package introduces Entity Analytics support for Elastic Stack version 9.4, adding new fields for proper entity resolution. -- Previously installed versions of ML jobs, transforms, and rules will continue to run, giving you time to transition to the new EUID-based assets. -- On installation of this version, new ML jobs, transforms, and rules that utilize EUIDs will be available. +- Previously installed versions of ML jobs, transforms, and rules will continue to run, giving you time to transition to the new Entity Analytics assets. +- On installation of this version, new ML jobs, transforms, and rules that utilize Entity Analytics will be available. - We recommend installing the new ML jobs and transforms first and check they are properly installed, gathering data and generating anomalies before updating to the latest version of the detection rules provided in 9.4. -- The new EUID transforms write to separate destination indices postfixed with `_euid`. Create a new data view for the EUID anomaly detection jobs using the new EUID destination indices/aliases listed below. Do not mix old and new transform destination indices in the same data view. 
- -The new EUID ML job IDs are: -- `pad_windows_high_count_special_logon_events_euid` -- `pad_windows_high_count_special_privilege_use_events_euid` -- `pad_windows_high_count_group_management_events_euid` -- `pad_windows_high_count_user_account_management_events_euid` -- `pad_windows_rare_privilege_assigned_to_user_euid` -- `pad_windows_rare_group_name_by_user_euid` -- `pad_windows_rare_device_by_user_euid` -- `pad_windows_rare_source_ip_by_user_euid` -- `pad_windows_rare_region_name_by_user_euid` -- `pad_linux_high_count_privileged_process_events_by_user_euid` -- `pad_linux_rare_process_executed_by_user_euid` -- `pad_linux_high_median_process_command_line_entropy_by_user_euid` -- `pad_okta_spike_in_group_membership_changes_euid` -- `pad_okta_spike_in_user_lifecycle_management_changes_euid` -- `pad_okta_spike_in_group_privilege_changes_euid` -- `pad_okta_spike_in_group_application_assignment_changes_euid` -- `pad_okta_spike_in_group_lifecycle_changes_euid` -- `pad_okta_high_sum_concurrent_sessions_by_user_euid` -- `pad_okta_rare_source_ip_by_user_euid` -- `pad_okta_rare_region_name_by_user_euid` -- `pad_okta_rare_host_name_by_user_euid` - -The new EUID transforms are: -- `pad.pivot_transform_okta_sessions_euid` → destination index: `ml_okta_multiple_user_sessions_pad_euid-2.0.0`, alias: `ml_okta_multiple_user_sessions_pad_euid.latest`, `ml_okta_multiple_user_sessions_pad_euid.all` -- `pad.pivot_transform_win_privilege_list_euid` → destination index: `ml_windows_privilege_type_pad_euid-2.0.0`, alias: `ml_windows_privilege_type_pad_euid.latest`, `ml_windows_privilege_type_pad_euid.all` +- The new Entity Analytics transforms write to separate destination indices postfixed with `_ea`. Create a new data view for the Entity Analytics anomaly detection jobs using the new destination indices/aliases listed below. Do not mix old and new transform destination indices in the same data view. 
+ +The new Entity Analytics ML job IDs are: +- `pad_windows_high_count_special_logon_events_ea` +- `pad_windows_high_count_special_privilege_use_events_ea` +- `pad_windows_high_count_group_management_events_ea` +- `pad_windows_high_count_user_account_management_events_ea` +- `pad_windows_rare_privilege_assigned_to_user_ea` +- `pad_windows_rare_group_name_by_user_ea` +- `pad_windows_rare_device_by_user_ea` +- `pad_windows_rare_source_ip_by_user_ea` +- `pad_windows_rare_region_name_by_user_ea` +- `pad_linux_high_count_privileged_process_events_by_user_ea` +- `pad_linux_rare_process_executed_by_user_ea` +- `pad_linux_high_median_process_command_line_entropy_by_user_ea` +- `pad_okta_spike_in_group_membership_changes_ea` +- `pad_okta_spike_in_user_lifecycle_management_changes_ea` +- `pad_okta_spike_in_group_privilege_changes_ea` +- `pad_okta_spike_in_group_application_assignment_changes_ea` +- `pad_okta_spike_in_group_lifecycle_changes_ea` +- `pad_okta_high_sum_concurrent_sessions_by_user_ea` +- `pad_okta_rare_source_ip_by_user_ea` +- `pad_okta_rare_region_name_by_user_ea` +- `pad_okta_rare_host_name_by_user_ea` + +The new Entity Analytics transforms are: +- `pad.pivot_transform_okta_sessions_ea` → destination index: `ml_okta_multiple_user_sessions_pad_ea-2.0.0`, alias: `ml_okta_multiple_user_sessions_pad_ea.latest`, `ml_okta_multiple_user_sessions_pad_ea.all` +- `pad.pivot_transform_win_privilege_list_ea` → destination index: `ml_windows_privilege_type_pad_ea-2.0.0`, alias: `ml_windows_privilege_type_pad_ea.latest`, `ml_windows_privilege_type_pad_ea.all` ## Licensing diff --git a/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/fields/fields.yml b/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/fields/fields.yml index 94cca0df550..daa1675fff2 100644 --- a/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/fields/fields.yml 
+++ b/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/fields/fields.yml @@ -1,4 +1,6 @@ -- name: user.entity.id_computed +- external: ecs + name: user.name +- name: event.module type: keyword - external: ecs name: source.user.full_name diff --git a/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/transform.yml b/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/transform.yml index f80b52a672c..5e68b312273 100644 --- a/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/transform.yml +++ b/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/transform.yml @@ -18,11 +18,11 @@ source: - terms: '_tier': [ "data_cold", "data_frozen" ] dest: - index: ml_okta_multiple_user_sessions_pad_euid-2.0.0 + index: ml_okta_multiple_user_sessions_pad_ea-2.0.0 aliases: - - alias: ml_okta_multiple_user_sessions_pad_euid.latest + - alias: ml_okta_multiple_user_sessions_pad_ea.latest move_on_creation: true - - alias: ml_okta_multiple_user_sessions_pad_euid.all + - alias: ml_okta_multiple_user_sessions_pad_ea.all move_on_creation: false description: This transform runs hourly and collects user session information for Okta events for the Privileged Access Detection package. frequency: 1h @@ -39,10 +39,12 @@ pivot: term: 'okta.event_type': "user.session.end" group_by: - 'user.entity.id_computed': + 'user.name': terms: - script: - id: euid_user_entity + field: user.name + event.module: + terms: + field: event.module 'agent.name': terms: field: agent.name diff --git a/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_ea/fields/fields.yml b/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_ea/fields/fields.yml index 245b70a0445..389d98d0e87 100644 --- a/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_ea/fields/fields.yml +++ b/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_ea/fields/fields.yml 
@@ -1,6 +1,10 @@ -- name: user.entity.id_computed +- name: agent.name type: keyword -- name: host.entity.id_computed +- external: ecs + name: host.name +- external: ecs + name: user.name +- name: event.module type: keyword - name: privilege_type type: keyword diff --git a/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_ea/transform.yml b/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_ea/transform.yml index 6b5e4307340..84dfc038b45 100644 --- a/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_ea/transform.yml +++ b/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_ea/transform.yml @@ -20,11 +20,11 @@ source: - terms: '_tier': [ "data_cold", "data_frozen" ] dest: - index: ml_windows_privilege_type_pad_euid-2.0.0 + index: ml_windows_privilege_type_pad_ea-2.0.0 aliases: - - alias: ml_windows_privilege_type_pad_euid.latest + - alias: ml_windows_privilege_type_pad_ea.latest move_on_creation: true - - alias: ml_windows_privilege_type_pad_euid.all + - alias: ml_windows_privilege_type_pad_ea.all move_on_creation: false description: This transform runs hourly and collects special privileges assigned to a user in the Windows events for the Privileged Access Detection package. frequency: 1h @@ -34,14 +34,18 @@ pivot: max: field: '@timestamp' group_by: - 'host.entity.id_computed': + agent.name: terms: - script: - id: euid_host_entity - 'user.entity.id_computed': + field: agent.name + 'host.name': terms: - script: - id: euid_user_entity + field: host.name + 'user.name': + terms: + field: user.name + event.module: + terms: + field: event.module 'privilege_type': terms: field: winlog.event_data.PrivilegeList diff --git a/packages/pad/kibana/dashboard/pad-ea-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09.json b/packages/pad/kibana/dashboard/pad-ea-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09.json new file mode 100644 index 00000000000..3ca33a16e71 --- /dev/null 
+++ b/packages/pad/kibana/dashboard/pad-ea-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09.json 
@@ -0,0 +1,87 @@ +{ + "attributes": { + "description": "This dashboard offers an overview of anomalies identified in Windows logs by the Privileged Access Detection package.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"job_id: (\\\"pad_windows_high_count_group_management_events_ea\\\" or \\\"pad_windows_high_count_special_logon_events_ea\\\" or \\\"pad_windows_high_count_special_privilege_use_events_ea\\\" or \\\"pad_windows_high_count_user_account_management_events_ea\\\" or \\\"pad_windows_rare_device_by_user_ea\\\" or \\\"pad_windows_rare_group_name_by_user_ea\\\" or \\\"pad_windows_rare_source_ip_by_user_ea\\\" or \\\"pad_windows_rare_privilege_assigned_to_user_ea\\\" ) \\n\\n\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"type\":\"custom\",\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"query\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"bool\":{\"filter\":[{\"term\":{\"result_type\":{\"value\":\"record\"}}}]}}}]}" + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": 
"[{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":11,\"h\":8,\"i\":\"c969fd47-15df-4011-8fa3-2a27825ad0f6\"},\"panelIndex\":\"c969fd47-15df-4011-8fa3-2a27825ad0f6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-4a3eb6a5-00f0-40bb-a514-4624c8ecf975\"}],\"state\":{\"visualization\":{\"layerId\":\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\",\"accessor\":\"38c1895e-f712-49ad-b793-1468d2fd02dc\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\":{\"columns\":{\"38c1895e-f712-49ad-b793-1468d2fd02dc\":{\"label\":\"Anomalous host names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"38c1895e-f712-49ad-b793-1468d2fd02dc\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"Number of hosts 
affected\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":0,\"w\":11,\"h\":8,\"i\":\"16a69c4e-a9e3-4ec0-aa9a-11ba40d873bd\"},\"panelIndex\":\"16a69c4e-a9e3-4ec0-aa9a-11ba40d873bd\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-4a3eb6a5-00f0-40bb-a514-4624c8ecf975\"}],\"state\":{\"visualization\":{\"layerId\":\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\",\"accessor\":\"38c1895e-f712-49ad-b793-1468d2fd02dc\",\"layerType\":\"data\",\"size\":\"l\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"9b5b5af7-b12d-4f9e-98e4-eb78ca6a3de3\",\"type\":\"exists\",\"key\":\"host.name\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{\"exists\":{\"field\":\"host.name\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\":{\"columns\":{\"38c1895e-f712-49ad-b793-1468d2fd02dc\":{\"label\":\"Anomalous user names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"user.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"38c1895e-f712-49ad-b793-1468d2fd02dc\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"Number of users 
affected\"},{\"type\":\"ml_anomaly_swimlane\",\"gridData\":{\"x\":22,\"y\":0,\"w\":26,\"h\":19,\"i\":\"dce1e8da-3b99-4852-a222-3e0f276dee0e\"},\"panelIndex\":\"dce1e8da-3b99-4852-a222-3e0f276dee0e\",\"embeddableConfig\":{\"jobIds\":[\"pad_windows_high_count_group_management_events_ea\",\"pad_windows_high_count_special_logon_events_ea\",\"pad_windows_high_count_special_privilege_use_events_ea\",\"pad_windows_high_count_user_account_management_events_ea\",\"pad_windows_rare_device_by_user_ea\",\"pad_windows_rare_group_name_by_user_ea\",\"pad_windows_rare_privilege_assigned_to_user_ea\",\"pad_windows_rare_region_name_by_user_ea\",\"pad_windows_rare_source_ip_by_user_ea\"],\"panelTitle\":\"ML anomaly swim lane for pad_linux_high_count_privileged_process_events_by_user_ea, pad_linux_high_sum_process_command_line_entropy_by_user, pad_linux_rare_process_executed_by_user_ea\",\"swimlaneType\":\"viewBy\",\"viewBy\":\"job ID\",\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected by their Job ID and 
Severity\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":8,\"w\":11,\"h\":11,\"i\":\"26531c0e-a776-4e6f-badd-8766f77d9134\"},\"panelIndex\":\"26531c0e-a776-4e6f-badd-8766f77d9134\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-390b338f-2020-4d73-95ae-3934bae7f6b6\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"isTransposed\":false,\"isMetric\":false,\"hidden\":false,\"alignment\":\"left\"},{\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"390b338f-2020-4d73-95ae-3934bae7f6b6\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"390b338f-2020-4d73-95ae-3934bae7f6b6\":{\"columns\":{\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\":{\"label\":\"User names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"user.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"05043aa4-cc1e-429b-8046-fbcdd4092879\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"05043aa4-cc1e-429b-8046-fbcdd4092879\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 User names\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":8,\"w\":11,\"h\":11,\"i\":\"271a8d58-3d1b-44d9-93da-338c9f91867a\"},\"panelIndex\":\"271a8d58-3d1b-44d9-93da-338c9f91867a\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-390b338f-2020-4d73-95ae-3934bae7f6b6\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"isTransposed\":false,\"isMetric\":false,\"hidden\":false},{\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"390b338f-2020-4d73-95ae-3934bae7f6b6\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"390b338f-2020-4d73-95ae-3934bae7f6b6\":{\"columns\":{\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\":{\"label\":\"Host 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"05043aa4-cc1e-429b-8046-fbcdd4092879\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"05043aa4-cc1e-429b-8046-fbcdd4092879\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Host 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":19,\"w\":48,\"h\":10,\"i\":\"502e0249-fc8c-4d26-8f1e-d8f434d8e7c7\"},\"panelIndex\":\"502e0249-fc8c-4d26-8f1e-d8f434d8e7c7\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-633758dc-f315-45ef-8ff3-055ba6778160\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"633758dc-f315-45ef-8ff3-055ba6778160\",\"accessors\":[\"e0821c61-d9f8-46af-9b64-9b70c3353106\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"2e4087b8-5e9b-4040-8c21-231649fdaf27\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"633758dc-f315-45ef-8ff3-055ba6778160\":{\"columns\":{\"2e4087b8-5e9b-4040-8c21-231649fdaf27\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":false,\"dropPartials\":false}},\"e0821c61-d9f8-46af-9b64-9b70c3353106\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"2e4087b8-5e9b-4040-8c21-231649fdaf27\",\"e0821c61-d9f8-46af-9b64-9b70c3353106\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected over time\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":29,\"w\":12,\"h\":12,\"i\":\"920f2dd3-3628-4298-866a-da34c82431c2\"},\"panelIndex\":\"920f2dd3-3628-4298-866a-da34c82431c2\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Event 
types\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"event.action\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Event 
types\"},{\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":29,\"w\":12,\"h\":12,\"i\":\"02255922-d40f-4757-92c2-b53596a73f5e\"},\"panelIndex\":\"02255922-d40f-4757-92c2-b53596a73f5e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Privilege types\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"privilege_type\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Privilege types\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":29,\"w\":24,\"h\":12,\"i\":\"5318144f-ddf3-4f86-919f-0192feec779f\"},\"panelIndex\":\"5318144f-ddf3-4f86-919f-0192feec779f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-d4fef95e-d937-4dd8-9a7f-783e5142c701\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"d4fef95e-d937-4dd8-9a7f-783e5142c701\",\"accessors\":[\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d4fef95e-d937-4dd8-9a7f-783e5142c701\":{\"columns\":{\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\":{\"label\":\"Top 10 process names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\",\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Process 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":41,\"w\":12,\"h\":12,\"i\":\"0d20b661-2d10-4b29-8c22-74411dd468cb\"},\"panelIndex\":\"0d20b661-2d10-4b29-8c22-74411dd468cb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Source IPs\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.ip\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Source IPs\"},{\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":41,\"w\":12,\"h\":12,\"i\":\"8c0e0fe0-dbe3-4444-a341-b57559b4a7c0\"},\"panelIndex\":\"8c0e0fe0-dbe3-4444-a341-b57559b4a7c0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Group 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"group.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Group 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":41,\"w\":24,\"h\":12,\"i\":\"2762a942-0d53-4420-82c2-72bd991e7e7d\"},\"panelIndex\":\"2762a942-0d53-4420-82c2-72bd991e7e7d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-18a81053-4dec-4f8f-97b9-2cfbb5150300\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal\",\"layers\":[{\"layerId\":\"18a81053-4dec-4f8f-97b9-2cfbb5150300\",\"seriesType\":\"bar_horizontal\",\"xAccessor\":\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\",\"accessors\":[\"70751b16-f471-4176-b754-1680309d4477\"],\"yConfig\":[{\"forAccessor\":\"70751b16-f471-4176-b754-1680309d4477\",\"color\":\"#6092c0\"}],\"layerType\":\"data\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"18a81053-4dec-4f8f-97b9-2cfbb5150300\":{\"columns\":{\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\":{\"label\":\"Top 10 region 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.geo.region_name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"70751b16-f471-4176-b754-1680309d4477\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"70751b16-f471-4176-b754-1680309d4477\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\",\"70751b16-f471-4176-b754-1680309d4477\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Geo-regions\"}]", + "timeRestore": false, + "title": "Privileged Access Detection Dashboard [Windows] (Entity Analytics)", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "id": "pad-ea-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09", + "migrationVersion": { + "dashboard": "8.9.0" + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern", + "id": ".ml-anomalies-shared" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "c969fd47-15df-4011-8fa3-2a27825ad0f6:indexpattern-datasource-layer-4a3eb6a5-00f0-40bb-a514-4624c8ecf975" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": 
"16a69c4e-a9e3-4ec0-aa9a-11ba40d873bd:indexpattern-datasource-layer-4a3eb6a5-00f0-40bb-a514-4624c8ecf975" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "26531c0e-a776-4e6f-badd-8766f77d9134:indexpattern-datasource-layer-390b338f-2020-4d73-95ae-3934bae7f6b6" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "271a8d58-3d1b-44d9-93da-338c9f91867a:indexpattern-datasource-layer-390b338f-2020-4d73-95ae-3934bae7f6b6" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "502e0249-fc8c-4d26-8f1e-d8f434d8e7c7:indexpattern-datasource-layer-633758dc-f315-45ef-8ff3-055ba6778160" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "920f2dd3-3628-4298-866a-da34c82431c2:indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "02255922-d40f-4757-92c2-b53596a73f5e:indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "5318144f-ddf3-4f86-919f-0192feec779f:indexpattern-datasource-layer-d4fef95e-d937-4dd8-9a7f-783e5142c701" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "0d20b661-2d10-4b29-8c22-74411dd468cb:indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "8c0e0fe0-dbe3-4444-a341-b57559b4a7c0:indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "2762a942-0d53-4420-82c2-72bd991e7e7d:indexpattern-datasource-layer-18a81053-4dec-4f8f-97b9-2cfbb5150300" + } + ], + "type": "dashboard" +} \ No newline at end of file 
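Review bot: the new dashboard file is added without a trailing newline (`\ No newline at end of file` at the close of this hunk); add one so the asset matches the other package JSON files and does not produce a noisy diff on the next edit. In the same hunk, the lnsXY panel titled `Top 10 Process names` still carries the Lens editor's placeholder `"title":"Empty XY chart"` in its visualization state, and its terms column is labelled `Top 10 process names` although the panel title already says so, so the axis label repeats the panel title; drop the placeholder and relabel the column `Process names`, the way the datatable panels label theirs (`Event types`, `Privilege types`, `Source IPs`, `Group names`).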
diff --git a/packages/pad/kibana/dashboard/pad-ea-71c4cb79-3d39-4f27-9bbf-1b273c9c37cc.json b/packages/pad/kibana/dashboard/pad-ea-71c4cb79-3d39-4f27-9bbf-1b273c9c37cc.json new file mode 100644 index 00000000000..70d88610984 --- /dev/null +++ b/packages/pad/kibana/dashboard/pad-ea-71c4cb79-3d39-4f27-9bbf-1b273c9c37cc.json 
@@ -0,0 +1,67 @@ +{ + "attributes": { + "description": "This dashboard offers an overview of anomalies identified in Linux logs by the Privileged Access Detection package.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"job_id : (\\\"pad_linux_high_count_privileged_process_events_by_user_ea\\\" or \\\"pad_linux_rare_process_executed_by_user_ea\\\" or \\\"pad_linux_high_median_process_command_line_entropy_by_user_ea\\\")\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"type\":\"custom\",\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"query\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"bool\":{\"filter\":[{\"term\":{\"result_type\":{\"value\":\"record\"}}}]}}}]}" + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": "[{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":11,\"h\":8,\"i\":\"5f659483-b424-415f-aea1-c36bd1f65b0a\"},\"panelIndex\":\"5f659483-b424-415f-aea1-c36bd1f65b0a\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-00897d5d-df2a-4a94-b918-82f2625dfb2a\"}],\"state\":{\"visualization\":{\"layerId\":\"00897d5d-df2a-4a94-b918-82f2625dfb2a\",\"accessor\":\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"00897d5d-df2a-4a94-b918-82f2625dfb2a\":{\"columns\":{\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\":{\"label\":\"Anomalous host names 
detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":0,\"w\":11,\"h\":8,\"i\":\"5183abf0-ed13-455e-9f43-4f03c1d8738f\"},\"panelIndex\":\"5183abf0-ed13-455e-9f43-4f03c1d8738f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-00897d5d-df2a-4a94-b918-82f2625dfb2a\"}],\"state\":{\"visualization\":{\"layerId\":\"00897d5d-df2a-4a94-b918-82f2625dfb2a\",\"accessor\":\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"00897d5d-df2a-4a94-b918-82f2625dfb2a\":{\"columns\":{\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\":{\"label\":\"Anomalous user names 
detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"user.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"be65b39c-4d7a-426a-bd7b-b1d51cde9f18\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"ml_anomaly_swimlane\",\"gridData\":{\"x\":22,\"y\":0,\"w\":26,\"h\":18,\"i\":\"74fa9f56-104a-4efa-aec3-844420c0350d\"},\"panelIndex\":\"74fa9f56-104a-4efa-aec3-844420c0350d\",\"embeddableConfig\":{\"jobIds\":[\"pad_linux_high_count_privileged_process_events_by_user_ea\",\"pad_linux_high_median_process_command_line_entropy_by_user_ea\",\"pad_linux_rare_process_executed_by_user_ea\"],\"panelTitle\":\"ML anomaly swim lane for pad_linux_high_count_privileged_process_events_by_user_ea, pad_linux_high_median_process_command_line_entropy_by_user_ea, pad_linux_rare_process_executed_by_user_ea\",\"swimlaneType\":\"viewBy\",\"viewBy\":\"job ID\",\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected by their Job ID and 
Severity\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":8,\"w\":11,\"h\":10,\"i\":\"69788132-8446-4d88-baef-81dbb0c34bbb\"},\"panelIndex\":\"69788132-8446-4d88-baef-81dbb0c34bbb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\":{\"columns\":{\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\":{\"label\":\"User names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"user.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\",\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 User names\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":8,\"w\":11,\"h\":10,\"i\":\"fa9be72f-18d4-4054-85a1-6c35f3a44406\"},\"panelIndex\":\"fa9be72f-18d4-4054-85a1-6c35f3a44406\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"dc9c0b23-4e22-4d75-a8e0-8b29ad67f016\":{\"columns\":{\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\":{\"label\":\"Host 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"5e5ce028-c8ab-49bb-a3ef-ddd5ddcf3a3c\",\"f5c1e766-3b0f-45db-8865-1c7a2c3c1924\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Host names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":18,\"w\":48,\"h\":9,\"i\":\"437c12af-ddd9-4ffa-a43f-df5693028ae3\"},\"panelIndex\":\"437c12af-ddd9-4ffa-a43f-df5693028ae3\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-a25cc1d0-4da8-4e42-9d93-7800fd4573bf\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY 
chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"a25cc1d0-4da8-4e42-9d93-7800fd4573bf\",\"accessors\":[\"7bf6b54c-a978-44a5-a882-3e3398a9a49d\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"6e60ffb4-8f27-4d05-b120-699ffa51c46c\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"a25cc1d0-4da8-4e42-9d93-7800fd4573bf\":{\"columns\":{\"6e60ffb4-8f27-4d05-b120-699ffa51c46c\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":false,\"dropPartials\":false}},\"7bf6b54c-a978-44a5-a882-3e3398a9a49d\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"6e60ffb4-8f27-4d05-b120-699ffa51c46c\",\"7bf6b54c-a978-44a5-a882-3e3398a9a49d\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected over 
time\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":27,\"w\":21,\"h\":12,\"i\":\"a86a0e06-7e5c-4cf5-9e52-884a1b83f00d\"},\"panelIndex\":\"a86a0e06-7e5c-4cf5-9e52-884a1b83f00d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-bb8cc50c-32fa-4f4e-846d-f8128bc9cbd5\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal\",\"layers\":[{\"layerId\":\"bb8cc50c-32fa-4f4e-846d-f8128bc9cbd5\",\"accessors\":[\"f99b8911-2434-488c-92e3-208a71fa6abd\"],\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"d1ed4962-15bf-4a35-a43f-d68f3d9f269e\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"bb8cc50c-32fa-4f4e-846d-f8128bc9cbd5\":{\"columns\":{\"d1ed4962-15bf-4a35-a43f-d68f3d9f269e\":{\"label\":\"Top 10 process names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f99b8911-2434-488c-92e3-208a71fa6abd\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"f99b8911-2434-488c-92e3-208a71fa6abd\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"d1ed4962-15bf-4a35-a43f-d68f3d9f269e\",\"f99b8911-2434-488c-92e3-208a71fa6abd\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Process names\"},{\"type\":\"lens\",\"gridData\":{\"x\":21,\"y\":27,\"w\":27,\"h\":12,\"i\":\"ef4641fe-8802-4ca1-aae2-e4a7fdf80c25\"},\"panelIndex\":\"ef4641fe-8802-4ca1-aae2-e4a7fdf80c25\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-adf86fac-24b5-464e-83c0-0353583f7769\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"3723924b-14a6-414d-b1a9-0704cd57703e\",\"isTransposed\":false,\"isMetric\":false,\"oneClickFilter\":false},{\"columnId\":\"01945a54-9581-4d1a-8bbf-8ffb641b8f32\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"adf86fac-24b5-464e-83c0-0353583f7769\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"adf86fac-24b5-464e-83c0-0353583f7769\":{\"columns\":{\"3723924b-14a6-414d-b1a9-0704cd57703e\":{\"label\":\"Command 
lines\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.command_line\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"01945a54-9581-4d1a-8bbf-8ffb641b8f32\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"01945a54-9581-4d1a-8bbf-8ffb641b8f32\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3723924b-14a6-414d-b1a9-0704cd57703e\",\"01945a54-9581-4d1a-8bbf-8ffb641b8f32\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Command lines\"}]", + "timeRestore": false, + "title": "Privileged Access Detection Dashboard [Linux] (Entity Analytics)", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "id": "pad-ea-71c4cb79-3d39-4f27-9bbf-1b273c9c37cc", + "migrationVersion": { + "dashboard": "8.9.0" + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern", + "id": ".ml-anomalies-shared" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "5f659483-b424-415f-aea1-c36bd1f65b0a:indexpattern-datasource-layer-00897d5d-df2a-4a94-b918-82f2625dfb2a" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "5183abf0-ed13-455e-9f43-4f03c1d8738f:indexpattern-datasource-layer-00897d5d-df2a-4a94-b918-82f2625dfb2a" + }, + { + "type": 
"index-pattern", + "id": ".ml-anomalies-shared", + "name": "69788132-8446-4d88-baef-81dbb0c34bbb:indexpattern-datasource-layer-dc9c0b23-4e22-4d75-a8e0-8b29ad67f016" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "fa9be72f-18d4-4054-85a1-6c35f3a44406:indexpattern-datasource-layer-dc9c0b23-4e22-4d75-a8e0-8b29ad67f016" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "437c12af-ddd9-4ffa-a43f-df5693028ae3:indexpattern-datasource-layer-a25cc1d0-4da8-4e42-9d93-7800fd4573bf" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "a86a0e06-7e5c-4cf5-9e52-884a1b83f00d:indexpattern-datasource-layer-bb8cc50c-32fa-4f4e-846d-f8128bc9cbd5" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "ef4641fe-8802-4ca1-aae2-e4a7fdf80c25:indexpattern-datasource-layer-adf86fac-24b5-464e-83c0-0353583f7769" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/pad/kibana/dashboard/pad-ea-aea2c9d3-c841-4466-8c61-c0ffbf6ac976.json b/packages/pad/kibana/dashboard/pad-ea-aea2c9d3-c841-4466-8c61-c0ffbf6ac976.json new file mode 100644 index 00000000000..03f2e2535a5 --- /dev/null +++ b/packages/pad/kibana/dashboard/pad-ea-aea2c9d3-c841-4466-8c61-c0ffbf6ac976.json 
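Review bot: the "Top 10 Command lines" panel (panelIndex `ef4641fe-8802-4ca1-aae2-e4a7fdf80c25`) runs a `terms` aggregation on `process.command_line` over `.ml-anomalies-shared`, so whoever can open this dashboard sees raw command lines from the privileged process events the Linux jobs flag; command lines of `sudo`/`su`-style invocations routinely carry arguments operators would rather not broadcast, so either state in the package README which roles this dashboard is meant for or confirm that exposing full command lines here is intended. Also a style point: the file is written with `\ No newline at end of file` after the closing `}`; add the trailing newline so the asset matches the rest of the package.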
@@ -0,0 +1,72 @@ +{ + "attributes": { + "description": "This dashboard offers an overview of anomalies identified in Okta system logs by the Privileged Access Detection package.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"job_id : (\\\"pad_okta_spike_in_group_membership_changes_ea\\\" or \\\"pad_okta_spike_in_user_lifecycle_management_changes_ea\\\" or \\\"pad_okta_spike_in_group_privilege_changes_ea\\\" or \\\"pad_okta_spike_in_group_application_assignment_changes_ea\\\" or \\\"pad_okta_spike_in_group_lifecycle_changes_ea\\\" or \\\"pad_okta_high_sum_concurrent_sessions_by_user_ea\\\" or \\\"pad_okta_rare_source_ip_by_user_ea\\\" or \\\"pad_okta_rare_region_name_by_user_ea\\\" or \\\"pad_okta_rare_host_name_by_user_ea\\\")\\n\\n\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"type\":\"custom\",\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"query\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"bool\":{\"filter\":[{\"term\":{\"result_type\":{\"value\":\"record\"}}}]}}}]}" + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": 
"[{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":11,\"h\":8,\"i\":\"9102c38b-a4e9-4219-97f8-b2e000bd3af6\"},\"panelIndex\":\"9102c38b-a4e9-4219-97f8-b2e000bd3af6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\"}],\"state\":{\"visualization\":{\"layerId\":\"606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\",\"accessor\":\"aec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\":{\"columns\":{\"aec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\":{\"label\":\"Anomalous host names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"agent.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"aec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":0,\"w\":11,\"h\":8,\"i\":\"c2594a80-809a-4db9-949f-c23de974e903\"},\"panelIndex\":\"c2594a80-809a-4db9-949f-c23de974e903\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\"}],\"state\":{\"visualization\":{\"layerId\":\"606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\",\"accessor\":\"a
ec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"606e98ee-80ad-4ef6-b5dd-d72ca603cf3d\":{\"columns\":{\"aec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\":{\"label\":\"Anomalous user names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"source.user.full_name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"aec1b4e9-d4b9-4ffe-be4a-78d9ff6ac863\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"ml_anomaly_swimlane\",\"gridData\":{\"x\":22,\"y\":0,\"w\":26,\"h\":19,\"i\":\"8a24b8ca-19da-4eb9-9ac3-d09bb362abb2\"},\"panelIndex\":\"8a24b8ca-19da-4eb9-9ac3-d09bb362abb2\",\"embeddableConfig\":{\"jobIds\":[\"pad_okta_high_sum_concurrent_sessions_by_user_ea\",\"pad_okta_rare_host_name_by_user_ea\",\"pad_okta_rare_region_name_by_user_ea\",\"pad_okta_rare_source_ip_by_user_ea\",\"pad_okta_spike_in_group_application_assignment_changes_ea\",\"pad_okta_spike_in_group_lifecycle_changes_ea\",\"pad_okta_spike_in_group_membership_changes_ea\",\"pad_okta_spike_in_group_privilege_changes_ea\",\"pad_okta_spike_in_user_lifecycle_management_changes_ea\"],\"panelTitle\":\"ML anomaly swim lane for pad_okta_high_sum_concurrent_sessions_by_user_ea, pad_okta_rare_host_name_by_user_ea, pad_okta_rare_region_name_by_user_ea, pad_okta_rare_source_ip_by_user_ea, pad_okta_spike_in_group_application_assignment_changes_ea, pad_okta_spike_in_group_lifecycle_changes_ea, pad_okta_spike_in_group_membership_changes_ea, pad_okta_spike_in_group_privilege_changes_ea, 
pad_okta_spike_in_user_lifecycle_management_changes_ea\",\"swimlaneType\":\"viewBy\",\"viewBy\":\"job ID\",\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected by their Job ID and Severity\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":8,\"w\":11,\"h\":11,\"i\":\"fe8ca082-0cbb-4e64-87c0-71b580b22776\"},\"panelIndex\":\"fe8ca082-0cbb-4e64-87c0-71b580b22776\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"471aae81-d83d-4ef6-942b-c92f9fe26435\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\":{\"columns\":{\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\":{\"label\":\"User names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.user.full_name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"471aae81-d83d-4ef6-942b-c92f9fe26435\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"471aae81-d83d-4ef6-942b-c92f9fe26435\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\",\"471aae81-d83d-4ef6-942b-c92f9fe26435\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 User names\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":8,\"w\":11,\"h\":11,\"i\":\"87db855a-4b1c-43b0-92f7-23d991abc98d\"},\"panelIndex\":\"87db855a-4b1c-43b0-92f7-23d991abc98d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"471aae81-d83d-4ef6-942b-c92f9fe26435\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"single\",\"rowHeightLines\":1},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02\":{\"columns\":{\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\":{\"label\":\"Host 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"471aae81-d83d-4ef6-942b-c92f9fe26435\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"471aae81-d83d-4ef6-942b-c92f9fe26435\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"ca063b88-97c6-4e9e-a132-2d31e7921ecd\",\"471aae81-d83d-4ef6-942b-c92f9fe26435\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Host names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":19,\"w\":48,\"h\":9,\"i\":\"64a3d12e-87fc-4161-86bf-d10e47cb2131\"},\"panelIndex\":\"64a3d12e-87fc-4161-86bf-d10e47cb2131\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-d53a6d5d-0747-4aff-a8e0-bf3678f0f192\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY 
chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"d53a6d5d-0747-4aff-a8e0-bf3678f0f192\",\"accessors\":[\"8e064c56-fb74-40b3-851d-e3bb934f3224\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"9276778a-5402-4477-825f-bdfec4c9c712\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d53a6d5d-0747-4aff-a8e0-bf3678f0f192\":{\"columns\":{\"8e064c56-fb74-40b3-851d-e3bb934f3224\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"9276778a-5402-4477-825f-bdfec4c9c712\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":false,\"dropPartials\":false}}},\"columnOrder\":[\"9276778a-5402-4477-825f-bdfec4c9c712\",\"8e064c56-fb74-40b3-851d-e3bb934f3224\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected over 
time\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":28,\"w\":12,\"h\":12,\"i\":\"27b2661e-490f-4f5c-80b5-7021b64528da\"},\"panelIndex\":\"27b2661e-490f-4f5c-80b5-7021b64528da\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-aca96b75-931d-4c8d-bcf2-03b37727f51e\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"b9958cde-7f21-4133-9264-e2167b1636ab\",\"isTransposed\":false,\"isMetric\":true},{\"columnId\":\"91d2626d-1b61-4783-ac7b-705b8610f29b\",\"isTransposed\":false,\"isMetric\":false}],\"layerId\":\"aca96b75-931d-4c8d-bcf2-03b37727f51e\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"aca96b75-931d-4c8d-bcf2-03b37727f51e\":{\"columns\":{\"b9958cde-7f21-4133-9264-e2167b1636ab\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"91d2626d-1b61-4783-ac7b-705b8610f29b\":{\"label\":\"Okta event 
types\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"okta.event_type\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"b9958cde-7f21-4133-9264-e2167b1636ab\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"91d2626d-1b61-4783-ac7b-705b8610f29b\",\"b9958cde-7f21-4133-9264-e2167b1636ab\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Okta event types\"},{\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":28,\"w\":12,\"h\":12,\"i\":\"1f7cd6af-eee1-4456-a555-e257acb9dbae\"},\"panelIndex\":\"1f7cd6af-eee1-4456-a555-e257acb9dbae\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-aca96b75-931d-4c8d-bcf2-03b37727f51e\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"b9958cde-7f21-4133-9264-e2167b1636ab\",\"isTransposed\":false,\"isMetric\":true},{\"columnId\":\"91d2626d-1b61-4783-ac7b-705b8610f29b\",\"isTransposed\":false,\"isMetric\":false}],\"layerId\":\"aca96b75-931d-4c8d-bcf2-03b37727f51e\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"aca96b75-931d-4c8d-bcf2-03b37727f51e\":{\"columns\":{\"b9958cde-7f21-4133-9264-e2167b1636ab\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"91d2626d-1b61-4783-ac7b-705b8610f29b\":{\"label\":\"Source IPs\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.ip\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"b9958cde-7f21-4133-9264-e2167b1636ab\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true}},\"columnOrder\":[\"91d2626d-1b61-4783-ac7b-705b8610f29b\",\"b9958cde-7f21-4133-9264-e2167b1636ab\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Source 
IPs\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":28,\"w\":24,\"h\":12,\"i\":\"151ae1ee-f82f-4233-8901-4b54548fa92f\"},\"panelIndex\":\"151ae1ee-f82f-4233-8901-4b54548fa92f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-ca9ed90b-110a-4dec-a680-bd615c54f318\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal\",\"layers\":[{\"layerId\":\"ca9ed90b-110a-4dec-a680-bd615c54f318\",\"seriesType\":\"bar_horizontal\",\"xAccessor\":\"e789ceb8-c70c-43af-9126-bd9d7958f77b\",\"accessors\":[\"3f708596-2ad5-4a79-818d-4054db051bd4\"],\"yConfig\":[{\"forAccessor\":\"3f708596-2ad5-4a79-818d-4054db051bd4\",\"color\":\"#6092c0\"}],\"layerType\":\"data\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"ca9ed90b-110a-4dec-a680-bd615c54f318\":{\"columns\":{\"3f708596-2ad5-4a79-818d-4054db051bd4\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"e789ceb8-c70c-43af-9126-bd9d7958f77b\":{\"label\":\"Top 10 region 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"client.geo.region_name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"3f708596-2ad5-4a79-818d-4054db051bd4\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true}},\"columnOrder\":[\"e789ceb8-c70c-43af-9126-bd9d7958f77b\",\"3f708596-2ad5-4a79-818d-4054db051bd4\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Geo-regions\"}]", + "timeRestore": false, + "title": "Privileged Access Detection Dashboard [Okta] (Entity Analytics)", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "id": "pad-ea-aea2c9d3-c841-4466-8c61-c0ffbf6ac976", + "migrationVersion": { + "dashboard": "8.9.0" + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern", + "id": ".ml-anomalies-shared" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "9102c38b-a4e9-4219-97f8-b2e000bd3af6:indexpattern-datasource-layer-606e98ee-80ad-4ef6-b5dd-d72ca603cf3d" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "c2594a80-809a-4db9-949f-c23de974e903:indexpattern-datasource-layer-606e98ee-80ad-4ef6-b5dd-d72ca603cf3d" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "fe8ca082-0cbb-4e64-87c0-71b580b22776:indexpattern-datasource-layer-1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + 
"name": "87db855a-4b1c-43b0-92f7-23d991abc98d:indexpattern-datasource-layer-1fdc2a48-b0aa-4ec5-abad-7260b7bf3b02" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "64a3d12e-87fc-4161-86bf-d10e47cb2131:indexpattern-datasource-layer-d53a6d5d-0747-4aff-a8e0-bf3678f0f192" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "27b2661e-490f-4f5c-80b5-7021b64528da:indexpattern-datasource-layer-aca96b75-931d-4c8d-bcf2-03b37727f51e" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "1f7cd6af-eee1-4456-a555-e257acb9dbae:indexpattern-datasource-layer-aca96b75-931d-4c8d-bcf2-03b37727f51e" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "151ae1ee-f82f-4233-8901-4b54548fa92f:indexpattern-datasource-layer-ca9ed90b-110a-4dec-a680-bd615c54f318" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/pad/kibana/ml_module/pad-ml.json b/packages/pad/kibana/ml_module/pad-ml.json index bc748b152df..ae5bdb7ba1b 100644 --- a/packages/pad/kibana/ml_module/pad-ml.json +++ b/packages/pad/kibana/ml_module/pad-ml.json 
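Review bot: both "host name" panels in this Okta dashboard, the `lnsLegacyMetric` labelled "Anomalous host names detected" (panelIndex `9102c38b-a4e9-4219-97f8-b2e000bd3af6`) and the `lnsDatatable` titled "Top 10 Host names" (panelIndex `87db855a-4b1c-43b0-92f7-23d991abc98d`), aggregate on `"sourceField":"agent.name"`; in ECS `agent.name` identifies the Elastic Agent that shipped the event, not the device the Okta user signed in from, so for `okta.system` anomalies these panels may just list collector names. Confirm that `agent.name` is the field the `pad_okta_rare_host_name_by_user_ea` detector actually models, or point the panels at the field it does use and rename them accordingly. Two smaller cleanups: the "Anomalies detected over time" panel still carries the Lens default `"title":"Empty XY chart"` inside its visualization state, and the saved KQL in `searchSourceJSON` ends with a literal `\n\n`; both are harmless but look like editor residue. As with the Linux dashboard, the file lacks a trailing newline.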
@@ -1,2632 +1,2450 @@ { - "attributes": { - "id": "pad-ml", - "title": "Privileged Access Detection", - "description": "Detects anomalous privileged access activity in the Windows, Linux and Okta logs.", - "type": "pad", - "logo": { - "icon": "machineLearningApp" - }, - "query": { + "attributes": { + "id": "pad-ml", + "title": "Privileged Access Detection", + "description": "Detects anomalous privileged access activity in the Windows, Linux and Okta logs.", + "type": "pad", + "logo": { + "icon": "machineLearningApp" + }, + "query": { + "bool": { + "should": [ + { "bool": { - "should": [ - { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "exists": { - "field": "winlog.event_id" - } - } - ] - } - }, - { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "linux", - "Linux" - ] - } - }, - { - "term": { - "event.category": "process" - } - } - ] - } - }, - { - "exists": { - "field": "privilege_type" - } - }, - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "exists": { - "field": "okta_distinct_ips" - } - } - ], - "must_not": { - "terms": { - "_tier": [ - "data_frozen", - "data_cold" - ] - } + "must": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "exists": { + "field": "winlog.event_id" + } } + ] } - }, - "jobs": [ - { - "id": "pad_windows_high_count_special_logon_events_euid", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects unusually high special logon events initiated by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of special logon events", - "function": "high_non_zero_count", - "by_field_name": "event.action", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "host.name", - "user.entity.id_computed", - "user.name", - "winlog.event_data.SubjectUserName", - 
"winlog.event_data.PrivilegeList", - "winlog.event_data.TargetUserName", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } - } - }, - { - "id": "pad_windows_high_count_special_privilege_use_events_euid", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects unusually high special privilege use events initiated by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of special privilege use events", - "function": "high_non_zero_count", - "by_field_name": "event.action", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "host.name", - "user.entity.id_computed", - "user.name", - "winlog.event_data.SubjectUserName", - "winlog.event_data.PrivilegeList", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + }, + { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "linux", + "Linux" + ] + } + }, + { + "term": { + "event.category": "process" + } } - }, - { - "id": "pad_windows_high_count_group_management_events_euid", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects unusually high security group management events initiated by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of security group management events", - "function": "high_non_zero_count", - "by_field_name": "event.action", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "host.name", - "user.entity.id_computed", - "user.name", - "winlog.event_data.SubjectUserName", - "group.name", - "winlog.event_data.TargetUserName" 
- ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + ] + } + }, + { + "exists": { + "field": "privilege_type" + } + }, + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "exists": { + "field": "okta_distinct_ips" + } + } + ], + "must_not": { + "terms": { + "_tier": [ + "data_frozen", + "data_cold" + ] + } + } + } + }, + "jobs": [ + { + "id": "pad_windows_high_count_special_logon_events_ea", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects unusually high special logon events initiated by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of special logon events", + "function": "high_non_zero_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "winlog.event_data.SubjectUserName", + "winlog.event_data.PrivilegeList", + "winlog.event_data.TargetUserName", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_windows_high_count_special_privilege_use_events_ea", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects unusually high special privilege use events initiated by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of special privilege use events", + "function": "high_non_zero_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "winlog.event_data.SubjectUserName", + 
"winlog.event_data.PrivilegeList", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_windows_high_count_group_management_events_ea", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects unusually high security group management events initiated by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of security group management events", + "function": "high_non_zero_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "winlog.event_data.SubjectUserName", + "group.name", + "winlog.event_data.TargetUserName" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_windows_high_count_user_account_management_events_ea", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects unusually high security user account management events initiated by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of security user account management events", + "function": "high_non_zero_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "winlog.event_data.SubjectUserName", + "winlog.event_data.TargetUserName" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": 
"pad_windows_rare_privilege_assigned_to_user_ea", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects an unusual privilege type assigned to a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare privilege type by user name", + "function": "rare", + "by_field_name": "privilege_type", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "privilege_type", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_windows_rare_group_name_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects an unusual group name accessed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare group name by user name", + "function": "rare", + "by_field_name": "group.name", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "group.name", + "winlog.event_data.TargetUserName", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_windows_rare_device_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects an unusual device accessed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare device name by user name", + "function": "rare", + "by_field_name": "host.name", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + 
"user.name", + "event.module", + "user.id", + "group.name", + "winlog.event_data.PrivilegeList", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_windows_rare_source_ip_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects an unusual source IP address accessed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare source IP by user name", + "function": "rare", + "by_field_name": "source.ip", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "source.ip", + "winlog.event_data.PrivilegeList", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_windows_rare_region_name_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects an unusual region name for a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare region name by user", + "function": "rare", + "by_field_name": "source.geo.region_name", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "source.geo.city_name", + "source.geo.country_name", + "winlog.event_data.PrivilegeList", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_linux_high_count_privileged_process_events_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "linux" + ], 
+ "description": "Detects a spike in privileged commands executed by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of privileged processes by user name", + "function": "high_non_zero_count", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "process.name", + "process.command_line" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_linux_rare_process_executed_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "linux" + ], + "description": "Detects a rare process executed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare process by user name", + "function": "rare", + "by_field_name": "process.name", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_linux_high_median_process_command_line_entropy_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "linux" + ], + "description": "Detects process command lines executed by a user with an abnormally high median entropy value. This job requires some manual setup before it can run successfully, specifically adding custom field mappings for data coming from an ingest pipeline. 
Instructions for these steps are available in the package overview.", + "analysis_config": { + "bucket_span": "30m", + "detectors": [ + { + "detector_description": "High median of process argument count by user name", + "function": "high_median", + "field_name": "process.command_line_entropy", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "process.command_line" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_okta_spike_in_group_membership_changes_ea", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects spike in group membership change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of group membership okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "agent.name", + "user.name", + "event.module", + "source.user.full_name", + "user.target.full_name", + "user.target.group.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_okta_spike_in_user_lifecycle_management_changes_ea", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects spike in user lifecycle management change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of user lifecycle management okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + 
"influencers": [ + "agent.name", + "user.name", + "event.module", + "source.user.full_name", + "user.target.full_name", + "user.target.group.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_okta_spike_in_group_privilege_changes_ea", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects spike in group privilege change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of group privilege okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "agent.name", + "user.name", + "event.module", + "source.user.full_name", + "user.target.full_name", + "user.target.group.name", + "okta.debug_context.debug_data.privilegeGranted", + "okta.debug_context.debug_data.privilegeRevoked" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_okta_spike_in_group_application_assignment_changes_ea", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects spike in group application assignment change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of group application assignment okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "agent.name", + "user.name", + "event.module", + "source.user.full_name", + "user.target.group.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + 
"custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_okta_spike_in_group_lifecycle_changes_ea", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects spike in group lifecycle change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of group lifecycle okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "agent.name", + "user.name", + "event.module", + "source.user.full_name", + "user.target.group.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_okta_high_sum_concurrent_sessions_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects an unusual sum of active sessions started by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High sum of distinct source ips by user name", + "function": "high_sum", + "field_name": "okta_distinct_ips", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "user.name", + "event.module", + "agent.name", + "source.user.full_name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_okta_rare_source_ip_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects an unusual source IP address accessed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare source ip by user name", + "function": "rare", + "by_field_name": "source.ip", + "partition_field_name": 
"user.name", + "detector_index": 0 + } + ], + "influencers": [ + "agent.name", + "source.user.full_name", + "user.target.group.name", + "okta.event_type" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_okta_rare_region_name_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects an unusual region name for a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare region name by user name", + "function": "rare", + "by_field_name": "client.geo.region_name", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "agent.name", + "source.user.full_name", + "user.target.group.name", + "okta.event_type", + "client.geo.country_name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + }, + { + "id": "pad_okta_rare_host_name_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects an unusual host name for a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare host name by user name", + "function": "rare", + "by_field_name": "host.name", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "agent.name", + "source.user.full_name", + "user.target.group.name", + "okta.event_type" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } + } + } + ], + "datafeeds": [ + { + "id": "datafeed-pad_windows_high_count_special_logon_events_ea", + "job_id": "pad_windows_high_count_special_logon_events_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": 
"pad_windows_high_count_special_logon_events_ea", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "logged-in-special", + "logged-in-explicit" + ] + } + }, + { + "terms": { + "event.code": [ + "4672", + "4648" + ] + } } - }, - { - "id": "pad_windows_high_count_user_account_management_events_euid", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects unusually high security user account management events initiated by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of security user account management events", - "function": "high_non_zero_count", - "by_field_name": "event.action", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "host.name", - "user.entity.id_computed", - "user.name", - "winlog.event_data.SubjectUserName", - "winlog.event_data.TargetUserName" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } } - }, - { - "id": "pad_windows_rare_privilege_assigned_to_user_euid", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects an unusual privilege type assigned to a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare privilege type by user name", - "function": "rare", - "by_field_name": "privilege_type", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "host.name", - 
"user.entity.id_computed", - "user.name", - "privilege_type", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + ] + } + } + } + }, + { + "id": "datafeed-pad_windows_high_count_special_privilege_use_events_ea", + "job_id": "pad_windows_high_count_special_privilege_use_events_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_high_count_special_privilege_use_events_ea", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "privileged-operation", + "privileged-service-called" + ] + } + }, + { + "terms": { + "event.code": [ + "4673", + "4674" + ] + } } - }, - { - "id": "pad_windows_rare_group_name_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects an unusual group name accessed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare group name by user name", - "function": "rare", - "by_field_name": "group.name", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "host.name", - "user.entity.id_computed", - "user.name", - "group.name", - "winlog.event_data.TargetUserName", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } } - }, - { - "id": "pad_windows_rare_device_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects an 
unusual device accessed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare device name by user name", - "function": "rare", - "by_field_name": "host.name", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "host.name", - "user.entity.id_computed", - "user.name", - "group.name", - "winlog.event_data.PrivilegeList", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + ] + } + } + } + }, + { + "id": "datafeed-pad_windows_high_count_group_management_events_ea", + "job_id": "pad_windows_high_count_group_management_events_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_high_count_group_management_events_ea", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "added-member-to-group", + "removed-member-from-group" + ] + } + }, + { + "terms": { + "event.code": [ + "4732", + "4728", + "4756", + "4733", + "4729" + ] + } } - }, - { - "id": "pad_windows_rare_source_ip_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects an unusual source IP address accessed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare source IP by user name", - "function": "rare", - "by_field_name": "source.ip", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "host.name", - "user.entity.id_computed", - "user.name", - "source.ip", - "winlog.event_data.PrivilegeList", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } 
+ ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } } - }, - { - "id": "pad_windows_rare_region_name_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects an unusual region name for a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare region name by user", - "function": "rare", - "by_field_name": "source.geo.region_name", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "host.name", - "user.entity.id_computed", - "user.name", - "source.geo.city_name", - "source.geo.country_name", - "winlog.event_data.PrivilegeList", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + ] + } + } + } + }, + { + "id": "datafeed-pad_windows_high_count_user_account_management_events_ea", + "job_id": "pad_windows_high_count_user_account_management_events_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_high_count_user_account_management_events_ea", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "enabled-user-account", + "added-user-account", + "deleted-user-account", + "disabled-user-account" + ] + } + }, + { + "terms": { + "event.code": [ + "4722", + "4720", + "4726", + "4725" + ] + } } - }, - { - "id": "pad_linux_high_count_privileged_process_events_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "linux" - ], - "description": "Detects a spike in privileged commands executed by a user.", - "analysis_config": { - "bucket_span": "3h", - 
"detectors": [ - { - "detector_description": "High count of privileged processes by user name", - "function": "high_non_zero_count", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "host.name", - "user.entity.id_computed", - "user.name", - "process.name", - "process.command_line" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } } - }, - { - "id": "pad_linux_rare_process_executed_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "linux" - ], - "description": "Detects a rare process executed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare process by user name", - "function": "rare", - "by_field_name": "process.name", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "host.name", - "user.entity.id_computed", - "user.name", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + ] + } + } + } + }, + { + "id": "datafeed-pad_windows_rare_privilege_assigned_to_user_ea", + "job_id": "pad_windows_rare_privilege_assigned_to_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_privilege_assigned_to_user_ea", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "privilege_type" + } } - }, - { - "id": "pad_linux_high_median_process_command_line_entropy_by_user_euid", - "config": { - "groups": [ - "security", - 
"pad", - "linux" - ], - "description": "Detects process command lines executed by a user with an abnormally high median entropy value. This job requires some manual setup before it can run successfully, specifically adding custom field mappings for data coming from an ingest pipeline. Instructions for these steps are available in the package overview.", - "analysis_config": { - "bucket_span": "30m", - "detectors": [ - { - "detector_description": "High median of process argument count by user name", - "function": "high_median", - "field_name": "process.command_line_entropy", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "host.entity.id_computed", - "host.name", - "user.entity.id_computed", - "user.name", - "process.command_line" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + ] + } + } + } + }, + { + "id": "datafeed-pad_windows_rare_group_name_by_user_ea", + "job_id": "pad_windows_rare_group_name_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_group_name_by_user_ea", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "added-member-to-group", + "removed-member-from-group" + ] + } + }, + { + "terms": { + "event.code": [ + "4732", + "4728", + "4756", + "4733", + "4729" + ] + } } - }, - { - "id": "pad_okta_spike_in_group_membership_changes_euid", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects spike in group membership change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of group membership okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": 
"user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "user.entity.id_computed", - "user.name", - "source.user.full_name", - "user.target.full_name", - "user.target.group.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } } - }, - { - "id": "pad_okta_spike_in_user_lifecycle_management_changes_euid", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects spike in user lifecycle management change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of user lifecycle management okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "user.entity.id_computed", - "user.name", - "source.user.full_name", - "user.target.full_name", - "user.target.group.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + ] + } + } + } + }, + { + "id": "datafeed-pad_windows_rare_device_by_user_ea", + "job_id": "pad_windows_rare_device_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_device_by_user_ea", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "exists": { + "field": "host.name" + } + }, + { + "exists": { + "field": "user.name" + } + }, + { + "terms": { + "event.code": [ + "4720", + "4726", + 
"4722", + "4756", + "4672", + "4673", + "4674", + "4720", + "4728", + "4732", + "4756", + "624", + "632", + "636", + "660", + "4725", + "4723", + "4648", + "4688", + "4729", + "4733", + "4757", + "637", + "661" + ] + } } - }, - { - "id": "pad_okta_spike_in_group_privilege_changes_euid", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects spike in group privilege change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of group privilege okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "user.entity.id_computed", - "user.name", - "source.user.full_name", - "user.target.full_name", - "user.target.group.name", - "okta.debug_context.debug_data.privilegeGranted", - "okta.debug_context.debug_data.privilegeRevoked" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + ], + "must_not": [ + { + "terms": { + "event.action": [ + "log_on", + "created_process" + ] + } + }, + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } } - }, - { - "id": "pad_okta_spike_in_group_application_assignment_changes_euid", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects spike in group application assignment change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of group application assignment okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": 
"user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "user.entity.id_computed", - "user.name", - "source.user.full_name", - "user.target.group.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + ] + } + } + } + }, + { + "id": "datafeed-pad_windows_rare_source_ip_by_user_ea", + "job_id": "pad_windows_rare_source_ip_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_source_ip_by_user_ea", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "user.name" + } + }, + { + "terms": { + "event.code": [ + "4720", + "4726", + "4722", + "4756", + "4672", + "4673", + "4674", + "4720", + "4728", + "4732", + "4756", + "624", + "632", + "636", + "660", + "4725", + "4723", + "4648", + "4688", + "4729", + "4733", + "4757", + "637", + "661" + ] + } } - }, - { - "id": "pad_okta_spike_in_group_lifecycle_changes_euid", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects spike in group lifecycle change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of group lifecycle okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "user.entity.id_computed", - "user.name", - "source.user.full_name", - "user.target.group.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + ], + "must_not": [ + { + "terms": { + "event.action": [ + "log_on", + "created_process" + ] + } + }, + { 
+ "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } } - }, - { - "id": "pad_okta_high_sum_concurrent_sessions_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects an unusual sum of active sessions started by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High sum of distinct source ips by user name", - "function": "high_sum", - "field_name": "okta_distinct_ips", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "user.entity.id_computed", - "user.name", - "agent.name", - "source.user.full_name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + ] + } + } + } + }, + { + "id": "datafeed-pad_windows_rare_region_name_by_user_ea", + "job_id": "pad_windows_rare_region_name_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_region_name_by_user_ea", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "exists": { + "field": "source.geo.region_name" + } + }, + { + "exists": { + "field": "user.name" + } + }, + { + "terms": { + "event.code": [ + "4720", + "4726", + "4722", + "4756", + "4672", + "4673", + "4674", + "4720", + "4728", + "4732", + "4756", + "624", + "632", + "636", + "660", + "4725", + "4723", + "4648", + "4688", + "4729", + "4733", + "4757", + "637", + "661" + ] + } } - }, - { - "id": "pad_okta_rare_source_ip_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects an unusual source IP address accessed by a user.", - "analysis_config": { - "bucket_span": "1h", - 
"detectors": [ - { - "detector_description": "Rare source ip by user name", - "function": "rare", - "by_field_name": "source.ip", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "user.entity.id_computed", - "user.name", - "agent.name", - "source.user.full_name", - "user.target.group.name", - "okta.event_type" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + ], + "must_not": [ + { + "terms": { + "event.action": [ + "log_on", + "created_process" + ] + } + }, + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } } - }, - { - "id": "pad_okta_rare_region_name_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects an unusual region name for a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare region name by user name", - "function": "rare", - "by_field_name": "client.geo.region_name", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "user.entity.id_computed", - "user.name", - "agent.name", - "source.user.full_name", - "user.target.group.name", - "okta.event_type", - "client.geo.country_name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + ] + } + } + } + }, + { + "id": "datafeed-pad_linux_high_count_privileged_process_events_by_user_ea", + "job_id": "pad_linux_high_count_privileged_process_events_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_linux_high_count_privileged_process_events_by_user_ea", + "query": { + "bool": { + "must": [ 
+ { + "terms": { + "host.os.type": [ + "linux", + "Linux" + ] + } + }, + { + "term": { + "event.category": "process" + } + }, + { + "terms": { + "event.type": [ + "start", + "change" + ] + } + }, + { + "bool": { + "should": [ + { + "match_phrase": { + "process.command_line.text": "LD_PRELOAD" + } + }, + { + "match_phrase": { + "process.command_line.text": "/etc/ld.so.preload" + } + }, + { + "match_phrase": { + "process.command_line.text": "/root/.ssh/authorized_keys" + } + }, + { + "match_phrase": { + "process.command_line.text": "timestamp_timeout=-1" + } + }, + { + "match_phrase": { + "process.command_line.text": "!tty_tickets" + } + }, + { + "match_phrase": { + "process.command_line.text": "var/spool/cron" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl daemon-reload" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw mod user" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw unlock" + } + }, + { + "match_phrase": { + "process.command_line.text": "chmod u+s" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo setcap cap_setuid" + } + }, + { + "match_phrase": { + "process.command_line.text": "su nobody" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo nobody" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo */root/" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*etc/sudoers" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*visudo" + } + }, + { + "match_phrase": { + "process.command_line.text": "etc/cron.*/" + } + }, + { + "match_phrase": { + "process.command_line.text": "trap*SIGINT" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*2000" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*4000" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl start*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": 
"systemctl enable*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bashrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.shrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_logout" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/rc." + } + } + ] + } } - }, - { - "id": "pad_okta_rare_host_name_by_user_euid", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects an unusual host name for a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare host name by user name", - "function": "rare", - "by_field_name": "agent.name", - "partition_field_name": "user.entity.id_computed", - "detector_index": 0 - } - ], - "influencers": [ - "user.entity.id_computed", - "user.name", - "agent.name", - "source.user.full_name", - "user.target.group.name", - "okta.event_type" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent", + "elasticsearch-users", + "elastic-agent.exe", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + }, + { + "terms": { + "process.command_line.text": [ + "elastic-agent", + "elasticsearch" + ] + } } + ] } - ], - "datafeeds": [ - { - "id": "datafeed-pad_windows_high_count_special_logon_events_euid", - "job_id": "pad_windows_high_count_special_logon_events_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_high_count_special_logon_events_euid", - "query": { - "bool": { - "filter": [ - { - 
"terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "logged-in-special", - "logged-in-explicit" - ] - } - }, - { - "terms": { - "event.code": [ - "4672", - "4648" - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } + } + } + }, + { + "id": "datafeed-pad_linux_rare_process_executed_by_user_ea", + "job_id": "pad_linux_rare_process_executed_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_linux_rare_process_executed_by_user_ea", + "query": { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "linux", + "Linux" + ] + } + }, + { + "term": { + "event.category": "process" + } + }, + { + "terms": { + "event.type": [ + "start", + "change" + ] + } + }, + { + "bool": { + "should": [ + { + "match_phrase": { + "process.command_line.text": "LD_PRELOAD" } - } - } - }, - { - "id": "datafeed-pad_windows_high_count_special_privilege_use_events_euid", - "job_id": "pad_windows_high_count_special_privilege_use_events_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_high_count_special_privilege_use_events_euid", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "privileged-operation", - "privileged-service-called" - ] - } - }, - { - "terms": { - "event.code": [ - "4673", - "4674" - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - 
"filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } + }, + { + "match_phrase": { + "process.command_line.text": "/etc/ld.so.preload" } - } - } - }, - { - "id": "datafeed-pad_windows_high_count_group_management_events_euid", - "job_id": "pad_windows_high_count_group_management_events_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_high_count_group_management_events_euid", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "added-member-to-group", - "removed-member-from-group" - ] - } - }, - { - "terms": { - "event.code": [ - "4732", - "4728", - "4756", - "4733", - "4729" - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } + }, + { + "match_phrase": { + "process.command_line.text": "/root/.ssh/authorized_keys" } - } - } - }, - { - "id": "datafeed-pad_windows_high_count_user_account_management_events_euid", - "job_id": "pad_windows_high_count_user_account_management_events_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_high_count_user_account_management_events_euid", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "enabled-user-account", - 
"added-user-account", - "deleted-user-account", - "disabled-user-account" - ] - } - }, - { - "terms": { - "event.code": [ - "4722", - "4720", - "4726", - "4725" - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } + }, + { + "match_phrase": { + "process.command_line.text": "timestamp_timeout=-1" } - } - } - }, - { - "id": "datafeed-pad_windows_rare_privilege_assigned_to_user_euid", - "job_id": "pad_windows_rare_privilege_assigned_to_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_rare_privilege_assigned_to_user_euid", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "privilege_type" - } - } - ] + }, + { + "match_phrase": { + "process.command_line.text": "!tty_tickets" } - } - } - }, - { - "id": "datafeed-pad_windows_rare_group_name_by_user_euid", - "job_id": "pad_windows_rare_group_name_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_rare_group_name_by_user_euid", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "added-member-to-group", - "removed-member-from-group" - ] - } - }, - { - "terms": { - "event.code": [ - "4732", - "4728", - "4756", - "4733", - "4729" - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - }, - "script_fields": { - 
"user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } + }, + { + "match_phrase": { + "process.command_line.text": "var/spool/cron" } - } - } - }, - { - "id": "datafeed-pad_windows_rare_device_by_user_euid", - "job_id": "pad_windows_rare_device_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_rare_device_by_user_euid", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "exists": { - "field": "host.name" - } - }, - { - "exists": { - "field": "user.name" - } - }, - { - "terms": { - "event.code": [ - "4720", - "4726", - "4722", - "4756", - "4672", - "4673", - "4674", - "4720", - "4728", - "4732", - "4756", - "624", - "632", - "636", - "660", - "4725", - "4723", - "4648", - "4688", - "4729", - "4733", - "4757", - "637", - "661" - ] - } - } - ], - "must_not": [ - { - "terms": { - "event.action": [ - "log_on", - "created_process" - ] - } - }, - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl daemon-reload" } - } - } - }, - { - "id": "datafeed-pad_windows_rare_source_ip_by_user_euid", - "job_id": "pad_windows_rare_source_ip_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_rare_source_ip_by_user_euid", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": 
{ - "field": "user.name" - } - }, - { - "terms": { - "event.code": [ - "4720", - "4726", - "4722", - "4756", - "4672", - "4673", - "4674", - "4720", - "4728", - "4732", - "4756", - "624", - "632", - "636", - "660", - "4725", - "4723", - "4648", - "4688", - "4729", - "4733", - "4757", - "637", - "661" - ] - } - } - ], - "must_not": [ - { - "terms": { - "event.action": [ - "log_on", - "created_process" - ] - } - }, - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } + }, + { + "match_phrase": { + "process.command_line.text": "pw mod user" } - } - } - }, - { - "id": "datafeed-pad_windows_rare_region_name_by_user_euid", - "job_id": "pad_windows_rare_region_name_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_rare_region_name_by_user_euid", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "exists": { - "field": "source.geo.region_name" - } - }, - { - "exists": { - "field": "user.name" - } - }, - { - "terms": { - "event.code": [ - "4720", - "4726", - "4722", - "4756", - "4672", - "4673", - "4674", - "4720", - "4728", - "4732", - "4756", - "624", - "632", - "636", - "660", - "4725", - "4723", - "4648", - "4688", - "4729", - "4733", - "4757", - "637", - "661" - ] - } - } - ], - "must_not": [ - { - "terms": { - "event.action": [ - "log_on", - "created_process" - ] - } - }, - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } 
- } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } + }, + { + "match_phrase": { + "process.command_line.text": "pw unlock" } - } - } - }, - { - "id": "datafeed-pad_linux_high_count_privileged_process_events_by_user_euid", - "job_id": "pad_linux_high_count_privileged_process_events_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_linux_high_count_privileged_process_events_by_user_euid", - "query": { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "linux", - "Linux" - ] - } - }, - { - "term": { - "event.category": "process" - } - }, - { - "terms": { - "event.type": [ - "start", - "change" - ] - } - }, - { - "bool": { - "should": [ - { - "match_phrase": { - "process.command_line.text": "LD_PRELOAD" - } - }, - { - "match_phrase": { - "process.command_line.text": "/etc/ld.so.preload" - } - }, - { - "match_phrase": { - "process.command_line.text": "/root/.ssh/authorized_keys" - } - }, - { - "match_phrase": { - "process.command_line.text": "timestamp_timeout=-1" - } - }, - { - "match_phrase": { - "process.command_line.text": "!tty_tickets" - } - }, - { - "match_phrase": { - "process.command_line.text": "var/spool/cron" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl daemon-reload" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw mod user" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw unlock" - } - }, - { - "match_phrase": { - "process.command_line.text": "chmod u+s" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo setcap cap_setuid" - } - }, - { - "match_phrase": { - "process.command_line.text": "su nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo */root/" - } - }, - { - 
"match_phrase": { - "process.command_line.text": "sudo*etc/sudoers" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*visudo" - } - }, - { - "match_phrase": { - "process.command_line.text": "etc/cron.*/" - } - }, - { - "match_phrase": { - "process.command_line.text": "trap*SIGINT" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*2000" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*4000" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl start*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl enable*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bashrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.shrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_logout" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/rc." 
- } - } - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent", - "elasticsearch-users", - "elastic-agent.exe", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - }, - { - "terms": { - "process.command_line.text": [ - "elastic-agent", - "elasticsearch" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } + }, + { + "match_phrase": { + "process.command_line.text": "chmod u+s" } - } - } - }, - { - "id": "datafeed-pad_linux_rare_process_executed_by_user_euid", - "job_id": "pad_linux_rare_process_executed_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_linux_rare_process_executed_by_user_euid", - "query": { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "linux", - "Linux" - ] - } - }, - { - "term": { - "event.category": "process" - } - }, - { - "terms": { - "event.type": [ - "start", - "change" - ] - } - }, - { - "bool": { - "should": [ - { - "match_phrase": { - "process.command_line.text": "LD_PRELOAD" - } - }, - { - "match_phrase": { - "process.command_line.text": "/etc/ld.so.preload" - } - }, - { - "match_phrase": { - "process.command_line.text": "/root/.ssh/authorized_keys" - } - }, - { - "match_phrase": { - "process.command_line.text": "timestamp_timeout=-1" - } - }, - { - "match_phrase": { - "process.command_line.text": "!tty_tickets" - } - }, - { - "match_phrase": { - "process.command_line.text": "var/spool/cron" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl daemon-reload" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw mod user" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw unlock" - } - }, - { - "match_phrase": { - "process.command_line.text": "chmod u+s" - } 
- }, - { - "match_phrase": { - "process.command_line.text": "sudo setcap cap_setuid" - } - }, - { - "match_phrase": { - "process.command_line.text": "su nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo */root/" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*etc/sudoers" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*visudo" - } - }, - { - "match_phrase": { - "process.command_line.text": "etc/cron.*/" - } - }, - { - "match_phrase": { - "process.command_line.text": "trap*SIGINT" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*2000" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*4000" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl start*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl enable*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bashrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.shrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_logout" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/rc." 
- } - } - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent", - "elasticsearch-users", - "elastic-agent.exe", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - }, - { - "terms": { - "process.command_line.text": [ - "elastic-agent", - "elasticsearch" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } + }, + { + "match_phrase": { + "process.command_line.text": "sudo setcap cap_setuid" } - } - } - }, - { - "id": "datafeed-pad_linux_high_median_process_command_line_entropy_by_user_euid", - "job_id": "pad_linux_high_median_process_command_line_entropy_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_linux_high_median_process_command_line_entropy_by_user_euid", - "query": { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "linux", - "Linux" - ] - } - }, - { - "term": { - "event.category": "process" - } - }, - { - "terms": { - "event.type": [ - "start", - "change" - ] - } - }, - { - "bool": { - "should": [ - { - "match_phrase": { - "process.command_line.text": "LD_PRELOAD" - } - }, - { - "match_phrase": { - "process.command_line.text": "/etc/ld.so.preload" - } - }, - { - "match_phrase": { - "process.command_line.text": "/root/.ssh/authorized_keys" - } - }, - { - "match_phrase": { - "process.command_line.text": "timestamp_timeout=-1" - } - }, - { - "match_phrase": { - "process.command_line.text": "!tty_tickets" - } - }, - { - "match_phrase": { - "process.command_line.text": "var/spool/cron" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl daemon-reload" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw mod user" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw unlock" - } - }, 
- { - "match_phrase": { - "process.command_line.text": "chmod u+s" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo setcap cap_setuid" - } - }, - { - "match_phrase": { - "process.command_line.text": "su nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo */root/" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*etc/sudoers" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*visudo" - } - }, - { - "match_phrase": { - "process.command_line.text": "etc/cron.*/" - } - }, - { - "match_phrase": { - "process.command_line.text": "trap*SIGINT" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*2000" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*4000" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl start*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl enable*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bashrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.shrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_logout" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/rc." 
- } - } - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent", - "elasticsearch-users", - "elastic-agent.exe", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - }, - { - "terms": { - "process.command_line.text": [ - "elastic-agent", - "elasticsearch" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } + }, + { + "match_phrase": { + "process.command_line.text": "su nobody" } - } - } - }, - { - "id": "datafeed-pad_okta_spike_in_group_membership_changes_euid", - "job_id": "pad_okta_spike_in_group_membership_changes_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_group_membership_changes_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": [ - "group.user_membership.add", - "group.user_membership.remove" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } + }, + { + "match_phrase": { + "process.command_line.text": "sudo nobody" } - } - } - }, - { - "id": "datafeed-pad_okta_spike_in_user_lifecycle_management_changes_euid", - "job_id": "pad_okta_spike_in_user_lifecycle_management_changes_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_user_lifecycle_management_changes_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": [ - "user.lifecycle.activate", - "user.lifecycle.deactivate", - "user.lifecycle.suspend", - "user.lifecycle.unsuspend", - "user.lifecycle.create", - "user.lifecycle.update" - ] - } - } - ] - } - }, - "script_fields": { - 
"user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } + }, + { + "match_phrase": { + "process.command_line.text": "sudo */root/" } - } - } - }, - { - "id": "datafeed-pad_okta_spike_in_group_privilege_changes_euid", - "job_id": "pad_okta_spike_in_group_privilege_changes_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_group_privilege_changes_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": [ - "group.privilege.grant", - "group.privilege.revoke" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*etc/sudoers" } - } - } - }, - { - "id": "datafeed-pad_okta_spike_in_group_application_assignment_changes_euid", - "job_id": "pad_okta_spike_in_group_application_assignment_changes_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_group_application_assignment_changes_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": [ - "group.application_assignment.add", - "group.application_assignment.remove" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*visudo" } - } - } - }, - { - "id": "datafeed-pad_okta_spike_in_group_lifecycle_changes_euid", - "job_id": "pad_okta_spike_in_group_lifecycle_changes_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_group_lifecycle_changes_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": [ - "group.lifecycle.create", - 
"group.lifecycle.delete" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } + }, + { + "match_phrase": { + "process.command_line.text": "etc/cron.*/" } - } - } - }, - { - "id": "datafeed-pad_okta_high_sum_concurrent_sessions_by_user_euid", - "job_id": "pad_okta_high_sum_concurrent_sessions_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_high_sum_concurrent_sessions_by_user_euid", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.user.name" - } - }, - { - "exists": { - "field": "okta_distinct_ips" - } - }, - { - "range": { - "okta_distinct_ips": { - "gte": 2 - } - } - }, - { - "range": { - "okta_distinct_countries": { - "gte": 2 - } - } - }, - { - "term": { - "okta_session_info.has_end_event": 0 - } - } - ] + }, + { + "match_phrase": { + "process.command_line.text": "trap*SIGINT" } - } - } - }, - { - "id": "datafeed-pad_okta_rare_source_ip_by_user_euid", - "job_id": "pad_okta_rare_source_ip_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_rare_source_ip_by_user_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "exists": { - "field": "source.ip" - } - }, - { - "terms": { - "okta.event_type": [ - "group.lifecycle.create", - "group.lifecycle.delete", - "group.user_membership.add", - "group.user_membership.remove", - "user.lifecycle.activate", - "user.lifecycle.deactivate", - "user.lifecycle.suspend", - "user.lifecycle.unsuspend", - "user.lifecycle.create", - "user.lifecycle.update", - "group.privilege.grant", - "group.privilege.revoke", - "group.application_assignment.add", - "group.application_assignment.remove" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*2000" } - } - } 
- }, - { - "id": "datafeed-pad_okta_rare_region_name_by_user_euid", - "job_id": "pad_okta_rare_region_name_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_rare_region_name_by_user_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "exists": { - "field": "client.geo.region_name" - } - }, - { - "terms": { - "okta.event_type": [ - "group.lifecycle.create", - "group.lifecycle.delete", - "group.user_membership.add", - "group.user_membership.remove", - "user.lifecycle.activate", - "user.lifecycle.deactivate", - "user.lifecycle.suspend", - "user.lifecycle.unsuspend", - "user.lifecycle.create", - "user.lifecycle.update", - "group.privilege.grant", - "group.privilege.revoke", - "group.application_assignment.add", - "group.application_assignment.remove" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*4000" } - } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl start*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl enable*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bashrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.shrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_logout" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/rc." 
+ } + } + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent", + "elasticsearch-users", + "elastic-agent.exe", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + }, + { + "terms": { + "process.command_line.text": [ + "elastic-agent", + "elasticsearch" + ] + } } - }, - { - "id": "datafeed-pad_okta_rare_host_name_by_user_euid", - "job_id": "pad_okta_rare_host_name_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_rare_host_name_by_user_euid", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "exists": { - "field": "agent.name" - } - }, - { - "terms": { - "okta.event_type": [ - "group.lifecycle.create", - "group.lifecycle.delete", - "group.user_membership.add", - "group.user_membership.remove", - "user.lifecycle.activate", - "user.lifecycle.deactivate", - "user.lifecycle.suspend", - "user.lifecycle.unsuspend", - "user.lifecycle.create", - "user.lifecycle.update", - "group.privilege.grant", - "group.privilege.revoke", - "group.application_assignment.add", - "group.application_assignment.remove" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } + ] + } + } + } + }, + { + "id": "datafeed-pad_linux_high_median_process_command_line_entropy_by_user_ea", + "job_id": "pad_linux_high_median_process_command_line_entropy_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_linux_high_median_process_command_line_entropy_by_user_ea", + "query": { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "linux", + "Linux" + ] + } + }, + { + "term": { + "event.category": "process" + } + }, + { + "terms": { + "event.type": [ + "start", + "change" + ] + } + }, + { + "bool": { + "should": [ + { + "match_phrase": { + "process.command_line.text": 
"LD_PRELOAD" + } + }, + { + "match_phrase": { + "process.command_line.text": "/etc/ld.so.preload" + } + }, + { + "match_phrase": { + "process.command_line.text": "/root/.ssh/authorized_keys" + } + }, + { + "match_phrase": { + "process.command_line.text": "timestamp_timeout=-1" + } + }, + { + "match_phrase": { + "process.command_line.text": "!tty_tickets" + } + }, + { + "match_phrase": { + "process.command_line.text": "var/spool/cron" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl daemon-reload" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw mod user" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw unlock" + } + }, + { + "match_phrase": { + "process.command_line.text": "chmod u+s" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo setcap cap_setuid" + } + }, + { + "match_phrase": { + "process.command_line.text": "su nobody" } + }, + { + "match_phrase": { + "process.command_line.text": "sudo nobody" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo */root/" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*etc/sudoers" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*visudo" + } + }, + { + "match_phrase": { + "process.command_line.text": "etc/cron.*/" + } + }, + { + "match_phrase": { + "process.command_line.text": "trap*SIGINT" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*2000" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*4000" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl start*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl enable*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bashrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.shrc" + } + }, + { 
+ "match_phrase": { + "process.command_line.text": "echo*/etc/profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_logout" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/rc." + } + } + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent", + "elasticsearch-users", + "elastic-agent.exe", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + }, + { + "terms": { + "process.command_line.text": [ + "elastic-agent", + "elasticsearch" + ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-pad_okta_spike_in_group_membership_changes_ea", + "job_id": "pad_okta_spike_in_group_membership_changes_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_group_membership_changes_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "terms": { + "okta.event_type": [ + "group.user_membership.add", + "group.user_membership.remove" + ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-pad_okta_spike_in_user_lifecycle_management_changes_ea", + "job_id": "pad_okta_spike_in_user_lifecycle_management_changes_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_user_lifecycle_management_changes_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "terms": { + "okta.event_type": [ + "user.lifecycle.activate", + "user.lifecycle.deactivate", + "user.lifecycle.suspend", + "user.lifecycle.unsuspend", + "user.lifecycle.create", + "user.lifecycle.update" + ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-pad_okta_spike_in_group_privilege_changes_ea", + "job_id": "pad_okta_spike_in_group_privilege_changes_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": 
"pad_okta_spike_in_group_privilege_changes_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "terms": { + "okta.event_type": [ + "group.privilege.grant", + "group.privilege.revoke" + ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-pad_okta_spike_in_group_application_assignment_changes_ea", + "job_id": "pad_okta_spike_in_group_application_assignment_changes_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_group_application_assignment_changes_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "terms": { + "okta.event_type": [ + "group.application_assignment.add", + "group.application_assignment.remove" + ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-pad_okta_spike_in_group_lifecycle_changes_ea", + "job_id": "pad_okta_spike_in_group_lifecycle_changes_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_group_lifecycle_changes_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "terms": { + "okta.event_type": [ + "group.lifecycle.create", + "group.lifecycle.delete" + ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-pad_okta_high_sum_concurrent_sessions_by_user_ea", + "job_id": "pad_okta_high_sum_concurrent_sessions_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_high_sum_concurrent_sessions_by_user_ea", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "user.name" + } + }, + { + "exists": { + "field": "okta_distinct_ips" + } + }, + { + "range": { + "okta_distinct_ips": { + "gte": 2 + } + } + }, + { + "range": { + "okta_distinct_countries": { + "gte": 2 } + } + }, + { + "term": { + "okta_session_info.has_end_event": 0 + } } + ] } - ] - }, - "id": "pad-ml", - "migrationVersion": { - "search": "7.16.0" - }, - "references": [], 
- "type": "ml-module" -} + } + } + }, + { + "id": "datafeed-pad_okta_rare_source_ip_by_user_ea", + "job_id": "pad_okta_rare_source_ip_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_rare_source_ip_by_user_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "exists": { + "field": "source.ip" + } + }, + { + "terms": { + "okta.event_type": [ + "group.lifecycle.create", + "group.lifecycle.delete", + "group.user_membership.add", + "group.user_membership.remove", + "user.lifecycle.activate", + "user.lifecycle.deactivate", + "user.lifecycle.suspend", + "user.lifecycle.unsuspend", + "user.lifecycle.create", + "user.lifecycle.update", + "group.privilege.grant", + "group.privilege.revoke", + "group.application_assignment.add", + "group.application_assignment.remove" + ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-pad_okta_rare_region_name_by_user_ea", + "job_id": "pad_okta_rare_region_name_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_rare_region_name_by_user_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "exists": { + "field": "client.geo.region_name" + } + }, + { + "terms": { + "okta.event_type": [ + "group.lifecycle.create", + "group.lifecycle.delete", + "group.user_membership.add", + "group.user_membership.remove", + "user.lifecycle.activate", + "user.lifecycle.deactivate", + "user.lifecycle.suspend", + "user.lifecycle.unsuspend", + "user.lifecycle.create", + "user.lifecycle.update", + "group.privilege.grant", + "group.privilege.revoke", + "group.application_assignment.add", + "group.application_assignment.remove" + ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-pad_okta_rare_host_name_by_user_ea", + "job_id": "pad_okta_rare_host_name_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": 
"pad_okta_rare_host_name_by_user_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "exists": { + "field": "agent.name" + } + }, + { + "terms": { + "okta.event_type": [ + "group.lifecycle.create", + "group.lifecycle.delete", + "group.user_membership.add", + "group.user_membership.remove", + "user.lifecycle.activate", + "user.lifecycle.deactivate", + "user.lifecycle.suspend", + "user.lifecycle.unsuspend", + "user.lifecycle.create", + "user.lifecycle.update", + "group.privilege.grant", + "group.privilege.revoke", + "group.application_assignment.add", + "group.application_assignment.remove" + ] + } + } + ] + } + } + } + } + ] + }, + "id": "pad-ml", + "migrationVersion": { + "search": "7.16.0" + }, + "references": [], + "type": "ml-module" +} \ No newline at end of file diff --git a/packages/problemchild/changelog.yml b/packages/problemchild/changelog.yml index 2d59ce9683e..559b188036c 100644 --- a/packages/problemchild/changelog.yml +++ b/packages/problemchild/changelog.yml @@ -1,7 +1,7 @@ # newer versions go on top - version: "3.0.0" changes: - - description: Introduce Entity Unique IDs (EUIDs) + - description: Introduce Entity Analytics type: enhancement link: https://github.com/elastic/integrations/pull/99999 - version: "2.4.5" diff --git a/packages/problemchild/docs/README.md b/packages/problemchild/docs/README.md index e33cbe99861..cf37066ff27 100644 --- a/packages/problemchild/docs/README.md +++ b/packages/problemchild/docs/README.md 
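Review bot: the `_ea` copy of the `pad_okta_high_sum_concurrent_sessions_by_user` datafeed changes its `exists` filter from `source.user.name` (as in the removed `_euid` version) to `user.name`; confirm that the session documents this datafeed reads actually carry `user.name`, because an `exists` filter on a field that is never populated matches nothing and the job will silently see no data. The same hunk ends the regenerated `pad-ml.json` with `\ No newline at end of file` where the removed `-}` closing line had one; please restore the trailing newline. In the `problemchild/changelog.yml` hunk, `link: https://github.com/elastic/integrations/pull/99999` is still a placeholder and needs the real PR number before merge.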
@@ -130,12 +130,12 @@ Detects potential LotL activity by identifying malicious processes. | Job | Description | |---|---| -| problem_child_rare_process_by_host_euid | Looks for a process that has been classified as malicious on a host that does not commonly manifest malicious process activity. | -| problem_child_high_sum_by_host_euid | Looks for a set of one or more malicious child processes on a single host. | -| problem_child_rare_process_by_user_euid | Looks for a process that has been classified as malicious where the user context is unusual and does not commonly manifest malicious process activity. | -| problem_child_rare_process_by_parent_euid | Looks for rare malicious child processes spawned by a parent process. | -| problem_child_high_sum_by_user_euid | Looks for a set of one or more malicious processes, started by the same user. | -| problem_child_high_sum_by_parent_euid | Looks for a set of one or more malicious child processes spawned by the same parent process. | +| problem_child_rare_process_by_host_ea | Looks for a process that has been classified as malicious on a host that does not commonly manifest malicious process activity. | +| problem_child_high_sum_by_host_ea | Looks for a set of one or more malicious child processes on a single host. | +| problem_child_rare_process_by_user_ea | Looks for a process that has been classified as malicious where the user context is unusual and does not commonly manifest malicious process activity. | +| problem_child_rare_process_by_parent_ea | Looks for rare malicious child processes spawned by a parent process. | +| problem_child_high_sum_by_user_ea | Looks for a set of one or more malicious processes, started by the same user. | +| problem_child_high_sum_by_parent_ea | Looks for a set of one or more malicious child processes spawned by the same parent process. | ## Customize ML jobs for Living off the Land Attack Detection 
@@ -156,19 +156,19 @@ To customize the datafeed query and other settings such as model memory limit, f ## v3.0.0 and beyond -v3.0.0 of the package introduces Entity Unique IDs (EUIDs) for use with Entity Analytics. This version is available on Elastic Stack version 9.4 and later. +v3.0.0 of the package introduces Entity Analytics support for Elastic Stack version 9.4, adding new fields for proper entity resolution. -- Previously installed versions of ML jobs and rules will continue to run, giving you time to transition to the new EUID-based assets. -- On installation of this version, new ML jobs and rules that utilize EUIDs will be available. +- Previously installed versions of ML jobs and rules will continue to run, giving you time to transition to the new Entity Analytics assets. +- On installation of this version, new ML jobs and rules that utilize Entity Analytics will be available. - We recommend installing the new ML jobs first and check they are properly installed, gathering data and generating anomalies before updating to the latest version of the detection rules provided in 9.4. -The new EUID ML job IDs are: -- `problem_child_rare_process_by_host_euid` -- `problem_child_high_sum_by_host_euid` -- `problem_child_rare_process_by_user_euid` -- `problem_child_rare_process_by_parent_euid` -- `problem_child_high_sum_by_user_euid` -- `problem_child_high_sum_by_parent_euid` +The new Entity Analytics ML job IDs are: +- `problem_child_rare_process_by_host_ea` +- `problem_child_high_sum_by_host_ea` +- `problem_child_rare_process_by_user_ea` +- `problem_child_rare_process_by_parent_ea` +- `problem_child_high_sum_by_user_ea` +- `problem_child_high_sum_by_parent_ea` ## v2.0.0 and beyond diff --git a/packages/problemchild/kibana/ml_module/problemchild-ml.json b/packages/problemchild/kibana/ml_module/problemchild-ml.json index 52fa27455b3..f8ccdb9afd9 100644 --- a/packages/problemchild/kibana/ml_module/problemchild-ml.json 
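Review bot: in the `## v3.0.0 and beyond` hunk the rewritten sentence narrows the supported range from "Elastic Stack version 9.4 and later" to "Elastic Stack version 9.4"; unless the package really pins to 9.4 only, keep "and later" so readers on newer stacks do not read it as unsupported. The unchanged context line "We recommend installing the new ML jobs first and check they are properly installed, gathering data and generating anomalies" should read "and checking that they are properly installed, gathering data and generating anomalies"; worth fixing while this paragraph is being touched.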
+++ b/packages/problemchild/kibana/ml_module/problemchild-ml.json 
@@ -1,645 +1,579 @@ { - "attributes": { - "id": "problemchild-ml", - "title": "Living off the Land Attack Detection", - "description": "Detects potential living off the land activity by identifying malicious processes.", - "type": "ProblemChild", - "logo": { - "icon": "machineLearningApp" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "exists": { - "field": "problemchild.prediction" - } - }, - { - "exists": { - "field": "blocklist_label" - } - } - ], - "must_not": { - "terms": { - "_tier": [ - "data_frozen", - "data_cold" - ] - } - } + "attributes": { + "id": "problemchild-ml", + "title": "Living off the Land Attack Detection", + "description": "Detects potential living off the land activity by identifying malicious processes.", + "type": "ProblemChild", + "logo": { + "icon": "machineLearningApp" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "exists": { + "field": "problemchild.prediction" + } + }, + { + "exists": { + "field": "blocklist_label" } - }, - "jobs": [ - { - "id": "problem_child_rare_process_by_host_euid", - "config": { - "groups": [ - "living_off_the_land", - "security" - ], - "description": "Looks for a process that has been classified as malicious on a host that does not commonly manifest malicious process activity.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "by_field_name": "process.name", - "detector_description": "rare process given a host", - "detector_index": 0, - "function": "rare", - "partition_field_name": "host.name" - } - ], - "influencers": [ - "process.name", - "host.entity.id_computed", - "host.name", - "user.entity.id_computed", - "user.name", - "process.command_line" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-problem-child" - } + } + ], + "must_not": { + "terms": { + "_tier": [ + "data_frozen", + "data_cold" + ] + } + } + } + }, + "jobs": [ + 
{ + "id": "problem_child_rare_process_by_host_ea", + "config": { + "groups": [ + "living_off_the_land", + "security" + ], + "description": "Looks for a process that has been classified as malicious on a host that does not commonly manifest malicious process activity.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "by_field_name": "process.name", + "detector_description": "rare process given a host", + "detector_index": 0, + "function": "rare", + "partition_field_name": "host.name" + } + ], + "influencers": [ + "process.name", + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "process.command_line" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-problem-child" + } + } + }, + { + "id": "problem_child_high_sum_by_host_ea", + "config": { + "groups": [ + "living_off_the_land", + "security" + ], + "description": "Looks for hosts with one or more potentially malicious child processes.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "by_field_name": "host.name", + "detector_description": "high sum of model hits by host", + "detector_index": 0, + "field_name": "problemchild.prediction_probability", + "function": "high_sum" + }, + { + "by_field_name": "host.name", + "detector_description": "high sum of blocklist hits by host", + "detector_index": 0, + "field_name": "blocklist_label", + "function": "high_sum" + } + ], + "influencers": [ + "process.name", + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "process.command_line" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-problem-child" + } + } + }, + { + "id": "problem_child_rare_process_by_user_ea", + "config": { + "groups": [ + "living_off_the_land", + "security" + ], + "description": "Looks for a process that has been classified 
as malicious where the user context is unusual and does not commonly manifest malicious process activity.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "by_field_name": "process.name", + "detector_description": "rare process given a user", + "detector_index": 0, + "function": "rare", + "partition_field_name": "user.name" + } + ], + "influencers": [ + "process.name", + "user.name", + "event.module", + "user.id", + "host.name", + "host.id", + "process.command_line" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-problem-child" + } + } + }, + { + "id": "problem_child_rare_process_by_parent_ea", + "config": { + "groups": [ + "living_off_the_land", + "security" + ], + "description": "Looks for rare malicious child processes spawned by a parent process.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "by_field_name": "process.name", + "detector_description": "rare process given a parent process", + "detector_index": 0, + "function": "rare", + "partition_field_name": "process.parent.name" + } + ], + "influencers": [ + "process.name", + "process.parent.name", + "process.command_line", + "host.name", + "host.id", + "user.name", + "event.module", + "user.id" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-problem-child" + } + } + }, + { + "id": "problem_child_high_sum_by_user_ea", + "config": { + "groups": [ + "living_off_the_land", + "security" + ], + "description": "Looks for users with one or more potentially malicious child processes.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "by_field_name": "user.name", + "detector_description": "high sum of model hits by user", + "detector_index": 0, + "field_name": "problemchild.prediction_probability", + "function": "high_sum" + }, + { + "by_field_name": 
"user.name", + "detector_description": "high sum of blocklist hits by user", + "detector_index": 0, + "field_name": "blocklist_label", + "function": "high_sum" + } + ], + "influencers": [ + "process.name", + "user.name", + "event.module", + "user.id", + "host.name", + "host.id", + "process.command_line" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-problem-child" + } + } + }, + { + "id": "problem_child_high_sum_by_parent_ea", + "config": { + "groups": [ + "living_off_the_land", + "security" + ], + "description": "Looks for parent process names with one or more potentially malicious child processes.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "by_field_name": "process.parent.name", + "detector_description": "high sum of model hits by parent process", + "detector_index": 0, + "field_name": "problemchild.prediction_probability", + "function": "high_sum" + }, + { + "by_field_name": "process.parent.name", + "detector_description": "high sum of blocklist hits by parent process", + "detector_index": 0, + "field_name": "blocklist_label", + "function": "high_sum" + } + ], + "influencers": [ + "process.name", + "process.parent.name", + "process.command_line", + "host.name", + "host.id", + "user.name", + "event.module", + "user.id" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-problem-child" + } + } + } + ], + "datafeeds": [ + { + "id": "datafeed-problem_child_rare_process_by_host_ea", + "job_id": "problem_child_rare_process_by_host_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "problem_child_rare_process_by_host_ea", + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match": { + "problemchild.prediction": 1 + } + }, + { + "match": { + "blocklist_label": 1 + } } - }, - { - "id": 
"problem_child_high_sum_by_host_euid", - "config": { - "groups": [ - "living_off_the_land", - "security" - ], - "description": "Looks for hosts with one or more potentially malicious child processes.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "by_field_name": "host.name", - "detector_description": "high sum of model hits by host", - "detector_index": 0, - "field_name": "problemchild.prediction_probability", - "function": "high_sum" - }, - { - "by_field_name": "host.name", - "detector_description": "high sum of blocklist hits by host", - "detector_index": 0, - "field_name": "blocklist_label", - "function": "high_sum" - } - ], - "influencers": [ - "process.name", - "host.entity.id_computed", - "host.name", - "user.entity.id_computed", - "user.name", - "process.command_line" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-problem-child" - } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "elastic-endpoint.exe", + "elastic-endpoint", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } } - }, - { - "id": "problem_child_rare_process_by_user_euid", - "config": { - "groups": [ - "living_off_the_land", - "security" - ], - "description": "Looks for a process that has been classified as malicious where the user context is unusual and does not commonly manifest malicious process activity.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "by_field_name": "process.name", - "detector_description": "rare process given a user", - "detector_index": 0, - "function": "rare", - "partition_field_name": "user.name" - } - ], - "influencers": [ - "process.name", - "user.entity.id_computed", - "user.name", - "host.entity.id_computed", - "host.name", - "process.command_line" - ] - }, - 
"data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-problem-child" - } + ] + } + } + } + }, + { + "id": "datafeed-problem_child_high_sum_by_host_ea", + "job_id": "problem_child_high_sum_by_host_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "problem_child_high_sum_by_host_ea", + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match": { + "problemchild.prediction": 1 + } + }, + { + "match": { + "blocklist_label": 1 + } } - }, - { - "id": "problem_child_rare_process_by_parent_euid", - "config": { - "groups": [ - "living_off_the_land", - "security" - ], - "description": "Looks for rare malicious child processes spawned by a parent process.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "by_field_name": "process.name", - "detector_description": "rare process given a parent process", - "detector_index": 0, - "function": "rare", - "partition_field_name": "process.parent.name" - } - ], - "influencers": [ - "process.name", - "process.parent.name", - "process.command_line", - "host.entity.id_computed", - "host.name", - "user.entity.id_computed", - "user.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-problem-child" - } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "elastic-endpoint.exe", + "elastic-endpoint", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } } - }, - { - "id": "problem_child_high_sum_by_user_euid", - "config": { - "groups": [ - "living_off_the_land", - "security" - ], - "description": "Looks for users with one or more potentially malicious child processes.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "by_field_name": 
"user.name", - "detector_description": "high sum of model hits by user", - "detector_index": 0, - "field_name": "problemchild.prediction_probability", - "function": "high_sum" - }, - { - "by_field_name": "user.name", - "detector_description": "high sum of blocklist hits by user", - "detector_index": 0, - "field_name": "blocklist_label", - "function": "high_sum" - } - ], - "influencers": [ - "process.name", - "user.entity.id_computed", - "user.name", - "host.entity.id_computed", - "host.name", - "process.command_line" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-problem-child" - } + ] + } + } + } + }, + { + "id": "datafeed-problem_child_rare_process_by_user_ea", + "job_id": "problem_child_rare_process_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "problem_child_rare_process_by_user_ea", + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match": { + "problemchild.prediction": 1 + } + }, + { + "match": { + "blocklist_label": 1 + } } - }, - { - "id": "problem_child_high_sum_by_parent_euid", - "config": { - "groups": [ - "living_off_the_land", - "security" - ], - "description": "Looks for parent process names with one or more potentially malicious child processes.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "by_field_name": "process.parent.name", - "detector_description": "high sum of model hits by parent process", - "detector_index": 0, - "field_name": "problemchild.prediction_probability", - "function": "high_sum" - }, - { - "by_field_name": "process.parent.name", - "detector_description": "high sum of blocklist hits by parent process", - "detector_index": 0, - "field_name": "blocklist_label", - "function": "high_sum" - } - ], - "influencers": [ - "process.name", - "process.parent.name", - "process.command_line", - "host.entity.id_computed", - "host.name", - 
"user.entity.id_computed", - "user.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-problem-child" - } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "elastic-endpoint.exe", + "elastic-endpoint", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } } + ] } - ], - "datafeeds": [ - { - "id": "datafeed-problem_child_rare_process_by_host_euid", - "job_id": "problem_child_rare_process_by_host_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "problem_child_rare_process_by_host_euid", - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match": { - "problemchild.prediction": 1 - } - }, - { - "match": { - "blocklist_label": 1 - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "elastic-endpoint.exe", - "elastic-endpoint", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } - } - } + } + } + }, + { + "id": "datafeed-problem_child_rare_process_by_parent_ea", + "job_id": "problem_child_rare_process_by_parent_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "problem_child_rare_process_by_parent_ea", + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match": { + "problemchild.prediction": 1 + } + }, + { + "match": { + "blocklist_label": 1 + } } - }, - { - "id": "datafeed-problem_child_high_sum_by_host_euid", - "job_id": "problem_child_high_sum_by_host_euid", - "config": { - "indices": [ - 
"INDEX_PATTERN_NAME" - ], - "job_id": "problem_child_high_sum_by_host_euid", - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match": { - "problemchild.prediction": 1 - } - }, - { - "match": { - "blocklist_label": 1 - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "elastic-endpoint.exe", - "elastic-endpoint", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } - } - } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "elastic-endpoint.exe", + "elastic-endpoint", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } } - }, - { - "id": "datafeed-problem_child_rare_process_by_user_euid", - "job_id": "problem_child_rare_process_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "problem_child_rare_process_by_user_euid", - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match": { - "problemchild.prediction": 1 - } - }, - { - "match": { - "blocklist_label": 1 - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "elastic-endpoint.exe", - "elastic-endpoint", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } - } - } + ] + } + } + } + }, + { + "id": 
"datafeed-problem_child_high_sum_by_user_ea", + "job_id": "problem_child_high_sum_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "problem_child_high_sum_by_user_ea", + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match": { + "problemchild.prediction": 1 + } + }, + { + "match": { + "blocklist_label": 1 + } } - }, - { - "id": "datafeed-problem_child_rare_process_by_parent_euid", - "job_id": "problem_child_rare_process_by_parent_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "problem_child_rare_process_by_parent_euid", - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match": { - "problemchild.prediction": 1 - } - }, - { - "match": { - "blocklist_label": 1 - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "elastic-endpoint.exe", - "elastic-endpoint", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } - } - } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "elastic-endpoint.exe", + "elastic-endpoint", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } } - }, - { - "id": "datafeed-problem_child_high_sum_by_user_euid", - "job_id": "problem_child_high_sum_by_user_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "problem_child_high_sum_by_user_euid", - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match": { - "problemchild.prediction": 1 - } - }, - { - "match": { - "blocklist_label": 1 - } - } - ], - "must_not": [ 
- { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "elastic-endpoint.exe", - "elastic-endpoint", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } - } - } + ] + } + } + } + }, + { + "id": "datafeed-problem_child_high_sum_by_parent_ea", + "job_id": "problem_child_high_sum_by_parent_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "problem_child_high_sum_by_parent_ea", + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match": { + "problemchild.prediction": 1 + } + }, + { + "match": { + "blocklist_label": 1 + } } - }, - { - "id": "datafeed-problem_child_high_sum_by_parent_euid", - "job_id": "problem_child_high_sum_by_parent_euid", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "problem_child_high_sum_by_parent_euid", - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match": { - "problemchild.prediction": 1 - } - }, - { - "match": { - "blocklist_label": 1 - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "elastic-endpoint.exe", - "elastic-endpoint", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - }, - "script_fields": { - "user.entity.id_computed": { - "script": { - "id": "euid_user_entity" - } - }, - "host.entity.id_computed": { - "script": { - "id": "euid_host_entity" - } - } - } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "elastic-endpoint.exe", + "elastic-endpoint", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + 
"filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } } + ] } - ] - }, - "id": "problemchild-ml", - "migrationVersion": { - "search": "7.16.0" - }, - "references": [], - "type": "ml-module" -} + } + } + } + ] + }, + "id": "problemchild-ml", + "migrationVersion": { + "search": "7.16.0" + }, + "references": [], + "type": "ml-module" +} \ No newline at end of file From b1d11befd409c91ddddedfde5508570c0b70f4a3 Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Mon, 9 Mar 2026 15:07:49 -0500 Subject: [PATCH 10/44] roll back minumum stack version changes --- packages/ded/manifest.yml | 2 +- packages/dga/manifest.yml | 2 +- packages/hta/manifest.yml | 2 +- packages/lmd/manifest.yml | 2 +- packages/pad/manifest.yml | 2 +- packages/problemchild/manifest.yml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/packages/ded/manifest.yml b/packages/ded/manifest.yml index eb740a5c3ff..03176f9709f 100644 --- a/packages/ded/manifest.yml +++ b/packages/ded/manifest.yml @@ -12,7 +12,7 @@ categories: - advanced_analytics_ueba conditions: kibana: - version: "^9.4.0" + version: "^8.10.1 || ^9.0.0" elastic: subscription: platinum capabilities: diff --git a/packages/dga/manifest.yml b/packages/dga/manifest.yml index 2825f46caff..91d7bb95b70 100644 --- a/packages/dga/manifest.yml +++ b/packages/dga/manifest.yml @@ -12,7 +12,7 @@ categories: - advanced_analytics_ueba conditions: kibana: - version: "^9.4.0" + version: "^8.9.0 || ^9.0.0" elastic: subscription: platinum screenshots: diff --git a/packages/hta/manifest.yml b/packages/hta/manifest.yml index ef32d368994..3d3d735d062 100644 --- a/packages/hta/manifest.yml +++ b/packages/hta/manifest.yml @@ -10,7 +10,7 @@ categories: - security conditions: kibana: - version: "^9.4.0" + version: "^8.18.0 || ^9.0.0" elastic: subscription: platinum capabilities: 
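Review bot: the new `datafeed-problem_child_*_ea` datafeeds drop the `script_fields` block that the removed `_euid` datafeeds used to derive `user.entity.id_computed` and `host.entity.id_computed` from the stored scripts `euid_user_entity` and `euid_host_entity`, while the removed `_euid` jobs listed both computed fields as influencers. Please confirm that the `_ea` job definitions no longer reference `*.entity.id_computed` anywhere (a job whose influencer or by-field is never supplied by its datafeed will simply never see that field and produce no results for it) and that the stored scripts are removed or documented as no longer needed. The rename from `problem_child_*_euid` to `problem_child_*_ea` also changes every job and datafeed ID, so users who already installed the `_euid` jobs will end up with both sets side by side after upgrading; the package README or changelog should say that the old `_euid` jobs and datafeeds must be stopped and deleted manually. Minor: the module file now ends without a trailing newline (`\ No newline at end of file`); add one so later diffs stay clean.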
diff --git a/packages/lmd/manifest.yml b/packages/lmd/manifest.yml index 4a4eab02480..3884ecf6b27 100644 --- a/packages/lmd/manifest.yml +++ b/packages/lmd/manifest.yml @@ -11,7 +11,7 @@ categories: - advanced_analytics_ueba conditions: kibana: - version: "^9.4.0" + version: "^8.9.0 || ^9.0.0" elastic: subscription: platinum capabilities: diff --git a/packages/pad/manifest.yml b/packages/pad/manifest.yml index 156ff2404bf..4ac6c16c40b 100644 --- a/packages/pad/manifest.yml +++ b/packages/pad/manifest.yml @@ -11,7 +11,7 @@ categories: - advanced_analytics_ueba conditions: kibana: - version: "^9.4.0" + version: "^8.18.0 || ^9.0.0" elastic: subscription: platinum capabilities: diff --git a/packages/problemchild/manifest.yml b/packages/problemchild/manifest.yml index 28e9995a702..9b0b3785c0c 100644 --- a/packages/problemchild/manifest.yml +++ b/packages/problemchild/manifest.yml @@ -11,7 +11,7 @@ categories: - advanced_analytics_ueba conditions: kibana: - version: "^9.4.0" + version: "^8.9.0 || ^9.0.0" elastic: subscription: platinum capabilities: From c1a9f4f5846343d8ea3d514e24b0f478a16a5c83 Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Tue, 10 Mar 2026 10:15:40 -0500 Subject: [PATCH 11/44] update hta --- packages/hta/changelog.yml | 5 + ...-c3773b23-471c-4168-bb02-90489161ce51.json | 122 ++++++++++++++++++ packages/hta/manifest.yml | 4 +- 3 files changed, 129 insertions(+), 2 deletions(-) create mode 100644 packages/hta/kibana/dashboard/hta-ea-c3773b23-471c-4168-bb02-90489161ce51.json diff --git a/packages/hta/changelog.yml b/packages/hta/changelog.yml index f88b08e73d9..a959d2fd7d5 100644 --- a/packages/hta/changelog.yml +++ b/packages/hta/changelog.yml @@ -1,3 +1,8 @@ +- version: "3.0.0" + changes: + - description: Introduce Entity Analytics + type: enhancement + link: https://github.com/elastic/integrations/pull/99999 - version: "2.0.0" changes: - description: Introduce Entity Analytics 
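Review bot: the new `3.0.0` changelog entry for hta points at a placeholder link (`https://github.com/elastic/integrations/pull/99999`) and reuses the `2.0.0` description verbatim ("Introduce Entity Analytics"), so a reader cannot tell what changed between 2.0.0 and 3.0.0; replace the link with the real PR and describe the actual change (the dashboard hunk that follows adds an `hta-ea-*` dashboard, so something like "Add Entity Analytics host traffic anomaly dashboard" would fit). On the manifest hunks just above: rolling `kibana.version` back from `^9.4.0` to `^8.9.0 || ^9.0.0`, `^8.10.1 || ^9.0.0` and `^8.18.0 || ^9.0.0` re-opens installation on 8.x, yet the same series moves the ML modules to `_ea` jobs and adds `_ea` dashboards; state in the PR which 8.x minor actually supports those assets, otherwise the constraint advertises compatibility the packages may not have. Nit: the commit subject spells "minimum" as "minumum".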
diff --git a/packages/hta/kibana/dashboard/hta-ea-c3773b23-471c-4168-bb02-90489161ce51.json b/packages/hta/kibana/dashboard/hta-ea-c3773b23-471c-4168-bb02-90489161ce51.json new file mode 100644 index 00000000000..3ff74c250a6 --- /dev/null +++ b/packages/hta/kibana/dashboard/hta-ea-c3773b23-471c-4168-bb02-90489161ce51.json 
@@ -0,0 +1,122 @@ +{ + "id": "hta-ea-c3773b23-471c-4168-bb02-90489161ce51", + "type": "dashboard", + "coreMigrationVersion": "8.8.0", + "migrationVersion": { + "dashboard": "8.9.0" + }, + "attributes": { + "version": 1, + "controlGroupInput": { + "controlStyle": "oneLine", + "chainingSystem": "HIERARCHICAL", + "panelsJSON": "{\"9c3b118a-6b55-43c2-8f8a-7905debfeaf1\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":false,\"width\":\"medium\",\"explicitInput\":{\"id\":\"9c3b118a-6b55-43c2-8f8a-7905debfeaf1\",\"fieldName\":\"host.name\",\"title\":\"host.name\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{},\"existsSelected\":true,\"selectedOptions\":[]}},\"62d77b7e-89ca-4cd9-8528-8102395c7beb\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":false,\"width\":\"medium\",\"explicitInput\":{\"id\":\"62d77b7e-89ca-4cd9-8528-8102395c7beb\",\"fieldName\":\"event.dataset\",\"title\":\"event.dataset\",\"grow\":false,\"width\":\"medium\",\"enhancements\":{}}}}", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}" + }, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "description": "This dashboard helps detect and understand traffic anomalies from hosts, such as sudden spikes or drops, which may indicate threats or system issues.", + "timeRestore": false, + "optionsJSON": "{\"useMargins\":true,\"syncColors\":true,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}", + "panelsJSON": "[{\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":15,\"h\":20,\"i\":\"2189938b-ac38-4a01-85a2-d05ef370375f\"},\"panelIndex\":\"2189938b-ac38-4a01-85a2-d05ef370375f\",\"embeddableConfig\":{\"savedVis\":{\"id\":\"\",\"title\":\"\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"### Description\\nThis dashboard helps detect and 
understand traffic anomalies from hosts, such as sudden spikes or drops, which may indicate threats or system issues.\\n\\n### Instructions\\nEnable the following jobs in order to detect host traffic anomalies:\\n- high_count_events_for_a_host_name_ea\\n- low_count_events_for_a_host_name_ea\\n\\n### How to enable jobs\\nGo to **Machine Learning** **->** Under Anomaly Detection, select **Jobs** **->** Click **Create anomaly detection job** button **->** Select your data view (ex: \\\"logs-*\\\") **->** Select **Security: Host** **->** Click **Create jobs**\\n\\n[Documentation link \ud83d\udd17](https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html#security-host)\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"enhancements\":{},\"hidePanelTitles\":true},\"title\":\"Description\"},{\"type\":\"lens\",\"gridData\":{\"x\":15,\"y\":0,\"w\":10,\"h\":7,\"i\":\"d5406e02-23be-4706-b754-6c98322988f0\"},\"panelIndex\":\"d5406e02-23be-4706-b754-6c98322988f0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0878cf0f-9248-4259-9fde-be7d100dd7da\"}],\"state\":{\"visualization\":{\"layerId\":\"0878cf0f-9248-4259-9fde-be7d100dd7da\",\"layerType\":\"data\",\"metricAccessor\":\"0c941069-ccc2-461e-8a74-3e635d691757\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"0878cf0f-9248-4259-9fde-be7d100dd7da\":{\"columns\":{\"0c941069-ccc2-461e-8a74-3e635d691757X0\":{\"label\":\"Part of Total Hosts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"filter\":{\"query\":\"event.category:* AND host.name:* AND event.dataset:* AND event.outcome: 
\\\"success\\\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"0c941069-ccc2-461e-8a74-3e635d691757\":{\"label\":\"Total Hosts\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"unique_count(host.name)\",\"isFormulaBroken\":false},\"references\":[\"0c941069-ccc2-461e-8a74-3e635d691757X0\"],\"filter\":{\"query\":\"event.category:* AND host.name:* AND event.dataset:* AND event.outcome: \\\"success\\\"\",\"language\":\"kuery\"},\"customLabel\":true}},\"columnOrder\":[\"0c941069-ccc2-461e-8a74-3e635d691757\",\"0c941069-ccc2-461e-8a74-3e635d691757X0\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\"logs-*\"}},\"currentIndexPatternId\":\"logs-*\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"lens\",\"gridData\":{\"x\":25,\"y\":0,\"w\":12,\"h\":7,\"i\":\"095364c8-b16f-4a65-bc20-7e3d6434a7c5\"},\"panelIndex\":\"095364c8-b16f-4a65-bc20-7e3d6434a7c5\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-f4e80a32-b042-4b35-a6f1-e63ca1f73810\"}],\"state\":{\"visualization\":{\"layerId\":\"f4e80a32-b042-4b35-a6f1-e63ca1f73810\",\"layerType\":\"data\",\"metricAccessor\":\"a3bbfd29-c023-41ce-8ebe-14fb165e36cc\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"f4e80a32-b042-4b35-a6f1-e63ca1f73810\":{\"columns\":{\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX0\":{\"label\":\"Part of Average traffic data\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"event.category:* AND host.name:* AND 
event.dataset:* AND event.outcome: \\\"success\\\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX1\":{\"label\":\"Part of Average traffic data\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"filter\":{\"query\":\"event.category:* AND host.name:* AND event.dataset:* AND event.outcome: \\\"success\\\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX2\":{\"label\":\"Part of Average traffic data\",\"dataType\":\"number\",\"operationType\":\"math\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"tinymathAst\":{\"type\":\"function\",\"name\":\"divide\",\"args\":[{\"type\":\"function\",\"name\":\"divide\",\"args\":[\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX0\",\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX1\"],\"location\":{\"min\":1,\"max\":32},\"text\":\"count()/unique_count(host.name)\"},1000000],\"location\":{\"min\":0,\"max\":41},\"text\":\"(count()/unique_count(host.name))/1000000\"}},\"references\":[\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX0\",\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX1\"],\"customLabel\":true},\"a3bbfd29-c023-41ce-8ebe-14fb165e36cc\":{\"label\":\"Average traffic data\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"(count()/unique_count(host.name))/1000000\",\"isFormulaBroken\":false,\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2,\"suffix\":\"mbps\"}}},\"references\":[\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX2\"],\"filter\":{\"query\":\"event.category:* AND host.name:* AND event.dataset:* AND event.outcome: 
\\\"success\\\"\",\"language\":\"kuery\"},\"customLabel\":true}},\"columnOrder\":[\"a3bbfd29-c023-41ce-8ebe-14fb165e36cc\",\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX0\",\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX1\",\"a3bbfd29-c023-41ce-8ebe-14fb165e36ccX2\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\"logs-*\"}},\"currentIndexPatternId\":\"logs-*\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"lens\",\"gridData\":{\"x\":37,\"y\":0,\"w\":11,\"h\":7,\"i\":\"17cbd05f-fe7c-409e-97ae-780476124c04\"},\"panelIndex\":\"17cbd05f-fe7c-409e-97ae-780476124c04\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-5c67ed52-f853-4732-bdc0-8f6f26cff79d\"}],\"state\":{\"visualization\":{\"layerId\":\"5c67ed52-f853-4732-bdc0-8f6f26cff79d\",\"layerType\":\"data\",\"metricAccessor\":\"fb2439f6-2fdf-4d84-98c1-74d38902671c\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"5c67ed52-f853-4732-bdc0-8f6f26cff79d\":{\"columns\":{\"fb2439f6-2fdf-4d84-98c1-74d38902671c\":{\"label\":\"Hosts with unusual traffic\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true,\"filter\":{\"query\":\"job_id : (\\\"high_count_events_for_a_host_name_ea\\\" or \\\"low_count_events_for_a_host_name_ea\\\" ) and result_type :\\\"record\\\" 
\",\"language\":\"kuery\"}}},\"columnOrder\":[\"fb2439f6-2fdf-4d84-98c1-74d38902671c\"],\"incompleteColumns\":{}}}},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":true}},{\"type\":\"lens\",\"gridData\":{\"x\":15,\"y\":7,\"w\":10,\"h\":13,\"i\":\"d7840b4a-1b5d-444c-86b8-eebf0434709a\"},\"panelIndex\":\"d7840b4a-1b5d-444c-86b8-eebf0434709a\",\"embeddableConfig\":{\"hidePanelTitles\":true,\"enhancements\":{},\"attributes\":{\"title\":\"Total anomalies detected\",\"visualizationType\":\"lnsMetric\",\"state\":{\"visualization\":{\"layerId\":\"6dc48429-d618-4e6a-a307-9944d2ee13b7\",\"layerType\":\"data\",\"metricAccessor\":\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\",\"color\":\"#AA6556\",\"icon\":\"sortUp\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"6dc48429-d618-4e6a-a307-9944d2ee13b7\":{\"columns\":{\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\":{\"label\":\"Total anomalies detected\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":false},\"filter\":{\"query\":\"job_id : (\\\"high_count_events_for_a_host_name_ea\\\" or \\\"low_count_events_for_a_host_name_ea\\\" ) and result_type : 
\\\"record\\\"\",\"language\":\"kuery\"},\"customLabel\":true}},\"columnOrder\":[\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}},\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-6dc48429-d618-4e6a-a307-9944d2ee13b7\"}],\"type\":\"lens\",\"savedObjectId\":\"fca78426-ea3d-4902-b761-2928d23a1191\"}}},{\"type\":\"lens\",\"gridData\":{\"x\":37,\"y\":7,\"w\":11,\"h\":13,\"i\":\"ff1b9e2c-5eda-4562-988c-081ed5cf6e73\"},\"panelIndex\":\"ff1b9e2c-5eda-4562-988c-081ed5cf6e73\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-6dc48429-d618-4e6a-a307-9944d2ee13b7\"}],\"state\":{\"visualization\":{\"layerId\":\"6dc48429-d618-4e6a-a307-9944d2ee13b7\",\"layerType\":\"data\",\"metricAccessor\":\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\",\"breakdownByAccessor\":\"ef522b68-f45e-43dd-9db4-aaccfc594e35\",\"maxCols\":1,\"color\":\"#6092C0\",\"icon\":\"sortDown\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"6dc48429-d618-4e6a-a307-9944d2ee13b7\":{\"columns\":{\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"filter\":{\"query\":\"job_id : ( \\\"low_count_events_for_a_host_name_ea\\\" ) and result_type :\\\"record\\\" 
\",\"language\":\"kuery\"}},\"ef522b68-f45e-43dd-9db4-aaccfc594e35\":{\"label\":\"Filters\",\"dataType\":\"string\",\"operationType\":\"filters\",\"scale\":\"ordinal\",\"isBucketed\":true,\"params\":{\"filters\":[{\"label\":\"Low Traffic Anomalies\",\"input\":{\"query\":\"\\\"job_id\\\" : \\\"low_count_events_for_a_host_name_ea\\\" \",\"language\":\"kuery\"}}]}}},\"columnOrder\":[\"ef522b68-f45e-43dd-9db4-aaccfc594e35\",\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"lens\",\"gridData\":{\"x\":25,\"y\":7,\"w\":12,\"h\":13,\"i\":\"1a35a792-12de-4450-a129-ace659dabd01\"},\"panelIndex\":\"1a35a792-12de-4450-a129-ace659dabd01\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-6dc48429-d618-4e6a-a307-9944d2ee13b7\"}],\"state\":{\"visualization\":{\"layerId\":\"6dc48429-d618-4e6a-a307-9944d2ee13b7\",\"layerType\":\"data\",\"metricAccessor\":\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\",\"color\":\"#E7664C\",\"icon\":\"sortUp\",\"breakdownByAccessor\":\"25a19bc8-91e1-4861-92ff-9e18f1432d3f\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"6dc48429-d618-4e6a-a307-9944d2ee13b7\":{\"columns\":{\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":false},\"filter\":{\"query\":\"job_id : \\\"high_count_events_for_a_host_name_ea\\\" and result_type : \\\"record\\\" 
\",\"language\":\"kuery\"}},\"25a19bc8-91e1-4861-92ff-9e18f1432d3f\":{\"label\":\"Filters\",\"dataType\":\"string\",\"operationType\":\"filters\",\"scale\":\"ordinal\",\"isBucketed\":true,\"params\":{\"filters\":[{\"input\":{\"query\":\"job_id : (\\\"high_count_events_for_a_host_name_ea\\\" )\",\"language\":\"kuery\"},\"label\":\"High Traffic Anomalies\"}]}}},\"columnOrder\":[\"25a19bc8-91e1-4861-92ff-9e18f1432d3f\",\"3dfe28e1-c83f-44e3-9de2-e264a5ce2388\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}}},{\"type\":\"ml_anomaly_swimlane\",\"gridData\":{\"x\":0,\"y\":20,\"w\":48,\"h\":17,\"i\":\"2459f8bb-d57f-49ec-b472-aa1328baebd8\"},\"panelIndex\":\"2459f8bb-d57f-49ec-b472-aa1328baebd8\",\"embeddableConfig\":{\"jobIds\":[\"low_count_events_for_a_host_name_ea\",\"high_count_events_for_a_host_name_ea\"],\"panelTitle\":\"Anomalies detected per host\",\"swimlaneType\":\"viewBy\",\"viewBy\":\"host.name\",\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Hosts with unusual traffic 
patterns\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":37,\"w\":24,\"h\":15,\"i\":\"6ca0394b-fa7b-4efe-b17d-e0823e8087b3\"},\"panelIndex\":\"6ca0394b-fa7b-4efe-b17d-e0823e8087b3\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-914f81de-6cbc-4863-9e44-b69d323d41d2\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":false,\"position\":\"bottom\",\"isInside\":false,\"showSingleSeries\":false},\"valueLabels\":\"show\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal_stacked\",\"layers\":[{\"layerId\":\"914f81de-6cbc-4863-9e44-b69d323d41d2\",\"accessors\":[\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\"],\"position\":\"top\",\"seriesType\":\"bar_horizontal_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"splitAccessor\":\"f6970021-0d2e-4c33-9a26-9e15030a157a\",\"xAccessor\":\"e7bc81ec-8882-4d97-816e-053c19412845\",\"palette\":{\"type\":\"palette\",\"name\":\"complimentary\"}}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"914f81de-6cbc-4863-9e44-b69d323d41d2\":{\"columns\":{\"f6970021-0d2e-4c33-9a26-9e15030a157a\":{\"label\":\"Filters\",\"dataType\":\"string\",\"operationType\":\"filters\",\"scale\":\"ordinal\",\"isBucketed\":true,\"params\":{\"filters\":[{\"label\":\"\",\"input\":{\"query\":\"job_id : \\\"low_count_events_for_a_host_name_ea\\\" and result_type : \\\"record\\\" \",\"language\":\"kuery\"}}]}},\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"e7bc81ec-8882-4d97-816e-053c19412845\":{\"label\":\"Top 5 values of host.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"f6970021-0d2e-4c33-9a26-9e15030a157a\",\"e7bc81ec-8882-4d97-816e-053c19412845\",\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 5 low traffic 
hosts\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":37,\"w\":24,\"h\":15,\"i\":\"271e0000-4a5f-44fc-a346-f18b7642affb\"},\"panelIndex\":\"271e0000-4a5f-44fc-a346-f18b7642affb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-914f81de-6cbc-4863-9e44-b69d323d41d2\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":false,\"position\":\"bottom\",\"shouldTruncate\":true,\"showSingleSeries\":false},\"valueLabels\":\"show\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal_stacked\",\"layers\":[{\"layerId\":\"914f81de-6cbc-4863-9e44-b69d323d41d2\",\"accessors\":[\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\"],\"position\":\"top\",\"seriesType\":\"bar_horizontal_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"splitAccessor\":\"f6970021-0d2e-4c33-9a26-9e15030a157a\",\"xAccessor\":\"e7bc81ec-8882-4d97-816e-053c19412845\",\"palette\":{\"type\":\"palette\",\"name\":\"warm\"}}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"914f81de-6cbc-4863-9e44-b69d323d41d2\":{\"columns\":{\"f6970021-0d2e-4c33-9a26-9e15030a157a\":{\"label\":\"Filters\",\"dataType\":\"string\",\"operationType\":\"filters\",\"scale\":\"ordinal\",\"isBucketed\":true,\"params\":{\"filters\":[{\"label\":\"\",\"input\":{\"query\":\"job_id : \\\"high_count_events_for_a_host_name_ea\\\" and result_type : \\\"record\\\" \",\"language\":\"kuery\"}}]}},\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"e7bc81ec-8882-4d97-816e-053c19412845\":{\"label\":\"Top 5 values of host.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"f6970021-0d2e-4c33-9a26-9e15030a157a\",\"e7bc81ec-8882-4d97-816e-053c19412845\",\"4c5ed909-3d84-4ce1-a4ea-5faec188c3ca\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 5 high traffic 
hosts\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":52,\"w\":48,\"h\":16,\"i\":\"a4b62995-53a2-4172-baa7-dd1bd915ac7d\"},\"panelIndex\":\"a4b62995-53a2-4172-baa7-dd1bd915ac7d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-d437f4ff-74ee-4331-801b-be6e5c990de0\"},{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-230b3abd-6bbd-4a50-8e51-14524532ad06\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"Linear\",\"curveType\":\"CURVE_MONOTONE_X\",\"showCurrentTimeMarker\":false,\"valuesInLegend\":true,\"yLeftScale\":\"sqrt\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"d437f4ff-74ee-4331-801b-be6e5c990de0\",\"accessors\":[\"e984c84e-806f-46a4-8ab1-0b0aa4a23fd6\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"05c80e04-0870-4876-a665-b4844ed36eb1\",\"splitAccessor\":\"206e9fca-0d44-41c6-9451-c7ed6d532d67\"},{\"layerId\":\"230b3abd-6bbd-4a50-8e51-14524532ad06\",\"layerType\":\"data\",\"accessors\":[\"34af8905-9648-4963-8c6e-f36fa638a8e1\"],\"seriesType\":\"line\",\"xAccessor\":\"3a80d472-891e-4958-a27c-822d5d561b64\",\"yConfig\":[{\"forAccessor\":\"34af8905-9648-4963-8c6e-f36fa638a8e1\",\"color\":\"#e7664c\"}],\"splitAccessor\":\"6d21d26b-7857-408f-917a-51dc7468fe9d\"}],\"endValue\":\"Zero\"},\"query\":{\"query\":\"job_id: (\\\"high_count_events_for_a_host_name_ea\\\" ) and host.name : * and result_type : 
\\\"record\\\" \",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"result_type\",\"params\":{\"query\":\"influencer\"},\"index\":\"1acb5707-28a3-4440-800c-70da0d87725f\"},\"query\":{\"match_phrase\":{\"result_type\":\"influencer\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d437f4ff-74ee-4331-801b-be6e5c990de0\":{\"columns\":{\"05c80e04-0870-4876-a665-b4844ed36eb1\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":false,\"dropPartials\":true}},\"e984c84e-806f-46a4-8ab1-0b0aa4a23fd6\":{\"label\":\"Average of actual\",\"dataType\":\"number\",\"operationType\":\"average\",\"sourceField\":\"actual\",\"isBucketed\":false,\"scale\":\"ratio\",\"filter\":{\"query\":\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true}},\"206e9fca-0d44-41c6-9451-c7ed6d532d67\":{\"label\":\"Top 300 values of 
host.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":300,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e984c84e-806f-46a4-8ab1-0b0aa4a23fd6\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"05c80e04-0870-4876-a665-b4844ed36eb1\",\"206e9fca-0d44-41c6-9451-c7ed6d532d67\",\"e984c84e-806f-46a4-8ab1-0b0aa4a23fd6\"],\"incompleteColumns\":{},\"sampling\":1},\"230b3abd-6bbd-4a50-8e51-14524532ad06\":{\"linkToLayers\":[],\"columns\":{\"3a80d472-891e-4958-a27c-822d5d561b64\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":true}},\"34af8905-9648-4963-8c6e-f36fa638a8e1\":{\"label\":\"Average of typical\",\"dataType\":\"number\",\"operationType\":\"average\",\"sourceField\":\"typical\",\"isBucketed\":false,\"scale\":\"ratio\",\"filter\":{\"query\":\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true}},\"6d21d26b-7857-408f-917a-51dc7468fe9d\":{\"label\":\"Top 300 values of 
host.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":300,\"orderBy\":{\"type\":\"column\",\"columnId\":\"34af8905-9648-4963-8c6e-f36fa638a8e1\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"6d21d26b-7857-408f-917a-51dc7468fe9d\",\"3a80d472-891e-4958-a27c-822d5d561b64\",\"34af8905-9648-4963-8c6e-f36fa638a8e1\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}}}},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Hosts with spikes in traffic\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":68,\"w\":48,\"h\":13,\"i\":\"c56c231d-ca87-4311-9827-50562563cf34\"},\"panelIndex\":\"c56c231d-ca87-4311-9827-50562563cf34\",\"embeddableConfig\":{\"enhancements\":{},\"attributes\":{\"title\":\"Anomalies detected over 
time\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-c79ffa3c-754a-48ab-ba60-46afd0d7ff3c\"},{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-a4a449ad-43c4-4d81-bb00-92ce098247a6\"},{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-b36bcefe-42ed-4e91-b487-4b2c8652f4f5\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\",\"legendSize\":\"large\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"c79ffa3c-754a-48ab-ba60-46afd0d7ff3c\",\"accessors\":[\"5a7ea0d2-b833-43a0-b2ee-760491aa7c20\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"palette\":{\"type\":\"palette\",\"name\":\"temperature\"},\"xAccessor\":\"3fc83bd9-2314-436e-8b61-4a8f5694e509\",\"splitAccessor\":\"afcd1239-1670-4b38-97c6-60dd18720834\"},{\"layerId\":\"a4a449ad-43c4-4d81-bb00-92ce098247a6\",\"layerType\":\"data\",\"accessors\":[\"16dbf6a1-9df7-46e0-bb21-f1968227cfb0\"],\"seriesType\":\"line\",\"xAccessor\":\"a5ac8da2-140e-4b67-9685-08424ee93fc3\"},{\"layerId\":\"b36bcefe-42ed-4e91-b487-4b2c8652f4f5\",\"layerType\":\"data\",\"accessors\":[\"4ac4ae30-2b63-4f92-926b-a3367c126709\"],\"seriesType\":\"line\",\"xAccessor\":\"d6a8746c-e875-4e90-b370-16d03e0d0cec\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"c79ffa3c-754a-48ab-ba60-46afd0d7ff3c\":{\"columns\":{\"3fc83bd9-2314-436e-8b61-4a8f
5694e509\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"d\",\"includeEmptyRows\":false,\"dropPartials\":true}},\"afcd1239-1670-4b38-97c6-60dd18720834\":{\"label\":\"Filters\",\"dataType\":\"string\",\"operationType\":\"filters\",\"scale\":\"ordinal\",\"isBucketed\":true,\"params\":{\"filters\":[{\"input\":{\"query\":\"job_id: \\\"low_count_events_for_a_host_name_ea\\\" and result_type : \\\"record\\\" \",\"language\":\"kuery\"},\"label\":\"Low Traffic Anomalies\"},{\"input\":{\"query\":\"job_id: \\\"high_count_events_for_a_host_name_ea\\\" and result_type : \\\"record\\\" \",\"language\":\"kuery\"},\"label\":\"High Traffic Anomalis\"}]}},\"5a7ea0d2-b833-43a0-b2ee-760491aa7c20\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3fc83bd9-2314-436e-8b61-4a8f5694e509\",\"afcd1239-1670-4b38-97c6-60dd18720834\",\"5a7ea0d2-b833-43a0-b2ee-760491aa7c20\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}},\"a4a449ad-43c4-4d81-bb00-92ce098247a6\":{\"linkToLayers\":[],\"columns\":{\"a5ac8da2-140e-4b67-9685-08424ee93fc3\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"d\",\"includeEmptyRows\":false,\"dropPartials\":true}},\"16dbf6a1-9df7-46e0-bb21-f1968227cfb0\":{\"label\":\"Average of actual\",\"dataType\":\"number\",\"operationType\":\"average\",\"sourceField\":\"actual\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true,\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"filter\":{\"query\":\"job_id : 
(\\\"high_count_events_for_a_host_name_ea\\\" or \\\"low_count_events_for_a_host_name_ea\\\" ) and result_type : \\\"record\\\"\",\"language\":\"kuery\"}}},\"columnOrder\":[\"a5ac8da2-140e-4b67-9685-08424ee93fc3\",\"16dbf6a1-9df7-46e0-bb21-f1968227cfb0\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}},\"b36bcefe-42ed-4e91-b487-4b2c8652f4f5\":{\"linkToLayers\":[],\"columns\":{\"d6a8746c-e875-4e90-b370-16d03e0d0cec\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"d\",\"includeEmptyRows\":false,\"dropPartials\":true}},\"4ac4ae30-2b63-4f92-926b-a3367c126709\":{\"label\":\"Average of typical\",\"dataType\":\"number\",\"operationType\":\"average\",\"sourceField\":\"typical\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true,\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"filter\":{\"query\":\"job_id : (\\\"high_count_events_for_a_host_name_ea\\\" or \\\"low_count_events_for_a_host_name_ea\\\" ) and result_type : 
\\\"record\\\"\",\"language\":\"kuery\"}}},\"columnOrder\":[\"d6a8746c-e875-4e90-b370-16d03e0d0cec\",\"4ac4ae30-2b63-4f92-926b-a3367c126709\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}}}},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}}}},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":81,\"w\":24,\"h\":15,\"i\":\"7730f065-9101-453b-886c-addc2f2fa726\"},\"panelIndex\":\"7730f065-9101-453b-886c-addc2f2fa726\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-c7ce8741-3831-487f-8227-1d97a4bf565a\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"b17e458f-5564-4c49-b5b0-4f26bd3737bc\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"a9a3a723-ad58-495c-b744-84990d1a7fb1\",\"isTransposed\":false,\"isMetric\":true,\"hidden\":true}],\"layerId\":\"c7ce8741-3831-487f-8227-1d97a4bf565a\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"c7ce8741-3831-487f-8227-1d97a4bf565a\":{\"columns\":{\"b17e458f-5564-4c49-b5b0-4f26bd3737bc\":{\"label\":\"Host name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a9a3a723-ad58-495c-b744-84990d1a7fb1\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"a9a3a723-ad58-495c-b744-84990d1a7fb1\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"job_id : (\\\"low_count_events_for_a_host_name_ea\\\" ) and result_type : \\\"record\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"b17e458f-5564-4c49-b5b0-4f26bd3737bc\",\"a9a3a723-ad58-495c-b744-84990d1a7fb1\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}}}},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 5 hosts with low traffic anomalies\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":81,\"w\":24,\"h\":15,\"i\":\"694ec862-3b9b-4c2d-9856-6dbec333774d\"},\"panelIndex\":\"694ec862-3b9b-4c2d-9856-6dbec333774d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-1f385df7-2895-46aa-acd1-fb65378dbe61\"}],\"state\":{\"visualization\":{\"layerId\":\"1f385df7-2895-46aa-acd1-fb65378dbe61\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"bfc1fa28-d585-44a7-9dc6-1a89a2ac076a\"},{\"columnId\":\"f305e930-2710-45aa-9fbb-1cd06722e1ce\",\"isTransposed\":false,\"isMetric\":true,\"hidden\":true}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"1f385df7-2895-46aa-acd1-fb65378dbe61\":{\"columns\":{\"bfc1fa28-d585-44a7-9dc6-1a89a2ac076a\":{\"label\":\"Host 
name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f305e930-2710-45aa-9fbb-1cd06722e1ce\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"f305e930-2710-45aa-9fbb-1cd06722e1ce\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"job_id : (\\\"high_count_events_for_a_host_name_ea\\\" ) and result_type : \\\"record\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":false}}},\"columnOrder\":[\"bfc1fa28-d585-44a7-9dc6-1a89a2ac076a\",\"f305e930-2710-45aa-9fbb-1cd06722e1ce\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}}}},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 5 hosts with high traffic anomalies\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":96,\"w\":24,\"h\":15,\"i\":\"0ddae9ae-f243-4fe9-9f02-0692c89e597e\"},\"panelIndex\":\"0ddae9ae-f243-4fe9-9f02-0692c89e597e\",\"embeddableConfig\":{\"enhancements\":{},\"attributes\":{\"title\":\"Top 5 host names with zero traffic 
count\",\"visualizationType\":\"lnsDatatable\",\"state\":{\"visualization\":{\"layerId\":\"ccb0e613-5210-466d-b06c-dd551d3d2c3d\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"4e6985ee-e7c1-436e-92b9-8533edbde0d0\",\"isTransposed\":false,\"isMetric\":false},{\"columnId\":\"fb904bf7-140d-448d-94e8-b4f99b363eba\",\"isTransposed\":false,\"isMetric\":true,\"hidden\":true}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"ccb0e613-5210-466d-b06c-dd551d3d2c3d\":{\"columns\":{\"4e6985ee-e7c1-436e-92b9-8533edbde0d0\":{\"label\":\"Host name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"fb904bf7-140d-448d-94e8-b4f99b363eba\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"fb904bf7-140d-448d-94e8-b4f99b363eba\":{\"label\":\"Median of actual\",\"dataType\":\"number\",\"operationType\":\"median\",\"sourceField\":\"actual\",\"isBucketed\":false,\"scale\":\"ratio\",\"filter\":{\"query\":\"job_id : (\\\"high_count_events_for_a_host_name_ea\\\" or \\\"low_count_events_for_a_host_name_ea\\\" ) and result_type : \\\"record\\\" and 
actual:0\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"4e6985ee-e7c1-436e-92b9-8533edbde0d0\",\"fb904bf7-140d-448d-94e8-b4f99b363eba\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}},\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-ccb0e613-5210-466d-b06c-dd551d3d2c3d\"}],\"type\":\"lens\",\"savedObjectId\":\"0c768d12-300d-4b07-aff5-dffbf394e1f5\"}}}]", + "title": "Host Traffic Anomalies (Entity Analytics)" + }, + "references": [ + { + "type": "index-pattern", + "id": "logs-*", + "name": "d5406e02-23be-4706-b754-6c98322988f0:indexpattern-datasource-layer-0878cf0f-9248-4259-9fde-be7d100dd7da" + }, + { + "type": "index-pattern", + "id": "logs-*", + "name": "095364c8-b16f-4a65-bc20-7e3d6434a7c5:indexpattern-datasource-layer-f4e80a32-b042-4b35-a6f1-e63ca1f73810" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "17cbd05f-fe7c-409e-97ae-780476124c04:indexpattern-datasource-layer-5c67ed52-f853-4732-bdc0-8f6f26cff79d" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "d7840b4a-1b5d-444c-86b8-eebf0434709a:indexpattern-datasource-layer-6dc48429-d618-4e6a-a307-9944d2ee13b7" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "ff1b9e2c-5eda-4562-988c-081ed5cf6e73:indexpattern-datasource-layer-6dc48429-d618-4e6a-a307-9944d2ee13b7" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "1a35a792-12de-4450-a129-ace659dabd01:indexpattern-datasource-layer-6dc48429-d618-4e6a-a307-9944d2ee13b7" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "6ca0394b-fa7b-4efe-b17d-e0823e8087b3:indexpattern-datasource-layer-914f81de-6cbc-4863-9e44-b69d323d41d2" + 
}, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "271e0000-4a5f-44fc-a346-f18b7642affb:indexpattern-datasource-layer-914f81de-6cbc-4863-9e44-b69d323d41d2" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "a4b62995-53a2-4172-baa7-dd1bd915ac7d:indexpattern-datasource-layer-d437f4ff-74ee-4331-801b-be6e5c990de0" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "a4b62995-53a2-4172-baa7-dd1bd915ac7d:indexpattern-datasource-layer-230b3abd-6bbd-4a50-8e51-14524532ad06" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "c56c231d-ca87-4311-9827-50562563cf34:indexpattern-datasource-layer-c79ffa3c-754a-48ab-ba60-46afd0d7ff3c" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "c56c231d-ca87-4311-9827-50562563cf34:indexpattern-datasource-layer-a4a449ad-43c4-4d81-bb00-92ce098247a6" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "c56c231d-ca87-4311-9827-50562563cf34:indexpattern-datasource-layer-b36bcefe-42ed-4e91-b487-4b2c8652f4f5" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "7730f065-9101-453b-886c-addc2f2fa726:indexpattern-datasource-layer-c7ce8741-3831-487f-8227-1d97a4bf565a" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "694ec862-3b9b-4c2d-9856-6dbec333774d:indexpattern-datasource-layer-1f385df7-2895-46aa-acd1-fb65378dbe61" + }, + { + "type": "index-pattern", + "id": ".ml-anomalies-shared", + "name": "0ddae9ae-f243-4fe9-9f02-0692c89e597e:indexpattern-datasource-layer-ccb0e613-5210-466d-b06c-dd551d3d2c3d" + }, + { + "name": "controlGroup_9c3b118a-6b55-43c2-8f8a-7905debfeaf1:optionsListDataView", + "type": "index-pattern", + "id": "logs-*" + }, + { + "name": "controlGroup_62d77b7e-89ca-4cd9-8528-8102395c7beb:optionsListDataView", + "type": "index-pattern", + "id": "logs-*" + }, + { + "type": "tag", + "id": 
"hta-192d4418-0096-4ebd-9699-d961b8c8f6f7", + "name": "tag-hta-192d4418-0096-4ebd-9699-d961b8c8f6f7" + } + ] +} \ No newline at end of file diff --git a/packages/hta/manifest.yml b/packages/hta/manifest.yml index 3d3d735d062..b88cad4547f 100644 --- a/packages/hta/manifest.yml +++ b/packages/hta/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.0 name: hta title: "Host Traffic Anomalies" -version: 2.0.0 +version: 3.0.0 source: license: "Elastic-2.0" description: "Prebuilt dashboard for Machine Learning module Security: Host." @@ -10,7 +10,7 @@ categories: - security conditions: kibana: - version: "^8.18.0 || ^9.0.0" + version: "^9.4.0" elastic: subscription: platinum capabilities: From fd49b30d7a3e5d70e27927e3a4b123a190d777c5 Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Tue, 10 Mar 2026 10:16:22 -0500 Subject: [PATCH 12/44] remove `agent.name` from PAD windows transform --- .../pivot_transform_win_privilege_list_ea/fields/fields.yml | 2 -- .../pivot_transform_win_privilege_list_ea/transform.yml | 3 --- 2 files changed, 5 deletions(-) diff --git a/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_ea/fields/fields.yml b/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_ea/fields/fields.yml index 389d98d0e87..4fadf9d8d6a 100644 --- a/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_ea/fields/fields.yml +++ b/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_ea/fields/fields.yml @@ -1,5 +1,3 @@ -- name: agent.name - type: keyword - external: ecs name: host.name - external: ecs diff --git a/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_ea/transform.yml b/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_ea/transform.yml index 84dfc038b45..38a1b0a07f7 100644 --- a/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_ea/transform.yml 
+++ b/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_ea/transform.yml @@ -34,9 +34,6 @@ pivot: max: field: '@timestamp' group_by: - agent.name: - terms: - field: agent.name 'host.name': terms: field: host.name From c44062ef430ee709a978e00b98ffc2e9363353c9 Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Tue, 10 Mar 2026 10:40:55 -0500 Subject: [PATCH 13/44] fix formatting --- .../pivot_transform_ea/fields/fields.yml | 2 +- packages/ded/kibana/ml_module/ded-ml.json | 1146 ++--- packages/dga/kibana/ml_module/dga-ml.json | 220 +- packages/lmd/kibana/ml_module/lmd-ml.json | 1852 +++---- .../fields/fields.yml | 2 +- packages/pad/kibana/ml_module/pad-ml.json | 4579 ++++++++--------- .../kibana/ml_module/problemchild-ml.json | 1126 ++-- 7 files changed, 4452 insertions(+), 4475 deletions(-) diff --git a/packages/ded/elasticsearch/transform/pivot_transform_ea/fields/fields.yml b/packages/ded/elasticsearch/transform/pivot_transform_ea/fields/fields.yml index 45c7074f3b2..6a964dca9dd 100644 --- a/packages/ded/elasticsearch/transform/pivot_transform_ea/fields/fields.yml +++ b/packages/ded/elasticsearch/transform/pivot_transform_ea/fields/fields.yml @@ -29,4 +29,4 @@ - external: ecs name: destination.geo.region_name - external: ecs - name: destination.geo.city_name \ No newline at end of file + name: destination.geo.city_name diff --git a/packages/ded/kibana/ml_module/ded-ml.json b/packages/ded/kibana/ml_module/ded-ml.json index ee3acb0e55a..e0443e3584e 100644 --- a/packages/ded/kibana/ml_module/ded-ml.json +++ b/packages/ded/kibana/ml_module/ded-ml.json 
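Review bot: In the Host Traffic Anomalies dashboard hunk, the Filters column of the "Anomalies detected over time" panel labels its second filter "High Traffic Anomalis"; it should read "High Traffic Anomalies" to match the "Low Traffic Anomalies" label beside it, since this text appears verbatim in the panel legend.

Review bot: The hta manifest hunk narrows `kibana.version` from `"^8.18.0 || ^9.0.0"` to `"^9.4.0"`, which drops every 8.x install. That justifies the 2.0.0 to 3.0.0 major bump, but no hta changelog entry is part of this diff; add one that states the new minimum Kibana version so operators on 8.18 can see why the upgrade stops being offered.

Review bot: Removing `agent.name` from the pivot `group_by` in pivot_transform_win_privilege_list_ea changes the transform's bucket key, so documents already written to the destination index under the old (agent.name, host.name) key will not be merged with the new host.name-only buckets. The commit touches only the two transform files (5 deletions, no changelog or version change), so either reset the transform when this lands (new destination index or bumped transform version) or document that existing installs must do so.

Review bot: The diffstat for the "fix formatting" commit shows 4452 insertions against 4475 deletions; a whitespace-only re-indent replaces lines one for one and leaves the counts equal, so something beyond indentation changed. Confirm with `git diff -w` that nothing but whitespace moved in the five ml_module JSON files, and split any real content changes to the ML job definitions into their own commit so they can be reviewed separately.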
@@ -1,586 +1,586 @@ { - "attributes": { - "id": "ded-ml", - "title": "Data Exfiltration Detection", - "description": "Detects data exfiltration activity in your network and file data.", - "type": "ded", - "logo": { - "icon": "machineLearningApp" - }, - "query": { - "bool": { - "should": [ - { - "term": { - "event.category": "file" - } - }, - { + "attributes": { + "id": "ded-ml", + "title": "Data Exfiltration Detection", + "description": "Detects data exfiltration activity in your network and file data.", + "type": "ded", + "logo": { + "icon": "machineLearningApp" + }, + "query": { "bool": { - "filter": [ - { - "term": { - "event.category": "network" - } - }, - { - "exists": { - "field": "source.bytes" - } - }, - { - "exists": { - "field": "destination" - } + "should": [ + { + "term": { + "event.category": "file" + } + }, + { + "bool": { + "filter": [ + { + "term": { + "event.category": "network" + } + }, + { + "exists": { + "field": "source.bytes" + } + }, + { + "exists": { + "field": "destination" + } + } + ] + } + } + ], + "must_not": { + "terms": { + "_tier": [ + "data_frozen", + "data_cold" + ] + } } - ] } - } - ], - "must_not": { - "terms": { - "_tier": [ - "data_frozen", - "data_cold" - ] - } - } - } - }, - "jobs": [ - { - "id": "ded_high_sent_bytes_destination_geo_country_iso_code_ea", - "config": { - "groups": [ - "security", - "data_exfiltration" - ], - "description": "Detects data exfiltration to an unusual geo-location (by country iso code).", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High bytes sent to an unusual country iso code", - "function": "high_sum", - "field_name": "source.bytes", - "over_field_name": "destination.geo.country_iso_code", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "process.name", - "source.ip", - "destination.ip", - "destination.geo.continent_name", - "destination.geo.country_name", - 
"destination.geo.country_iso_code" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-ded" - } - } - }, - { - "id": "ded_high_sent_bytes_destination_ip_ea", - "config": { - "groups": [ - "security", - "data_exfiltration" - ], - "description": "Detects data exfiltration to an unusual geo-location (by IP address).", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High bytes sent to an unusual IP address", - "function": "high_sum", - "field_name": "source.bytes", - "over_field_name": "destination.ip", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "process.name", - "source.ip", - "destination.ip" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-ded" - } - } - }, - { - "id": "ded_high_sent_bytes_destination_port_ea", - "config": { - "groups": [ - "security", - "data_exfiltration" - ], - "description": "Detects data exfiltration to an unusual destination port.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High bytes sent to an unusual destination port", - "function": "high_sum", - "field_name": "source.bytes", - "over_field_name": "destination.port", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "process.name", - "source.ip", - "destination.ip", - "destination.port" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-ded" - } - } - }, - { - "id": "ded_high_sent_bytes_destination_region_name_ea", - "config": { - "groups": [ - "security", - "data_exfiltration" - ], - "description": "Detects data exfiltration to an unusual geo-location (by 
region name).", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High bytes sent to an unusual region", - "function": "high_sum", - "field_name": "source.bytes", - "over_field_name": "destination.geo.region_name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "process.name", - "source.ip", - "destination.ip", - "destination.geo.city_name", - "destination.geo.region_name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-ded" - } - } - }, - { - "id": "ded_high_bytes_written_to_external_device_ea", - "config": { - "groups": [ - "security", - "data_exfiltration" - ], - "description": "Detects data exfiltration activity by identifying high bytes written to an external device.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "High bytes written to an external device", - "function": "high_sum", - "field_name": "file.size", - "partition_field_name": "host.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "file.name", - "file.path", - "file.Ext.device.bus_type", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-ded" - } - } - }, - { - "id": "ded_rare_process_writing_to_external_device_ea", - "config": { - "groups": [ - "security", - "data_exfiltration" - ], - "description": "Detects data exfiltration activity by identifying a file write started by a rare process to an external device.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare process writing to an external device", - "function": "rare", - "by_field_name": "process.name", - "partition_field_name": "host.name", - 
"detector_index": 0 - } - ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "file.name", - "file.path", - "file.Ext.device.bus_type", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-ded" - } - } - }, - { - "id": "ded_high_bytes_written_to_external_device_airdrop_ea", - "config": { - "groups": [ - "security", - "data_exfiltration" - ], - "description": "Detects data exfiltration activity by identifying high bytes written to an external device via Airdrop.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "High bytes written to an external device using Airdrop", - "function": "high_sum", - "field_name": "file.size", - "partition_field_name": "host.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "file.name", - "file.path", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-ded" - } - } - } - ], - "datafeeds": [ - { - "id": "datafeed-ded_high_sent_bytes_destination_geo_country_iso_code_ea", - "job_id": "ded_high_sent_bytes_destination_geo_country_iso_code_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "ded_high_sent_bytes_destination_geo_country_iso_code_ea", - "query": { - "bool": { - "filter": [ - { - "term": { - "event.category": "network" - } - }, - { - "exists": { - "field": "source.bytes" - } - }, - { - "exists": { - "field": "destination.port" - } + }, + "jobs": [ + { + "id": "ded_high_sent_bytes_destination_geo_country_iso_code_ea", + "config": { + "groups": [ + "security", + "data_exfiltration" + ], + "description": "Detects data exfiltration to an unusual geo-location (by country iso code).", + "analysis_config": { + "bucket_span": 
"3h", + "detectors": [ + { + "detector_description": "High bytes sent to an unusual country iso code", + "function": "high_sum", + "field_name": "source.bytes", + "over_field_name": "destination.geo.country_iso_code", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "process.name", + "source.ip", + "destination.ip", + "destination.geo.continent_name", + "destination.geo.country_name", + "destination.geo.country_iso_code" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-ded" + } } - ] - } - } - } - }, - { - "id": "datafeed-ded_high_sent_bytes_destination_ip_ea", - "job_id": "ded_high_sent_bytes_destination_ip_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "ded_high_sent_bytes_destination_ip_ea", - "query": { - "bool": { - "filter": [ - { - "term": { - "event.category": "network" - } - }, - { - "exists": { - "field": "source.bytes" - } - }, - { - "exists": { - "field": "destination.port" - } + }, + { + "id": "ded_high_sent_bytes_destination_ip_ea", + "config": { + "groups": [ + "security", + "data_exfiltration" + ], + "description": "Detects data exfiltration to an unusual geo-location (by IP address).", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High bytes sent to an unusual IP address", + "function": "high_sum", + "field_name": "source.bytes", + "over_field_name": "destination.ip", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "process.name", + "source.ip", + "destination.ip" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-ded" + } } - ] - } - } - } - }, - { - "id": "datafeed-ded_high_sent_bytes_destination_port_ea", - "job_id": 
"ded_high_sent_bytes_destination_port_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "ded_high_sent_bytes_destination_port_ea", - "query": { - "bool": { - "filter": [ - { - "term": { - "event.category": "network" - } - }, - { - "exists": { - "field": "source.bytes" - } - }, - { - "exists": { - "field": "destination.port" - } + }, + { + "id": "ded_high_sent_bytes_destination_port_ea", + "config": { + "groups": [ + "security", + "data_exfiltration" + ], + "description": "Detects data exfiltration to an unusual destination port.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High bytes sent to an unusual destination port", + "function": "high_sum", + "field_name": "source.bytes", + "over_field_name": "destination.port", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "process.name", + "source.ip", + "destination.ip", + "destination.port" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-ded" + } } - ] - } - } - } - }, - { - "id": "datafeed-ded_high_sent_bytes_destination_region_name_ea", - "job_id": "ded_high_sent_bytes_destination_region_name_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "ded_high_sent_bytes_destination_region_name_ea", - "query": { - "bool": { - "filter": [ - { - "term": { - "event.category": "network" - } - }, - { - "exists": { - "field": "source.bytes" - } - }, - { - "exists": { - "field": "destination.port" - } + }, + { + "id": "ded_high_sent_bytes_destination_region_name_ea", + "config": { + "groups": [ + "security", + "data_exfiltration" + ], + "description": "Detects data exfiltration to an unusual geo-location (by region name).", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High bytes sent to an unusual region", + 
"function": "high_sum", + "field_name": "source.bytes", + "over_field_name": "destination.geo.region_name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "process.name", + "source.ip", + "destination.ip", + "destination.geo.city_name", + "destination.geo.region_name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-ded" + } } - ] - } - } - } - }, - { - "id": "datafeed-ded_high_bytes_written_to_external_device_ea", - "job_id": "ded_high_bytes_written_to_external_device_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "ded_high_bytes_written_to_external_device_ea", - "query": { - "bool": { - "filter": [ - { - "term": { - "event.category": "file" - } - }, - { - "term": { - "host.os.type": "windows" - } - }, - { - "exists": { - "field": "file.Ext.device.bus_type" - } - }, - { - "terms": { - "event.action": [ - "creation", - "overwrite", - "modification" - ] - } + }, + { + "id": "ded_high_bytes_written_to_external_device_ea", + "config": { + "groups": [ + "security", + "data_exfiltration" + ], + "description": "Detects data exfiltration activity by identifying high bytes written to an external device.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "High bytes written to an external device", + "function": "high_sum", + "field_name": "file.size", + "partition_field_name": "host.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "file.name", + "file.path", + "file.Ext.device.bus_type", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-ded" + } } - ] - } - } - } - }, - { - "id": "datafeed-ded_rare_process_writing_to_external_device_ea", 
- "job_id": "ded_rare_process_writing_to_external_device_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "ded_rare_process_writing_to_external_device_ea", - "query": { - "bool": { - "filter": [ - { - "term": { - "event.category": "file" - } - }, - { - "term": { - "host.os.type": "windows" - } - }, - { - "exists": { - "field": "file.Ext.device.bus_type" - } - }, - { - "terms": { - "event.action": [ - "creation", - "overwrite", - "modification" - ] - } + }, + { + "id": "ded_rare_process_writing_to_external_device_ea", + "config": { + "groups": [ + "security", + "data_exfiltration" + ], + "description": "Detects data exfiltration activity by identifying a file write started by a rare process to an external device.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare process writing to an external device", + "function": "rare", + "by_field_name": "process.name", + "partition_field_name": "host.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "file.name", + "file.path", + "file.Ext.device.bus_type", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-ded" + } + } + }, + { + "id": "ded_high_bytes_written_to_external_device_airdrop_ea", + "config": { + "groups": [ + "security", + "data_exfiltration" + ], + "description": "Detects data exfiltration activity by identifying high bytes written to an external device via Airdrop.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "High bytes written to an external device using Airdrop", + "function": "high_sum", + "field_name": "file.size", + "partition_field_name": "host.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "file.name", + 
"file.path", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-ded" + } } - ] } - } - } - }, - { - "id": "datafeed-ded_high_bytes_written_to_external_device_airdrop_ea", - "job_id": "ded_high_bytes_written_to_external_device_airdrop_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "ded_high_bytes_written_to_external_device_airdrop_ea", - "query": { - "bool": { - "filter": [ - { - "term": { - "event.category": "file" - } - }, - { - "term": { - "process.name": "sharingd" - } - }, - { - "term": { - "host.os.type": "macos" - } - }, - { - "terms": { - "event.action": [ - "creation", - "overwrite", - "modification" - ] - } + ], + "datafeeds": [ + { + "id": "datafeed-ded_high_sent_bytes_destination_geo_country_iso_code_ea", + "job_id": "ded_high_sent_bytes_destination_geo_country_iso_code_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ded_high_sent_bytes_destination_geo_country_iso_code_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + "event.category": "network" + } + }, + { + "exists": { + "field": "source.bytes" + } + }, + { + "exists": { + "field": "destination.port" + } + } + ] + } + } + } + }, + { + "id": "datafeed-ded_high_sent_bytes_destination_ip_ea", + "job_id": "ded_high_sent_bytes_destination_ip_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ded_high_sent_bytes_destination_ip_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + "event.category": "network" + } + }, + { + "exists": { + "field": "source.bytes" + } + }, + { + "exists": { + "field": "destination.port" + } + } + ] + } + } + } + }, + { + "id": "datafeed-ded_high_sent_bytes_destination_port_ea", + "job_id": "ded_high_sent_bytes_destination_port_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ded_high_sent_bytes_destination_port_ea", + "query": { + "bool": { + 
"filter": [ + { + "term": { + "event.category": "network" + } + }, + { + "exists": { + "field": "source.bytes" + } + }, + { + "exists": { + "field": "destination.port" + } + } + ] + } + } + } + }, + { + "id": "datafeed-ded_high_sent_bytes_destination_region_name_ea", + "job_id": "ded_high_sent_bytes_destination_region_name_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ded_high_sent_bytes_destination_region_name_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + "event.category": "network" + } + }, + { + "exists": { + "field": "source.bytes" + } + }, + { + "exists": { + "field": "destination.port" + } + } + ] + } + } + } + }, + { + "id": "datafeed-ded_high_bytes_written_to_external_device_ea", + "job_id": "ded_high_bytes_written_to_external_device_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ded_high_bytes_written_to_external_device_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "host.os.type": "windows" + } + }, + { + "exists": { + "field": "file.Ext.device.bus_type" + } + }, + { + "terms": { + "event.action": [ + "creation", + "overwrite", + "modification" + ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-ded_rare_process_writing_to_external_device_ea", + "job_id": "ded_rare_process_writing_to_external_device_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "ded_rare_process_writing_to_external_device_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "host.os.type": "windows" + } + }, + { + "exists": { + "field": "file.Ext.device.bus_type" + } + }, + { + "terms": { + "event.action": [ + "creation", + "overwrite", + "modification" + ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-ded_high_bytes_written_to_external_device_airdrop_ea", + "job_id": "ded_high_bytes_written_to_external_device_airdrop_ea", + "config": { + "indices": [ + 
"INDEX_PATTERN_NAME" + ], + "job_id": "ded_high_bytes_written_to_external_device_airdrop_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "process.name": "sharingd" + } + }, + { + "term": { + "host.os.type": "macos" + } + }, + { + "terms": { + "event.action": [ + "creation", + "overwrite", + "modification" + ] + } + } + ] + } + } } - ] } - } - } - } - ] - }, - "id": "ded-ml", - "migrationVersion": { - "search": "7.16.0" - }, - "references": [], - "type": "ml-module" -} \ No newline at end of file + ] + }, + "id": "ded-ml", + "migrationVersion": { + "search": "7.16.0" + }, + "references": [], + "type": "ml-module" +} diff --git a/packages/dga/kibana/ml_module/dga-ml.json b/packages/dga/kibana/ml_module/dga-ml.json index 56a00ef7ab9..5628ef1216c 100644 --- a/packages/dga/kibana/ml_module/dga-ml.json +++ b/packages/dga/kibana/ml_module/dga-ml.json 
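Review bot: This ded-ml.json hunk is a whole-file reindentation; every job (`ded_high_sent_bytes_*`, `ded_high_bytes_written_to_external_device_*`, `ded_rare_process_writing_to_external_device_ea`) and every datafeed query reappears on the `+` side with the same detectors, influencers, bucket spans and filters, and the only non-whitespace change is the added trailing newline that replaces `\ No newline at end of file`. Mixing a 1100-line whitespace churn into a functional "Add EUIDs" change hides whether any detector or datafeed field actually moved; please split the reformat into its own commit, or state in the PR description that `git diff -w` on this file is empty so reviewers can skip it. In particular, the `pivot_transform` to `pivot_transform_euid` rename listed in the summary does not surface anywhere in this file, which is what a reviewer would expect to have to check here.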
@@ -1,115 +1,115 @@ { - "attributes": { - "id": "dga-ml", - "title": "DGA", - "description": "Detect domain generation algorithm (DGA) activity in your network data.", - "type": "DGA", - "logo": { - "icon": "machineLearningApp" - }, - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "ml_is_dga.malicious_probability" - } - } - ], - "must_not": { - "terms": { - "_tier": [ - "data_frozen", - "data_cold" - ] - } - } - } - }, - "jobs": [ - { - "id": "dga_high_sum_probability_ea", - "config": { - "groups": [ - "security", - "dga" - ], - "description": "Detects potential DGA (domain generation algorithm) activity that is often used by malware command and control (C2) channels. Looks for a source IP address making DNS requests that have an aggregate high probability of being DGA activity.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "detector_description": "high probability of DGA activity", - "detector_index": 0, - "field_name": "ml_is_dga.malicious_probability", - "function": "high_sum", - "over_field_name": "source.ip" - } - ], - "influencers": [ - "source.ip", - "host.name", - "host.id" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-dga" - } - } - } - ], - "datafeeds": [ - { - "id": "datafeed-dga_high_sum_probability_ea", - "job_id": "dga_high_sum_probability_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "dga_high_sum_probability_ea", - "query": { + "attributes": { + "id": "dga-ml", + "title": "DGA", + "description": "Detect domain generation algorithm (DGA) activity in your network data.", + "type": "DGA", + "logo": { + "icon": "machineLearningApp" + }, + "query": { "bool": { - "filter": [ - { - "exists": { - "field": "ml_is_dga.malicious_probability" - } + "filter": [ + { + "exists": { + "field": "ml_is_dga.malicious_probability" + } + } + ], + "must_not": { + "terms": { + "_tier": [ + 
"data_frozen", + "data_cold" + ] + } + } + } + }, + "jobs": [ + { + "id": "dga_high_sum_probability_ea", + "config": { + "groups": [ + "security", + "dga" + ], + "description": "Detects potential DGA (domain generation algorithm) activity that is often used by malware command and control (C2) channels. Looks for a source IP address making DNS requests that have an aggregate high probability of being DGA activity.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "detector_description": "high probability of DGA activity", + "detector_index": 0, + "field_name": "ml_is_dga.malicious_probability", + "function": "high_sum", + "over_field_name": "source.ip" + } + ], + "influencers": [ + "source.ip", + "host.name", + "host.id" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-dga" + } } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "elastic-endpoint.exe", - "elastic-endpoint", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } + } + ], + "datafeeds": [ + { + "id": "datafeed-dga_high_sum_probability_ea", + "job_id": "dga_high_sum_probability_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "dga_high_sum_probability_ea", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "ml_is_dga.malicious_probability" + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "elastic-endpoint.exe", + "elastic-endpoint", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + } } - ] } - } - } - } - ] - }, - "id": "dga-ml", - "migrationVersion": { - "search": "7.16.0" - }, - "references": [], - "type": "ml-module" -} \ No 
newline at end of file + ] + }, + "id": "dga-ml", + "migrationVersion": { + "search": "7.16.0" + }, + "references": [], + "type": "ml-module" +} diff --git a/packages/lmd/kibana/ml_module/lmd-ml.json b/packages/lmd/kibana/ml_module/lmd-ml.json index d3bd5a477d5..37188224cd6 100644 --- a/packages/lmd/kibana/ml_module/lmd-ml.json +++ b/packages/lmd/kibana/ml_module/lmd-ml.json 
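Review bot: Same pattern in dga-ml.json: the single job `dga_high_sum_probability_ea` (high_sum over `ml_is_dga.malicious_probability` by `source.ip`, 15m bucket span) and its datafeed, including the `must_not` list of agent and beat process names and the `_tier` exclusion of `data_frozen`/`data_cold`, are byte-for-byte identical apart from indentation and the trailing newline. Since dga has no transform rename in this PR, this file has no functional reason to be touched; consider dropping it from the change set, or at least keep the reindentation in a separate formatting-only commit so that the real module changes elsewhere in the PR are reviewable in isolation.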
@@ -1,947 +1,947 @@ { - "attributes": { - "id": "lmd-ml", - "title": "Lateral Movement Detection", - "description": "Detects lateral movement activity by identifying malicious file transfers and suspicious RDP sessions in an environment.", - "type": "lmd", - "logo": { - "icon": "machineLearningApp" - }, - "query": { - "bool": { - "should": [ - { - "term": { - "event.category": "file" - } - }, - { + "attributes": { + "id": "lmd-ml", + "title": "Lateral Movement Detection", + "description": "Detects lateral movement activity by identifying malicious file transfers and suspicious RDP sessions in an environment.", + "type": "lmd", + "logo": { + "icon": "machineLearningApp" + }, + "query": { "bool": { - "filter": [ - { - "exists": { - "field": "session.start_time" - } + "should": [ + { + "term": { + "event.category": "file" + } + }, + { + "bool": { + "filter": [ + { + "exists": { + "field": "session.start_time" + } + } + ] + } + } + ], + "must_not": { + "terms": { + "_tier": [ + "data_frozen", + "data_cold" + ] + } } - ] } - } - ], - "must_not": { - "terms": { - "_tier": [ - "data_frozen", - "data_cold" - ] - } - } - } - }, - "jobs": [ - { - "id": "lmd_high_count_remote_file_transfer_ea", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects unusually high file transfers to a remote host in the network.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "high_count by \"event.action\" partitionfield=\"host.name\"", - "function": "high_count", - "by_field_name": "event.action", - "partition_field_name": "host.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - }, - { - "id": "lmd_high_file_size_remote_file_transfer_ea", - "config": { - 
"groups": [ - "security", - "lateral_movement" - ], - "description": "Detects unusually high size of files shared with a remote host in the network.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "high_sum(\"file.size\") partitionfield=\"host.name\"", - "function": "high_sum", - "field_name": "file.size", - "partition_field_name": "host.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - }, - { - "id": "lmd_rare_file_extension_remote_transfer_ea", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects rare file extensions shared with a remote host in the network.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "detector_description": "rare by \"file.extension\" partitionfield=\"host.name\"", - "function": "rare", - "by_field_name": "file.extension", - "partition_field_name": "host.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "file.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - }, - { - "id": "lmd_rare_file_path_remote_transfer_ea", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects unusual folders and directories on which a file is transferred.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "detector_description": "rare by file_directory partitionfield=\"host.name\"", - "function": "rare", - "by_field_name": "file_directory", - "partition_field_name": "host.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - 
"host.id", - "user.name", - "event.module", - "user.id", - "file.path" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - }, - { - "id": "lmd_high_mean_rdp_session_duration_ea", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects unusually high mean of RDP session duration.", - "analysis_config": { - "bucket_span": "6h", - "detectors": [ - { - "detector_description": "high_mean(session.duration) partitionfield=\"source.ip\"", - "function": "high_mean", - "field_name": "session.duration", - "partition_field_name": "source.ip", - "detector_index": 0 - }, - { - "detector_description": "high_mean(session.duration) partitionfield=\"destination.ip\"", - "function": "high_mean", - "field_name": "session.duration", - "partition_field_name": "destination.ip", - "detector_index": 1 - } - ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "source.ip", - "destination.ip" - ] - }, - "data_description": { - "time_field": "session.start_time", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - }, - { - "id": "lmd_high_var_rdp_session_duration_ea", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects unusually high variance in RDP session duration.", - "analysis_config": { - "bucket_span": "6h", - "detectors": [ - { - "detector_description": "high_varp(session.duration) partitionfield=\"source.ip\"", - "function": "high_varp", - "field_name": "session.duration", - "partition_field_name": "source.ip", - "detector_index": 0 - }, - { - "detector_description": "high_varp(session.duration) partitionfield=\"destination.ip\"", - "function": "high_varp", - "field_name": "session.duration", - "partition_field_name": "destination.ip", - "detector_index": 1 - } - ], - "influencers": [ - "host.name", - 
"host.id", - "user.name", - "event.module", - "user.id", - "source.ip", - "destination.ip" - ] - }, - "data_description": { - "time_field": "session.start_time", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - }, - { - "id": "lmd_high_sum_rdp_number_of_processes_ea", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects unusually high number of processes started in a single RDP session.", - "analysis_config": { - "bucket_span": "6h", - "detectors": [ - { - "detector_description": "high_sum(number_processes_per_session) partitionfield=\"source.ip\"", - "function": "high_sum", - "field_name": "number_processes_per_session", - "partition_field_name": "source.ip", - "detector_index": 0 - }, - { - "detector_description": "high_sum(number_processes_per_session) partitionfield=\"destination.ip\"", - "function": "high_sum", - "field_name": "number_processes_per_session", - "partition_field_name": "destination.ip", - "detector_index": 1 - } - ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "source.ip", - "destination.ip" - ] - }, - "data_description": { - "time_field": "session.start_time", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - }, - { - "id": "lmd_unusual_time_weekday_rdp_session_start_ea", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects an RDP session started at an usual time or weekday.", - "analysis_config": { - "bucket_span": "6h", - "detectors": [ - { - "detector_description": "time_of_week partitionfield=\"source.ip\"", - "function": "time_of_week", - "partition_field_name": "source.ip", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "destination.ip", - "source.ip" - ] - }, - "data_description": { - "time_field": "session.start_time", - 
"time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - }, - { - "id": "lmd_high_rdp_distinct_count_source_ip_for_destination_ea", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects a high count of source IPs making an RDP connection with a single destination IP.", - "analysis_config": { - "bucket_span": "6h", - "detectors": [ - { - "detector_description": "high_distinct_count(\"source.ip\") partitionfield=\"destination.ip\"", - "function": "high_distinct_count", - "field_name": "source.ip", - "partition_field_name": "destination.ip", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "destination.ip" - ] - }, - "data_description": { - "time_field": "session.start_time", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - }, - { - "id": "lmd_high_rdp_distinct_count_destination_ip_for_source_ea", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects a high count of destination IPs establishing an RDP connection with a single source IP.", - "analysis_config": { - "bucket_span": "6h", - "detectors": [ - { - "detector_description": "high_distinct_count(\"destination.ip\") partitionfield=\"source.ip\"", - "function": "high_distinct_count", - "field_name": "destination.ip", - "partition_field_name": "source.ip", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "source.ip" - ] - }, - "data_description": { - "time_field": "session.start_time", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - }, - { - "id": "lmd_high_mean_rdp_process_args_ea", - "config": { - "groups": [ - "security", - "lateral_movement" - ], - "description": "Detects unusually high number of process arguments in an RDP session.", - 
"analysis_config": { - "bucket_span": "6h", - "detectors": [ - { - "detector_description": "high_mean(total_length_process_args) partitionfield=\"source.ip\"", - "function": "high_mean", - "field_name": "total_length_process_args", - "partition_field_name": "source.ip", - "detector_index": 0 - }, - { - "detector_description": "high_mean(total_length_process_args) partitionfield=\"destination.ip\"", - "function": "high_mean", - "field_name": "total_length_process_args", - "partition_field_name": "destination.ip", - "detector_index": 1 - } - ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "source.ip", - "destination.ip" - ] - }, - "data_description": { - "time_field": "session.start_time", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-lmd" - } - } - } - ], - "datafeeds": [ - { - "id": "datafeed-lmd_high_count_remote_file_transfer_ea", - "job_id": "lmd_high_count_remote_file_transfer_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_high_count_remote_file_transfer_ea", - "query": { - "bool": { - "must_not": [ - { - "terms": { - "user.name": [ - "SYSTEM", - "root" - ] - } + }, + "jobs": [ + { + "id": "lmd_high_count_remote_file_transfer_ea", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects unusually high file transfers to a remote host in the network.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "high_count by \"event.action\" partitionfield=\"host.name\"", + "function": "high_count", + "by_field_name": "event.action", + "partition_field_name": "host.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } } - ], - 
"filter": [ - { - "term": { - "event.category": "file" - } - }, - { - "term": { - "event.action": "creation" - } - }, - { - "terms": { - "process.name": [ - "System", - "scp", - "sshd", - "smbd", - "vsftpd", - "sftp-server" - ] - } - }, - { - "exists": { - "field": "process.name" - } - }, - { - "exists": { - "field": "file.name" - } + }, + { + "id": "lmd_high_file_size_remote_file_transfer_ea", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects unusually high size of files shared with a remote host in the network.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "high_sum(\"file.size\") partitionfield=\"host.name\"", + "function": "high_sum", + "field_name": "file.size", + "partition_field_name": "host.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } } - ] - } - } - } - }, - { - "id": "datafeed-lmd_high_file_size_remote_file_transfer_ea", - "job_id": "lmd_high_file_size_remote_file_transfer_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_high_file_size_remote_file_transfer_ea", - "query": { - "bool": { - "must_not": [ - { - "terms": { - "user.name": [ - "SYSTEM", - "root" - ] - } + }, + { + "id": "lmd_rare_file_extension_remote_transfer_ea", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects rare file extensions shared with a remote host in the network.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "detector_description": "rare by \"file.extension\" partitionfield=\"host.name\"", + "function": "rare", + "by_field_name": "file.extension", + "partition_field_name": "host.name", + "detector_index": 0 + } + ], + "influencers": [ + 
"host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "file.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } } - ], - "filter": [ - { - "term": { - "event.category": "file" - } - }, - { - "term": { - "event.action": "creation" - } - }, - { - "terms": { - "process.name": [ - "System", - "scp", - "sshd", - "smbd", - "vsftpd", - "sftp-server" - ] - } - }, - { - "exists": { - "field": "process.name" - } - }, - { - "exists": { - "field": "file.name" - } + }, + { + "id": "lmd_rare_file_path_remote_transfer_ea", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects unusual folders and directories on which a file is transferred.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "detector_description": "rare by file_directory partitionfield=\"host.name\"", + "function": "rare", + "by_field_name": "file_directory", + "partition_field_name": "host.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "file.path" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } } - ] - } - } - } - }, - { - "id": "datafeed-lmd_rare_file_extension_remote_transfer_ea", - "job_id": "lmd_rare_file_extension_remote_transfer_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_rare_file_extension_remote_transfer_ea", - "query": { - "bool": { - "must_not": [ - { - "terms": { - "user.name": [ - "SYSTEM", - "root" - ] - } + }, + { + "id": "lmd_high_mean_rdp_session_duration_ea", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects unusually high mean of RDP session duration.", + "analysis_config": { + "bucket_span": "6h", + "detectors": [ + { + 
"detector_description": "high_mean(session.duration) partitionfield=\"source.ip\"", + "function": "high_mean", + "field_name": "session.duration", + "partition_field_name": "source.ip", + "detector_index": 0 + }, + { + "detector_description": "high_mean(session.duration) partitionfield=\"destination.ip\"", + "function": "high_mean", + "field_name": "session.duration", + "partition_field_name": "destination.ip", + "detector_index": 1 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "source.ip", + "destination.ip" + ] + }, + "data_description": { + "time_field": "session.start_time", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } } - ], - "filter": [ - { - "term": { - "event.category": "file" - } - }, - { - "term": { - "event.action": "creation" - } - }, - { - "terms": { - "process.name": [ - "System", - "scp", - "sshd", - "smbd", - "vsftpd", - "sftp-server" - ] - } - }, - { - "exists": { - "field": "process.name" - } - }, - { - "exists": { - "field": "file.name" - } + }, + { + "id": "lmd_high_var_rdp_session_duration_ea", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects unusually high variance in RDP session duration.", + "analysis_config": { + "bucket_span": "6h", + "detectors": [ + { + "detector_description": "high_varp(session.duration) partitionfield=\"source.ip\"", + "function": "high_varp", + "field_name": "session.duration", + "partition_field_name": "source.ip", + "detector_index": 0 + }, + { + "detector_description": "high_varp(session.duration) partitionfield=\"destination.ip\"", + "function": "high_varp", + "field_name": "session.duration", + "partition_field_name": "destination.ip", + "detector_index": 1 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "source.ip", + "destination.ip" + ] + }, + "data_description": { + "time_field": "session.start_time", + 
"time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } } - ] - } - } - } - }, - { - "id": "datafeed-lmd_high_mean_rdp_session_duration_ea", - "job_id": "lmd_high_mean_rdp_session_duration_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_high_mean_rdp_session_duration_ea", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "destination.ip" - } - }, - { - "exists": { - "field": "session.start_time" - } + }, + { + "id": "lmd_high_sum_rdp_number_of_processes_ea", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects unusually high number of processes started in a single RDP session.", + "analysis_config": { + "bucket_span": "6h", + "detectors": [ + { + "detector_description": "high_sum(number_processes_per_session) partitionfield=\"source.ip\"", + "function": "high_sum", + "field_name": "number_processes_per_session", + "partition_field_name": "source.ip", + "detector_index": 0 + }, + { + "detector_description": "high_sum(number_processes_per_session) partitionfield=\"destination.ip\"", + "function": "high_sum", + "field_name": "number_processes_per_session", + "partition_field_name": "destination.ip", + "detector_index": 1 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "source.ip", + "destination.ip" + ] + }, + "data_description": { + "time_field": "session.start_time", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } } - ] - } - } - } - }, - { - "id": "datafeed-lmd_high_var_rdp_session_duration_ea", - "job_id": "lmd_high_var_rdp_session_duration_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_high_var_rdp_session_duration_ea", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "destination.ip" - } - }, - 
{ - "exists": { - "field": "session.start_time" - } + }, + { + "id": "lmd_unusual_time_weekday_rdp_session_start_ea", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects an RDP session started at an usual time or weekday.", + "analysis_config": { + "bucket_span": "6h", + "detectors": [ + { + "detector_description": "time_of_week partitionfield=\"source.ip\"", + "function": "time_of_week", + "partition_field_name": "source.ip", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "destination.ip", + "source.ip" + ] + }, + "data_description": { + "time_field": "session.start_time", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } } - ] - } - } - } - }, - { - "id": "datafeed-lmd_high_sum_rdp_number_of_processes_ea", - "job_id": "lmd_high_sum_rdp_number_of_processes_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_high_sum_rdp_number_of_processes_ea", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "destination.ip" - } - }, - { - "exists": { - "field": "session.start_time" - } + }, + { + "id": "lmd_high_rdp_distinct_count_source_ip_for_destination_ea", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects a high count of source IPs making an RDP connection with a single destination IP.", + "analysis_config": { + "bucket_span": "6h", + "detectors": [ + { + "detector_description": "high_distinct_count(\"source.ip\") partitionfield=\"destination.ip\"", + "function": "high_distinct_count", + "field_name": "source.ip", + "partition_field_name": "destination.ip", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "destination.ip" + ] + }, + "data_description": { + "time_field": "session.start_time", + 
"time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } } - ] - } - } - } - }, - { - "id": "datafeed-lmd_unusual_time_weekday_rdp_session_start_ea", - "job_id": "lmd_unusual_time_weekday_rdp_session_start_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_unusual_time_weekday_rdp_session_start_ea", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "destination.ip" - } - }, - { - "exists": { - "field": "session.start_time" - } + }, + { + "id": "lmd_high_rdp_distinct_count_destination_ip_for_source_ea", + "config": { + "groups": [ + "security", + "lateral_movement" + ], + "description": "Detects a high count of destination IPs establishing an RDP connection with a single source IP.", + "analysis_config": { + "bucket_span": "6h", + "detectors": [ + { + "detector_description": "high_distinct_count(\"destination.ip\") partitionfield=\"source.ip\"", + "function": "high_distinct_count", + "field_name": "destination.ip", + "partition_field_name": "source.ip", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "source.ip" + ] + }, + "data_description": { + "time_field": "session.start_time", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } } - ] - } - } - } - }, - { - "id": "datafeed-lmd_high_rdp_distinct_count_source_ip_for_destination_ea", - "job_id": "lmd_high_rdp_distinct_count_source_ip_for_destination_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_high_rdp_distinct_count_source_ip_for_destination_ea", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "destination.ip" - } - }, - { - "exists": { - "field": "session.start_time" - } + }, + { + "id": "lmd_high_mean_rdp_process_args_ea", + "config": { + "groups": [ + "security", + 
"lateral_movement" + ], + "description": "Detects unusually high number of process arguments in an RDP session.", + "analysis_config": { + "bucket_span": "6h", + "detectors": [ + { + "detector_description": "high_mean(total_length_process_args) partitionfield=\"source.ip\"", + "function": "high_mean", + "field_name": "total_length_process_args", + "partition_field_name": "source.ip", + "detector_index": 0 + }, + { + "detector_description": "high_mean(total_length_process_args) partitionfield=\"destination.ip\"", + "function": "high_mean", + "field_name": "total_length_process_args", + "partition_field_name": "destination.ip", + "detector_index": 1 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "source.ip", + "destination.ip" + ] + }, + "data_description": { + "time_field": "session.start_time", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-lmd" + } } - ] } - } - } - }, - { - "id": "datafeed-lmd_high_rdp_distinct_count_destination_ip_for_source_ea", - "job_id": "lmd_high_rdp_distinct_count_destination_ip_for_source_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_high_rdp_distinct_count_destination_ip_for_source_ea", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "destination.ip" - } - }, - { - "exists": { - "field": "session.start_time" - } + ], + "datafeeds": [ + { + "id": "datafeed-lmd_high_count_remote_file_transfer_ea", + "job_id": "lmd_high_count_remote_file_transfer_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_count_remote_file_transfer_ea", + "query": { + "bool": { + "must_not": [ + { + "terms": { + "user.name": [ + "SYSTEM", + "root" + ] + } + } + ], + "filter": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "event.action": "creation" + } + }, + { + "terms": { + "process.name": [ + "System", + "scp", + 
"sshd", + "smbd", + "vsftpd", + "sftp-server" + ] + } + }, + { + "exists": { + "field": "process.name" + } + }, + { + "exists": { + "field": "file.name" + } + } + ] + } + } } - ] - } - } - } - }, - { - "id": "datafeed-lmd_high_mean_rdp_process_args_ea", - "job_id": "lmd_high_mean_rdp_process_args_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_high_mean_rdp_process_args_ea", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "destination.ip" - } - }, - { - "exists": { - "field": "session.start_time" - } + }, + { + "id": "datafeed-lmd_high_file_size_remote_file_transfer_ea", + "job_id": "lmd_high_file_size_remote_file_transfer_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_file_size_remote_file_transfer_ea", + "query": { + "bool": { + "must_not": [ + { + "terms": { + "user.name": [ + "SYSTEM", + "root" + ] + } + } + ], + "filter": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "event.action": "creation" + } + }, + { + "terms": { + "process.name": [ + "System", + "scp", + "sshd", + "smbd", + "vsftpd", + "sftp-server" + ] + } + }, + { + "exists": { + "field": "process.name" + } + }, + { + "exists": { + "field": "file.name" + } + } + ] + } + } } - ] - } - } - } - }, - { - "id": "datafeed-lmd_rare_file_path_remote_transfer_ea", - "job_id": "lmd_rare_file_path_remote_transfer_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "lmd_rare_file_path_remote_transfer_ea", - "query": { - "bool": { - "must_not": [ - { - "terms": { - "user.name": [ - "SYSTEM", - "root" - ] - } + }, + { + "id": "datafeed-lmd_rare_file_extension_remote_transfer_ea", + "job_id": "lmd_rare_file_extension_remote_transfer_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_rare_file_extension_remote_transfer_ea", + "query": { + "bool": { + "must_not": [ + { + "terms": { + "user.name": [ + 
"SYSTEM", + "root" + ] + } + } + ], + "filter": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "event.action": "creation" + } + }, + { + "terms": { + "process.name": [ + "System", + "scp", + "sshd", + "smbd", + "vsftpd", + "sftp-server" + ] + } + }, + { + "exists": { + "field": "process.name" + } + }, + { + "exists": { + "field": "file.name" + } + } + ] + } + } } - ], - "filter": [ - { - "term": { - "event.category": "file" - } - }, - { - "term": { - "event.action": "creation" - } - }, - { - "terms": { - "process.name": [ - "System", - "scp", - "sshd", - "smbd", - "vsftpd", - "sftp-server" - ] - } - }, - { - "exists": { - "field": "process.name" - } - }, - { - "exists": { - "field": "file.name" - } + }, + { + "id": "datafeed-lmd_high_mean_rdp_session_duration_ea", + "job_id": "lmd_high_mean_rdp_session_duration_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_mean_rdp_session_duration_ea", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + }, + { + "exists": { + "field": "session.start_time" + } + } + ] + } + } + } + }, + { + "id": "datafeed-lmd_high_var_rdp_session_duration_ea", + "job_id": "lmd_high_var_rdp_session_duration_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_var_rdp_session_duration_ea", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + }, + { + "exists": { + "field": "session.start_time" + } + } + ] + } + } + } + }, + { + "id": "datafeed-lmd_high_sum_rdp_number_of_processes_ea", + "job_id": "lmd_high_sum_rdp_number_of_processes_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_sum_rdp_number_of_processes_ea", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + 
} + }, + { + "exists": { + "field": "session.start_time" + } + } + ] + } + } + } + }, + { + "id": "datafeed-lmd_unusual_time_weekday_rdp_session_start_ea", + "job_id": "lmd_unusual_time_weekday_rdp_session_start_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_unusual_time_weekday_rdp_session_start_ea", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + }, + { + "exists": { + "field": "session.start_time" + } + } + ] + } + } + } + }, + { + "id": "datafeed-lmd_high_rdp_distinct_count_source_ip_for_destination_ea", + "job_id": "lmd_high_rdp_distinct_count_source_ip_for_destination_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_rdp_distinct_count_source_ip_for_destination_ea", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + }, + { + "exists": { + "field": "session.start_time" + } + } + ] + } + } + } + }, + { + "id": "datafeed-lmd_high_rdp_distinct_count_destination_ip_for_source_ea", + "job_id": "lmd_high_rdp_distinct_count_destination_ip_for_source_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_rdp_distinct_count_destination_ip_for_source_ea", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + }, + { + "exists": { + "field": "session.start_time" + } + } + ] + } + } + } + }, + { + "id": "datafeed-lmd_high_mean_rdp_process_args_ea", + "job_id": "lmd_high_mean_rdp_process_args_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_high_mean_rdp_process_args_ea", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "destination.ip" + } + }, + { + "exists": { + "field": "session.start_time" + } + } + ] + } + } + } 
+ }, + { + "id": "datafeed-lmd_rare_file_path_remote_transfer_ea", + "job_id": "lmd_rare_file_path_remote_transfer_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "lmd_rare_file_path_remote_transfer_ea", + "query": { + "bool": { + "must_not": [ + { + "terms": { + "user.name": [ + "SYSTEM", + "root" + ] + } + } + ], + "filter": [ + { + "term": { + "event.category": "file" + } + }, + { + "term": { + "event.action": "creation" + } + }, + { + "terms": { + "process.name": [ + "System", + "scp", + "sshd", + "smbd", + "vsftpd", + "sftp-server" + ] + } + }, + { + "exists": { + "field": "process.name" + } + }, + { + "exists": { + "field": "file.name" + } + } + ] + } + }, + "runtime_mappings": { + "file_directory": { + "type": "keyword", + "script": { + "source": "def st=new String();\r\ndef st1=new String(); \r\nif(doc.containsKey('file.path') && doc['file.path'].size() != 0 )\r\n{st=doc['file.path'].value.replace('/','\\\\').splitOnToken('\\\\')[-1]; \r\nst1=doc['file.path'].value.replace(st,\"\");\r\n emit((st1));} else { emit('None');}" + } + } + } } - ] - } - }, - "runtime_mappings": { - "file_directory": { - "type": "keyword", - "script": { - "source": "def st=new String();\r\ndef st1=new String(); \r\nif(doc.containsKey('file.path') && doc['file.path'].size() != 0 )\r\n{st=doc['file.path'].value.replace('/','\\\\').splitOnToken('\\\\')[-1]; \r\nst1=doc['file.path'].value.replace(st,\"\");\r\n emit((st1));} else { emit('None');}" - } } - } - } - } - ] - }, - "id": "lmd-ml", - "migrationVersion": { - "search": "7.16.0" - }, - "references": [], - "type": "ml-module" -} \ No newline at end of file + ] + }, + "id": "lmd-ml", + "migrationVersion": { + "search": "7.16.0" + }, + "references": [], + "type": "ml-module" +} diff --git a/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/fields/fields.yml b/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/fields/fields.yml index daa1675fff2..20fb116120c 100644 
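Review bot: the `file_directory` runtime script in `datafeed-lmd_rare_file_path_remote_transfer_ea` derives the directory with `doc['file.path'].value.replace(st,"")`, which strips every occurrence of the file name substring from the path, not just the trailing one: `/data/log/log` becomes `/data//`, and a short name such as `a` mangles every directory component that contains that character. Because the `rare by file_directory` detector keys on this value, inconsistent directory strings will surface as spurious "rare" paths. Truncating by length is safer, e.g. `st1 = path.substring(0, path.length() - st.length());` after computing `st` from the same normalised string; the `\r\n` line endings in the script source could be normalised while touching it. Two smaller points in the same hunk: the description of `lmd_unusual_time_weekday_rdp_session_start_ea` reads "at an usual time or weekday" and should be "at an unusual time or weekday"; and since every `-`/`+` pair shown is identical apart from a two-space indentation shift, the reindent hides whatever substantive change this commit makes to the module (the datafeed for `lmd_rare_file_path_remote_transfer_ea` also ends up last while its job sits third). Splitting the whitespace-only reformat into its own commit, or reviewing with `git diff -w`, would make the functional diff visible.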
--- a/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/fields/fields.yml +++ b/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/fields/fields.yml @@ -13,4 +13,4 @@ - external: ecs name: agent.name - external: ecs - name: '@timestamp' \ No newline at end of file + name: '@timestamp' diff --git a/packages/pad/kibana/ml_module/pad-ml.json b/packages/pad/kibana/ml_module/pad-ml.json index ae5bdb7ba1b..4fbe43da6f6 100644 --- a/packages/pad/kibana/ml_module/pad-ml.json +++ b/packages/pad/kibana/ml_module/pad-ml.json 
@@ -1,1272 +1,1267 @@ { - "attributes": { - "id": "pad-ml", - "title": "Privileged Access Detection", - "description": "Detects anomalous privileged access activity in the Windows, Linux and Okta logs.", - "type": "pad", - "logo": { - "icon": "machineLearningApp" - }, - "query": { - "bool": { - "should": [ - { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] + "attributes": { + "id": "pad-ml", + "title": "Privileged Access Detection", + "description": "Detects anomalous privileged access activity in the Windows, Linux and Okta logs.", + "type": "pad", + "logo": { + "icon": "machineLearningApp" + }, + "query": { + "bool": { + "should": [ + { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "exists": { + "field": "winlog.event_id" + } } - }, - { - "exists": { - "field": "winlog.event_id" + ] + } + }, + { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "linux", + "Linux" + ] + } + }, + { + "term": { + "event.category": "process" + } } - } - ] + ] + } + }, + { + "exists": { + "field": "privilege_type" + } + }, + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "exists": { + "field": "okta_distinct_ips" + } } - }, - { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "linux", - "Linux" - ] - } - }, - { - "term": { - "event.category": "process" - } - } + ], + "must_not": { + "terms": { + "_tier": [ + "data_frozen", + "data_cold" ] } - }, - { - "exists": { - "field": "privilege_type" - } - }, - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "exists": { - "field": "okta_distinct_ips" - } - } - ], - "must_not": { - "terms": { - "_tier": [ - "data_frozen", - "data_cold" - ] } } - } - }, - "jobs": [ - { - "id": "pad_windows_high_count_special_logon_events_ea", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects unusually high special logon events initiated by a user.", - 
"analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of special logon events", - "function": "high_non_zero_count", - "by_field_name": "event.action", - "partition_field_name": "user.name", - "detector_index": 0 - } + }, + "jobs": [ + { + "id": "pad_windows_high_count_special_logon_events_ea", + "config": { + "groups": [ + "security", + "pad", + "windows" ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "winlog.event_data.SubjectUserName", - "winlog.event_data.PrivilegeList", - "winlog.event_data.TargetUserName", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects unusually high special logon events initiated by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of special logon events", + "function": "high_non_zero_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "winlog.event_data.SubjectUserName", + "winlog.event_data.PrivilegeList", + "winlog.event_data.TargetUserName", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": "pad_windows_high_count_special_privilege_use_events_ea", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects unusually high special privilege use events initiated by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of special privilege use events", - "function": "high_non_zero_count", - "by_field_name": "event.action", - 
"partition_field_name": "user.name", - "detector_index": 0 - } + }, + { + "id": "pad_windows_high_count_special_privilege_use_events_ea", + "config": { + "groups": [ + "security", + "pad", + "windows" ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "winlog.event_data.SubjectUserName", - "winlog.event_data.PrivilegeList", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects unusually high special privilege use events initiated by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of special privilege use events", + "function": "high_non_zero_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "winlog.event_data.SubjectUserName", + "winlog.event_data.PrivilegeList", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": "pad_windows_high_count_group_management_events_ea", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects unusually high security group management events initiated by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of security group management events", - "function": "high_non_zero_count", - "by_field_name": "event.action", - "partition_field_name": "user.name", - "detector_index": 0 - } + }, + { + "id": "pad_windows_high_count_group_management_events_ea", + "config": { + "groups": [ + "security", + "pad", + "windows" ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - 
"user.id", - "winlog.event_data.SubjectUserName", - "group.name", - "winlog.event_data.TargetUserName" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects unusually high security group management events initiated by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of security group management events", + "function": "high_non_zero_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "winlog.event_data.SubjectUserName", + "group.name", + "winlog.event_data.TargetUserName" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": "pad_windows_high_count_user_account_management_events_ea", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects unusually high security user account management events initiated by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of security user account management events", - "function": "high_non_zero_count", - "by_field_name": "event.action", - "partition_field_name": "user.name", - "detector_index": 0 - } + }, + { + "id": "pad_windows_high_count_user_account_management_events_ea", + "config": { + "groups": [ + "security", + "pad", + "windows" ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "winlog.event_data.SubjectUserName", - "winlog.event_data.TargetUserName" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": 
"Detects unusually high security user account management events initiated by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of security user account management events", + "function": "high_non_zero_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "winlog.event_data.SubjectUserName", + "winlog.event_data.TargetUserName" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": "pad_windows_rare_privilege_assigned_to_user_ea", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects an unusual privilege type assigned to a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare privilege type by user name", - "function": "rare", - "by_field_name": "privilege_type", - "partition_field_name": "user.name", - "detector_index": 0 - } + }, + { + "id": "pad_windows_rare_privilege_assigned_to_user_ea", + "config": { + "groups": [ + "security", + "pad", + "windows" ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "privilege_type", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects an unusual privilege type assigned to a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare privilege type by user name", + "function": "rare", + "by_field_name": "privilege_type", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + 
"user.id", + "privilege_type", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": "pad_windows_rare_group_name_by_user_ea", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects an unusual group name accessed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare group name by user name", - "function": "rare", - "by_field_name": "group.name", - "partition_field_name": "user.name", - "detector_index": 0 - } + }, + { + "id": "pad_windows_rare_group_name_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "windows" ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "group.name", - "winlog.event_data.TargetUserName", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects an unusual group name accessed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare group name by user name", + "function": "rare", + "by_field_name": "group.name", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "group.name", + "winlog.event_data.TargetUserName", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": "pad_windows_rare_device_by_user_ea", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects an unusual device accessed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - 
"detector_description": "Rare device name by user name", - "function": "rare", - "by_field_name": "host.name", - "partition_field_name": "user.name", - "detector_index": 0 - } + }, + { + "id": "pad_windows_rare_device_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "windows" ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "group.name", - "winlog.event_data.PrivilegeList", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects an unusual device accessed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare device name by user name", + "function": "rare", + "by_field_name": "host.name", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "group.name", + "winlog.event_data.PrivilegeList", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": "pad_windows_rare_source_ip_by_user_ea", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects an unusual source IP address accessed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare source IP by user name", - "function": "rare", - "by_field_name": "source.ip", - "partition_field_name": "user.name", - "detector_index": 0 - } + }, + { + "id": "pad_windows_rare_source_ip_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "windows" ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "source.ip", - "winlog.event_data.PrivilegeList", - "event.action" - ] - }, - 
"data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects an unusual source IP address accessed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare source IP by user name", + "function": "rare", + "by_field_name": "source.ip", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "source.ip", + "winlog.event_data.PrivilegeList", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": "pad_windows_rare_region_name_by_user_ea", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects an unusual region name for a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare region name by user", - "function": "rare", - "by_field_name": "source.geo.region_name", - "partition_field_name": "user.name", - "detector_index": 0 - } + }, + { + "id": "pad_windows_rare_region_name_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "windows" ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "source.geo.city_name", - "source.geo.country_name", - "winlog.event_data.PrivilegeList", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects an unusual region name for a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare region name by user", + "function": "rare", + "by_field_name": "source.geo.region_name", + "partition_field_name": 
"user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "source.geo.city_name", + "source.geo.country_name", + "winlog.event_data.PrivilegeList", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": "pad_linux_high_count_privileged_process_events_by_user_ea", - "config": { - "groups": [ - "security", - "pad", - "linux" - ], - "description": "Detects a spike in privileged commands executed by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of privileged processes by user name", - "function": "high_non_zero_count", - "partition_field_name": "user.name", - "detector_index": 0 - } + }, + { + "id": "pad_linux_high_count_privileged_process_events_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "linux" ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "process.name", - "process.command_line" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects a spike in privileged commands executed by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of privileged processes by user name", + "function": "high_non_zero_count", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "process.name", + "process.command_line" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": "pad_linux_rare_process_executed_by_user_ea", - 
"config": { - "groups": [ - "security", - "pad", - "linux" - ], - "description": "Detects a rare process executed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare process by user name", - "function": "rare", - "by_field_name": "process.name", - "partition_field_name": "user.name", - "detector_index": 0 - } + }, + { + "id": "pad_linux_rare_process_executed_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "linux" ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects a rare process executed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare process by user name", + "function": "rare", + "by_field_name": "process.name", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": "pad_linux_high_median_process_command_line_entropy_by_user_ea", - "config": { - "groups": [ - "security", - "pad", - "linux" - ], - "description": "Detects process command lines executed by a user with an abnormally high median entropy value. This job requires some manual setup before it can run successfully, specifically adding custom field mappings for data coming from an ingest pipeline. 
Instructions for these steps are available in the package overview.", - "analysis_config": { - "bucket_span": "30m", - "detectors": [ - { - "detector_description": "High median of process argument count by user name", - "function": "high_median", - "field_name": "process.command_line_entropy", - "partition_field_name": "user.name", - "detector_index": 0 - } + }, + { + "id": "pad_linux_high_median_process_command_line_entropy_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "linux" ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "process.command_line" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects process command lines executed by a user with an abnormally high median entropy value. This job requires some manual setup before it can run successfully, specifically adding custom field mappings for data coming from an ingest pipeline. 
Instructions for these steps are available in the package overview.", + "analysis_config": { + "bucket_span": "30m", + "detectors": [ + { + "detector_description": "High median of process argument count by user name", + "function": "high_median", + "field_name": "process.command_line_entropy", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "process.command_line" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": "pad_okta_spike_in_group_membership_changes_ea", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects spike in group membership change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of group membership okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "user.name", - "detector_index": 0 - } + }, + { + "id": "pad_okta_spike_in_group_membership_changes_ea", + "config": { + "groups": [ + "security", + "pad", + "okta" ], - "influencers": [ - "agent.name", - "user.name", - "event.module", - "source.user.full_name", - "user.target.full_name", - "user.target.group.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects spike in group membership change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of group membership okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "agent.name", + 
"user.name", + "event.module", + "source.user.full_name", + "user.target.full_name", + "user.target.group.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": "pad_okta_spike_in_user_lifecycle_management_changes_ea", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects spike in user lifecycle management change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of user lifecycle management okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "user.name", - "detector_index": 0 - } + }, + { + "id": "pad_okta_spike_in_user_lifecycle_management_changes_ea", + "config": { + "groups": [ + "security", + "pad", + "okta" ], - "influencers": [ - "agent.name", - "user.name", - "event.module", - "source.user.full_name", - "user.target.full_name", - "user.target.group.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects spike in user lifecycle management change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of user lifecycle management okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "agent.name", + "user.name", + "event.module", + "source.user.full_name", + "user.target.full_name", + "user.target.group.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": 
"pad_okta_spike_in_group_privilege_changes_ea", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects spike in group privilege change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of group privilege okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "user.name", - "detector_index": 0 - } + }, + { + "id": "pad_okta_spike_in_group_privilege_changes_ea", + "config": { + "groups": [ + "security", + "pad", + "okta" ], - "influencers": [ - "agent.name", - "user.name", - "event.module", - "source.user.full_name", - "user.target.full_name", - "user.target.group.name", - "okta.debug_context.debug_data.privilegeGranted", - "okta.debug_context.debug_data.privilegeRevoked" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects spike in group privilege change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of group privilege okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "agent.name", + "user.name", + "event.module", + "source.user.full_name", + "user.target.full_name", + "user.target.group.name", + "okta.debug_context.debug_data.privilegeGranted", + "okta.debug_context.debug_data.privilegeRevoked" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": "pad_okta_spike_in_group_application_assignment_changes_ea", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects spike in group application 
assignment change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of group application assignment okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "user.name", - "detector_index": 0 - } + }, + { + "id": "pad_okta_spike_in_group_application_assignment_changes_ea", + "config": { + "groups": [ + "security", + "pad", + "okta" ], - "influencers": [ - "agent.name", - "user.name", - "event.module", - "source.user.full_name", - "user.target.group.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects spike in group application assignment change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of group application assignment okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "agent.name", + "user.name", + "event.module", + "source.user.full_name", + "user.target.group.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": "pad_okta_spike_in_group_lifecycle_changes_ea", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects spike in group lifecycle change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of group lifecycle okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "user.name", - "detector_index": 0 - } + }, + { + "id": 
"pad_okta_spike_in_group_lifecycle_changes_ea", + "config": { + "groups": [ + "security", + "pad", + "okta" ], - "influencers": [ - "agent.name", - "user.name", - "event.module", - "source.user.full_name", - "user.target.group.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects spike in group lifecycle change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of group lifecycle okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "agent.name", + "user.name", + "event.module", + "source.user.full_name", + "user.target.group.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": "pad_okta_high_sum_concurrent_sessions_by_user_ea", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects an unusual sum of active sessions started by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High sum of distinct source ips by user name", - "function": "high_sum", - "field_name": "okta_distinct_ips", - "partition_field_name": "user.name", - "detector_index": 0 - } + }, + { + "id": "pad_okta_high_sum_concurrent_sessions_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "okta" ], - "influencers": [ - "user.name", - "event.module", - "agent.name", - "source.user.full_name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects an unusual sum of active sessions started by a user.", + 
"analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High sum of distinct source ips by user name", + "function": "high_sum", + "field_name": "okta_distinct_ips", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "user.name", + "event.module", + "agent.name", + "source.user.full_name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": "pad_okta_rare_source_ip_by_user_ea", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects an unusual source IP address accessed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare source ip by user name", - "function": "rare", - "by_field_name": "source.ip", - "partition_field_name": "user.name", - "detector_index": 0 - } + }, + { + "id": "pad_okta_rare_source_ip_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "okta" ], - "influencers": [ - "agent.name", - "source.user.full_name", - "user.target.group.name", - "okta.event_type" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects an unusual source IP address accessed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare source ip by user name", + "function": "rare", + "by_field_name": "source.ip", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "agent.name", + "source.user.full_name", + "user.target.group.name", + "okta.event_type" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": "pad_okta_rare_region_name_by_user_ea", 
- "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects an unusual region name for a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare region name by user name", - "function": "rare", - "by_field_name": "client.geo.region_name", - "partition_field_name": "user.name", - "detector_index": 0 - } + }, + { + "id": "pad_okta_rare_region_name_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "okta" ], - "influencers": [ - "agent.name", - "source.user.full_name", - "user.target.group.name", - "okta.event_type", - "client.geo.country_name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects an unusual region name for a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare region name by user name", + "function": "rare", + "by_field_name": "client.geo.region_name", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "agent.name", + "source.user.full_name", + "user.target.group.name", + "okta.event_type", + "client.geo.country_name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": "pad_okta_rare_host_name_by_user_ea", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects an unusual host name for a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare host name by user name", - "function": "rare", - "by_field_name": "host.name", - "partition_field_name": "user.name", - "detector_index": 0 - } + }, + { + "id": "pad_okta_rare_host_name_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "okta" ], - "influencers": [ - "agent.name", 
- "source.user.full_name", - "user.target.group.name", - "okta.event_type" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects an unusual host name for a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare host name by user name", + "function": "rare", + "by_field_name": "host.name", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "agent.name", + "source.user.full_name", + "user.target.group.name", + "okta.event_type" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } } - } - ], - "datafeeds": [ - { - "id": "datafeed-pad_windows_high_count_special_logon_events_ea", - "job_id": "pad_windows_high_count_special_logon_events_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], + ], + "datafeeds": [ + { + "id": "datafeed-pad_windows_high_count_special_logon_events_ea", "job_id": "pad_windows_high_count_special_logon_events_ea", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "logged-in-special", - "logged-in-explicit" - ] - } - }, - { - "terms": { - "event.code": [ - "4672", - "4648" - ] + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_high_count_special_logon_events_ea", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "logged-in-special", + "logged-in-explicit" + ] + } + }, + { + "terms": { + "event.code": [ + "4672", + "4648" + ] + } } - } - ], - "must_not": [ + ], + "must_not": [ { "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - 
"filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] + "process.name": + [ "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" ] + } + } + ] + } } } - } - }, - { - "id": "datafeed-pad_windows_high_count_special_privilege_use_events_ea", - "job_id": "pad_windows_high_count_special_privilege_use_events_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], + }, + { + "id": "datafeed-pad_windows_high_count_special_privilege_use_events_ea", "job_id": "pad_windows_high_count_special_privilege_use_events_ea", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_high_count_special_privilege_use_events_ea", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "privileged-operation", + "privileged-service-called" + ] + } + }, + { + "terms": { + "event.code": [ + "4673", + "4674" + ] + } } - }, + ], + "must_not": [ { "terms": { - "event.action": [ - "privileged-operation", - "privileged-service-called" - ] + "process.name": + [ "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-pad_windows_high_count_group_management_events_ea", + "job_id": "pad_windows_high_count_group_management_events_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_high_count_group_management_events_ea", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + 
"added-member-to-group", + "removed-member-from-group" + ] + } + }, + { + "terms": { + "event.code": [ + "4732", + "4728", + "4756", + "4733", + "4729" + ] + } } - }, + ], + "must_not": [ { "terms": { - "event.code": [ - "4673", - "4674" - ] + "process.name": + [ "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-pad_windows_high_count_user_account_management_events_ea", + "job_id": "pad_windows_high_count_user_account_management_events_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_high_count_user_account_management_events_ea", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "enabled-user-account", + "added-user-account", + "deleted-user-account", + "disabled-user-account" + ] + } + }, + { + "terms": { + "event.code": [ + "4722", + "4720", + "4726", + "4725" + ] + } } - } - ], - "must_not": [ + ], + "must_not": [ { "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] + "process.name": + [ "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" ] + } + } + ] + } } } - } - }, - { - "id": "datafeed-pad_windows_high_count_group_management_events_ea", - "job_id": "pad_windows_high_count_group_management_events_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_high_count_group_management_events_ea", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - 
"terms": { - "event.action": [ - "added-member-to-group", - "removed-member-from-group" - ] - } - }, - { - "terms": { - "event.code": [ - "4732", - "4728", - "4756", - "4733", - "4729" - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_windows_high_count_user_account_management_events_ea", - "job_id": "pad_windows_high_count_user_account_management_events_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_high_count_user_account_management_events_ea", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "enabled-user-account", - "added-user-account", - "deleted-user-account", - "disabled-user-account" - ] - } - }, - { - "terms": { - "event.code": [ - "4722", - "4720", - "4726", - "4725" - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_windows_rare_privilege_assigned_to_user_ea", - "job_id": "pad_windows_rare_privilege_assigned_to_user_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], + }, + { + "id": "datafeed-pad_windows_rare_privilege_assigned_to_user_ea", "job_id": "pad_windows_rare_privilege_assigned_to_user_ea", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "privilege_type" + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_privilege_assigned_to_user_ea", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "privilege_type" + } } - } 
- ] + ] + } } } - } - }, - { - "id": "datafeed-pad_windows_rare_group_name_by_user_ea", - "job_id": "pad_windows_rare_group_name_by_user_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], + }, + { + "id": "datafeed-pad_windows_rare_group_name_by_user_ea", "job_id": "pad_windows_rare_group_name_by_user_ea", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "added-member-to-group", - "removed-member-from-group" - ] - } - }, - { - "terms": { - "event.code": [ - "4732", - "4728", - "4756", - "4733", - "4729" - ] + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_group_name_by_user_ea", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "added-member-to-group", + "removed-member-from-group" + ] + } + }, + { + "terms": { + "event.code": [ + "4732", + "4728", + "4756", + "4733", + "4729" + ] + } } - } - ], - "must_not": [ + ], + "must_not": [ { "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] + "process.name": + [ "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" ] + } + } + ] + } } } - } - }, - { - "id": "datafeed-pad_windows_rare_device_by_user_ea", - "job_id": "pad_windows_rare_device_by_user_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], + }, + { + "id": "datafeed-pad_windows_rare_device_by_user_ea", "job_id": "pad_windows_rare_device_by_user_ea", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "exists": { - "field": "host.name" - } 
- }, - { - "exists": { - "field": "user.name" - } - }, - { - "terms": { - "event.code": [ - "4720", - "4726", - "4722", - "4756", - "4672", - "4673", - "4674", - "4720", - "4728", - "4732", - "4756", - "624", - "632", - "636", - "660", - "4725", - "4723", - "4648", - "4688", - "4729", - "4733", - "4757", - "637", - "661" - ] + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_device_by_user_ea", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "exists": { + "field": "host.name" + } + }, + { + "exists": { + "field": "user.name" + } + }, + { + "terms": { + "event.code": [ + "4720", + "4726", + "4722", + "4756", + "4672", + "4673", + "4674", + "4720", + "4728", + "4732", + "4756", + "624", + "632", + "636", + "660", + "4725", + "4723", + "4648", + "4688", + "4729", + "4733", + "4757", + "637", + "661" + ] + } } - } - ], + ], "must_not": [ { "terms": { 
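Review bot: the `event.code` terms filter in the `datafeed-pad_windows_rare_device_by_user_ea` query lists `"4720"` and `"4756"` twice; drop the repeats so the list states the intended set once (a `terms` query tolerates duplicates, but they obscure what the filter actually matches). Two further points in this hunk: the `detector_description` for `pad_linux_high_median_process_command_line_entropy_by_user_ea` still reads "High median of process argument count by user name" while `field_name` is `process.command_line_entropy` and the job description talks about entropy, so the description should say "command line entropy"; and the `must_not` exclusions on `process.name` are re-emitted as `"process.name":` followed by `[ "elastic-agent.exe",` ... `"winlogbeat" ]`, with the opening bracket on its own line and the closing bracket inline, which differs from every other array in the file and looks like a hand edit rather than a formatter pass. Since every `-`/`+` pair visible in this hunk is identical apart from indentation, consider landing the re-indentation as a separate whitespace-only commit so the substantive "Add EUIDs" change can be reviewed with `git diff -w`.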
@@ -1274,1177 +1269,1159 @@ "log_on", "created_process" ] - } - }, + } + }, { "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] + "process.name": + [ "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" ] + } + } + ] + } } } - } - }, - { - "id": "datafeed-pad_windows_rare_source_ip_by_user_ea", - "job_id": "pad_windows_rare_source_ip_by_user_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], + }, + { + "id": "datafeed-pad_windows_rare_source_ip_by_user_ea", "job_id": "pad_windows_rare_source_ip_by_user_ea", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "user.name" - } - }, - { - "terms": { - "event.code": [ - "4720", - "4726", - "4722", - "4756", - "4672", - "4673", - "4674", - "4720", - "4728", - "4732", - "4756", - "624", - "632", - "636", - "660", - "4725", - "4723", - "4648", - "4688", - "4729", - "4733", - "4757", - "637", - "661" - ] + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_source_ip_by_user_ea", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "user.name" + } + }, + { + "terms": { + "event.code": [ + "4720", + "4726", + "4722", + "4756", + "4672", + "4673", + "4674", + "4720", + "4728", + "4732", + "4756", + "624", + "632", + "636", + "660", + "4725", + "4723", + "4648", + "4688", + "4729", + "4733", + "4757", + "637", + "661" + ] + } } - } - ], - "must_not": [ + ], + "must_not": [ { "terms": { "event.action": [ 
"log_on", "created_process" ] - } - }, + } + }, { "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] + "process.name": + [ "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" ] + } + } + ] + } } } - } - }, - { - "id": "datafeed-pad_windows_rare_region_name_by_user_ea", - "job_id": "pad_windows_rare_region_name_by_user_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], + }, + { + "id": "datafeed-pad_windows_rare_region_name_by_user_ea", "job_id": "pad_windows_rare_region_name_by_user_ea", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "exists": { - "field": "source.geo.region_name" - } - }, - { - "exists": { - "field": "user.name" - } - }, - { - "terms": { - "event.code": [ - "4720", - "4726", - "4722", - "4756", - "4672", - "4673", - "4674", - "4720", - "4728", - "4732", - "4756", - "624", - "632", - "636", - "660", - "4725", - "4723", - "4648", - "4688", - "4729", - "4733", - "4757", - "637", - "661" - ] + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_region_name_by_user_ea", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "exists": { + "field": "source.geo.region_name" + } + }, + { + "exists": { + "field": "user.name" + } + }, + { + "terms": { + "event.code": [ + "4720", + "4726", + "4722", + "4756", + "4672", + "4673", + "4674", + "4720", + "4728", + "4732", + "4756", + "624", + "632", + "636", + "660", + "4725", + "4723", + "4648", + "4688", + "4729", + "4733", + "4757", + "637", + "661" + ] + } } - } - ], - "must_not": [ + ], + "must_not": [ { "terms": { "event.action": 
[ "log_on", "created_process" ] - } - }, + } + }, { "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] + "process.name": + [ "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" ] + } + } + ] + } } } - } - }, - { - "id": "datafeed-pad_linux_high_count_privileged_process_events_by_user_ea", - "job_id": "pad_linux_high_count_privileged_process_events_by_user_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], + }, + { + "id": "datafeed-pad_linux_high_count_privileged_process_events_by_user_ea", "job_id": "pad_linux_high_count_privileged_process_events_by_user_ea", - "query": { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "linux", - "Linux" - ] + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_linux_high_count_privileged_process_events_by_user_ea", + "query": { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "linux", + "Linux" + ] + } + }, + { + "term": { + "event.category": "process" + } + }, + { + "terms": { + "event.type": [ + "start", + "change" + ] + } + }, + { + "bool": { + "should": [ + { + "match_phrase": { + "process.command_line.text": "LD_PRELOAD" + } + }, + { + "match_phrase": { + "process.command_line.text": "/etc/ld.so.preload" + } + }, + { + "match_phrase": { + "process.command_line.text": "/root/.ssh/authorized_keys" + } + }, + { + "match_phrase": { + "process.command_line.text": "timestamp_timeout=-1" + } + }, + { + "match_phrase": { + "process.command_line.text": "!tty_tickets" + } + }, + { + "match_phrase": { + "process.command_line.text": "var/spool/cron" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl daemon-reload" + } + }, + { + "match_phrase": { + 
"process.command_line.text": "pw mod user" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw unlock" + } + }, + { + "match_phrase": { + "process.command_line.text": "chmod u+s" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo setcap cap_setuid" + } + }, + { + "match_phrase": { + "process.command_line.text": "su nobody" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo nobody" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo */root/" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*etc/sudoers" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*visudo" + } + }, + { + "match_phrase": { + "process.command_line.text": "etc/cron.*/" + } + }, + { + "match_phrase": { + "process.command_line.text": "trap*SIGINT" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*2000" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*4000" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl start*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl enable*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bashrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.shrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_logout" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/rc." 
+ } + } + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent", + "elasticsearch-users", + "elastic-agent.exe", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + }, + { + "terms": { + "process.command_line.text": [ + "elastic-agent", + "elasticsearch" + ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-pad_linux_rare_process_executed_by_user_ea", + "job_id": "pad_linux_rare_process_executed_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_linux_rare_process_executed_by_user_ea", + "query": { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "linux", + "Linux" + ] + } + }, + { + "term": { + "event.category": "process" + } + }, + { + "terms": { + "event.type": [ + "start", + "change" + ] + } + }, + { + "bool": { + "should": [ + { + "match_phrase": { + "process.command_line.text": "LD_PRELOAD" + } + }, + { + "match_phrase": { + "process.command_line.text": "/etc/ld.so.preload" + } + }, + { + "match_phrase": { + "process.command_line.text": "/root/.ssh/authorized_keys" + } + }, + { + "match_phrase": { + "process.command_line.text": "timestamp_timeout=-1" + } + }, + { + "match_phrase": { + "process.command_line.text": "!tty_tickets" + } + }, + { + "match_phrase": { + "process.command_line.text": "var/spool/cron" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl daemon-reload" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw mod user" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw unlock" + } + }, + { + "match_phrase": { + "process.command_line.text": "chmod u+s" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo setcap cap_setuid" + } + }, + { + "match_phrase": { + "process.command_line.text": "su nobody" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo nobody" + } + }, + { + 
"match_phrase": { + "process.command_line.text": "sudo */root/" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*etc/sudoers" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*visudo" + } + }, + { + "match_phrase": { + "process.command_line.text": "etc/cron.*/" + } + }, + { + "match_phrase": { + "process.command_line.text": "trap*SIGINT" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*2000" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*4000" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl start*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl enable*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bashrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.shrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_logout" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/rc." 
+ } + } + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent", + "elasticsearch-users", + "elastic-agent.exe", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + }, + { + "terms": { + "process.command_line.text": [ + "elastic-agent", + "elasticsearch" + ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-pad_linux_high_median_process_command_line_entropy_by_user_ea", + "job_id": "pad_linux_high_median_process_command_line_entropy_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_linux_high_median_process_command_line_entropy_by_user_ea", + "query": { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "linux", + "Linux" + ] + } + }, + { + "term": { + "event.category": "process" + } + }, + { + "terms": { + "event.type": [ + "start", + "change" + ] + } + }, + { + "bool": { + "should": [ + { + "match_phrase": { + "process.command_line.text": "LD_PRELOAD" + } + }, + { + "match_phrase": { + "process.command_line.text": "/etc/ld.so.preload" + } + }, + { + "match_phrase": { + "process.command_line.text": "/root/.ssh/authorized_keys" + } + }, + { + "match_phrase": { + "process.command_line.text": "timestamp_timeout=-1" + } + }, + { + "match_phrase": { + "process.command_line.text": "!tty_tickets" + } + }, + { + "match_phrase": { + "process.command_line.text": "var/spool/cron" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl daemon-reload" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw mod user" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw unlock" + } + }, + { + "match_phrase": { + "process.command_line.text": "chmod u+s" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo setcap cap_setuid" + } + }, + { + "match_phrase": { + "process.command_line.text": "su nobody" + } + }, + { + "match_phrase": { + 
"process.command_line.text": "sudo nobody" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo */root/" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*etc/sudoers" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*visudo" + } + }, + { + "match_phrase": { + "process.command_line.text": "etc/cron.*/" + } + }, + { + "match_phrase": { + "process.command_line.text": "trap*SIGINT" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*2000" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*4000" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl start*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl enable*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bashrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.shrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_logout" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/rc." 
+ } + } + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent", + "elasticsearch-users", + "elastic-agent.exe", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + }, + { + "terms": { + "process.command_line.text": [ + "elastic-agent", + "elasticsearch" + ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-pad_okta_spike_in_group_membership_changes_ea", + "job_id": "pad_okta_spike_in_group_membership_changes_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_group_membership_changes_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "terms": { + "okta.event_type": ["group.user_membership.add", "group.user_membership.remove"] + } } - }, - { - "term": { - "event.category": "process" + ] + } + } + } + }, + { + "id": "datafeed-pad_okta_spike_in_user_lifecycle_management_changes_ea", + "job_id": "pad_okta_spike_in_user_lifecycle_management_changes_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_user_lifecycle_management_changes_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "terms": { + "okta.event_type": [ + "user.lifecycle.activate", + "user.lifecycle.deactivate", + "user.lifecycle.suspend", + "user.lifecycle.unsuspend", + "user.lifecycle.create", + "user.lifecycle.update" + ] + } } - }, + ] + } + } + } + }, { - "terms": { - "event.type": [ - "start", - "change" - ] + "id": "datafeed-pad_okta_spike_in_group_privilege_changes_ea", + "job_id": "pad_okta_spike_in_group_privilege_changes_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_group_privilege_changes_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "terms": { + 
"okta.event_type": ["group.privilege.grant", "group.privilege.revoke"] + } } - }, + ] + } + } + } + }, { - "bool": { - "should": [ - { - "match_phrase": { - "process.command_line.text": "LD_PRELOAD" - } - }, - { - "match_phrase": { - "process.command_line.text": "/etc/ld.so.preload" - } - }, - { - "match_phrase": { - "process.command_line.text": "/root/.ssh/authorized_keys" - } - }, - { - "match_phrase": { - "process.command_line.text": "timestamp_timeout=-1" - } - }, - { - "match_phrase": { - "process.command_line.text": "!tty_tickets" - } - }, - { - "match_phrase": { - "process.command_line.text": "var/spool/cron" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl daemon-reload" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw mod user" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw unlock" - } - }, - { - "match_phrase": { - "process.command_line.text": "chmod u+s" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo setcap cap_setuid" - } - }, - { - "match_phrase": { - "process.command_line.text": "su nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo */root/" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*etc/sudoers" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*visudo" - } - }, - { - "match_phrase": { - "process.command_line.text": "etc/cron.*/" - } - }, - { - "match_phrase": { - "process.command_line.text": "trap*SIGINT" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*2000" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*4000" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl start*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl enable*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": 
"echo*/.bash_profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bashrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.shrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_logout" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/rc." - } - } - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent", - "elasticsearch-users", - "elastic-agent.exe", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - }, - { - "terms": { - "process.command_line.text": [ - "elastic-agent", - "elasticsearch" - ] + "id": "datafeed-pad_okta_spike_in_group_application_assignment_changes_ea", + "job_id": "pad_okta_spike_in_group_application_assignment_changes_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_group_application_assignment_changes_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "terms": { + "okta.event_type": ["group.application_assignment.add", "group.application_assignment.remove"] + } } - } - ] + ] + } } } - } - }, - { - "id": "datafeed-pad_linux_rare_process_executed_by_user_ea", - "job_id": "pad_linux_rare_process_executed_by_user_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_linux_rare_process_executed_by_user_ea", - "query": { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "linux", - "Linux" - ] - } - }, - { - "term": { - "event.category": "process" - } - }, - { - "terms": { - "event.type": [ - "start", - "change" - ] - } - }, - { - "bool": { - "should": [ - { - "match_phrase": { - "process.command_line.text": "LD_PRELOAD" - } - }, - { - "match_phrase": { - "process.command_line.text": 
"/etc/ld.so.preload" - } - }, - { - "match_phrase": { - "process.command_line.text": "/root/.ssh/authorized_keys" - } - }, - { - "match_phrase": { - "process.command_line.text": "timestamp_timeout=-1" - } - }, - { - "match_phrase": { - "process.command_line.text": "!tty_tickets" - } - }, - { - "match_phrase": { - "process.command_line.text": "var/spool/cron" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl daemon-reload" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw mod user" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw unlock" - } - }, - { - "match_phrase": { - "process.command_line.text": "chmod u+s" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo setcap cap_setuid" - } - }, - { - "match_phrase": { - "process.command_line.text": "su nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo */root/" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*etc/sudoers" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*visudo" - } - }, - { - "match_phrase": { - "process.command_line.text": "etc/cron.*/" - } - }, - { - "match_phrase": { - "process.command_line.text": "trap*SIGINT" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*2000" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*4000" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl start*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl enable*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bashrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.shrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/profile" - } 
- }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_logout" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/rc." - } - } - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent", - "elasticsearch-users", - "elastic-agent.exe", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - }, - { - "terms": { - "process.command_line.text": [ - "elastic-agent", - "elasticsearch" - ] + }, + { + "id": "datafeed-pad_okta_spike_in_group_lifecycle_changes_ea", + "job_id": "pad_okta_spike_in_group_lifecycle_changes_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_group_lifecycle_changes_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "terms": { + "okta.event_type": ["group.lifecycle.create", "group.lifecycle.delete"] + } } - } - ] + ] + } } } - } - }, - { - "id": "datafeed-pad_linux_high_median_process_command_line_entropy_by_user_ea", - "job_id": "pad_linux_high_median_process_command_line_entropy_by_user_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_linux_high_median_process_command_line_entropy_by_user_ea", - "query": { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "linux", - "Linux" - ] - } - }, - { - "term": { - "event.category": "process" - } - }, - { - "terms": { - "event.type": [ - "start", - "change" - ] - } - }, - { - "bool": { - "should": [ - { - "match_phrase": { - "process.command_line.text": "LD_PRELOAD" - } - }, - { - "match_phrase": { - "process.command_line.text": "/etc/ld.so.preload" - } - }, - { - "match_phrase": { - "process.command_line.text": "/root/.ssh/authorized_keys" - } - }, - { - "match_phrase": { - "process.command_line.text": "timestamp_timeout=-1" - } - }, - { - "match_phrase": { - "process.command_line.text": 
"!tty_tickets" - } - }, - { - "match_phrase": { - "process.command_line.text": "var/spool/cron" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl daemon-reload" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw mod user" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw unlock" - } - }, - { - "match_phrase": { - "process.command_line.text": "chmod u+s" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo setcap cap_setuid" - } - }, - { - "match_phrase": { - "process.command_line.text": "su nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo */root/" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*etc/sudoers" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*visudo" - } - }, - { - "match_phrase": { - "process.command_line.text": "etc/cron.*/" - } - }, - { - "match_phrase": { - "process.command_line.text": "trap*SIGINT" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*2000" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*4000" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl start*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl enable*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bashrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.shrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_logout" + }, + { + "id": "datafeed-pad_okta_high_sum_concurrent_sessions_by_user_ea", + "job_id": "pad_okta_high_sum_concurrent_sessions_by_user_ea", + "config": { + "indices": [ + 
"INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_high_sum_concurrent_sessions_by_user_ea", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "user.name" + } + }, + { + "exists": { + "field": "okta_distinct_ips" + } + }, + { + "range": { + "okta_distinct_ips": { + "gte": 2 } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/rc." + } + }, + { + "range": { + "okta_distinct_countries": { + "gte": 2 } } - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent", - "elasticsearch-users", - "elastic-agent.exe", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - }, - { - "terms": { - "process.command_line.text": [ - "elastic-agent", - "elasticsearch" - ] - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_okta_spike_in_group_membership_changes_ea", - "job_id": "pad_okta_spike_in_group_membership_changes_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_group_membership_changes_ea", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": [ - "group.user_membership.add", - "group.user_membership.remove" - ] - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_okta_spike_in_user_lifecycle_management_changes_ea", - "job_id": "pad_okta_spike_in_user_lifecycle_management_changes_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_user_lifecycle_management_changes_ea", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": [ - "user.lifecycle.activate", - "user.lifecycle.deactivate", - "user.lifecycle.suspend", - "user.lifecycle.unsuspend", - "user.lifecycle.create", - "user.lifecycle.update" - ] - } - } - ] - } - } - } - }, - { - "id": 
"datafeed-pad_okta_spike_in_group_privilege_changes_ea", - "job_id": "pad_okta_spike_in_group_privilege_changes_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_group_privilege_changes_ea", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": [ - "group.privilege.grant", - "group.privilege.revoke" - ] - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_okta_spike_in_group_application_assignment_changes_ea", - "job_id": "pad_okta_spike_in_group_application_assignment_changes_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_group_application_assignment_changes_ea", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": [ - "group.application_assignment.add", - "group.application_assignment.remove" - ] - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_okta_spike_in_group_lifecycle_changes_ea", - "job_id": "pad_okta_spike_in_group_lifecycle_changes_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_group_lifecycle_changes_ea", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": [ - "group.lifecycle.create", - "group.lifecycle.delete" - ] - } + }, + { + "term": { + "okta_session_info.has_end_event": 0 + } + } + ] } - ] - } + } } - } - }, - { - "id": "datafeed-pad_okta_high_sum_concurrent_sessions_by_user_ea", - "job_id": "pad_okta_high_sum_concurrent_sessions_by_user_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_high_sum_concurrent_sessions_by_user_ea", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "user.name" - } - }, - { - "exists": { - "field": "okta_distinct_ips" - } - }, - { - "range": { - "okta_distinct_ips": { 
- "gte": 2 + }, + { + "id": "datafeed-pad_okta_rare_source_ip_by_user_ea", + "job_id": "pad_okta_rare_source_ip_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_rare_source_ip_by_user_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" } - } - }, - { - "range": { - "okta_distinct_countries": { - "gte": 2 + }, + { + "exists": { + "field": "source.ip" + } + }, + { + "terms": { + "okta.event_type": [ + "group.lifecycle.create", + "group.lifecycle.delete", + "group.user_membership.add", + "group.user_membership.remove", + "user.lifecycle.activate", + "user.lifecycle.deactivate", + "user.lifecycle.suspend", + "user.lifecycle.unsuspend", + "user.lifecycle.create", + "user.lifecycle.update", + "group.privilege.grant", + "group.privilege.revoke", + "group.application_assignment.add", + "group.application_assignment.remove"] } } - }, - { - "term": { - "okta_session_info.has_end_event": 0 - } - } - ] + ] + } } } - } - }, - { - "id": "datafeed-pad_okta_rare_source_ip_by_user_ea", - "job_id": "pad_okta_rare_source_ip_by_user_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_rare_source_ip_by_user_ea", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, + }, { - "exists": { - "field": "source.ip" - } - }, - { - "terms": { - "okta.event_type": [ - "group.lifecycle.create", - "group.lifecycle.delete", - "group.user_membership.add", - "group.user_membership.remove", - "user.lifecycle.activate", - "user.lifecycle.deactivate", - "user.lifecycle.suspend", - "user.lifecycle.unsuspend", - "user.lifecycle.create", - "user.lifecycle.update", - "group.privilege.grant", - "group.privilege.revoke", - "group.application_assignment.add", - "group.application_assignment.remove" - ] - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_okta_rare_region_name_by_user_ea", - "job_id": "pad_okta_rare_region_name_by_user_ea", 
- "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], + "id": "datafeed-pad_okta_rare_region_name_by_user_ea", "job_id": "pad_okta_rare_region_name_by_user_ea", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "exists": { - "field": "client.geo.region_name" - } - }, - { - "terms": { - "okta.event_type": [ - "group.lifecycle.create", - "group.lifecycle.delete", - "group.user_membership.add", - "group.user_membership.remove", - "user.lifecycle.activate", - "user.lifecycle.deactivate", - "user.lifecycle.suspend", - "user.lifecycle.unsuspend", - "user.lifecycle.create", - "user.lifecycle.update", - "group.privilege.grant", - "group.privilege.revoke", - "group.application_assignment.add", - "group.application_assignment.remove" - ] + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_rare_region_name_by_user_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "exists": { + "field": "client.geo.region_name" + } + }, + { + "terms": { + "okta.event_type": [ + "group.lifecycle.create", + "group.lifecycle.delete", + "group.user_membership.add", + "group.user_membership.remove", + "user.lifecycle.activate", + "user.lifecycle.deactivate", + "user.lifecycle.suspend", + "user.lifecycle.unsuspend", + "user.lifecycle.create", + "user.lifecycle.update", + "group.privilege.grant", + "group.privilege.revoke", + "group.application_assignment.add", + "group.application_assignment.remove"] + } } - } - ] + ] + } } } - } - }, - { - "id": "datafeed-pad_okta_rare_host_name_by_user_ea", - "job_id": "pad_okta_rare_host_name_by_user_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_rare_host_name_by_user_ea", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "exists": { - "field": "agent.name" - } - }, + }, { - "terms": { - "okta.event_type": [ - 
"group.lifecycle.create", - "group.lifecycle.delete", - "group.user_membership.add", - "group.user_membership.remove", - "user.lifecycle.activate", - "user.lifecycle.deactivate", - "user.lifecycle.suspend", - "user.lifecycle.unsuspend", - "user.lifecycle.create", - "user.lifecycle.update", - "group.privilege.grant", - "group.privilege.revoke", - "group.application_assignment.add", - "group.application_assignment.remove" - ] + "id": "datafeed-pad_okta_rare_host_name_by_user_ea", + "job_id": "pad_okta_rare_host_name_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_rare_host_name_by_user_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "exists": { + "field": "agent.name" + } + }, + { + "terms": { + "okta.event_type": [ + "group.lifecycle.create", + "group.lifecycle.delete", + "group.user_membership.add", + "group.user_membership.remove", + "user.lifecycle.activate", + "user.lifecycle.deactivate", + "user.lifecycle.suspend", + "user.lifecycle.unsuspend", + "user.lifecycle.create", + "user.lifecycle.update", + "group.privilege.grant", + "group.privilege.revoke", + "group.application_assignment.add", + "group.application_assignment.remove"] + } } - } - ] + ] + } } } } - } - ] - }, - "id": "pad-ml", - "migrationVersion": { - "search": "7.16.0" - }, - "references": [], - "type": "ml-module" + ] + }, + "id": "pad-ml", + "migrationVersion": { + "search": "7.16.0" + }, + "references": [], + "type": "ml-module" } \ No newline at end of file diff --git a/packages/problemchild/kibana/ml_module/problemchild-ml.json b/packages/problemchild/kibana/ml_module/problemchild-ml.json index f8ccdb9afd9..6f59ce8232c 100644 --- a/packages/problemchild/kibana/ml_module/problemchild-ml.json +++ b/packages/problemchild/kibana/ml_module/problemchild-ml.json 
@@ -1,579 +1,579 @@ { - "attributes": { - "id": "problemchild-ml", - "title": "Living off the Land Attack Detection", - "description": "Detects potential living off the land activity by identifying malicious processes.", - "type": "ProblemChild", - "logo": { - "icon": "machineLearningApp" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "exists": { - "field": "problemchild.prediction" - } - }, - { - "exists": { - "field": "blocklist_label" - } - } - ], - "must_not": { - "terms": { - "_tier": [ - "data_frozen", - "data_cold" - ] - } - } - } - }, - "jobs": [ - { - "id": "problem_child_rare_process_by_host_ea", - "config": { - "groups": [ - "living_off_the_land", - "security" - ], - "description": "Looks for a process that has been classified as malicious on a host that does not commonly manifest malicious process activity.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "by_field_name": "process.name", - "detector_description": "rare process given a host", - "detector_index": 0, - "function": "rare", - "partition_field_name": "host.name" - } - ], - "influencers": [ - "process.name", - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "process.command_line" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-problem-child" - } - } - }, - { - "id": "problem_child_high_sum_by_host_ea", - "config": { - "groups": [ - "living_off_the_land", - "security" - ], - "description": "Looks for hosts with one or more potentially malicious child processes.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "by_field_name": "host.name", - "detector_description": "high sum of model hits by host", - "detector_index": 0, - "field_name": "problemchild.prediction_probability", - "function": "high_sum" - }, - { - "by_field_name": "host.name", - "detector_description": "high sum of blocklist hits by 
host", - "detector_index": 0, - "field_name": "blocklist_label", - "function": "high_sum" - } - ], - "influencers": [ - "process.name", - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "process.command_line" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-problem-child" - } - } - }, - { - "id": "problem_child_rare_process_by_user_ea", - "config": { - "groups": [ - "living_off_the_land", - "security" - ], - "description": "Looks for a process that has been classified as malicious where the user context is unusual and does not commonly manifest malicious process activity.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "by_field_name": "process.name", - "detector_description": "rare process given a user", - "detector_index": 0, - "function": "rare", - "partition_field_name": "user.name" - } - ], - "influencers": [ - "process.name", - "user.name", - "event.module", - "user.id", - "host.name", - "host.id", - "process.command_line" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-problem-child" - } - } - }, - { - "id": "problem_child_rare_process_by_parent_ea", - "config": { - "groups": [ - "living_off_the_land", - "security" - ], - "description": "Looks for rare malicious child processes spawned by a parent process.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "by_field_name": "process.name", - "detector_description": "rare process given a parent process", - "detector_index": 0, - "function": "rare", - "partition_field_name": "process.parent.name" - } - ], - "influencers": [ - "process.name", - "process.parent.name", - "process.command_line", - "host.name", - "host.id", - "user.name", - "event.module", - "user.id" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": 
"epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-problem-child" - } - } - }, - { - "id": "problem_child_high_sum_by_user_ea", - "config": { - "groups": [ - "living_off_the_land", - "security" - ], - "description": "Looks for users with one or more potentially malicious child processes.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "by_field_name": "user.name", - "detector_description": "high sum of model hits by user", - "detector_index": 0, - "field_name": "problemchild.prediction_probability", - "function": "high_sum" - }, - { - "by_field_name": "user.name", - "detector_description": "high sum of blocklist hits by user", - "detector_index": 0, - "field_name": "blocklist_label", - "function": "high_sum" - } - ], - "influencers": [ - "process.name", - "user.name", - "event.module", - "user.id", - "host.name", - "host.id", - "process.command_line" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-problem-child" - } - } - }, - { - "id": "problem_child_high_sum_by_parent_ea", - "config": { - "groups": [ - "living_off_the_land", - "security" - ], - "description": "Looks for parent process names with one or more potentially malicious child processes.", - "analysis_config": { - "bucket_span": "15m", - "detectors": [ - { - "by_field_name": "process.parent.name", - "detector_description": "high sum of model hits by parent process", - "detector_index": 0, - "field_name": "problemchild.prediction_probability", - "function": "high_sum" - }, - { - "by_field_name": "process.parent.name", - "detector_description": "high sum of blocklist hits by parent process", - "detector_index": 0, - "field_name": "blocklist_label", - "function": "high_sum" - } - ], - "influencers": [ - "process.name", - "process.parent.name", - "process.command_line", - "host.name", - "host.id", - "user.name", - "event.module", - "user.id" - ] - }, - "data_description": { 
- "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-problem-child" - } - } - } - ], - "datafeeds": [ - { - "id": "datafeed-problem_child_rare_process_by_host_ea", - "job_id": "problem_child_rare_process_by_host_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "problem_child_rare_process_by_host_ea", - "query": { + "attributes": { + "id": "problemchild-ml", + "title": "Living off the Land Attack Detection", + "description": "Detects potential living off the land activity by identifying malicious processes.", + "type": "ProblemChild", + "logo": { + "icon": "machineLearningApp" + }, + "query": { "bool": { - "minimum_should_match": 1, - "should": [ - { - "match": { - "problemchild.prediction": 1 - } - }, - { - "match": { - "blocklist_label": 1 - } + "minimum_should_match": 1, + "should": [ + { + "exists": { + "field": "problemchild.prediction" + } + }, + { + "exists": { + "field": "blocklist_label" + } + } + ], + "must_not": { + "terms": { + "_tier": [ + "data_frozen", + "data_cold" + ] + } } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "elastic-endpoint.exe", - "elastic-endpoint", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] } - } - } - }, - { - "id": "datafeed-problem_child_high_sum_by_host_ea", - "job_id": "problem_child_high_sum_by_host_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "problem_child_high_sum_by_host_ea", - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match": { - "problemchild.prediction": 1 - } - }, - { - "match": { - "blocklist_label": 1 - } + }, + "jobs": [ + { + "id": "problem_child_rare_process_by_host_ea", + "config": { + "groups": [ + "living_off_the_land", + "security" + ], + "description": "Looks for a process that has been classified as 
malicious on a host that does not commonly manifest malicious process activity.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "by_field_name": "process.name", + "detector_description": "rare process given a host", + "detector_index": 0, + "function": "rare", + "partition_field_name": "host.name" + } + ], + "influencers": [ + "process.name", + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "process.command_line" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-problem-child" + } } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "elastic-endpoint.exe", - "elastic-endpoint", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } + }, + { + "id": "problem_child_high_sum_by_host_ea", + "config": { + "groups": [ + "living_off_the_land", + "security" + ], + "description": "Looks for hosts with one or more potentially malicious child processes.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "by_field_name": "host.name", + "detector_description": "high sum of model hits by host", + "detector_index": 0, + "field_name": "problemchild.prediction_probability", + "function": "high_sum" + }, + { + "by_field_name": "host.name", + "detector_description": "high sum of blocklist hits by host", + "detector_index": 0, + "field_name": "blocklist_label", + "function": "high_sum" + } + ], + "influencers": [ + "process.name", + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "process.command_line" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-problem-child" + } } - ] - } - } - } - }, - { - "id": "datafeed-problem_child_rare_process_by_user_ea", - 
"job_id": "problem_child_rare_process_by_user_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "problem_child_rare_process_by_user_ea", - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match": { - "problemchild.prediction": 1 - } - }, - { - "match": { - "blocklist_label": 1 - } + }, + { + "id": "problem_child_rare_process_by_user_ea", + "config": { + "groups": [ + "living_off_the_land", + "security" + ], + "description": "Looks for a process that has been classified as malicious where the user context is unusual and does not commonly manifest malicious process activity.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "by_field_name": "process.name", + "detector_description": "rare process given a user", + "detector_index": 0, + "function": "rare", + "partition_field_name": "user.name" + } + ], + "influencers": [ + "process.name", + "user.name", + "event.module", + "user.id", + "host.name", + "host.id", + "process.command_line" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-problem-child" + } } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "elastic-endpoint.exe", - "elastic-endpoint", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } + }, + { + "id": "problem_child_rare_process_by_parent_ea", + "config": { + "groups": [ + "living_off_the_land", + "security" + ], + "description": "Looks for rare malicious child processes spawned by a parent process.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "by_field_name": "process.name", + "detector_description": "rare process given a parent process", + "detector_index": 0, + "function": "rare", + "partition_field_name": "process.parent.name" + } + ], + "influencers": [ + 
"process.name", + "process.parent.name", + "process.command_line", + "host.name", + "host.id", + "user.name", + "event.module", + "user.id" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-problem-child" + } } - ] - } - } - } - }, - { - "id": "datafeed-problem_child_rare_process_by_parent_ea", - "job_id": "problem_child_rare_process_by_parent_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "problem_child_rare_process_by_parent_ea", - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match": { - "problemchild.prediction": 1 - } - }, - { - "match": { - "blocklist_label": 1 - } + }, + { + "id": "problem_child_high_sum_by_user_ea", + "config": { + "groups": [ + "living_off_the_land", + "security" + ], + "description": "Looks for users with one or more potentially malicious child processes.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "by_field_name": "user.name", + "detector_description": "high sum of model hits by user", + "detector_index": 0, + "field_name": "problemchild.prediction_probability", + "function": "high_sum" + }, + { + "by_field_name": "user.name", + "detector_description": "high sum of blocklist hits by user", + "detector_index": 0, + "field_name": "blocklist_label", + "function": "high_sum" + } + ], + "influencers": [ + "process.name", + "user.name", + "event.module", + "user.id", + "host.name", + "host.id", + "process.command_line" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-problem-child" + } } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "elastic-endpoint.exe", - "elastic-endpoint", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] 
- } + }, + { + "id": "problem_child_high_sum_by_parent_ea", + "config": { + "groups": [ + "living_off_the_land", + "security" + ], + "description": "Looks for parent process names with one or more potentially malicious child processes.", + "analysis_config": { + "bucket_span": "15m", + "detectors": [ + { + "by_field_name": "process.parent.name", + "detector_description": "high sum of model hits by parent process", + "detector_index": 0, + "field_name": "problemchild.prediction_probability", + "function": "high_sum" + }, + { + "by_field_name": "process.parent.name", + "detector_description": "high sum of blocklist hits by parent process", + "detector_index": 0, + "field_name": "blocklist_label", + "function": "high_sum" + } + ], + "influencers": [ + "process.name", + "process.parent.name", + "process.command_line", + "host.name", + "host.id", + "user.name", + "event.module", + "user.id" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-problem-child" + } } - ] } - } - } - }, - { - "id": "datafeed-problem_child_high_sum_by_user_ea", - "job_id": "problem_child_high_sum_by_user_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "problem_child_high_sum_by_user_ea", - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match": { - "problemchild.prediction": 1 - } - }, - { - "match": { - "blocklist_label": 1 - } + ], + "datafeeds": [ + { + "id": "datafeed-problem_child_rare_process_by_host_ea", + "job_id": "problem_child_rare_process_by_host_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "problem_child_rare_process_by_host_ea", + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match": { + "problemchild.prediction": 1 + } + }, + { + "match": { + "blocklist_label": 1 + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + 
"elastic-endpoint.exe", + "elastic-endpoint", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + } } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "elastic-endpoint.exe", - "elastic-endpoint", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } + }, + { + "id": "datafeed-problem_child_high_sum_by_host_ea", + "job_id": "problem_child_high_sum_by_host_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "problem_child_high_sum_by_host_ea", + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match": { + "problemchild.prediction": 1 + } + }, + { + "match": { + "blocklist_label": 1 + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "elastic-endpoint.exe", + "elastic-endpoint", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + } } - ] - } - } - } - }, - { - "id": "datafeed-problem_child_high_sum_by_parent_ea", - "job_id": "problem_child_high_sum_by_parent_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "problem_child_high_sum_by_parent_ea", - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match": { - "problemchild.prediction": 1 - } - }, - { - "match": { - "blocklist_label": 1 - } + }, + { + "id": "datafeed-problem_child_rare_process_by_user_ea", + "job_id": "problem_child_rare_process_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "problem_child_rare_process_by_user_ea", + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match": { + "problemchild.prediction": 1 + } + }, + { + "match": { + 
"blocklist_label": 1 + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "elastic-endpoint.exe", + "elastic-endpoint", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + } } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "elastic-endpoint.exe", - "elastic-endpoint", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } + }, + { + "id": "datafeed-problem_child_rare_process_by_parent_ea", + "job_id": "problem_child_rare_process_by_parent_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "problem_child_rare_process_by_parent_ea", + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match": { + "problemchild.prediction": 1 + } + }, + { + "match": { + "blocklist_label": 1 + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "elastic-endpoint.exe", + "elastic-endpoint", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-problem_child_high_sum_by_user_ea", + "job_id": "problem_child_high_sum_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "problem_child_high_sum_by_user_ea", + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match": { + "problemchild.prediction": 1 + } + }, + { + "match": { + "blocklist_label": 1 + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "elastic-endpoint.exe", + "elastic-endpoint", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + 
"packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-problem_child_high_sum_by_parent_ea", + "job_id": "problem_child_high_sum_by_parent_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "problem_child_high_sum_by_parent_ea", + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match": { + "problemchild.prediction": 1 + } + }, + { + "match": { + "blocklist_label": 1 + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "elastic-endpoint.exe", + "elastic-endpoint", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + } } - ] } - } - } - } - ] - }, - "id": "problemchild-ml", - "migrationVersion": { - "search": "7.16.0" - }, - "references": [], - "type": "ml-module" -} \ No newline at end of file + ] + }, + "id": "problemchild-ml", + "migrationVersion": { + "search": "7.16.0" + }, + "references": [], + "type": "ml-module" +} From 5adcdef4ae62e6119d3438223ce683b4ba7322ce Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Tue, 10 Mar 2026 11:49:22 -0500 Subject: [PATCH 14/44] update documentation to match kibana PR --- packages/ded/docs/README.md | 9 +++++---- packages/hta/docs/README.md | 15 ++++++++++++++- packages/lmd/docs/README.md | 9 +++++---- packages/pad/docs/README.md | 9 +++++---- 4 files changed, 29 insertions(+), 13 deletions(-) diff --git a/packages/ded/docs/README.md b/packages/ded/docs/README.md index 57caf345ba8..3df4391b359 100644 --- a/packages/ded/docs/README.md +++ b/packages/ded/docs/README.md 
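Review bot: in the pad-ml.json datafeed hunk above, the reindented `okta.event_type` arrays now close on the same line as the last element, `"group.application_assignment.remove"]`, in all three datafeeds (`pad_okta_rare_source_ip_by_user_ea`, `pad_okta_rare_region_name_by_user_ea`, `pad_okta_rare_host_name_by_user_ea`), while every other array in the file keeps `]` on its own line; since this hunk is a whitespace reformat, keep the bracket on its own line so the reindent does not introduce a second style. The file also still ends with `\ No newline at end of file` even though the problemchild-ml.json hunk in the same commit adds the trailing newline, so add it here too.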
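Review bot: the problemchild-ml.json hunk (`@@ -1,579 +1,579 @@`) rewrites the whole file with an identical line count, and every visible removed/added pair differs only in leading whitespace (the one substantive change is the trailing newline at the end); a whole-file reindent mixed into the EUID commit makes the functional edits in the other files hard to review, so either move the reformat into its own commit or state in the commit message that `git diff -w` is empty for this file.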
@@ -98,12 +98,13 @@ To customize the datafeed query and other settings such as model memory limit, f ## v3.0.0 and beyond -v3.0.0 of the package introduces Entity Analytics support for Elastic Stack version 9.4, adding new fields for proper entity resolution. +v3.0.0 of the package introduces support for Entity Analytics (EA) in Elastic Stack version 9.4, adding new fields for proper entity resolution. -- Previously installed versions of ML jobs, transforms, and rules will continue to run, giving you time to transition to the new Entity Analytics assets. -- On installation of this version, new ML jobs, transforms, and rules that utilize Entity Analytics will be available. -- We recommend installing the new ML jobs and transforms first and check they are properly installed, gathering data and generating anomalies before updating to the latest version of the detection rules provided in 9.4. +- The new ML jobs include an `_ea` suffix in their names, as outlined below. New transforms and detection rules are also included. +- Previously installed ML jobs, transforms, and rules will continue to run, allowing time to transition to the new Entity Analytics assets. +- We recommend installing the new ML jobs and transforms first and verifying that they are properly set up, collecting data, and generating anomalies before upgrading to the latest detection rules included in 9.4. - The new Entity Analytics transforms write to separate destination indices postfixed with `_ea`. Create a new data view for the Entity Analytics anomaly detection jobs using the new destination indices/aliases listed below. Do not mix old and new transform destination indices in the same data view. +- New dashboards are available in this version with the suffix "(Entity Analytics)" in the title. If you are still running jobs or transforms from before this version, the original dashboards without the suffix remain available. 
The new Entity Analytics ML job IDs are: - `ded_high_sent_bytes_destination_geo_country_iso_code_ea` diff --git a/packages/hta/docs/README.md b/packages/hta/docs/README.md index c568e1cb29b..1c500a7cc24 100644 --- a/packages/hta/docs/README.md +++ b/packages/hta/docs/README.md 
@@ -14,4 +14,17 @@ The Host Traffic Anomalies package includes a dashboard that offers a high-level - Custom data view ID: `.ml-anomalies-shared` _**Warning**_: When creating the data views for the dashboards, ensure that the `Custom data view ID` is set to the value specified above and is not left empty. Omitting or misconfiguring this field may result in broken visualizations, as illustrated by the error message below. - ![Dashboard Error](../img/dashboard-hta-error.png) \ No newline at end of file + ![Dashboard Error](../img/dashboard-hta-error.png) + +## v3.0.0 and beyond + +v3.0.0 of the package introduces support for Entity Analytics (EA) in Elastic Stack version 9.4, adding new fields for proper entity resolution. + +- The new ML jobs include an `_ea` suffix in their names, as outlined below. These jobs are available through the `Security: Host` module in Kibana. To install them, go to **Machine Learning** -> **Anomaly Detection** -> **Jobs** -> **Create anomaly detection job** -> select your data view -> select **Security: Host** -> **Create jobs**. +- Previously installed `Security: Host` ML jobs will continue to run, allowing time to transition to the new Entity Analytics jobs. +- We recommend installing the new ML jobs first and verifying that they are properly set up, collecting data, and generating anomalies before upgrading to the latest detection rules included in 9.4. +- A new dashboard is available in this version with the suffix "(Entity Analytics)" in the title. If you are still running jobs from before this version, the original dashboard without the suffix remains available. + +The new Entity Analytics ML job IDs for this dashboard are: +- `high_count_events_for_a_host_name_ea` +- `low_count_events_for_a_host_name_ea` \ No newline at end of file diff --git a/packages/lmd/docs/README.md b/packages/lmd/docs/README.md index a06891cb9c7..78d2797c136 100644 --- a/packages/lmd/docs/README.md +++ b/packages/lmd/docs/README.md 
@@ -165,12 +165,13 @@ To customize the datafeed query and other settings such as model memory limit, f ## v3.0.0 and beyond -v3.0.0 of the package introduces Entity Analytics support for Elastic Stack version 9.4, adding new fields for proper entity resolution. +v3.0.0 of the package introduces support for Entity Analytics (EA) in Elastic Stack version 9.4, adding new fields for proper entity resolution. -- Previously installed versions of ML jobs, transforms, and rules will continue to run, giving you time to transition to the new Entity Analytics assets. -- On installation of this version, new ML jobs, transforms, and rules that utilize Entity Analytics will be available. -- We recommend installing the new ML jobs and transforms first and check they are properly installed, gathering data and generating anomalies before updating to the latest version of the detection rules provided in 9.4. +- The new ML jobs include an `_ea` suffix in their names, as outlined below. New transforms and detection rules are also included. +- Previously installed ML jobs, transforms, and rules will continue to run, allowing time to transition to the new Entity Analytics assets. +- We recommend installing the new ML jobs and transforms first and verifying that they are properly set up, collecting data, and generating anomalies before upgrading to the latest detection rules included in 9.4. - The new Entity Analytics transforms write to separate destination indices postfixed with `_ea`. Create a new data view for the Entity Analytics anomaly detection jobs using the new destination indices/aliases listed below. Do not mix old and new transform destination indices in the same data view. +- New dashboards are available in this version with the suffix "(Entity Analytics)" in the title. If you are still running jobs or transforms from before this version, the original dashboards without the suffix remain available. 
The new Entity Analytics ML job IDs are: - `lmd_high_count_remote_file_transfer_ea` diff --git a/packages/pad/docs/README.md b/packages/pad/docs/README.md index fc13f27d1f8..dd83ba73d4b 100644 --- a/packages/pad/docs/README.md +++ b/packages/pad/docs/README.md 
@@ -155,12 +155,13 @@ To customize the datafeed query and other settings such as model memory limit, f ## v2.0.0 and beyond -v2.0.0 of the package introduces Entity Analytics support for Elastic Stack version 9.4, adding new fields for proper entity resolution. +v2.0.0 of the package introduces support for Entity Analytics (EA) in Elastic Stack version 9.4, adding new fields for proper entity resolution. -- Previously installed versions of ML jobs, transforms, and rules will continue to run, giving you time to transition to the new Entity Analytics assets. -- On installation of this version, new ML jobs, transforms, and rules that utilize Entity Analytics will be available. -- We recommend installing the new ML jobs and transforms first and check they are properly installed, gathering data and generating anomalies before updating to the latest version of the detection rules provided in 9.4. +- The new ML jobs include an `_ea` suffix in their names, as outlined below. New transforms and detection rules are also included. +- Previously installed ML jobs, transforms, and rules will continue to run, allowing time to transition to the new Entity Analytics assets. +- We recommend installing the new ML jobs and transforms first and verifying that they are properly set up, collecting data, and generating anomalies before upgrading to the latest detection rules included in 9.4. - The new Entity Analytics transforms write to separate destination indices postfixed with `_ea`. Create a new data view for the Entity Analytics anomaly detection jobs using the new destination indices/aliases listed below. Do not mix old and new transform destination indices in the same data view. +- New dashboards are available in this version with the suffix "(Entity Analytics)" in the title. If you are still running jobs or transforms from before this version, the original dashboards without the suffix remain available. 
The new Entity Analytics ML job IDs are: - `pad_windows_high_count_special_logon_events_ea` From 217f67bd5104a97ad61c94222c1cd8c162fa8c63 Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Thu, 12 Mar 2026 10:21:00 -0500 Subject: [PATCH 15/44] fix ml job/transform fields --- .../pivot_transform_ea/fields/fields.yml | 10 +- .../pivot_transform_ea/transform.yml | 6 + .../pivot_transform_ea/fields/fields.yml | 8 +- .../pivot_transform_ea/transform.yml | 6 + .../fields/fields.yml | 6 +- .../transform.yml | 4 +- .../fields/fields.yml | 8 +- .../transform.yml | 6 + packages/pad/kibana/ml_module/pad-ml.json | 4633 +++++++++-------- 9 files changed, 2370 insertions(+), 2317 deletions(-) diff --git a/packages/ded/elasticsearch/transform/pivot_transform_ea/fields/fields.yml b/packages/ded/elasticsearch/transform/pivot_transform_ea/fields/fields.yml index 6a964dca9dd..50e5414aef9 100644 --- a/packages/ded/elasticsearch/transform/pivot_transform_ea/fields/fields.yml +++ b/packages/ded/elasticsearch/transform/pivot_transform_ea/fields/fields.yml @@ -1,9 +1,13 @@ - external: ecs name: host.name +- external: ecs + name: host.id - external: ecs name: user.name -- name: event.module - type: keyword +- external: ecs + name: user.id +- external: ecs + name: event.module - external: ecs name: event.category - external: ecs @@ -29,4 +33,4 @@ - external: ecs name: destination.geo.region_name - external: ecs - name: destination.geo.city_name + name: destination.geo.city_name \ No newline at end of file diff --git a/packages/ded/elasticsearch/transform/pivot_transform_ea/transform.yml b/packages/ded/elasticsearch/transform/pivot_transform_ea/transform.yml index 11f8b506a20..319d8504b44 100644 --- a/packages/ded/elasticsearch/transform/pivot_transform_ea/transform.yml +++ b/packages/ded/elasticsearch/transform/pivot_transform_ea/transform.yml 
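Review bot: in the ded README hunk, the new bullet says the jobs "include an `_ea` suffix" while the unchanged bullet two lines below says the transforms write to indices "postfixed with `_ea`"; use one term (suffix) for both so a reader searching the document finds a single convention. The same wording is repeated verbatim in the lmd and pad README hunks of this patch, so apply the change there as well.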
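Review bot: the hta README hunk replaces the file's last line but the new last line, `- \`low_count_events_for_a_host_name_ea\``, still carries `\ No newline at end of file`; add the trailing newline while this line is being touched so the next edit to the file does not show a spurious change. The new bullet also explains that the `_ea` jobs come from the `Security: Host` module in Kibana rather than from this package, which differs from the ded/lmd/pad READMEs in the same patch; a sentence saying that this package ships the dashboard only would make that difference explicit.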
@@ -21,9 +21,15 @@ pivot: 'host.name': terms: field: host.name + host.id: + terms: + field: host.id 'user.name': terms: field: user.name + user.id: + terms: + field: user.id event.module: terms: field: event.module diff --git a/packages/lmd/elasticsearch/transform/pivot_transform_ea/fields/fields.yml b/packages/lmd/elasticsearch/transform/pivot_transform_ea/fields/fields.yml index 9843103d67d..665050391f0 100644 --- a/packages/lmd/elasticsearch/transform/pivot_transform_ea/fields/fields.yml +++ b/packages/lmd/elasticsearch/transform/pivot_transform_ea/fields/fields.yml @@ -1,9 +1,13 @@ - external: ecs name: host.name +- external: ecs + name: host.id - external: ecs name: user.name -- name: event.module - type: keyword +- external: ecs + name: user.id +- external: ecs + name: event.module - name: process.Ext.authentication_id type: keyword - external: ecs diff --git a/packages/lmd/elasticsearch/transform/pivot_transform_ea/transform.yml b/packages/lmd/elasticsearch/transform/pivot_transform_ea/transform.yml index fa3d0eb3b66..1eb0cf4a308 100644 --- a/packages/lmd/elasticsearch/transform/pivot_transform_ea/transform.yml +++ b/packages/lmd/elasticsearch/transform/pivot_transform_ea/transform.yml @@ -56,12 +56,18 @@ pivot: 'host.name': terms: field: host.name + host.id: + terms: + field: host.id 'destination.ip': terms: field: destination.ip 'user.name': terms: field: user.name + user.id: + terms: + field: user.id event.module: terms: field: event.module diff --git a/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/fields/fields.yml b/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/fields/fields.yml index 20fb116120c..10ed19fe483 100644 --- a/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/fields/fields.yml +++ b/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/fields/fields.yml 
@@ -1,7 +1,7 @@ - external: ecs - name: user.name -- name: event.module - type: keyword + name: user.email +- external: ecs + name: event.module - external: ecs name: source.user.full_name - name: okta_distinct_ips diff --git a/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/transform.yml b/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/transform.yml index 5e68b312273..10b8575537d 100644 --- a/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/transform.yml +++ b/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/transform.yml @@ -39,9 +39,9 @@ pivot: term: 'okta.event_type': "user.session.end" group_by: - 'user.name': + 'user.email': terms: - field: user.name + field: user.email event.module: terms: field: event.module diff --git a/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_ea/fields/fields.yml b/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_ea/fields/fields.yml index 4fadf9d8d6a..b4d9ac8018f 100644 --- a/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_ea/fields/fields.yml +++ b/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_ea/fields/fields.yml @@ -1,9 +1,13 @@ - external: ecs name: host.name +- external: ecs + name: host.id - external: ecs name: user.name -- name: event.module - type: keyword +- external: ecs + name: user.id +- external: ecs + name: event.module - name: privilege_type type: keyword - external: ecs diff --git a/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_ea/transform.yml b/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_ea/transform.yml index 38a1b0a07f7..f9490fcf66a 100644 --- a/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_ea/transform.yml +++ b/packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_ea/transform.yml 
@@ -37,9 +37,15 @@ pivot: 'host.name': terms: field: host.name + host.id: + terms: + field: host.id 'user.name': terms: field: user.name + user.id: + terms: + field: user.id event.module: terms: field: event.module diff --git a/packages/pad/kibana/ml_module/pad-ml.json b/packages/pad/kibana/ml_module/pad-ml.json index 4fbe43da6f6..59c836d46c7 100644 --- a/packages/pad/kibana/ml_module/pad-ml.json +++ b/packages/pad/kibana/ml_module/pad-ml.json 
@@ -1,2427 +1,2450 @@ { - "attributes": { - "id": "pad-ml", - "title": "Privileged Access Detection", - "description": "Detects anomalous privileged access activity in the Windows, Linux and Okta logs.", - "type": "pad", - "logo": { - "icon": "machineLearningApp" - }, - "query": { - "bool": { - "should": [ - { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "exists": { - "field": "winlog.event_id" - } + "attributes": { + "id": "pad-ml", + "title": "Privileged Access Detection", + "description": "Detects anomalous privileged access activity in the Windows, Linux and Okta logs.", + "type": "pad", + "logo": { + "icon": "machineLearningApp" + }, + "query": { + "bool": { + "should": [ + { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] } - ] - } - }, - { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "linux", - "Linux" - ] - } - }, - { - "term": { - "event.category": "process" - } + }, + { + "exists": { + "field": "winlog.event_id" } - ] - } - }, - { - "exists": { - "field": "privilege_type" - } - }, - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "exists": { - "field": "okta_distinct_ips" - } + } + ] } - ], - "must_not": { - "terms": { - "_tier": [ - "data_frozen", - "data_cold" + }, + { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "linux", + "Linux" + ] + } + }, + { + "term": { + "event.category": "process" + } + } ] } + }, + { + "exists": { + "field": "privilege_type" + } + }, + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "exists": { + "field": "okta_distinct_ips" + } + } + ], + "must_not": { + "terms": { + "_tier": [ + "data_frozen", + "data_cold" + ] } } - }, - "jobs": [ - { - "id": "pad_windows_high_count_special_logon_events_ea", - "config": { - "groups": [ - "security", - "pad", - "windows" + } + }, + "jobs": [ + { + "id": "pad_windows_high_count_special_logon_events_ea", + "config": { 
+ "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects unusually high special logon events initiated by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of special logon events", + "function": "high_non_zero_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 + } ], - "description": "Detects unusually high special logon events initiated by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of special logon events", - "function": "high_non_zero_count", - "by_field_name": "event.action", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "winlog.event_data.SubjectUserName", - "winlog.event_data.PrivilegeList", - "winlog.event_data.TargetUserName", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "winlog.event_data.SubjectUserName", + "winlog.event_data.PrivilegeList", + "winlog.event_data.TargetUserName", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_windows_high_count_special_privilege_use_events_ea", - "config": { - "groups": [ - "security", - "pad", - "windows" + } + }, + { + "id": "pad_windows_high_count_special_privilege_use_events_ea", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects unusually high special privilege use events initiated by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": 
"High count of special privilege use events", + "function": "high_non_zero_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 + } ], - "description": "Detects unusually high special privilege use events initiated by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of special privilege use events", - "function": "high_non_zero_count", - "by_field_name": "event.action", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "winlog.event_data.SubjectUserName", - "winlog.event_data.PrivilegeList", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "winlog.event_data.SubjectUserName", + "winlog.event_data.PrivilegeList", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_windows_high_count_group_management_events_ea", - "config": { - "groups": [ - "security", - "pad", - "windows" + } + }, + { + "id": "pad_windows_high_count_group_management_events_ea", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects unusually high security group management events initiated by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of security group management events", + "function": "high_non_zero_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 + } ], - "description": "Detects unusually high security group management events initiated by a user.", - 
"analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of security group management events", - "function": "high_non_zero_count", - "by_field_name": "event.action", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "winlog.event_data.SubjectUserName", - "group.name", - "winlog.event_data.TargetUserName" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "winlog.event_data.SubjectUserName", + "group.name", + "winlog.event_data.TargetUserName" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_windows_high_count_user_account_management_events_ea", - "config": { - "groups": [ - "security", - "pad", - "windows" + } + }, + { + "id": "pad_windows_high_count_user_account_management_events_ea", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects unusually high security user account management events initiated by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of security user account management events", + "function": "high_non_zero_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 + } ], - "description": "Detects unusually high security user account management events initiated by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of security user account management events", - "function": "high_non_zero_count", - "by_field_name": "event.action", - "partition_field_name": 
"user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "winlog.event_data.SubjectUserName", - "winlog.event_data.TargetUserName" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "winlog.event_data.SubjectUserName", + "winlog.event_data.TargetUserName" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_windows_rare_privilege_assigned_to_user_ea", - "config": { - "groups": [ - "security", - "pad", - "windows" + } + }, + { + "id": "pad_windows_rare_privilege_assigned_to_user_ea", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects an unusual privilege type assigned to a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare privilege type by user name", + "function": "rare", + "by_field_name": "privilege_type", + "partition_field_name": "user.name", + "detector_index": 0 + } ], - "description": "Detects an unusual privilege type assigned to a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare privilege type by user name", - "function": "rare", - "by_field_name": "privilege_type", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "privilege_type", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", 
+ "privilege_type", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_windows_rare_group_name_by_user_ea", - "config": { - "groups": [ - "security", - "pad", - "windows" + } + }, + { + "id": "pad_windows_rare_group_name_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects an unusual group name accessed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare group name by user name", + "function": "rare", + "by_field_name": "group.name", + "partition_field_name": "user.name", + "detector_index": 0 + } ], - "description": "Detects an unusual group name accessed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare group name by user name", - "function": "rare", - "by_field_name": "group.name", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "group.name", - "winlog.event_data.TargetUserName", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "group.name", + "winlog.event_data.TargetUserName", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_windows_rare_device_by_user_ea", - "config": { - "groups": [ - "security", - "pad", - "windows" + } + }, + { + "id": "pad_windows_rare_device_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects an unusual 
device accessed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare device name by user name", + "function": "rare", + "by_field_name": "host.name", + "partition_field_name": "user.name", + "detector_index": 0 + } ], - "description": "Detects an unusual device accessed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare device name by user name", - "function": "rare", - "by_field_name": "host.name", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "group.name", - "winlog.event_data.PrivilegeList", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "group.name", + "winlog.event_data.PrivilegeList", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_windows_rare_source_ip_by_user_ea", - "config": { - "groups": [ - "security", - "pad", - "windows" + } + }, + { + "id": "pad_windows_rare_source_ip_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects an unusual source IP address accessed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare source IP by user name", + "function": "rare", + "by_field_name": "source.ip", + "partition_field_name": "user.name", + "detector_index": 0 + } ], - "description": "Detects an unusual source IP address accessed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare source IP by user 
name", - "function": "rare", - "by_field_name": "source.ip", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "source.ip", - "winlog.event_data.PrivilegeList", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "source.ip", + "winlog.event_data.PrivilegeList", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_windows_rare_region_name_by_user_ea", - "config": { - "groups": [ - "security", - "pad", - "windows" + } + }, + { + "id": "pad_windows_rare_region_name_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "windows" + ], + "description": "Detects an unusual region name for a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare region name by user", + "function": "rare", + "by_field_name": "source.geo.region_name", + "partition_field_name": "user.name", + "detector_index": 0 + } ], - "description": "Detects an unusual region name for a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare region name by user", - "function": "rare", - "by_field_name": "source.geo.region_name", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "source.geo.city_name", - "source.geo.country_name", - "winlog.event_data.PrivilegeList", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": 
"ml-module-pad" - } + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "source.geo.city_name", + "source.geo.country_name", + "winlog.event_data.PrivilegeList", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_linux_high_count_privileged_process_events_by_user_ea", - "config": { - "groups": [ - "security", - "pad", - "linux" + } + }, + { + "id": "pad_linux_high_count_privileged_process_events_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "linux" + ], + "description": "Detects a spike in privileged commands executed by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of privileged processes by user name", + "function": "high_non_zero_count", + "partition_field_name": "user.name", + "detector_index": 0 + } ], - "description": "Detects a spike in privileged commands executed by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of privileged processes by user name", - "function": "high_non_zero_count", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "process.name", - "process.command_line" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "process.name", + "process.command_line" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_linux_rare_process_executed_by_user_ea", - "config": { - "groups": [ - 
"security", - "pad", - "linux" + } + }, + { + "id": "pad_linux_rare_process_executed_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "linux" + ], + "description": "Detects a rare process executed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare process by user name", + "function": "rare", + "by_field_name": "process.name", + "partition_field_name": "user.name", + "detector_index": 0 + } ], - "description": "Detects a rare process executed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare process by user name", - "function": "rare", - "by_field_name": "process.name", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_linux_high_median_process_command_line_entropy_by_user_ea", - "config": { - "groups": [ - "security", - "pad", - "linux" + } + }, + { + "id": "pad_linux_high_median_process_command_line_entropy_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "linux" + ], + "description": "Detects process command lines executed by a user with an abnormally high median entropy value. This job requires some manual setup before it can run successfully, specifically adding custom field mappings for data coming from an ingest pipeline. 
Instructions for these steps are available in the package overview.", + "analysis_config": { + "bucket_span": "30m", + "detectors": [ + { + "detector_description": "High median of process argument count by user name", + "function": "high_median", + "field_name": "process.command_line_entropy", + "partition_field_name": "user.name", + "detector_index": 0 + } ], - "description": "Detects process command lines executed by a user with an abnormally high median entropy value. This job requires some manual setup before it can run successfully, specifically adding custom field mappings for data coming from an ingest pipeline. Instructions for these steps are available in the package overview.", - "analysis_config": { - "bucket_span": "30m", - "detectors": [ - { - "detector_description": "High median of process argument count by user name", - "function": "high_median", - "field_name": "process.command_line_entropy", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "process.command_line" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "process.command_line" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_okta_spike_in_group_membership_changes_ea", - "config": { - "groups": [ - "security", - "pad", - "okta" + } + }, + { + "id": "pad_okta_spike_in_group_membership_changes_ea", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects spike in group membership change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of group 
membership okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "user.email", + "detector_index": 0 + } ], - "description": "Detects spike in group membership change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of group membership okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "user.name", - "event.module", - "source.user.full_name", - "user.target.full_name", - "user.target.group.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "agent.name", + "user.email", + "event.module", + "source.user.full_name", + "user.target.full_name", + "user.target.group.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_okta_spike_in_user_lifecycle_management_changes_ea", - "config": { - "groups": [ - "security", - "pad", - "okta" + } + }, + { + "id": "pad_okta_spike_in_user_lifecycle_management_changes_ea", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects spike in user lifecycle management change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of user lifecycle management okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "user.email", + "detector_index": 0 + } ], - "description": "Detects spike in user lifecycle management change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - 
"detector_description": "High count of user lifecycle management okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "user.name", - "event.module", - "source.user.full_name", - "user.target.full_name", - "user.target.group.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "agent.name", + "user.email", + "event.module", + "source.user.full_name", + "user.target.full_name", + "user.target.group.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_okta_spike_in_group_privilege_changes_ea", - "config": { - "groups": [ - "security", - "pad", - "okta" + } + }, + { + "id": "pad_okta_spike_in_group_privilege_changes_ea", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects spike in group privilege change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of group privilege okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "user.email", + "detector_index": 0 + } ], - "description": "Detects spike in group privilege change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of group privilege okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "user.name", - "event.module", - "source.user.full_name", - "user.target.full_name", - "user.target.group.name", 
- "okta.debug_context.debug_data.privilegeGranted", - "okta.debug_context.debug_data.privilegeRevoked" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "agent.name", + "user.email", + "event.module", + "source.user.full_name", + "user.target.full_name", + "user.target.group.name", + "okta.debug_context.debug_data.privilegeGranted", + "okta.debug_context.debug_data.privilegeRevoked" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_okta_spike_in_group_application_assignment_changes_ea", - "config": { - "groups": [ - "security", - "pad", - "okta" + } + }, + { + "id": "pad_okta_spike_in_group_application_assignment_changes_ea", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects spike in group application assignment change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of group application assignment okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "user.email", + "detector_index": 0 + } ], - "description": "Detects spike in group application assignment change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of group application assignment okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "user.name", - "event.module", - "source.user.full_name", - "user.target.group.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - 
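Review bot: in the `## v2.0.0 and beyond` hunk of packages/pad/docs/README.md, dropping the bullet `On installation of this version, new ML jobs, transforms, and rules that utilize Entity Analytics will be available` removes the only sentence that said the old and new assets are installed side by side; the remaining bullets say the old ones "continue to run" but never state that the `_ea` assets are added rather than replacing them. Keep one explicit line, for example `- Installing this version adds the new `_ea` jobs, transforms, and rules alongside the previously installed ones; existing assets are not removed.` The same section should also say which list `destination indices/aliases listed below` refers to, because the text that immediately follows the hunk is the list of ML job IDs, not index names.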
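Review bot: the second hunk in packages/ded/elasticsearch/transform/pivot_transform_ea/fields/fields.yml (`@@ -29,4 +33,4 @@`) changes nothing except to drop the file's trailing newline (`\ No newline at end of file`); restore the newline so the hunk disappears and linters stop flagging the file. The first hunk, switching `event.module` from a local `type: keyword` to `external: ecs`, is fine and matches the same change in the lmd, okta_sessions and win_privilege_list fields.yml files.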
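Review bot: the new `host.id` and `user.id` `terms` group_by entries in packages/ded/elasticsearch/transform/pivot_transform_ea/transform.yml, packages/lmd/elasticsearch/transform/pivot_transform_ea/transform.yml and packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_ea/transform.yml carry no `missing_bucket: true`, so any source document that lacks either field is excluded from the pivot, whereas before this change it was still grouped on `host.name`/`user.name`; for sources that do not populate the IDs the `_ea` destination index will silently hold fewer rows than the old one. Either add `missing_bucket: true` to both new keys, or state in the README migration notes that events without `host.id`/`user.id` are dropped. Style: the new keys are written unquoted (`host.id:`) while their neighbours are quoted (`'host.name':`); pick one form.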
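Review bot: packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea changes the pivot key from `user.name` to `user.email` and removes `user.name` from fields.yml altogether, and pad-ml.json follows by partitioning every Okta job on `user.email` and replacing `user.name` with `user.email` in their influencers. That changes the entity key that anomaly records, dashboards and the bundled detection rules see for Okta, yet the README hunk in this series says nothing about it; add a migration bullet stating that the Okta `_ea` jobs key on `user.email`, and consider keeping `user.name` in the influencer list of the jobs that read `okta.system` directly so existing filters on `user.name` still resolve.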
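Review bot: in packages/pad/kibana/ml_module/pad-ml.json two detector descriptions no longer match their detectors: `pad_linux_high_median_process_command_line_entropy_by_user_ea` still says `High median of process argument count by user name` while the detector is `high_median` on `process.command_line_entropy`, and the Okta jobs keep `... okta events by user name` while `partition_field_name` is now `user.email`. Fix the strings (for example `High median of process command line entropy by user name` and `... by user email`), since they are what analysts see in Anomaly Explorer. Separately, the hunk removes and re-adds every line of the file with only its indentation changed, which buries the handful of real edits (the `user.email` partition and influencer swaps, the added `host.id`/`user.id` influencers); keep the previous indentation or land the reindent as its own commit so the functional diff is reviewable.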
"created_by": "ml-module-pad" - } + "influencers": [ + "agent.name", + "user.email", + "event.module", + "source.user.full_name", + "user.target.group.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_okta_spike_in_group_lifecycle_changes_ea", - "config": { - "groups": [ - "security", - "pad", - "okta" + } + }, + { + "id": "pad_okta_spike_in_group_lifecycle_changes_ea", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects spike in group lifecycle change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of group lifecycle okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "user.email", + "detector_index": 0 + } ], - "description": "Detects spike in group lifecycle change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of group lifecycle okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "user.name", - "event.module", - "source.user.full_name", - "user.target.group.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "agent.name", + "user.email", + "event.module", + "source.user.full_name", + "user.target.group.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_okta_high_sum_concurrent_sessions_by_user_ea", - "config": { - "groups": [ - "security", - "pad", - "okta" + 
} + }, + { + "id": "pad_okta_high_sum_concurrent_sessions_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects an unusual sum of active sessions started by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High sum of distinct source ips by user name", + "function": "high_sum", + "field_name": "okta_distinct_ips", + "partition_field_name": "user.email", + "detector_index": 0 + } ], - "description": "Detects an unusual sum of active sessions started by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High sum of distinct source ips by user name", - "function": "high_sum", - "field_name": "okta_distinct_ips", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "user.name", - "event.module", - "agent.name", - "source.user.full_name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "user.email", + "event.module", + "agent.name", + "source.user.full_name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_okta_rare_source_ip_by_user_ea", - "config": { - "groups": [ - "security", - "pad", - "okta" + } + }, + { + "id": "pad_okta_rare_source_ip_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects an unusual source IP address accessed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare source ip by user name", + "function": "rare", + "by_field_name": "source.ip", + "partition_field_name": "user.email", + "detector_index": 0 + } ], - "description": "Detects an unusual source IP address accessed by a user.", - 
"analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare source ip by user name", - "function": "rare", - "by_field_name": "source.ip", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "source.user.full_name", - "user.target.group.name", - "okta.event_type" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "agent.name", + "source.user.full_name", + "user.target.group.name", + "okta.event_type" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_okta_rare_region_name_by_user_ea", - "config": { - "groups": [ - "security", - "pad", - "okta" + } + }, + { + "id": "pad_okta_rare_region_name_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects an unusual region name for a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare region name by user name", + "function": "rare", + "by_field_name": "client.geo.region_name", + "partition_field_name": "user.email", + "detector_index": 0 + } ], - "description": "Detects an unusual region name for a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare region name by user name", - "function": "rare", - "by_field_name": "client.geo.region_name", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "source.user.full_name", - "user.target.group.name", - "okta.event_type", - "client.geo.country_name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "agent.name", + 
"source.user.full_name", + "user.target.group.name", + "okta.event_type", + "client.geo.country_name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } - }, - { - "id": "pad_okta_rare_host_name_by_user_ea", - "config": { - "groups": [ - "security", - "pad", - "okta" + } + }, + { + "id": "pad_okta_rare_host_name_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "okta" + ], + "description": "Detects an unusual host name for a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare host name by user name", + "function": "rare", + "by_field_name": "host.name", + "partition_field_name": "user.email", + "detector_index": 0 + } ], - "description": "Detects an unusual host name for a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare host name by user name", - "function": "rare", - "by_field_name": "host.name", - "partition_field_name": "user.name", - "detector_index": 0 - } - ], - "influencers": [ - "agent.name", - "source.user.full_name", - "user.target.group.name", - "okta.event_type" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" - } + "influencers": [ + "agent.name", + "source.user.full_name", + "user.target.group.name", + "okta.event_type" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" } } - ], - "datafeeds": [ - { - "id": "datafeed-pad_windows_high_count_special_logon_events_ea", + } + ], + "datafeeds": [ + { + "id": "datafeed-pad_windows_high_count_special_logon_events_ea", + "job_id": "pad_windows_high_count_special_logon_events_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], "job_id": 
"pad_windows_high_count_special_logon_events_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_high_count_special_logon_events_ea", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "logged-in-special", - "logged-in-explicit" - ] - } - }, - { - "terms": { - "event.code": [ - "4672", - "4648" - ] - } - } - ], - "must_not": [ + "query": { + "bool": { + "filter": [ { "terms": { - "process.name": - [ "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" ] - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_windows_high_count_special_privilege_use_events_ea", - "job_id": "pad_windows_high_count_special_privilege_use_events_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_high_count_special_privilege_use_events_ea", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "privileged-operation", - "privileged-service-called" - ] - } - }, - { - "terms": { - "event.code": [ - "4673", - "4674" - ] - } + "host.os.type": [ + "windows", + "Windows" + ] } - ], - "must_not": [ + }, { "terms": { - "process.name": - [ "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" ] - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_windows_high_count_group_management_events_ea", - "job_id": "pad_windows_high_count_group_management_events_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_high_count_group_management_events_ea", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } 
- }, - { - "terms": { - "event.action": [ - "added-member-to-group", - "removed-member-from-group" - ] - } - }, - { - "terms": { - "event.code": [ - "4732", - "4728", - "4756", - "4733", - "4729" - ] - } + "event.action": [ + "logged-in-special", + "logged-in-explicit" + ] } - ], - "must_not": [ + }, { "terms": { - "process.name": - [ "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" ] - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_windows_high_count_user_account_management_events_ea", - "job_id": "pad_windows_high_count_user_account_management_events_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_high_count_user_account_management_events_ea", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "enabled-user-account", - "added-user-account", - "deleted-user-account", - "disabled-user-account" - ] - } - }, - { - "terms": { - "event.code": [ - "4722", - "4720", - "4726", - "4725" - ] - } + "event.code": [ + "4672", + "4648" + ] } - ], - "must_not": [ + } + ], + "must_not": [ { "terms": { - "process.name": - [ "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" ] - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_windows_rare_privilege_assigned_to_user_ea", - "job_id": "pad_windows_rare_privilege_assigned_to_user_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_rare_privilege_assigned_to_user_ea", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "privilege_type" - } + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + 
"packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] } - ] - } + } + ] } } - }, - { - "id": "datafeed-pad_windows_rare_group_name_by_user_ea", - "job_id": "pad_windows_rare_group_name_by_user_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_rare_group_name_by_user_ea", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "added-member-to-group", - "removed-member-from-group" - ] - } - }, - { - "terms": { - "event.code": [ - "4732", - "4728", - "4756", - "4733", - "4729" - ] - } + } + }, + { + "id": "datafeed-pad_windows_high_count_special_privilege_use_events_ea", + "job_id": "pad_windows_high_count_special_privilege_use_events_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_high_count_special_privilege_use_events_ea", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] } - ], - "must_not": [ + }, { "terms": { - "process.name": - [ "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" ] - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_windows_rare_device_by_user_ea", - "job_id": "pad_windows_rare_device_by_user_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_rare_device_by_user_ea", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "exists": { - "field": "host.name" - } - }, - { - "exists": { - "field": "user.name" - } - }, - { - "terms": { - "event.code": [ - "4720", - "4726", - "4722", - "4756", - "4672", - "4673", - "4674", - "4720", - "4728", - "4732", - "4756", - "624", - "632", - "636", - "660", - "4725", - "4723", - "4648", - "4688", - "4729", - "4733", - "4757", - "637", - 
"661" - ] - } + "event.action": [ + "privileged-operation", + "privileged-service-called" + ] + } + }, + { + "terms": { + "event.code": [ + "4673", + "4674" + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-pad_windows_high_count_group_management_events_ea", + "job_id": "pad_windows_high_count_group_management_events_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_high_count_group_management_events_ea", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "added-member-to-group", + "removed-member-from-group" + ] + } + }, + { + "terms": { + "event.code": [ + "4732", + "4728", + "4756", + "4733", + "4729" + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-pad_windows_high_count_user_account_management_events_ea", + "job_id": "pad_windows_high_count_user_account_management_events_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_high_count_user_account_management_events_ea", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "enabled-user-account", + "added-user-account", + "deleted-user-account", + "disabled-user-account" + ] + } + }, + { + "terms": { + "event.code": [ + "4722", + "4720", + "4726", + "4725" + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + 
"elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-pad_windows_rare_privilege_assigned_to_user_ea", + "job_id": "pad_windows_rare_privilege_assigned_to_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_privilege_assigned_to_user_ea", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "privilege_type" + } + } + ] + } + } + } + }, + { + "id": "datafeed-pad_windows_rare_group_name_by_user_ea", + "job_id": "pad_windows_rare_group_name_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_group_name_by_user_ea", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "added-member-to-group", + "removed-member-from-group" + ] + } + }, + { + "terms": { + "event.code": [ + "4732", + "4728", + "4756", + "4733", + "4729" + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-pad_windows_rare_device_by_user_ea", + "job_id": "pad_windows_rare_device_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_device_by_user_ea", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "exists": { + "field": "host.name" + } + }, + { + "exists": { + "field": "user.name" + } + }, + { + "terms": { + "event.code": [ + "4720", + "4726", + "4722", + "4756", + "4672", + "4673", + "4674", + "4720", + "4728", + "4732", + "4756", + "624", + "632", + "636", + 
"660", + "4725", + "4723", + "4648", + "4688", + "4729", + "4733", + "4757", + "637", + "661" + ] + } + } + ], + "must_not": [ + { + "terms": { + "event.action": [ + "log_on", + "created_process" + ] + } + }, + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-pad_windows_rare_source_ip_by_user_ea", + "job_id": "pad_windows_rare_source_ip_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_source_ip_by_user_ea", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "user.name" + } + }, + { + "terms": { + "event.code": [ + "4720", + "4726", + "4722", + "4756", + "4672", + "4673", + "4674", + "4720", + "4728", + "4732", + "4756", + "624", + "632", + "636", + "660", + "4725", + "4723", + "4648", + "4688", + "4729", + "4733", + "4757", + "637", + "661" + ] + } + } + ], + "must_not": [ + { + "terms": { + "event.action": [ + "log_on", + "created_process" + ] + } + }, + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-pad_windows_rare_region_name_by_user_ea", + "job_id": "pad_windows_rare_region_name_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_region_name_by_user_ea", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "exists": { + "field": "source.geo.region_name" + } + }, + { + "exists": { + "field": "user.name" + } + }, + { + 
"terms": { + "event.code": [ + "4720", + "4726", + "4722", + "4756", + "4672", + "4673", + "4674", + "4720", + "4728", + "4732", + "4756", + "624", + "632", + "636", + "660", + "4725", + "4723", + "4648", + "4688", + "4729", + "4733", + "4757", + "637", + "661" + ] + } + } + ], + "must_not": [ + { + "terms": { + "event.action": [ + "log_on", + "created_process" + ] + } + }, + { + "terms": { + "process.name": [ + "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-pad_linux_high_count_privileged_process_events_by_user_ea", + "job_id": "pad_linux_high_count_privileged_process_events_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_linux_high_count_privileged_process_events_by_user_ea", + "query": { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "linux", + "Linux" + ] + } + }, + { + "term": { + "event.category": "process" + } + }, + { + "terms": { + "event.type": [ + "start", + "change" + ] + } + }, + { + "bool": { + "should": [ + { + "match_phrase": { + "process.command_line.text": "LD_PRELOAD" + } + }, + { + "match_phrase": { + "process.command_line.text": "/etc/ld.so.preload" + } + }, + { + "match_phrase": { + "process.command_line.text": "/root/.ssh/authorized_keys" + } + }, + { + "match_phrase": { + "process.command_line.text": "timestamp_timeout=-1" + } + }, + { + "match_phrase": { + "process.command_line.text": "!tty_tickets" + } + }, + { + "match_phrase": { + "process.command_line.text": "var/spool/cron" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl daemon-reload" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw mod user" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw unlock" + } + }, + { + "match_phrase": { + "process.command_line.text": "chmod u+s" + } + }, + 
{ + "match_phrase": { + "process.command_line.text": "sudo setcap cap_setuid" + } + }, + { + "match_phrase": { + "process.command_line.text": "su nobody" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo nobody" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo */root/" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*etc/sudoers" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*visudo" + } + }, + { + "match_phrase": { + "process.command_line.text": "etc/cron.*/" + } + }, + { + "match_phrase": { + "process.command_line.text": "trap*SIGINT" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*2000" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*4000" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl start*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl enable*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bashrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.shrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_logout" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/rc." 
+ } + } + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent", + "elasticsearch-users", + "elastic-agent.exe", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + }, + { + "terms": { + "process.command_line.text": [ + "elastic-agent", + "elasticsearch" + ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-pad_linux_rare_process_executed_by_user_ea", + "job_id": "pad_linux_rare_process_executed_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_linux_rare_process_executed_by_user_ea", + "query": { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "linux", + "Linux" + ] + } + }, + { + "term": { + "event.category": "process" + } + }, + { + "terms": { + "event.type": [ + "start", + "change" + ] + } + }, + { + "bool": { + "should": [ + { + "match_phrase": { + "process.command_line.text": "LD_PRELOAD" + } + }, + { + "match_phrase": { + "process.command_line.text": "/etc/ld.so.preload" + } + }, + { + "match_phrase": { + "process.command_line.text": "/root/.ssh/authorized_keys" + } + }, + { + "match_phrase": { + "process.command_line.text": "timestamp_timeout=-1" + } + }, + { + "match_phrase": { + "process.command_line.text": "!tty_tickets" + } + }, + { + "match_phrase": { + "process.command_line.text": "var/spool/cron" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl daemon-reload" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw mod user" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw unlock" + } + }, + { + "match_phrase": { + "process.command_line.text": "chmod u+s" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo setcap cap_setuid" + } + }, + { + "match_phrase": { + "process.command_line.text": "su nobody" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo nobody" + } + }, + { + 
"match_phrase": { + "process.command_line.text": "sudo */root/" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*etc/sudoers" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*visudo" + } + }, + { + "match_phrase": { + "process.command_line.text": "etc/cron.*/" + } + }, + { + "match_phrase": { + "process.command_line.text": "trap*SIGINT" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*2000" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*4000" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl start*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl enable*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bashrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.shrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_logout" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/rc." 
+ } + } + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent", + "elasticsearch-users", + "elastic-agent.exe", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + }, + { + "terms": { + "process.command_line.text": [ + "elastic-agent", + "elasticsearch" + ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-pad_linux_high_median_process_command_line_entropy_by_user_ea", + "job_id": "pad_linux_high_median_process_command_line_entropy_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_linux_high_median_process_command_line_entropy_by_user_ea", + "query": { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "linux", + "Linux" + ] + } + }, + { + "term": { + "event.category": "process" + } + }, + { + "terms": { + "event.type": [ + "start", + "change" + ] + } + }, + { + "bool": { + "should": [ + { + "match_phrase": { + "process.command_line.text": "LD_PRELOAD" + } + }, + { + "match_phrase": { + "process.command_line.text": "/etc/ld.so.preload" + } + }, + { + "match_phrase": { + "process.command_line.text": "/root/.ssh/authorized_keys" + } + }, + { + "match_phrase": { + "process.command_line.text": "timestamp_timeout=-1" + } + }, + { + "match_phrase": { + "process.command_line.text": "!tty_tickets" + } + }, + { + "match_phrase": { + "process.command_line.text": "var/spool/cron" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl daemon-reload" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw mod user" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw unlock" + } + }, + { + "match_phrase": { + "process.command_line.text": "chmod u+s" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo setcap cap_setuid" + } + }, + { + "match_phrase": { + "process.command_line.text": "su nobody" + } + }, + { + "match_phrase": { + 
"process.command_line.text": "sudo nobody" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo */root/" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*etc/sudoers" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*visudo" + } + }, + { + "match_phrase": { + "process.command_line.text": "etc/cron.*/" + } + }, + { + "match_phrase": { + "process.command_line.text": "trap*SIGINT" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*2000" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*4000" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl start*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl enable*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bashrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.shrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_logout" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/rc." 
+ } + } + ] } - ], + } + ], "must_not": [ { "terms": { - "event.action": [ - "log_on", - "created_process" + "process.name": [ + "elastic-agent", + "elasticsearch-users", + "elastic-agent.exe", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" ] - } - }, + } + }, { "terms": { - "process.name": - [ "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" ] - } - } - ] - } + "process.command_line.text": [ + "elastic-agent", + "elasticsearch" + ] + } + } + ] } } - }, - { - "id": "datafeed-pad_windows_rare_source_ip_by_user_ea", - "job_id": "pad_windows_rare_source_ip_by_user_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_rare_source_ip_by_user_ea", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "user.name" - } - }, - { - "terms": { - "event.code": [ - "4720", - "4726", - "4722", - "4756", - "4672", - "4673", - "4674", - "4720", - "4728", - "4732", - "4756", - "624", - "632", - "636", - "660", - "4725", - "4723", - "4648", - "4688", - "4729", - "4733", - "4757", - "637", - "661" - ] - } + } + }, + { + "id": "datafeed-pad_okta_spike_in_group_membership_changes_ea", + "job_id": "pad_okta_spike_in_group_membership_changes_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_group_membership_changes_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" } - ], - "must_not": [ + }, { "terms": { - "event.action": [ - "log_on", - "created_process" + "okta.event_type": [ + "group.user_membership.add", + "group.user_membership.remove" ] - } - }, - { - "terms": { - "process.name": - [ "elastic-agent.exe", - 
"elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" ] - } - } - ] - } + } + } + ] } } - }, - { - "id": "datafeed-pad_windows_rare_region_name_by_user_ea", - "job_id": "pad_windows_rare_region_name_by_user_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_rare_region_name_by_user_ea", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "exists": { - "field": "source.geo.region_name" - } - }, - { - "exists": { - "field": "user.name" - } - }, - { - "terms": { - "event.code": [ - "4720", - "4726", - "4722", - "4756", - "4672", - "4673", - "4674", - "4720", - "4728", - "4732", - "4756", - "624", - "632", - "636", - "660", - "4725", - "4723", - "4648", - "4688", - "4729", - "4733", - "4757", - "637", - "661" - ] - } + } + }, + { + "id": "datafeed-pad_okta_spike_in_user_lifecycle_management_changes_ea", + "job_id": "pad_okta_spike_in_user_lifecycle_management_changes_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_user_lifecycle_management_changes_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" } - ], - "must_not": [ + }, { "terms": { - "event.action": [ - "log_on", - "created_process" + "okta.event_type": [ + "user.lifecycle.activate", + "user.lifecycle.deactivate", + "user.lifecycle.suspend", + "user.lifecycle.unsuspend", + "user.lifecycle.create", + "user.lifecycle.update" ] - } - }, - { - "terms": { - "process.name": - [ "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" ] - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_linux_high_count_privileged_process_events_by_user_ea", - "job_id": 
"pad_linux_high_count_privileged_process_events_by_user_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_linux_high_count_privileged_process_events_by_user_ea", - "query": { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "linux", - "Linux" - ] - } - }, - { - "term": { - "event.category": "process" - } - }, - { - "terms": { - "event.type": [ - "start", - "change" - ] - } - }, - { - "bool": { - "should": [ - { - "match_phrase": { - "process.command_line.text": "LD_PRELOAD" - } - }, - { - "match_phrase": { - "process.command_line.text": "/etc/ld.so.preload" - } - }, - { - "match_phrase": { - "process.command_line.text": "/root/.ssh/authorized_keys" - } - }, - { - "match_phrase": { - "process.command_line.text": "timestamp_timeout=-1" - } - }, - { - "match_phrase": { - "process.command_line.text": "!tty_tickets" - } - }, - { - "match_phrase": { - "process.command_line.text": "var/spool/cron" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl daemon-reload" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw mod user" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw unlock" - } - }, - { - "match_phrase": { - "process.command_line.text": "chmod u+s" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo setcap cap_setuid" - } - }, - { - "match_phrase": { - "process.command_line.text": "su nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo */root/" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*etc/sudoers" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*visudo" - } - }, - { - "match_phrase": { - "process.command_line.text": "etc/cron.*/" - } - }, - { - "match_phrase": { - "process.command_line.text": "trap*SIGINT" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*2000" - } - }, - 
{ - "match_phrase": { - "process.command_line.text": "find*-perm*4000" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl start*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl enable*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bashrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.shrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_logout" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/rc." - } - } - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent", - "elasticsearch-users", - "elastic-agent.exe", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - }, - { - "terms": { - "process.command_line.text": [ - "elastic-agent", - "elasticsearch" - ] - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_linux_rare_process_executed_by_user_ea", - "job_id": "pad_linux_rare_process_executed_by_user_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_linux_rare_process_executed_by_user_ea", - "query": { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "linux", - "Linux" - ] - } - }, - { - "term": { - "event.category": "process" - } - }, - { - "terms": { - "event.type": [ - "start", - "change" - ] - } - }, - { - "bool": { - "should": [ - { - "match_phrase": { - "process.command_line.text": "LD_PRELOAD" - } - }, - { - "match_phrase": { - "process.command_line.text": "/etc/ld.so.preload" - } - }, - { - "match_phrase": { - "process.command_line.text": "/root/.ssh/authorized_keys" - } - }, - { - "match_phrase": { - "process.command_line.text": "timestamp_timeout=-1" 
- } - }, - { - "match_phrase": { - "process.command_line.text": "!tty_tickets" - } - }, - { - "match_phrase": { - "process.command_line.text": "var/spool/cron" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl daemon-reload" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw mod user" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw unlock" - } - }, - { - "match_phrase": { - "process.command_line.text": "chmod u+s" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo setcap cap_setuid" - } - }, - { - "match_phrase": { - "process.command_line.text": "su nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo */root/" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*etc/sudoers" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*visudo" - } - }, - { - "match_phrase": { - "process.command_line.text": "etc/cron.*/" - } - }, - { - "match_phrase": { - "process.command_line.text": "trap*SIGINT" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*2000" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*4000" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl start*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl enable*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bashrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.shrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_logout" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/rc." 
- } - } - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent", - "elasticsearch-users", - "elastic-agent.exe", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - }, - { - "terms": { - "process.command_line.text": [ - "elastic-agent", - "elasticsearch" - ] - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_linux_high_median_process_command_line_entropy_by_user_ea", - "job_id": "pad_linux_high_median_process_command_line_entropy_by_user_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_linux_high_median_process_command_line_entropy_by_user_ea", - "query": { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "linux", - "Linux" - ] - } - }, - { - "term": { - "event.category": "process" - } - }, - { - "terms": { - "event.type": [ - "start", - "change" - ] - } - }, - { - "bool": { - "should": [ - { - "match_phrase": { - "process.command_line.text": "LD_PRELOAD" - } - }, - { - "match_phrase": { - "process.command_line.text": "/etc/ld.so.preload" - } - }, - { - "match_phrase": { - "process.command_line.text": "/root/.ssh/authorized_keys" - } - }, - { - "match_phrase": { - "process.command_line.text": "timestamp_timeout=-1" - } - }, - { - "match_phrase": { - "process.command_line.text": "!tty_tickets" - } - }, - { - "match_phrase": { - "process.command_line.text": "var/spool/cron" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl daemon-reload" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw mod user" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw unlock" - } - }, - { - "match_phrase": { - "process.command_line.text": "chmod u+s" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo setcap cap_setuid" - } - }, - { - "match_phrase": { - "process.command_line.text": "su nobody" - } - }, - { - "match_phrase": { - 
"process.command_line.text": "sudo nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo */root/" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*etc/sudoers" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*visudo" - } - }, - { - "match_phrase": { - "process.command_line.text": "etc/cron.*/" - } - }, - { - "match_phrase": { - "process.command_line.text": "trap*SIGINT" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*2000" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*4000" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl start*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl enable*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bashrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.shrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_logout" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/rc." 
- } - } - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent", - "elasticsearch-users", - "elastic-agent.exe", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - }, - { - "terms": { - "process.command_line.text": [ - "elastic-agent", - "elasticsearch" - ] - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_okta_spike_in_group_membership_changes_ea", - "job_id": "pad_okta_spike_in_group_membership_changes_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_group_membership_changes_ea", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": ["group.user_membership.add", "group.user_membership.remove"] - } } - ] - } + } + ] } } - }, - { - "id": "datafeed-pad_okta_spike_in_user_lifecycle_management_changes_ea", - "job_id": "pad_okta_spike_in_user_lifecycle_management_changes_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_user_lifecycle_management_changes_ea", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": [ - "user.lifecycle.activate", - "user.lifecycle.deactivate", - "user.lifecycle.suspend", - "user.lifecycle.unsuspend", - "user.lifecycle.create", - "user.lifecycle.update" - ] - } + } + }, + { + "id": "datafeed-pad_okta_spike_in_group_privilege_changes_ea", + "job_id": "pad_okta_spike_in_group_privilege_changes_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_group_privilege_changes_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" } - ] - } - } - } - }, + }, { - "id": "datafeed-pad_okta_spike_in_group_privilege_changes_ea", - "job_id": 
"pad_okta_spike_in_group_privilege_changes_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_group_privilege_changes_ea", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": ["group.privilege.grant", "group.privilege.revoke"] - } + "terms": { + "okta.event_type": [ + "group.privilege.grant", + "group.privilege.revoke" + ] } - ] - } + } + ] } } - }, - { - "id": "datafeed-pad_okta_spike_in_group_application_assignment_changes_ea", + } + }, + { + "id": "datafeed-pad_okta_spike_in_group_application_assignment_changes_ea", + "job_id": "pad_okta_spike_in_group_application_assignment_changes_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], "job_id": "pad_okta_spike_in_group_application_assignment_changes_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_group_application_assignment_changes_ea", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": ["group.application_assignment.add", "group.application_assignment.remove"] - } + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" } - ] - } + }, + { + "terms": { + "okta.event_type": [ + "group.application_assignment.add", + "group.application_assignment.remove" + ] + } + } + ] } } - }, - { - "id": "datafeed-pad_okta_spike_in_group_lifecycle_changes_ea", + } + }, + { + "id": "datafeed-pad_okta_spike_in_group_lifecycle_changes_ea", + "job_id": "pad_okta_spike_in_group_lifecycle_changes_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], "job_id": "pad_okta_spike_in_group_lifecycle_changes_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_group_lifecycle_changes_ea", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - 
}, - { - "terms": { - "okta.event_type": ["group.lifecycle.create", "group.lifecycle.delete"] - } + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" } - ] - } + }, + { + "terms": { + "okta.event_type": [ + "group.lifecycle.create", + "group.lifecycle.delete" + ] + } + } + ] } } - }, - { - "id": "datafeed-pad_okta_high_sum_concurrent_sessions_by_user_ea", + } + }, + { + "id": "datafeed-pad_okta_high_sum_concurrent_sessions_by_user_ea", + "job_id": "pad_okta_high_sum_concurrent_sessions_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], "job_id": "pad_okta_high_sum_concurrent_sessions_by_user_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_high_sum_concurrent_sessions_by_user_ea", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "user.name" - } - }, - { - "exists": { - "field": "okta_distinct_ips" - } - }, - { - "range": { - "okta_distinct_ips": { - "gte": 2 - } - } - }, - { - "range": { - "okta_distinct_countries": { - "gte": 2 - } - } - }, - { - "term": { - "okta_session_info.has_end_event": 0 - } + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "user.email" + } + }, + { + "exists": { + "field": "okta_distinct_ips" + } + }, + { + "range": { + "okta_distinct_ips": { + "gte": 2 + } + } + }, + { + "range": { + "okta_distinct_countries": { + "gte": 2 } - ] + } + }, + { + "term": { + "okta_session_info.has_end_event": 0 + } } - } + ] + } } - }, - { - "id": "datafeed-pad_okta_rare_source_ip_by_user_ea", + } + }, + { + "id": "datafeed-pad_okta_rare_source_ip_by_user_ea", + "job_id": "pad_okta_rare_source_ip_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], "job_id": "pad_okta_rare_source_ip_by_user_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_rare_source_ip_by_user_ea", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - 
"exists": { - "field": "source.ip" - } - }, - { - "terms": { - "okta.event_type": [ - "group.lifecycle.create", - "group.lifecycle.delete", - "group.user_membership.add", - "group.user_membership.remove", - "user.lifecycle.activate", - "user.lifecycle.deactivate", - "user.lifecycle.suspend", - "user.lifecycle.unsuspend", - "user.lifecycle.create", - "user.lifecycle.update", - "group.privilege.grant", - "group.privilege.revoke", - "group.application_assignment.add", - "group.application_assignment.remove"] - } + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" } - ] - } + }, + { + "exists": { + "field": "source.ip" + } + }, + { + "terms": { + "okta.event_type": [ + "group.lifecycle.create", + "group.lifecycle.delete", + "group.user_membership.add", + "group.user_membership.remove", + "user.lifecycle.activate", + "user.lifecycle.deactivate", + "user.lifecycle.suspend", + "user.lifecycle.unsuspend", + "user.lifecycle.create", + "user.lifecycle.update", + "group.privilege.grant", + "group.privilege.revoke", + "group.application_assignment.add", + "group.application_assignment.remove" + ] + } + } + ] } } - }, - { - "id": "datafeed-pad_okta_rare_region_name_by_user_ea", + } + }, + { + "id": "datafeed-pad_okta_rare_region_name_by_user_ea", + "job_id": "pad_okta_rare_region_name_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], "job_id": "pad_okta_rare_region_name_by_user_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_rare_region_name_by_user_ea", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "exists": { - "field": "client.geo.region_name" - } - }, - { - "terms": { - "okta.event_type": [ - "group.lifecycle.create", - "group.lifecycle.delete", - "group.user_membership.add", - "group.user_membership.remove", - "user.lifecycle.activate", - "user.lifecycle.deactivate", - "user.lifecycle.suspend", - 
"user.lifecycle.unsuspend", - "user.lifecycle.create", - "user.lifecycle.update", - "group.privilege.grant", - "group.privilege.revoke", - "group.application_assignment.add", - "group.application_assignment.remove"] - } + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" } - ] - } + }, + { + "exists": { + "field": "client.geo.region_name" + } + }, + { + "terms": { + "okta.event_type": [ + "group.lifecycle.create", + "group.lifecycle.delete", + "group.user_membership.add", + "group.user_membership.remove", + "user.lifecycle.activate", + "user.lifecycle.deactivate", + "user.lifecycle.suspend", + "user.lifecycle.unsuspend", + "user.lifecycle.create", + "user.lifecycle.update", + "group.privilege.grant", + "group.privilege.revoke", + "group.application_assignment.add", + "group.application_assignment.remove" + ] + } + } + ] } } - }, - { - "id": "datafeed-pad_okta_rare_host_name_by_user_ea", + } + }, + { + "id": "datafeed-pad_okta_rare_host_name_by_user_ea", + "job_id": "pad_okta_rare_host_name_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], "job_id": "pad_okta_rare_host_name_by_user_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_rare_host_name_by_user_ea", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "exists": { - "field": "agent.name" - } - }, - { - "terms": { - "okta.event_type": [ - "group.lifecycle.create", - "group.lifecycle.delete", - "group.user_membership.add", - "group.user_membership.remove", - "user.lifecycle.activate", - "user.lifecycle.deactivate", - "user.lifecycle.suspend", - "user.lifecycle.unsuspend", - "user.lifecycle.create", - "user.lifecycle.update", - "group.privilege.grant", - "group.privilege.revoke", - "group.application_assignment.add", - "group.application_assignment.remove"] - } + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" } - ] - 
} + }, + { + "exists": { + "field": "agent.name" + } + }, + { + "terms": { + "okta.event_type": [ + "group.lifecycle.create", + "group.lifecycle.delete", + "group.user_membership.add", + "group.user_membership.remove", + "user.lifecycle.activate", + "user.lifecycle.deactivate", + "user.lifecycle.suspend", + "user.lifecycle.unsuspend", + "user.lifecycle.create", + "user.lifecycle.update", + "group.privilege.grant", + "group.privilege.revoke", + "group.application_assignment.add", + "group.application_assignment.remove" + ] + } + } + ] } } } - ] - }, - "id": "pad-ml", - "migrationVersion": { - "search": "7.16.0" - }, - "references": [], - "type": "ml-module" + } + ] + }, + "id": "pad-ml", + "migrationVersion": { + "search": "7.16.0" + }, + "references": [], + "type": "ml-module" } \ No newline at end of file From 6544e7a8b2694c1208ec174efb0a0cbf66d41d76 Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Thu, 12 Mar 2026 10:57:29 -0500 Subject: [PATCH 16/44] fix PAD ML job formatting --- packages/pad/kibana/ml_module/pad-ml.json | 4635 ++++++++++----------- 1 file changed, 2306 insertions(+), 2329 deletions(-) diff --git a/packages/pad/kibana/ml_module/pad-ml.json b/packages/pad/kibana/ml_module/pad-ml.json index 59c836d46c7..d8246ca4a93 100644 --- a/packages/pad/kibana/ml_module/pad-ml.json +++ b/packages/pad/kibana/ml_module/pad-ml.json 
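Review bot: the `must_not` exclusion on `process.command_line.text` added in the pad-ml.json hunk of PATCH 01/44 (Add EUIDs) above uses a `terms` query against an analyzed text field, so it will not behave like the `process.name` exclusion next to it: `terms` does not analyze its values, so (assuming the default standard analyzer on the `.text` multi-field) `"elastic-agent"` will never match a command line that is indexed as the tokens `elastic` and `agent`, while `"elasticsearch"` excludes every event whose command line contains that token anywhere. If the intent is to exclude Elastic's own processes, keep the exclusion on `process.name`, or use `match_phrase` on the `.text` field the way the `should` clauses in the removed Linux datafeeds do, and note the intended semantics in a comment or the changelog. Two further points on the same hunk: the `pad_okta_high_sum_concurrent_sessions_by_user_ea` datafeed's `exists` filter changes from `"field": "user.name"` to `"field": "user.email"`, a behavioural change buried in a reindentation diff that should be called out in the changelog and checked against that job's partition field; and because the file was reordered and reindented in the same commit, the diff pairs unrelated datafeeds (removed `datafeed-pad_windows_rare_source_ip_by_user_ea` lines against added `datafeed-pad_okta_spike_in_group_membership_changes_ea` lines), so a reviewer cannot tell from the hunk which datafeeds survive; a whitespace-insensitive or JSON-aware comparison, or splitting the reorder from the content changes, would make this reviewable.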
@@ -1,2450 +1,2427 @@ { - "attributes": { - "id": "pad-ml", - "title": "Privileged Access Detection", - "description": "Detects anomalous privileged access activity in the Windows, Linux and Okta logs.", - "type": "pad", - "logo": { - "icon": "machineLearningApp" - }, - "query": { - "bool": { - "should": [ - { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] + "attributes": { + "id": "pad-ml", + "title": "Privileged Access Detection", + "description": "Detects anomalous privileged access activity in the Windows, Linux and Okta logs.", + "type": "pad", + "logo": { + "icon": "machineLearningApp" + }, + "query": { + "bool": { + "should": [ + { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "exists": { + "field": "winlog.event_id" + } } - }, - { - "exists": { - "field": "winlog.event_id" + ] + } + }, + { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "linux", + "Linux" + ] + } + }, + { + "term": { + "event.category": "process" + } } - } - ] + ] + } + }, + { + "exists": { + "field": "privilege_type" + } + }, + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "exists": { + "field": "okta_distinct_ips" + } } - }, - { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "linux", - "Linux" - ] - } - }, - { - "term": { - "event.category": "process" - } - } + ], + "must_not": { + "terms": { + "_tier": [ + "data_frozen", + "data_cold" ] } - }, - { - "exists": { - "field": "privilege_type" - } - }, - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "exists": { - "field": "okta_distinct_ips" - } - } - ], - "must_not": { - "terms": { - "_tier": [ - "data_frozen", - "data_cold" - ] } } - } - }, - "jobs": [ - { - "id": "pad_windows_high_count_special_logon_events_ea", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects unusually high special logon events initiated by a user.", - 
"analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of special logon events", - "function": "high_non_zero_count", - "by_field_name": "event.action", - "partition_field_name": "user.name", - "detector_index": 0 - } + }, + "jobs": [ + { + "id": "pad_windows_high_count_special_logon_events_ea", + "config": { + "groups": [ + "security", + "pad", + "windows" ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "winlog.event_data.SubjectUserName", - "winlog.event_data.PrivilegeList", - "winlog.event_data.TargetUserName", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects unusually high special logon events initiated by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of special logon events", + "function": "high_non_zero_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "winlog.event_data.SubjectUserName", + "winlog.event_data.PrivilegeList", + "winlog.event_data.TargetUserName", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": "pad_windows_high_count_special_privilege_use_events_ea", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects unusually high special privilege use events initiated by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of special privilege use events", - "function": "high_non_zero_count", - "by_field_name": "event.action", - 
"partition_field_name": "user.name", - "detector_index": 0 - } + }, + { + "id": "pad_windows_high_count_special_privilege_use_events_ea", + "config": { + "groups": [ + "security", + "pad", + "windows" ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "winlog.event_data.SubjectUserName", - "winlog.event_data.PrivilegeList", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects unusually high special privilege use events initiated by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of special privilege use events", + "function": "high_non_zero_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "winlog.event_data.SubjectUserName", + "winlog.event_data.PrivilegeList", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": "pad_windows_high_count_group_management_events_ea", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects unusually high security group management events initiated by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of security group management events", - "function": "high_non_zero_count", - "by_field_name": "event.action", - "partition_field_name": "user.name", - "detector_index": 0 - } + }, + { + "id": "pad_windows_high_count_group_management_events_ea", + "config": { + "groups": [ + "security", + "pad", + "windows" ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - 
"user.id", - "winlog.event_data.SubjectUserName", - "group.name", - "winlog.event_data.TargetUserName" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects unusually high security group management events initiated by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of security group management events", + "function": "high_non_zero_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "winlog.event_data.SubjectUserName", + "group.name", + "winlog.event_data.TargetUserName" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": "pad_windows_high_count_user_account_management_events_ea", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects unusually high security user account management events initiated by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of security user account management events", - "function": "high_non_zero_count", - "by_field_name": "event.action", - "partition_field_name": "user.name", - "detector_index": 0 - } + }, + { + "id": "pad_windows_high_count_user_account_management_events_ea", + "config": { + "groups": [ + "security", + "pad", + "windows" ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "winlog.event_data.SubjectUserName", - "winlog.event_data.TargetUserName" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": 
"Detects unusually high security user account management events initiated by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of security user account management events", + "function": "high_non_zero_count", + "by_field_name": "event.action", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "winlog.event_data.SubjectUserName", + "winlog.event_data.TargetUserName" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": "pad_windows_rare_privilege_assigned_to_user_ea", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects an unusual privilege type assigned to a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare privilege type by user name", - "function": "rare", - "by_field_name": "privilege_type", - "partition_field_name": "user.name", - "detector_index": 0 - } + }, + { + "id": "pad_windows_rare_privilege_assigned_to_user_ea", + "config": { + "groups": [ + "security", + "pad", + "windows" ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "privilege_type", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects an unusual privilege type assigned to a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare privilege type by user name", + "function": "rare", + "by_field_name": "privilege_type", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + 
"user.id", + "privilege_type", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": "pad_windows_rare_group_name_by_user_ea", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects an unusual group name accessed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare group name by user name", - "function": "rare", - "by_field_name": "group.name", - "partition_field_name": "user.name", - "detector_index": 0 - } + }, + { + "id": "pad_windows_rare_group_name_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "windows" ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "group.name", - "winlog.event_data.TargetUserName", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects an unusual group name accessed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare group name by user name", + "function": "rare", + "by_field_name": "group.name", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "group.name", + "winlog.event_data.TargetUserName", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": "pad_windows_rare_device_by_user_ea", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects an unusual device accessed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - 
"detector_description": "Rare device name by user name", - "function": "rare", - "by_field_name": "host.name", - "partition_field_name": "user.name", - "detector_index": 0 - } + }, + { + "id": "pad_windows_rare_device_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "windows" ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "group.name", - "winlog.event_data.PrivilegeList", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects an unusual device accessed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare device name by user name", + "function": "rare", + "by_field_name": "host.name", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "group.name", + "winlog.event_data.PrivilegeList", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": "pad_windows_rare_source_ip_by_user_ea", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects an unusual source IP address accessed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare source IP by user name", - "function": "rare", - "by_field_name": "source.ip", - "partition_field_name": "user.name", - "detector_index": 0 - } + }, + { + "id": "pad_windows_rare_source_ip_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "windows" ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "source.ip", - "winlog.event_data.PrivilegeList", - "event.action" - ] - }, - 
"data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects an unusual source IP address accessed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare source IP by user name", + "function": "rare", + "by_field_name": "source.ip", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "source.ip", + "winlog.event_data.PrivilegeList", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": "pad_windows_rare_region_name_by_user_ea", - "config": { - "groups": [ - "security", - "pad", - "windows" - ], - "description": "Detects an unusual region name for a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare region name by user", - "function": "rare", - "by_field_name": "source.geo.region_name", - "partition_field_name": "user.name", - "detector_index": 0 - } + }, + { + "id": "pad_windows_rare_region_name_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "windows" ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "source.geo.city_name", - "source.geo.country_name", - "winlog.event_data.PrivilegeList", - "event.action" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects an unusual region name for a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare region name by user", + "function": "rare", + "by_field_name": "source.geo.region_name", + "partition_field_name": 
"user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "source.geo.city_name", + "source.geo.country_name", + "winlog.event_data.PrivilegeList", + "event.action" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": "pad_linux_high_count_privileged_process_events_by_user_ea", - "config": { - "groups": [ - "security", - "pad", - "linux" - ], - "description": "Detects a spike in privileged commands executed by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of privileged processes by user name", - "function": "high_non_zero_count", - "partition_field_name": "user.name", - "detector_index": 0 - } + }, + { + "id": "pad_linux_high_count_privileged_process_events_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "linux" ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "process.name", - "process.command_line" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects a spike in privileged commands executed by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of privileged processes by user name", + "function": "high_non_zero_count", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "process.name", + "process.command_line" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": "pad_linux_rare_process_executed_by_user_ea", - 
"config": { - "groups": [ - "security", - "pad", - "linux" - ], - "description": "Detects a rare process executed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare process by user name", - "function": "rare", - "by_field_name": "process.name", - "partition_field_name": "user.name", - "detector_index": 0 - } + }, + { + "id": "pad_linux_rare_process_executed_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "linux" ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "process.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects a rare process executed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare process by user name", + "function": "rare", + "by_field_name": "process.name", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "process.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": "pad_linux_high_median_process_command_line_entropy_by_user_ea", - "config": { - "groups": [ - "security", - "pad", - "linux" - ], - "description": "Detects process command lines executed by a user with an abnormally high median entropy value. This job requires some manual setup before it can run successfully, specifically adding custom field mappings for data coming from an ingest pipeline. 
Instructions for these steps are available in the package overview.", - "analysis_config": { - "bucket_span": "30m", - "detectors": [ - { - "detector_description": "High median of process argument count by user name", - "function": "high_median", - "field_name": "process.command_line_entropy", - "partition_field_name": "user.name", - "detector_index": 0 - } + }, + { + "id": "pad_linux_high_median_process_command_line_entropy_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "linux" ], - "influencers": [ - "host.name", - "host.id", - "user.name", - "event.module", - "user.id", - "process.command_line" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects process command lines executed by a user with an abnormally high median entropy value. This job requires some manual setup before it can run successfully, specifically adding custom field mappings for data coming from an ingest pipeline. 
Instructions for these steps are available in the package overview.", + "analysis_config": { + "bucket_span": "30m", + "detectors": [ + { + "detector_description": "High median of process argument count by user name", + "function": "high_median", + "field_name": "process.command_line_entropy", + "partition_field_name": "user.name", + "detector_index": 0 + } + ], + "influencers": [ + "host.name", + "host.id", + "user.name", + "event.module", + "user.id", + "process.command_line" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": "pad_okta_spike_in_group_membership_changes_ea", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects spike in group membership change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of group membership okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "user.email", - "detector_index": 0 - } + }, + { + "id": "pad_okta_spike_in_group_membership_changes_ea", + "config": { + "groups": [ + "security", + "pad", + "okta" ], - "influencers": [ - "agent.name", - "user.email", - "event.module", - "source.user.full_name", - "user.target.full_name", - "user.target.group.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects spike in group membership change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of group membership okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "user.email", + "detector_index": 0 + } + ], + "influencers": [ + "agent.name", + 
"user.email", + "event.module", + "source.user.full_name", + "user.target.full_name", + "user.target.group.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": "pad_okta_spike_in_user_lifecycle_management_changes_ea", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects spike in user lifecycle management change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of user lifecycle management okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "user.email", - "detector_index": 0 - } + }, + { + "id": "pad_okta_spike_in_user_lifecycle_management_changes_ea", + "config": { + "groups": [ + "security", + "pad", + "okta" ], - "influencers": [ - "agent.name", - "user.email", - "event.module", - "source.user.full_name", - "user.target.full_name", - "user.target.group.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects spike in user lifecycle management change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of user lifecycle management okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "user.email", + "detector_index": 0 + } + ], + "influencers": [ + "agent.name", + "user.email", + "event.module", + "source.user.full_name", + "user.target.full_name", + "user.target.group.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": 
"pad_okta_spike_in_group_privilege_changes_ea", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects spike in group privilege change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of group privilege okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "user.email", - "detector_index": 0 - } + }, + { + "id": "pad_okta_spike_in_group_privilege_changes_ea", + "config": { + "groups": [ + "security", + "pad", + "okta" ], - "influencers": [ - "agent.name", - "user.email", - "event.module", - "source.user.full_name", - "user.target.full_name", - "user.target.group.name", - "okta.debug_context.debug_data.privilegeGranted", - "okta.debug_context.debug_data.privilegeRevoked" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects spike in group privilege change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of group privilege okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "user.email", + "detector_index": 0 + } + ], + "influencers": [ + "agent.name", + "user.email", + "event.module", + "source.user.full_name", + "user.target.full_name", + "user.target.group.name", + "okta.debug_context.debug_data.privilegeGranted", + "okta.debug_context.debug_data.privilegeRevoked" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": "pad_okta_spike_in_group_application_assignment_changes_ea", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects spike in group 
application assignment change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of group application assignment okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "user.email", - "detector_index": 0 - } + }, + { + "id": "pad_okta_spike_in_group_application_assignment_changes_ea", + "config": { + "groups": [ + "security", + "pad", + "okta" ], - "influencers": [ - "agent.name", - "user.email", - "event.module", - "source.user.full_name", - "user.target.group.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects spike in group application assignment change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of group application assignment okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "user.email", + "detector_index": 0 + } + ], + "influencers": [ + "agent.name", + "user.email", + "event.module", + "source.user.full_name", + "user.target.group.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": "pad_okta_spike_in_group_lifecycle_changes_ea", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects spike in group lifecycle change events by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High count of group lifecycle okta events by user name", - "function": "high_non_zero_count", - "by_field_name": "okta.event_type", - "partition_field_name": "user.email", - "detector_index": 0 - } + }, + { + "id": 
"pad_okta_spike_in_group_lifecycle_changes_ea", + "config": { + "groups": [ + "security", + "pad", + "okta" ], - "influencers": [ - "agent.name", - "user.email", - "event.module", - "source.user.full_name", - "user.target.group.name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects spike in group lifecycle change events by a user.", + "analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High count of group lifecycle okta events by user name", + "function": "high_non_zero_count", + "by_field_name": "okta.event_type", + "partition_field_name": "user.email", + "detector_index": 0 + } + ], + "influencers": [ + "agent.name", + "user.email", + "event.module", + "source.user.full_name", + "user.target.group.name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": "pad_okta_high_sum_concurrent_sessions_by_user_ea", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects an unusual sum of active sessions started by a user.", - "analysis_config": { - "bucket_span": "3h", - "detectors": [ - { - "detector_description": "High sum of distinct source ips by user name", - "function": "high_sum", - "field_name": "okta_distinct_ips", - "partition_field_name": "user.email", - "detector_index": 0 - } + }, + { + "id": "pad_okta_high_sum_concurrent_sessions_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "okta" ], - "influencers": [ - "user.email", - "event.module", - "agent.name", - "source.user.full_name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects an unusual sum of active sessions started by a user.", + 
"analysis_config": { + "bucket_span": "3h", + "detectors": [ + { + "detector_description": "High sum of distinct source ips by user name", + "function": "high_sum", + "field_name": "okta_distinct_ips", + "partition_field_name": "user.email", + "detector_index": 0 + } + ], + "influencers": [ + "user.email", + "event.module", + "agent.name", + "source.user.full_name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": "pad_okta_rare_source_ip_by_user_ea", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects an unusual source IP address accessed by a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare source ip by user name", - "function": "rare", - "by_field_name": "source.ip", - "partition_field_name": "user.email", - "detector_index": 0 - } + }, + { + "id": "pad_okta_rare_source_ip_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "okta" ], - "influencers": [ - "agent.name", - "source.user.full_name", - "user.target.group.name", - "okta.event_type" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects an unusual source IP address accessed by a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare source ip by user name", + "function": "rare", + "by_field_name": "source.ip", + "partition_field_name": "user.email", + "detector_index": 0 + } + ], + "influencers": [ + "agent.name", + "source.user.full_name", + "user.target.group.name", + "okta.event_type" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": 
"pad_okta_rare_region_name_by_user_ea", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects an unusual region name for a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare region name by user name", - "function": "rare", - "by_field_name": "client.geo.region_name", - "partition_field_name": "user.email", - "detector_index": 0 - } + }, + { + "id": "pad_okta_rare_region_name_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + "okta" ], - "influencers": [ - "agent.name", - "source.user.full_name", - "user.target.group.name", - "okta.event_type", - "client.geo.country_name" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects an unusual region name for a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare region name by user name", + "function": "rare", + "by_field_name": "client.geo.region_name", + "partition_field_name": "user.email", + "detector_index": 0 + } + ], + "influencers": [ + "agent.name", + "source.user.full_name", + "user.target.group.name", + "okta.event_type", + "client.geo.country_name" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } - } - }, - { - "id": "pad_okta_rare_host_name_by_user_ea", - "config": { - "groups": [ - "security", - "pad", - "okta" - ], - "description": "Detects an unusual host name for a user.", - "analysis_config": { - "bucket_span": "1h", - "detectors": [ - { - "detector_description": "Rare host name by user name", - "function": "rare", - "by_field_name": "host.name", - "partition_field_name": "user.email", - "detector_index": 0 - } + }, + { + "id": "pad_okta_rare_host_name_by_user_ea", + "config": { + "groups": [ + "security", + "pad", + 
"okta" ], - "influencers": [ - "agent.name", - "source.user.full_name", - "user.target.group.name", - "okta.event_type" - ] - }, - "data_description": { - "time_field": "@timestamp", - "time_format": "epoch_ms" - }, - "custom_settings": { - "created_by": "ml-module-pad" + "description": "Detects an unusual host name for a user.", + "analysis_config": { + "bucket_span": "1h", + "detectors": [ + { + "detector_description": "Rare host name by user name", + "function": "rare", + "by_field_name": "host.name", + "partition_field_name": "user.email", + "detector_index": 0 + } + ], + "influencers": [ + "agent.name", + "source.user.full_name", + "user.target.group.name", + "okta.event_type" + ] + }, + "data_description": { + "time_field": "@timestamp", + "time_format": "epoch_ms" + }, + "custom_settings": { + "created_by": "ml-module-pad" + } } } - } - ], - "datafeeds": [ - { - "id": "datafeed-pad_windows_high_count_special_logon_events_ea", - "job_id": "pad_windows_high_count_special_logon_events_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], + ], + "datafeeds": [ + { + "id": "datafeed-pad_windows_high_count_special_logon_events_ea", "job_id": "pad_windows_high_count_special_logon_events_ea", - "query": { - "bool": { - "filter": [ + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_high_count_special_logon_events_ea", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "logged-in-special", + "logged-in-explicit" + ] + } + }, + { + "terms": { + "event.code": [ + "4672", + "4648" + ] + } + } + ], + "must_not": [ { "terms": { - "host.os.type": [ - "windows", - "Windows" - ] + "process.name": + [ "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" ] + } + } + ] + } + } + } + }, + { + "id": 
"datafeed-pad_windows_high_count_special_privilege_use_events_ea", + "job_id": "pad_windows_high_count_special_privilege_use_events_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_high_count_special_privilege_use_events_ea", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "privileged-operation", + "privileged-service-called" + ] + } + }, + { + "terms": { + "event.code": [ + "4673", + "4674" + ] + } } - }, + ], + "must_not": [ { "terms": { - "event.action": [ - "logged-in-special", - "logged-in-explicit" - ] + "process.name": + [ "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-pad_windows_high_count_group_management_events_ea", + "job_id": "pad_windows_high_count_group_management_events_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_high_count_group_management_events_ea", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "added-member-to-group", + "removed-member-from-group" + ] + } + }, + { + "terms": { + "event.code": [ + "4732", + "4728", + "4756", + "4733", + "4729" + ] + } } - }, + ], + "must_not": [ { "terms": { - "event.code": [ - "4672", - "4648" - ] + "process.name": + [ "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-pad_windows_high_count_user_account_management_events_ea", + "job_id": "pad_windows_high_count_user_account_management_events_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": 
"pad_windows_high_count_user_account_management_events_ea", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + "enabled-user-account", + "added-user-account", + "deleted-user-account", + "disabled-user-account" + ] + } + }, + { + "terms": { + "event.code": [ + "4722", + "4720", + "4726", + "4725" + ] + } } - } - ], - "must_not": [ + ], + "must_not": [ { "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] + "process.name": + [ "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-pad_windows_rare_privilege_assigned_to_user_ea", + "job_id": "pad_windows_rare_privilege_assigned_to_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_privilege_assigned_to_user_ea", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "privilege_type" + } } - } - ] + ] + } } } - } - }, - { - "id": "datafeed-pad_windows_high_count_special_privilege_use_events_ea", - "job_id": "pad_windows_high_count_special_privilege_use_events_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_high_count_special_privilege_use_events_ea", - "query": { - "bool": { - "filter": [ + }, + { + "id": "datafeed-pad_windows_rare_group_name_by_user_ea", + "job_id": "pad_windows_rare_group_name_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_group_name_by_user_ea", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "terms": { + "event.action": [ + 
"added-member-to-group", + "removed-member-from-group" + ] + } + }, + { + "terms": { + "event.code": [ + "4732", + "4728", + "4756", + "4733", + "4729" + ] + } + } + ], + "must_not": [ { "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "privileged-operation", - "privileged-service-called" - ] - } - }, - { - "terms": { - "event.code": [ - "4673", - "4674" - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_windows_high_count_group_management_events_ea", - "job_id": "pad_windows_high_count_group_management_events_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_high_count_group_management_events_ea", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "added-member-to-group", - "removed-member-from-group" - ] - } - }, - { - "terms": { - "event.code": [ - "4732", - "4728", - "4756", - "4733", - "4729" - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_windows_high_count_user_account_management_events_ea", - "job_id": "pad_windows_high_count_user_account_management_events_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_high_count_user_account_management_events_ea", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - 
"enabled-user-account", - "added-user-account", - "deleted-user-account", - "disabled-user-account" - ] - } - }, - { - "terms": { - "event.code": [ - "4722", - "4720", - "4726", - "4725" - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_windows_rare_privilege_assigned_to_user_ea", - "job_id": "pad_windows_rare_privilege_assigned_to_user_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_rare_privilege_assigned_to_user_ea", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "privilege_type" - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_windows_rare_group_name_by_user_ea", - "job_id": "pad_windows_rare_group_name_by_user_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_rare_group_name_by_user_ea", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "terms": { - "event.action": [ - "added-member-to-group", - "removed-member-from-group" - ] - } - }, - { - "terms": { - "event.code": [ - "4732", - "4728", - "4756", - "4733", - "4729" - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_windows_rare_device_by_user_ea", - "job_id": "pad_windows_rare_device_by_user_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_rare_device_by_user_ea", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "exists": 
{ - "field": "host.name" - } - }, - { - "exists": { - "field": "user.name" - } - }, - { - "terms": { - "event.code": [ - "4720", - "4726", - "4722", - "4756", - "4672", - "4673", - "4674", - "4720", - "4728", - "4732", - "4756", - "624", - "632", - "636", - "660", - "4725", - "4723", - "4648", - "4688", - "4729", - "4733", - "4757", - "637", - "661" - ] - } - } - ], - "must_not": [ - { - "terms": { - "event.action": [ - "log_on", - "created_process" - ] - } - }, - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_windows_rare_source_ip_by_user_ea", - "job_id": "pad_windows_rare_source_ip_by_user_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_windows_rare_source_ip_by_user_ea", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "exists": { - "field": "source.ip" - } - }, - { - "exists": { - "field": "user.name" - } - }, - { - "terms": { - "event.code": [ - "4720", - "4726", - "4722", - "4756", - "4672", - "4673", - "4674", - "4720", - "4728", - "4732", - "4756", - "624", - "632", - "636", - "660", - "4725", - "4723", - "4648", - "4688", - "4729", - "4733", - "4757", - "637", - "661" - ] - } - } - ], - "must_not": [ - { - "terms": { - "event.action": [ - "log_on", - "created_process" - ] - } - }, - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_windows_rare_region_name_by_user_ea", - "job_id": "pad_windows_rare_region_name_by_user_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": 
"pad_windows_rare_region_name_by_user_ea", - "query": { - "bool": { - "filter": [ - { - "terms": { - "host.os.type": [ - "windows", - "Windows" - ] - } - }, - { - "exists": { - "field": "source.geo.region_name" - } - }, - { - "exists": { - "field": "user.name" - } - }, - { - "terms": { - "event.code": [ - "4720", - "4726", - "4722", - "4756", - "4672", - "4673", - "4674", - "4720", - "4728", - "4732", - "4756", - "624", - "632", - "636", - "660", - "4725", - "4723", - "4648", - "4688", - "4729", - "4733", - "4757", - "637", - "661" - ] - } - } - ], - "must_not": [ - { - "terms": { - "event.action": [ - "log_on", - "created_process" - ] - } - }, - { - "terms": { - "process.name": [ - "elastic-agent.exe", - "elastic-agent", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_linux_high_count_privileged_process_events_by_user_ea", - "job_id": "pad_linux_high_count_privileged_process_events_by_user_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_linux_high_count_privileged_process_events_by_user_ea", - "query": { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "linux", - "Linux" - ] - } - }, - { - "term": { - "event.category": "process" - } - }, - { - "terms": { - "event.type": [ - "start", - "change" - ] - } - }, - { - "bool": { - "should": [ - { - "match_phrase": { - "process.command_line.text": "LD_PRELOAD" - } - }, - { - "match_phrase": { - "process.command_line.text": "/etc/ld.so.preload" - } - }, - { - "match_phrase": { - "process.command_line.text": "/root/.ssh/authorized_keys" - } - }, - { - "match_phrase": { - "process.command_line.text": "timestamp_timeout=-1" - } - }, - { - "match_phrase": { - "process.command_line.text": "!tty_tickets" - } - }, - { - "match_phrase": { - "process.command_line.text": "var/spool/cron" - } - }, - { - "match_phrase": { - 
"process.command_line.text": "systemctl daemon-reload" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw mod user" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw unlock" - } - }, - { - "match_phrase": { - "process.command_line.text": "chmod u+s" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo setcap cap_setuid" - } - }, - { - "match_phrase": { - "process.command_line.text": "su nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo */root/" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*etc/sudoers" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*visudo" - } - }, - { - "match_phrase": { - "process.command_line.text": "etc/cron.*/" - } - }, - { - "match_phrase": { - "process.command_line.text": "trap*SIGINT" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*2000" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*4000" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl start*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl enable*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bashrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.shrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_logout" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/rc." 
- } - } - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent", - "elasticsearch-users", - "elastic-agent.exe", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - }, - { - "terms": { - "process.command_line.text": [ - "elastic-agent", - "elasticsearch" - ] - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_linux_rare_process_executed_by_user_ea", - "job_id": "pad_linux_rare_process_executed_by_user_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_linux_rare_process_executed_by_user_ea", - "query": { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "linux", - "Linux" - ] - } - }, - { - "term": { - "event.category": "process" - } - }, - { - "terms": { - "event.type": [ - "start", - "change" - ] - } - }, - { - "bool": { - "should": [ - { - "match_phrase": { - "process.command_line.text": "LD_PRELOAD" - } - }, - { - "match_phrase": { - "process.command_line.text": "/etc/ld.so.preload" - } - }, - { - "match_phrase": { - "process.command_line.text": "/root/.ssh/authorized_keys" - } - }, - { - "match_phrase": { - "process.command_line.text": "timestamp_timeout=-1" - } - }, - { - "match_phrase": { - "process.command_line.text": "!tty_tickets" - } - }, - { - "match_phrase": { - "process.command_line.text": "var/spool/cron" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl daemon-reload" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw mod user" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw unlock" - } - }, - { - "match_phrase": { - "process.command_line.text": "chmod u+s" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo setcap cap_setuid" - } - }, - { - "match_phrase": { - "process.command_line.text": "su nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo nobody" - } - }, - { - 
"match_phrase": { - "process.command_line.text": "sudo */root/" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*etc/sudoers" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*visudo" - } - }, - { - "match_phrase": { - "process.command_line.text": "etc/cron.*/" - } - }, - { - "match_phrase": { - "process.command_line.text": "trap*SIGINT" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*2000" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*4000" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl start*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl enable*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bashrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.shrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_logout" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/rc." 
- } - } - ] - } - } - ], - "must_not": [ - { - "terms": { - "process.name": [ - "elastic-agent", - "elasticsearch-users", - "elastic-agent.exe", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" - ] - } - }, - { - "terms": { - "process.command_line.text": [ - "elastic-agent", - "elasticsearch" - ] - } - } - ] - } - } - } - }, - { - "id": "datafeed-pad_linux_high_median_process_command_line_entropy_by_user_ea", - "job_id": "pad_linux_high_median_process_command_line_entropy_by_user_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_linux_high_median_process_command_line_entropy_by_user_ea", - "query": { - "bool": { - "must": [ - { - "terms": { - "host.os.type": [ - "linux", - "Linux" - ] - } - }, - { - "term": { - "event.category": "process" - } - }, - { - "terms": { - "event.type": [ - "start", - "change" - ] - } - }, - { - "bool": { - "should": [ - { - "match_phrase": { - "process.command_line.text": "LD_PRELOAD" - } - }, - { - "match_phrase": { - "process.command_line.text": "/etc/ld.so.preload" - } - }, - { - "match_phrase": { - "process.command_line.text": "/root/.ssh/authorized_keys" - } - }, - { - "match_phrase": { - "process.command_line.text": "timestamp_timeout=-1" - } - }, - { - "match_phrase": { - "process.command_line.text": "!tty_tickets" - } - }, - { - "match_phrase": { - "process.command_line.text": "var/spool/cron" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl daemon-reload" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw mod user" - } - }, - { - "match_phrase": { - "process.command_line.text": "pw unlock" - } - }, - { - "match_phrase": { - "process.command_line.text": "chmod u+s" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo setcap cap_setuid" - } - }, - { - "match_phrase": { - "process.command_line.text": "su nobody" - } - }, - { - "match_phrase": { - 
"process.command_line.text": "sudo nobody" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo */root/" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*etc/sudoers" - } - }, - { - "match_phrase": { - "process.command_line.text": "sudo*visudo" - } - }, - { - "match_phrase": { - "process.command_line.text": "etc/cron.*/" - } - }, - { - "match_phrase": { - "process.command_line.text": "trap*SIGINT" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*2000" - } - }, - { - "match_phrase": { - "process.command_line.text": "find*-perm*4000" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl start*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "systemctl enable*.service" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bashrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.shrc" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/profile" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/.bash_logout" - } - }, - { - "match_phrase": { - "process.command_line.text": "echo*/etc/rc." 
- } - } - ] + "process.name": + [ "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-pad_windows_rare_device_by_user_ea", + "job_id": "pad_windows_rare_device_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_device_by_user_ea", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "exists": { + "field": "host.name" + } + }, + { + "exists": { + "field": "user.name" + } + }, + { + "terms": { + "event.code": [ + "4720", + "4726", + "4722", + "4756", + "4672", + "4673", + "4674", + "4720", + "4728", + "4732", + "4756", + "624", + "632", + "636", + "660", + "4725", + "4723", + "4648", + "4688", + "4729", + "4733", + "4757", + "637", + "661" + ] + } } - } - ], + ], "must_not": [ { "terms": { - "process.name": [ - "elastic-agent", - "elasticsearch-users", - "elastic-agent.exe", - "metricbeat.exe", - "metricbeat", - "filebeat.exe", - "filebeat", - "packetbeat.exe", - "packetbeat", - "winlogbeat.exe", - "winlogbeat" + "event.action": [ + "log_on", + "created_process" ] - } - }, + } + }, { "terms": { - "process.command_line.text": [ - "elastic-agent", - "elasticsearch" - ] - } - } - ] + "process.name": + [ "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" ] + } + } + ] + } } } - } - }, - { - "id": "datafeed-pad_okta_spike_in_group_membership_changes_ea", - "job_id": "pad_okta_spike_in_group_membership_changes_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_group_membership_changes_ea", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" + }, + { + "id": 
"datafeed-pad_windows_rare_source_ip_by_user_ea", + "job_id": "pad_windows_rare_source_ip_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_source_ip_by_user_ea", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "exists": { + "field": "source.ip" + } + }, + { + "exists": { + "field": "user.name" + } + }, + { + "terms": { + "event.code": [ + "4720", + "4726", + "4722", + "4756", + "4672", + "4673", + "4674", + "4720", + "4728", + "4732", + "4756", + "624", + "632", + "636", + "660", + "4725", + "4723", + "4648", + "4688", + "4729", + "4733", + "4757", + "637", + "661" + ] + } } - }, + ], + "must_not": [ { "terms": { - "okta.event_type": [ - "group.user_membership.add", - "group.user_membership.remove" + "event.action": [ + "log_on", + "created_process" ] - } - } - ] + } + }, + { + "terms": { + "process.name": + [ "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" ] + } + } + ] + } } } - } - }, - { - "id": "datafeed-pad_okta_spike_in_user_lifecycle_management_changes_ea", - "job_id": "pad_okta_spike_in_user_lifecycle_management_changes_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_user_lifecycle_management_changes_ea", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" + }, + { + "id": "datafeed-pad_windows_rare_region_name_by_user_ea", + "job_id": "pad_windows_rare_region_name_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_windows_rare_region_name_by_user_ea", + "query": { + "bool": { + "filter": [ + { + "terms": { + "host.os.type": [ + "windows", + "Windows" + ] + } + }, + { + "exists": { + "field": "source.geo.region_name" + } + }, + { + "exists": { + "field": "user.name" + } + }, + { + 
"terms": { + "event.code": [ + "4720", + "4726", + "4722", + "4756", + "4672", + "4673", + "4674", + "4720", + "4728", + "4732", + "4756", + "624", + "632", + "636", + "660", + "4725", + "4723", + "4648", + "4688", + "4729", + "4733", + "4757", + "637", + "661" + ] + } } - }, + ], + "must_not": [ { "terms": { - "okta.event_type": [ - "user.lifecycle.activate", - "user.lifecycle.deactivate", - "user.lifecycle.suspend", - "user.lifecycle.unsuspend", - "user.lifecycle.create", - "user.lifecycle.update" + "event.action": [ + "log_on", + "created_process" ] - } - } - ] + } + }, + { + "terms": { + "process.name": + [ "elastic-agent.exe", + "elastic-agent", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" ] + } + } + ] + } } } - } - }, - { - "id": "datafeed-pad_okta_spike_in_group_privilege_changes_ea", - "job_id": "pad_okta_spike_in_group_privilege_changes_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_group_privilege_changes_ea", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" + }, + { + "id": "datafeed-pad_linux_high_count_privileged_process_events_by_user_ea", + "job_id": "pad_linux_high_count_privileged_process_events_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_linux_high_count_privileged_process_events_by_user_ea", + "query": { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "linux", + "Linux" + ] + } + }, + { + "term": { + "event.category": "process" + } + }, + { + "terms": { + "event.type": [ + "start", + "change" + ] + } + }, + { + "bool": { + "should": [ + { + "match_phrase": { + "process.command_line.text": "LD_PRELOAD" + } + }, + { + "match_phrase": { + "process.command_line.text": "/etc/ld.so.preload" + } + }, + { + "match_phrase": { + "process.command_line.text": "/root/.ssh/authorized_keys" + } + }, + { + "match_phrase": 
{ + "process.command_line.text": "timestamp_timeout=-1" + } + }, + { + "match_phrase": { + "process.command_line.text": "!tty_tickets" + } + }, + { + "match_phrase": { + "process.command_line.text": "var/spool/cron" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl daemon-reload" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw mod user" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw unlock" + } + }, + { + "match_phrase": { + "process.command_line.text": "chmod u+s" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo setcap cap_setuid" + } + }, + { + "match_phrase": { + "process.command_line.text": "su nobody" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo nobody" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo */root/" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*etc/sudoers" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*visudo" + } + }, + { + "match_phrase": { + "process.command_line.text": "etc/cron.*/" + } + }, + { + "match_phrase": { + "process.command_line.text": "trap*SIGINT" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*2000" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*4000" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl start*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl enable*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bashrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.shrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_logout" + } + }, + { + "match_phrase": { + "process.command_line.text": 
"echo*/etc/rc." + } + } + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent", + "elasticsearch-users", + "elastic-agent.exe", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + }, + { + "terms": { + "process.command_line.text": [ + "elastic-agent", + "elasticsearch" + ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-pad_linux_rare_process_executed_by_user_ea", + "job_id": "pad_linux_rare_process_executed_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_linux_rare_process_executed_by_user_ea", + "query": { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "linux", + "Linux" + ] + } + }, + { + "term": { + "event.category": "process" + } + }, + { + "terms": { + "event.type": [ + "start", + "change" + ] + } + }, + { + "bool": { + "should": [ + { + "match_phrase": { + "process.command_line.text": "LD_PRELOAD" + } + }, + { + "match_phrase": { + "process.command_line.text": "/etc/ld.so.preload" + } + }, + { + "match_phrase": { + "process.command_line.text": "/root/.ssh/authorized_keys" + } + }, + { + "match_phrase": { + "process.command_line.text": "timestamp_timeout=-1" + } + }, + { + "match_phrase": { + "process.command_line.text": "!tty_tickets" + } + }, + { + "match_phrase": { + "process.command_line.text": "var/spool/cron" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl daemon-reload" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw mod user" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw unlock" + } + }, + { + "match_phrase": { + "process.command_line.text": "chmod u+s" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo setcap cap_setuid" + } + }, + { + "match_phrase": { + "process.command_line.text": "su nobody" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo nobody" + } + 
}, + { + "match_phrase": { + "process.command_line.text": "sudo */root/" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*etc/sudoers" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*visudo" + } + }, + { + "match_phrase": { + "process.command_line.text": "etc/cron.*/" + } + }, + { + "match_phrase": { + "process.command_line.text": "trap*SIGINT" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*2000" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*4000" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl start*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl enable*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bashrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.shrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_logout" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/rc." 
+ } + } + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent", + "elasticsearch-users", + "elastic-agent.exe", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + }, + { + "terms": { + "process.command_line.text": [ + "elastic-agent", + "elasticsearch" + ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-pad_linux_high_median_process_command_line_entropy_by_user_ea", + "job_id": "pad_linux_high_median_process_command_line_entropy_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_linux_high_median_process_command_line_entropy_by_user_ea", + "query": { + "bool": { + "must": [ + { + "terms": { + "host.os.type": [ + "linux", + "Linux" + ] + } + }, + { + "term": { + "event.category": "process" + } + }, + { + "terms": { + "event.type": [ + "start", + "change" + ] + } + }, + { + "bool": { + "should": [ + { + "match_phrase": { + "process.command_line.text": "LD_PRELOAD" + } + }, + { + "match_phrase": { + "process.command_line.text": "/etc/ld.so.preload" + } + }, + { + "match_phrase": { + "process.command_line.text": "/root/.ssh/authorized_keys" + } + }, + { + "match_phrase": { + "process.command_line.text": "timestamp_timeout=-1" + } + }, + { + "match_phrase": { + "process.command_line.text": "!tty_tickets" + } + }, + { + "match_phrase": { + "process.command_line.text": "var/spool/cron" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl daemon-reload" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw mod user" + } + }, + { + "match_phrase": { + "process.command_line.text": "pw unlock" + } + }, + { + "match_phrase": { + "process.command_line.text": "chmod u+s" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo setcap cap_setuid" + } + }, + { + "match_phrase": { + "process.command_line.text": "su nobody" + } + }, + { + "match_phrase": { + 
"process.command_line.text": "sudo nobody" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo */root/" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*etc/sudoers" + } + }, + { + "match_phrase": { + "process.command_line.text": "sudo*visudo" + } + }, + { + "match_phrase": { + "process.command_line.text": "etc/cron.*/" + } + }, + { + "match_phrase": { + "process.command_line.text": "trap*SIGINT" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*2000" + } + }, + { + "match_phrase": { + "process.command_line.text": "find*-perm*4000" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl start*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "systemctl enable*.service" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bashrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.shrc" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/profile" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/.bash_logout" + } + }, + { + "match_phrase": { + "process.command_line.text": "echo*/etc/rc." 
+ } + } + ] + } + } + ], + "must_not": [ + { + "terms": { + "process.name": [ + "elastic-agent", + "elasticsearch-users", + "elastic-agent.exe", + "metricbeat.exe", + "metricbeat", + "filebeat.exe", + "filebeat", + "packetbeat.exe", + "packetbeat", + "winlogbeat.exe", + "winlogbeat" + ] + } + }, + { + "terms": { + "process.command_line.text": [ + "elastic-agent", + "elasticsearch" + ] + } + } + ] + } + } + } + }, + { + "id": "datafeed-pad_okta_spike_in_group_membership_changes_ea", + "job_id": "pad_okta_spike_in_group_membership_changes_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_group_membership_changes_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "terms": { + "okta.event_type": ["group.user_membership.add", "group.user_membership.remove"] + } } - }, - { - "terms": { - "okta.event_type": [ - "group.privilege.grant", - "group.privilege.revoke" - ] + ] + } + } + } + }, + { + "id": "datafeed-pad_okta_spike_in_user_lifecycle_management_changes_ea", + "job_id": "pad_okta_spike_in_user_lifecycle_management_changes_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_user_lifecycle_management_changes_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "terms": { + "okta.event_type": [ + "user.lifecycle.activate", + "user.lifecycle.deactivate", + "user.lifecycle.suspend", + "user.lifecycle.unsuspend", + "user.lifecycle.create", + "user.lifecycle.update" + ] + } } - } - ] + ] + } } } - } - }, - { - "id": "datafeed-pad_okta_spike_in_group_application_assignment_changes_ea", - "job_id": "pad_okta_spike_in_group_application_assignment_changes_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_spike_in_group_application_assignment_changes_ea", - "query": { - "bool": { - "filter": [ + }, { - "term": { - "data_stream.dataset": 
"okta.system" + "id": "datafeed-pad_okta_spike_in_group_privilege_changes_ea", + "job_id": "pad_okta_spike_in_group_privilege_changes_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_group_privilege_changes_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "terms": { + "okta.event_type": ["group.privilege.grant", "group.privilege.revoke"] + } } - }, + ] + } + } + } + }, { - "terms": { - "okta.event_type": [ - "group.application_assignment.add", - "group.application_assignment.remove" - ] + "id": "datafeed-pad_okta_spike_in_group_application_assignment_changes_ea", + "job_id": "pad_okta_spike_in_group_application_assignment_changes_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_group_application_assignment_changes_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "terms": { + "okta.event_type": ["group.application_assignment.add", "group.application_assignment.remove"] + } } - } - ] + ] + } } } - } - }, - { - "id": "datafeed-pad_okta_spike_in_group_lifecycle_changes_ea", - "job_id": "pad_okta_spike_in_group_lifecycle_changes_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], + }, + { + "id": "datafeed-pad_okta_spike_in_group_lifecycle_changes_ea", "job_id": "pad_okta_spike_in_group_lifecycle_changes_ea", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "terms": { - "okta.event_type": [ - "group.lifecycle.create", - "group.lifecycle.delete" - ] + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_spike_in_group_lifecycle_changes_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "terms": { + "okta.event_type": ["group.lifecycle.create", "group.lifecycle.delete"] + } } - } - ] + ] + } } } - } - }, 
- { - "id": "datafeed-pad_okta_high_sum_concurrent_sessions_by_user_ea", - "job_id": "pad_okta_high_sum_concurrent_sessions_by_user_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], + }, + { + "id": "datafeed-pad_okta_high_sum_concurrent_sessions_by_user_ea", "job_id": "pad_okta_high_sum_concurrent_sessions_by_user_ea", - "query": { - "bool": { - "filter": [ - { - "exists": { - "field": "user.email" - } - }, - { - "exists": { - "field": "okta_distinct_ips" - } - }, - { - "range": { - "okta_distinct_ips": { - "gte": 2 - } - } - }, - { - "range": { - "okta_distinct_countries": { - "gte": 2 + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_high_sum_concurrent_sessions_by_user_ea", + "query": { + "bool": { + "filter": [ + { + "exists": { + "field": "user.email" + } + }, + { + "exists": { + "field": "okta_distinct_ips" + } + }, + { + "range": { + "okta_distinct_ips": { + "gte": 2 + } + } + }, + { + "range": { + "okta_distinct_countries": { + "gte": 2 + } + } + }, + { + "term": { + "okta_session_info.has_end_event": 0 + } } - } - }, - { - "term": { - "okta_session_info.has_end_event": 0 - } + ] } - ] - } + } } - } - }, - { - "id": "datafeed-pad_okta_rare_source_ip_by_user_ea", - "job_id": "pad_okta_rare_source_ip_by_user_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], + }, + { + "id": "datafeed-pad_okta_rare_source_ip_by_user_ea", "job_id": "pad_okta_rare_source_ip_by_user_ea", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "exists": { - "field": "source.ip" - } - }, - { - "terms": { - "okta.event_type": [ - "group.lifecycle.create", - "group.lifecycle.delete", - "group.user_membership.add", - "group.user_membership.remove", - "user.lifecycle.activate", - "user.lifecycle.deactivate", - "user.lifecycle.suspend", - "user.lifecycle.unsuspend", - "user.lifecycle.create", - "user.lifecycle.update", - "group.privilege.grant", - "group.privilege.revoke", - 
"group.application_assignment.add", - "group.application_assignment.remove" - ] + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_rare_source_ip_by_user_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "exists": { + "field": "source.ip" + } + }, + { + "terms": { + "okta.event_type": [ + "group.lifecycle.create", + "group.lifecycle.delete", + "group.user_membership.add", + "group.user_membership.remove", + "user.lifecycle.activate", + "user.lifecycle.deactivate", + "user.lifecycle.suspend", + "user.lifecycle.unsuspend", + "user.lifecycle.create", + "user.lifecycle.update", + "group.privilege.grant", + "group.privilege.revoke", + "group.application_assignment.add", + "group.application_assignment.remove"] + } } - } - ] + ] + } } } - } - }, - { - "id": "datafeed-pad_okta_rare_region_name_by_user_ea", - "job_id": "pad_okta_rare_region_name_by_user_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_rare_region_name_by_user_ea", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "exists": { - "field": "client.geo.region_name" - } - }, + }, { - "terms": { - "okta.event_type": [ - "group.lifecycle.create", - "group.lifecycle.delete", - "group.user_membership.add", - "group.user_membership.remove", - "user.lifecycle.activate", - "user.lifecycle.deactivate", - "user.lifecycle.suspend", - "user.lifecycle.unsuspend", - "user.lifecycle.create", - "user.lifecycle.update", - "group.privilege.grant", - "group.privilege.revoke", - "group.application_assignment.add", - "group.application_assignment.remove" - ] + "id": "datafeed-pad_okta_rare_region_name_by_user_ea", + "job_id": "pad_okta_rare_region_name_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_rare_region_name_by_user_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + 
"data_stream.dataset": "okta.system" + } + }, + { + "exists": { + "field": "client.geo.region_name" + } + }, + { + "terms": { + "okta.event_type": [ + "group.lifecycle.create", + "group.lifecycle.delete", + "group.user_membership.add", + "group.user_membership.remove", + "user.lifecycle.activate", + "user.lifecycle.deactivate", + "user.lifecycle.suspend", + "user.lifecycle.unsuspend", + "user.lifecycle.create", + "user.lifecycle.update", + "group.privilege.grant", + "group.privilege.revoke", + "group.application_assignment.add", + "group.application_assignment.remove"] + } } - } - ] + ] + } } } - } - }, - { - "id": "datafeed-pad_okta_rare_host_name_by_user_ea", - "job_id": "pad_okta_rare_host_name_by_user_ea", - "config": { - "indices": [ - "INDEX_PATTERN_NAME" - ], - "job_id": "pad_okta_rare_host_name_by_user_ea", - "query": { - "bool": { - "filter": [ - { - "term": { - "data_stream.dataset": "okta.system" - } - }, - { - "exists": { - "field": "agent.name" - } - }, + }, { - "terms": { - "okta.event_type": [ - "group.lifecycle.create", - "group.lifecycle.delete", - "group.user_membership.add", - "group.user_membership.remove", - "user.lifecycle.activate", - "user.lifecycle.deactivate", - "user.lifecycle.suspend", - "user.lifecycle.unsuspend", - "user.lifecycle.create", - "user.lifecycle.update", - "group.privilege.grant", - "group.privilege.revoke", - "group.application_assignment.add", - "group.application_assignment.remove" - ] + "id": "datafeed-pad_okta_rare_host_name_by_user_ea", + "job_id": "pad_okta_rare_host_name_by_user_ea", + "config": { + "indices": [ + "INDEX_PATTERN_NAME" + ], + "job_id": "pad_okta_rare_host_name_by_user_ea", + "query": { + "bool": { + "filter": [ + { + "term": { + "data_stream.dataset": "okta.system" + } + }, + { + "exists": { + "field": "agent.name" + } + }, + { + "terms": { + "okta.event_type": [ + "group.lifecycle.create", + "group.lifecycle.delete", + "group.user_membership.add", + "group.user_membership.remove", + 
"user.lifecycle.activate", + "user.lifecycle.deactivate", + "user.lifecycle.suspend", + "user.lifecycle.unsuspend", + "user.lifecycle.create", + "user.lifecycle.update", + "group.privilege.grant", + "group.privilege.revoke", + "group.application_assignment.add", + "group.application_assignment.remove"] + } } - } - ] + ] + } } } } - } - ] - }, - "id": "pad-ml", - "migrationVersion": { - "search": "7.16.0" - }, - "references": [], - "type": "ml-module" + ] + }, + "id": "pad-ml", + "migrationVersion": { + "search": "7.16.0" + }, + "references": [], + "type": "ml-module" } \ No newline at end of file From e3b18341f5d1823bd39be1fab02e1f98a3eb414a Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Thu, 12 Mar 2026 11:03:40 -0500 Subject: [PATCH 17/44] Update changelog links, fix HTA version --- packages/ded/changelog.yml | 2 +- packages/dga/changelog.yml | 2 +- packages/hta/changelog.yml | 7 +------ packages/hta/manifest.yml | 2 +- packages/lmd/changelog.yml | 2 +- packages/pad/changelog.yml | 2 +- packages/problemchild/changelog.yml | 2 +- 7 files changed, 7 insertions(+), 12 deletions(-) diff --git a/packages/ded/changelog.yml b/packages/ded/changelog.yml index e101485743e..7d19c278cf4 100644 --- a/packages/ded/changelog.yml +++ b/packages/ded/changelog.yml @@ -2,7 +2,7 @@ changes: - description: Introduce Entity Analytics type: enhancement - link: https://github.com/elastic/integrations/pull/99999 + link: https://github.com/elastic/integrations/pull/17626 - version: "2.4.1" changes: - description: Update package docs with customization steps for ML jobs and transforms diff --git a/packages/dga/changelog.yml b/packages/dga/changelog.yml index e34aef18713..7da33270203 100644 --- a/packages/dga/changelog.yml +++ b/packages/dga/changelog.yml 
@@ -3,7 +3,7 @@ changes: - description: Introduce Entity Analytics type: enhancement - link: https://github.com/elastic/integrations/pull/99999 + link: https://github.com/elastic/integrations/pull/17626 - version: "2.3.5" changes: - description: Update package docs with customization steps for ML jobs and transforms diff --git a/packages/hta/changelog.yml b/packages/hta/changelog.yml index a959d2fd7d5..48dcc9b76cb 100644 --- a/packages/hta/changelog.yml +++ b/packages/hta/changelog.yml @@ -1,13 +1,8 @@ -- version: "3.0.0" - changes: - - description: Introduce Entity Analytics - type: enhancement - link: https://github.com/elastic/integrations/pull/99999 - version: "2.0.0" changes: - description: Introduce Entity Analytics type: enhancement - link: https://github.com/elastic/integrations/pull/99999 + link: https://github.com/elastic/integrations/pull/17626 - version: "1.0.1" changes: - description: Update documentation on configuring data view for dashboards diff --git a/packages/hta/manifest.yml b/packages/hta/manifest.yml index b88cad4547f..ef32d368994 100644 --- a/packages/hta/manifest.yml +++ b/packages/hta/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.0 name: hta title: "Host Traffic Anomalies" -version: 3.0.0 +version: 2.0.0 source: license: "Elastic-2.0" description: "Prebuilt dashboard for Machine Learning module Security: Host." diff --git a/packages/lmd/changelog.yml b/packages/lmd/changelog.yml index 073e0740dad..b24bca105c4 100644 --- a/packages/lmd/changelog.yml +++ b/packages/lmd/changelog.yml @@ -2,7 +2,7 @@ changes: - description: Introduce Entity Analytics type: enhancement - link: https://github.com/elastic/integrations/pull/99999 + link: https://github.com/elastic/integrations/pull/17626 - version: "2.6.2" changes: - description: Update package docs with prerequisite steps for host.* fields diff --git a/packages/pad/changelog.yml b/packages/pad/changelog.yml index 494909633c5..76b627efb08 100644 --- a/packages/pad/changelog.yml 
+++ b/packages/pad/changelog.yml @@ -2,7 +2,7 @@ changes: - description: Introduce Entity Analytics type: enhancement - link: https://github.com/elastic/integrations/pull/99999 + link: https://github.com/elastic/integrations/pull/17626 - version: "1.1.1" changes: - description: Update package docs with customization steps for ML jobs and transforms diff --git a/packages/problemchild/changelog.yml b/packages/problemchild/changelog.yml index 559b188036c..a280f471920 100644 --- a/packages/problemchild/changelog.yml +++ b/packages/problemchild/changelog.yml @@ -3,7 +3,7 @@ changes: - description: Introduce Entity Analytics type: enhancement - link: https://github.com/elastic/integrations/pull/99999 + link: https://github.com/elastic/integrations/pull/17626 - version: "2.4.5" changes: - description: Update package docs with customization steps for ML jobs and transforms From 05d74108e61ac861b72a0b16df770b72f36fed94 Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Thu, 12 Mar 2026 11:06:52 -0500 Subject: [PATCH 18/44] fix version in readme --- packages/hta/docs/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/hta/docs/README.md b/packages/hta/docs/README.md index 1c500a7cc24..5a0b7885f4c 100644 --- a/packages/hta/docs/README.md +++ b/packages/hta/docs/README.md @@ -16,7 +16,7 @@ The Host Traffic Anomalies package includes a dashboard that offers a high-level _**Warning**_: When creating the data views for the dashboards, ensure that the `Custom data view ID` is set to the value specified above and is not left empty. Omitting or misconfiguring this field may result in broken visualizations, as illustrated by the error message below. ![Dashboard Error](../img/dashboard-hta-error.png) -## v3.0.0 and beyond +## v2.0.0 and beyond v3.0.0 of the package introduces support for Entity Analytics (EA) in Elastic Stack version 9.4, adding new fields for proper entity resolution. 
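Review bot: in the `packages/hta/docs/README.md` hunk the heading becomes `## v2.0.0 and beyond`, but the unchanged context line immediately below it still reads `v3.0.0 of the package introduces support for Entity Analytics (EA) in Elastic Stack version 9.4`; update that sentence in the same hunk so the README does not contradict its own heading between commits.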
From e606be967ed4e21869ff7bd9ee57002aaf70de07 Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Thu, 12 Mar 2026 11:07:19 -0500 Subject: [PATCH 19/44] fix version in readme --- packages/hta/docs/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/hta/docs/README.md b/packages/hta/docs/README.md index 5a0b7885f4c..7eac1e6ea32 100644 --- a/packages/hta/docs/README.md +++ b/packages/hta/docs/README.md @@ -18,7 +18,7 @@ The Host Traffic Anomalies package includes a dashboard that offers a high-level ## v2.0.0 and beyond -v3.0.0 of the package introduces support for Entity Analytics (EA) in Elastic Stack version 9.4, adding new fields for proper entity resolution. +v2.0.0 of the package introduces support for Entity Analytics (EA) in Elastic Stack version 9.4, adding new fields for proper entity resolution. - The new ML jobs include an `_ea` suffix in their names, as outlined below. These jobs are available through the `Security: Host` module in Kibana. To install them, go to **Machine Learning** -> **Anomaly Detection** -> **Jobs** -> **Create anomaly detection job** -> select your data view -> select **Security: Host** -> **Create jobs**. - Previously installed `Security: Host` ML jobs will continue to run, allowing time to transition to the new Entity Analytics jobs. From ca76ededa7e30bc0715ec2fc05195b12329317d8 Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Thu, 12 Mar 2026 11:20:32 -0500 Subject: [PATCH 20/44] Update packages/lmd/docs/README.md Co-authored-by: Kirti Sodhi <109447885+sodhikirti07@users.noreply.github.com> --- packages/lmd/docs/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/lmd/docs/README.md b/packages/lmd/docs/README.md index 78d2797c136..e5eb0a395d9 100644 --- a/packages/lmd/docs/README.md +++ b/packages/lmd/docs/README.md 
@@ -141,7 +141,7 @@ Detects potential lateral movement activity by identifying malicious file transf | lmd_high_mean_rdp_session_duration_ea | Detects unusually high mean of RDP session duration. | Windows | | lmd_high_var_rdp_session_duration_ea | Detects unusually high variance in RDP session duration. | Windows | | lmd_high_sum_rdp_number_of_processes_ea | Detects unusually high number of processes started in a single RDP session. | Windows | -| lmd_unusual_time_weekday_rdp_session_start_ea | Detects an RDP session started at an usual time or weekday. | Windows | +| lmd_unusual_time_weekday_rdp_session_start_ea | Detects an RDP session started at an unusual time or weekday. | Windows | | lmd_high_rdp_distinct_count_source_ip_for_destination_ea | Detects a high count of source IPs making an RDP connection with a single destination IP. | Windows | | lmd_high_rdp_distinct_count_destination_ip_for_source_ea | Detects a high count of destination IPs establishing an RDP connection with a single source IP. | Windows | | lmd_high_mean_rdp_process_args_ea | Detects unusually high number of process arguments in an RDP session. | Windows | From 6967f08400065507262a1d50561fda25ed3eda94 Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Thu, 12 Mar 2026 11:24:48 -0500 Subject: [PATCH 21/44] add `host.name` for Okta ML transforms/influencers. fix datafeed for `pad_okta_rare_host_name_by_user_ea` --- .../fields/fields.yml | 2 ++ .../pivot_transform_okta_sessions_ea/transform.yml | 3 +++ packages/pad/kibana/ml_module/pad-ml.json | 11 ++++++++++- 3 files changed, 15 insertions(+), 1 deletion(-) diff --git a/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/fields/fields.yml b/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/fields/fields.yml index 10ed19fe483..3dc31df16dd 100644 --- a/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/fields/fields.yml 
+++ b/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/fields/fields.yml @@ -12,5 +12,7 @@ type: long - external: ecs name: agent.name +- external: ecs + name: host.name - external: ecs name: '@timestamp' diff --git a/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/transform.yml b/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/transform.yml index 10b8575537d..dc6d5985d84 100644 --- a/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/transform.yml +++ b/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/transform.yml @@ -45,6 +45,9 @@ pivot: event.module: terms: field: event.module + 'host.name': + terms: + field: host.name 'agent.name': terms: field: agent.name diff --git a/packages/pad/kibana/ml_module/pad-ml.json b/packages/pad/kibana/ml_module/pad-ml.json index d8246ca4a93..2d28f979693 100644 --- a/packages/pad/kibana/ml_module/pad-ml.json +++ b/packages/pad/kibana/ml_module/pad-ml.json @@ -570,6 +570,7 @@ } ], "influencers": [ + "host.name", "agent.name", "user.email", "event.module", @@ -608,6 +609,7 @@ } ], "influencers": [ + "host.name", "agent.name", "user.email", "event.module", @@ -646,6 +648,7 @@ } ], "influencers": [ + "host.name", "agent.name", "user.email", "event.module", @@ -686,6 +689,7 @@ } ], "influencers": [ + "host.name", "agent.name", "user.email", "event.module", @@ -723,6 +727,7 @@ } ], "influencers": [ + "host.name", "agent.name", "user.email", "event.module", @@ -762,6 +767,7 @@ "influencers": [ "user.email", "event.module", + "host.name", "agent.name", "source.user.full_name" ] @@ -796,6 +802,7 @@ } ], "influencers": [ + "host.name", "agent.name", "source.user.full_name", "user.target.group.name", @@ -832,6 +839,7 @@ } ], "influencers": [ + "host.name", "agent.name", "source.user.full_name", "user.target.group.name", 
@@ -869,6 +877,7 @@ } ], "influencers": [ + "host.name", "agent.name", "source.user.full_name", "user.target.group.name", @@ -2389,7 +2398,7 @@ }, { "exists": { - "field": "agent.name" + "field": "host.name" } }, { From 34d07b0ec508de11feccfd4f9bdac4e3e68fa7a5 Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Thu, 12 Mar 2026 12:48:56 -0500 Subject: [PATCH 22/44] documentation consistency fix --- packages/dga/docs/README.md | 8 ++++---- packages/problemchild/docs/README.md | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/packages/dga/docs/README.md b/packages/dga/docs/README.md index 6f630826fae..fadb0c2ca26 100644 --- a/packages/dga/docs/README.md +++ b/packages/dga/docs/README.md 
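Review bot: adding `'host.name'` as a `group_by` key in `pivot_transform_okta_sessions_ea/transform.yml` changes the identity of every pivot bucket: a session whose events report differing `host.name` values (or none) is now split into separate rows, which changes any per-session aggregations the pivot computes and therefore what the `_ea` jobs see. Confirm that is intended, or consider surfacing the host as an aggregation under the existing buckets rather than as a group key. Separately, in the `@@ -762` hunk `"host.name"` is inserted after `"event.module"` while every other influencer list in this commit puts it first; keep the ordering consistent. The `@@ -2389` datafeed change from `"field": "agent.name"` to `"field": "host.name"` is the right correction for the rare-host-name job.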
@@ -107,11 +107,11 @@ To customize the datafeed query and other settings such as model memory limit, f ## v3.0.0 and beyond -v3.0.0 of the package introduces Entity Analytics support for Elastic Stack version 9.4, adding new fields for proper entity resolution. +v3.0.0 of the package introduces support for Entity Analytics (EA) in Elastic Stack version 9.4, adding new fields for proper entity resolution. -- Previously installed versions of ML jobs and rules will continue to run, giving you time to transition to the new Entity Analytics assets. -- On installation of this version, new ML jobs and rules that utilize Entity Analytics will be available. -- We recommend installing the new ML jobs first and check they are properly installed, gathering data and generating anomalies before updating to the latest version of the detection rules provided in 9.4. +- The new ML jobs include an `_ea` suffix in their names, as outlined below. New detection rules are also included. +- Previously installed ML jobs and rules will continue to run, allowing time to transition to the new Entity Analytics assets. +- We recommend installing the new ML jobs first and verifying that they are properly set up, collecting data, and generating anomalies before upgrading to the latest detection rules included in 9.4. The new Entity Analytics ML job IDs are: - `dga_high_sum_probability_ea` diff --git a/packages/problemchild/docs/README.md b/packages/problemchild/docs/README.md index cf37066ff27..51dbab26fd9 100644 --- a/packages/problemchild/docs/README.md +++ b/packages/problemchild/docs/README.md 
@@ -156,11 +156,11 @@ To customize the datafeed query and other settings such as model memory limit, f ## v3.0.0 and beyond -v3.0.0 of the package introduces Entity Analytics support for Elastic Stack version 9.4, adding new fields for proper entity resolution. +v3.0.0 of the package introduces support for Entity Analytics (EA) in Elastic Stack version 9.4, adding new fields for proper entity resolution. -- Previously installed versions of ML jobs and rules will continue to run, giving you time to transition to the new Entity Analytics assets. -- On installation of this version, new ML jobs and rules that utilize Entity Analytics will be available. -- We recommend installing the new ML jobs first and check they are properly installed, gathering data and generating anomalies before updating to the latest version of the detection rules provided in 9.4. +- The new ML jobs include an `_ea` suffix in their names, as outlined below. New detection rules are also included. +- Previously installed ML jobs and rules will continue to run, allowing time to transition to the new Entity Analytics assets. +- We recommend installing the new ML jobs first and verifying that they are properly set up, collecting data, and generating anomalies before upgrading to the latest detection rules included in 9.4. The new Entity Analytics ML job IDs are: - `problem_child_rare_process_by_host_ea` From 87b8007a2351d280a257baf0245c9c29b563178e Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Thu, 12 Mar 2026 13:15:46 -0500 Subject: [PATCH 23/44] add more verbose descriptions to changelog --- packages/ded/changelog.yml | 2 +- packages/dga/changelog.yml | 2 +- packages/hta/changelog.yml | 2 +- packages/lmd/changelog.yml | 2 +- packages/pad/changelog.yml | 2 +- packages/problemchild/changelog.yml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) 
diff --git a/packages/ded/changelog.yml b/packages/ded/changelog.yml index 7d19c278cf4..11cdeeba137 100644 --- a/packages/ded/changelog.yml +++ b/packages/ded/changelog.yml @@ -1,6 +1,6 @@ - version: "3.0.0" changes: - - description: Introduce Entity Analytics + - description: Adds new fields for entity resolution with Entity Analytics in Elastic Stack 9.4. Includes new ML jobs, transforms, and dashboards. type: enhancement link: https://github.com/elastic/integrations/pull/17626 - version: "2.4.1" diff --git a/packages/dga/changelog.yml b/packages/dga/changelog.yml index 7da33270203..514485ec22f 100644 --- a/packages/dga/changelog.yml +++ b/packages/dga/changelog.yml @@ -1,7 +1,7 @@ # newer versions go on top - version: "3.0.0" changes: - - description: Introduce Entity Analytics + - description: Adds new fields for entity resolution with Entity Analytics in Elastic Stack 9.4. Includes a new ML job. type: enhancement link: https://github.com/elastic/integrations/pull/17626 - version: "2.3.5" diff --git a/packages/hta/changelog.yml b/packages/hta/changelog.yml index 48dcc9b76cb..9c4fc763a09 100644 --- a/packages/hta/changelog.yml +++ b/packages/hta/changelog.yml @@ -1,6 +1,6 @@ - version: "2.0.0" changes: - - description: Introduce Entity Analytics + - description: Adds new fields for entity resolution with Entity Analytics in Elastic Stack 9.4. Includes new ML jobs and a dashboard. type: enhancement link: https://github.com/elastic/integrations/pull/17626 - version: "1.0.1" diff --git a/packages/lmd/changelog.yml b/packages/lmd/changelog.yml index b24bca105c4..d07dfb01ed6 100644 --- a/packages/lmd/changelog.yml +++ b/packages/lmd/changelog.yml 
@@ -1,6 +1,6 @@ - version: "3.0.0" changes: - - description: Introduce Entity Analytics + - description: Adds new fields for entity resolution with Entity Analytics in Elastic Stack 9.4. Includes new ML jobs, transforms, and dashboards. type: enhancement link: https://github.com/elastic/integrations/pull/17626 - version: "2.6.2" diff --git a/packages/pad/changelog.yml b/packages/pad/changelog.yml index 76b627efb08..de302f9bdea 100644 --- a/packages/pad/changelog.yml +++ b/packages/pad/changelog.yml @@ -1,6 +1,6 @@ - version: "2.0.0" changes: - - description: Introduce Entity Analytics + - description: Adds new fields for entity resolution with Entity Analytics in Elastic Stack 9.4. Includes new ML jobs, transforms, and dashboards. type: enhancement link: https://github.com/elastic/integrations/pull/17626 - version: "1.1.1" diff --git a/packages/problemchild/changelog.yml b/packages/problemchild/changelog.yml index a280f471920..0fe19017c59 100644 --- a/packages/problemchild/changelog.yml +++ b/packages/problemchild/changelog.yml @@ -1,7 +1,7 @@ # newer versions go on top - version: "3.0.0" changes: - - description: Introduce Entity Analytics + - description: Adds new fields for entity resolution with Entity Analytics in Elastic Stack 9.4. Includes new ML jobs. type: enhancement link: https://github.com/elastic/integrations/pull/17626 - version: "2.4.5" From 8804e56314c7ff18ce397647d242ea8aa117fb41 Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Thu, 12 Mar 2026 13:32:39 -0500 Subject: [PATCH 24/44] fix index pattern in dashboard docs --- packages/ded/docs/README.md | 2 +- packages/hta/docs/README.md | 2 +- packages/lmd/docs/README.md | 2 +- packages/pad/docs/README.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/packages/ded/docs/README.md b/packages/ded/docs/README.md index 3df4391b359..0be985c9647 100644 --- a/packages/ded/docs/README.md +++ b/packages/ded/docs/README.md 
@@ -25,7 +25,7 @@ For more detailed information refer to the following blog: 1. You have **read** access to `.ml-anomalies-shared` index or are assigned the `machine_learning_user` role. For more information on roles, please refer to [Built-in roles in Elastic](https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-roles.html). Please be aware that a user who has access to the underlying machine learning results indices can see the results of _all_ jobs in _all_ spaces. Be mindful of granting permissions if you use Kibana spaces to control which users can see which machine learning results. For more information on machine learning privileges, refer to [setup-privileges](https://www.elastic.co/guide/en/machine-learning/current/setup.html#setup-privileges). 1. After enabling the jobs, go to **Management > Stack Management > Kibana > Data Views**. Click on **Create data view** with the following settings: - Name: `.ml-anomalies-shared` - - Index pattern : `.ml-anomalies-shared` + - Index pattern : `.ml-anomalies-shared*` - Select **Show Advanced settings** enable **Allow hidden and system indices** - Custom data view ID: `.ml-anomalies-shared` diff --git a/packages/hta/docs/README.md b/packages/hta/docs/README.md index 7eac1e6ea32..f954515df0f 100644 --- a/packages/hta/docs/README.md +++ b/packages/hta/docs/README.md 
@@ -9,7 +9,7 @@ The Host Traffic Anomalies package includes a dashboard that offers a high-level 1. You have **read** access to `.ml-anomalies-shared` index or are assigned the `machine_learning_user` role. For more information on roles, please refer to [Built-in roles in Elastic](https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-roles.html). Please be aware that a user who has access to the underlying machine learning results indices can see the results of _all_ jobs in _all_ spaces. Be mindful of granting permissions if you use Kibana spaces to control which users can see which machine learning results. For more information on machine learning privileges, refer to [setup-privileges](https://www.elastic.co/guide/en/machine-learning/current/setup.html#setup-privileges). 1. After enabling the jobs, go to **Management > Stack Management > Kibana > Data Views**. Click on **Create data view** with the following settings: - Name: `.ml-anomalies-shared` - - Index pattern : `.ml-anomalies-shared` + - Index pattern : `.ml-anomalies-shared*` - Select **Show Advanced settings** enable **Allow hidden and system indices** - Custom data view ID: `.ml-anomalies-shared` diff --git a/packages/lmd/docs/README.md b/packages/lmd/docs/README.md index e5eb0a395d9..9059cb6862b 100644 --- a/packages/lmd/docs/README.md +++ b/packages/lmd/docs/README.md 
@@ -34,7 +34,7 @@ If you are running version 8.18+, the Defend integration only collects a [subset 1. You have **read** access to `.ml-anomalies-shared` index or are assigned the `machine_learning_user` role. For more information on roles, please refer to [Built-in roles in Elastic](https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-roles.html). Please be aware that a user who has access to the underlying machine learning results indices can see the results of _all_ jobs in _all_ spaces. Be mindful of granting permissions if you use Kibana spaces to control which users can see which machine learning results. For more information on machine learning privileges, refer to [setup-privileges](https://www.elastic.co/guide/en/machine-learning/current/setup.html#setup-privileges). 1. After enabling the jobs, go to **Management > Stack Management > Kibana > Data Views**. Click on **Create data view** with the following settings: - Name: `.ml-anomalies-shared` - - Index pattern : `.ml-anomalies-shared` + - Index pattern : `.ml-anomalies-shared*` - Select **Show Advanced settings** enable **Allow hidden and system indices** - Custom data view ID: `.ml-anomalies-shared` diff --git a/packages/pad/docs/README.md b/packages/pad/docs/README.md index dd83ba73d4b..29729c51592 100644 --- a/packages/pad/docs/README.md +++ b/packages/pad/docs/README.md 
@@ -76,7 +76,7 @@ The package transform supports data from Elastic Endpoint via Elastic Defend and 1. You have **read** access to `.ml-anomalies-shared` index or are assigned the `machine_learning_user` role. For more information on roles, please refer to [Built-in roles in Elastic](https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-roles.html). Please be aware that a user who has access to the underlying machine learning results indices can see the results of _all_ jobs in _all_ spaces. Be mindful of granting permissions if you use Kibana spaces to control which users can see which machine learning results. For more information on machine learning privileges, refer to [setup-privileges](https://www.elastic.co/guide/en/machine-learning/current/setup.html#setup-privileges). 1. After enabling the jobs, go to **Management > Stack Management > Kibana > Data Views**. Click on **Create data view** with the following settings: - Name: `.ml-anomalies-shared` - - Index pattern : `.ml-anomalies-shared` + - Index pattern : `.ml-anomalies-shared*` - Select **Show Advanced settings** enable **Allow hidden and system indices** - Custom data view ID: `.ml-anomalies-shared` From c669892ac95b46e468878531bac55ea318fe778f Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Mon, 16 Mar 2026 11:34:48 -0500 Subject: [PATCH 25/44] change Okta ML job partition fields to `user.name`, add `user.name` as top level group by in Okta transform --- .../transform.yml | 3 ++ packages/pad/kibana/ml_module/pad-ml.json | 32 +++++++++++++------ 2 files changed, 25 insertions(+), 10 deletions(-) diff --git a/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/transform.yml b/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/transform.yml index dc6d5985d84..14ce72db8fc 100644 --- a/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/transform.yml 
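Review bot: the change to `Index pattern : .ml-anomalies-shared*` is applied identically in the four README hunks (ded, hta, lmd, pad), but the `Custom data view ID` line stays `.ml-anomalies-shared` and the warning two lines up about seeing results of _all_ jobs in _all_ spaces now covers everything the wider pattern matches; a one-line rationale next to the step (why the exact name is not enough once **Allow hidden and system indices** is enabled) would stop readers from "correcting" the wildcard away and would make the asymmetry with the data view ID look deliberate.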
+++ b/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/transform.yml @@ -39,6 +39,9 @@ pivot: term: 'okta.event_type': "user.session.end" group_by: + 'user.name': + terms: + field: user.name 'user.email': terms: field: user.email diff --git a/packages/pad/kibana/ml_module/pad-ml.json b/packages/pad/kibana/ml_module/pad-ml.json index 2d28f979693..f46781b8a5e 100644 --- a/packages/pad/kibana/ml_module/pad-ml.json +++ b/packages/pad/kibana/ml_module/pad-ml.json @@ -565,13 +565,14 @@ "detector_description": "High count of group membership okta events by user name", "function": "high_non_zero_count", "by_field_name": "okta.event_type", - "partition_field_name": "user.email", + "partition_field_name": "user.name", "detector_index": 0 } ], "influencers": [ "host.name", "agent.name", + "user.name", "user.email", "event.module", "source.user.full_name", @@ -604,13 +605,14 @@ "detector_description": "High count of user lifecycle management okta events by user name", "function": "high_non_zero_count", "by_field_name": "okta.event_type", - "partition_field_name": "user.email", + "partition_field_name": "user.name", "detector_index": 0 } ], "influencers": [ "host.name", "agent.name", + "user.name", "user.email", "event.module", "source.user.full_name", @@ -643,13 +645,14 @@ "detector_description": "High count of group privilege okta events by user name", "function": "high_non_zero_count", "by_field_name": "okta.event_type", - "partition_field_name": "user.email", + "partition_field_name": "user.name", "detector_index": 0 } ], "influencers": [ "host.name", "agent.name", + "user.name", "user.email", "event.module", "source.user.full_name", 
@@ -684,13 +687,14 @@ "detector_description": "High count of group application assignment okta events by user name", "function": "high_non_zero_count", "by_field_name": "okta.event_type", - "partition_field_name": "user.email", + "partition_field_name": "user.name", "detector_index": 0 } ], "influencers": [ "host.name", "agent.name", + "user.name", "user.email", "event.module", "source.user.full_name", @@ -722,13 +726,14 @@ "detector_description": "High count of group lifecycle okta events by user name", "function": "high_non_zero_count", "by_field_name": "okta.event_type", - "partition_field_name": "user.email", + "partition_field_name": "user.name", "detector_index": 0 } ], "influencers": [ "host.name", "agent.name", + "user.name", "user.email", "event.module", "source.user.full_name", @@ -760,11 +765,12 @@ "detector_description": "High sum of distinct source ips by user name", "function": "high_sum", "field_name": "okta_distinct_ips", - "partition_field_name": "user.email", + "partition_field_name": "user.name", "detector_index": 0 } ], "influencers": [ + "user.name", "user.email", "event.module", "host.name", @@ -797,13 +803,15 @@ "detector_description": "Rare source ip by user name", "function": "rare", "by_field_name": "source.ip", - "partition_field_name": "user.email", + "partition_field_name": "user.name", "detector_index": 0 } ], "influencers": [ "host.name", "agent.name", + "user.name", + "user.email", "source.user.full_name", "user.target.group.name", "okta.event_type" @@ -834,13 +842,15 @@ "detector_description": "Rare region name by user name", "function": "rare", "by_field_name": "client.geo.region_name", - "partition_field_name": "user.email", + "partition_field_name": "user.name", "detector_index": 0 } ], "influencers": [ "host.name", "agent.name", + "user.name", + "user.email", "source.user.full_name", "user.target.group.name", "okta.event_type", 
@@ -872,13 +882,15 @@ "detector_description": "Rare host name by user name", "function": "rare", "by_field_name": "host.name", - "partition_field_name": "user.email", + "partition_field_name": "user.name", "detector_index": 0 } ], "influencers": [ "host.name", "agent.name", + "user.name", + "user.email", "source.user.full_name", "user.target.group.name", "okta.event_type" @@ -2258,7 +2270,7 @@ "filter": [ { "exists": { - "field": "user.email" + "field": "user.name" } }, { From fbe77bdb3ffbc6cc124291ffc8442b8ece7c402e Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Wed, 18 Mar 2026 15:17:04 -0500 Subject: [PATCH 26/44] add `user.name` to okta pivot transform mappings --- .../pivot_transform_okta_sessions_ea/fields/fields.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/fields/fields.yml b/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/fields/fields.yml index 3dc31df16dd..b55ab249b6e 100644 --- a/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/fields/fields.yml +++ b/packages/pad/elasticsearch/transform/pivot_transform_okta_sessions_ea/fields/fields.yml @@ -1,3 +1,5 @@ +- external: ecs + name: user.name - external: ecs name: user.email - external: ecs From 871b1cfab0a6190e0424088b86d66bc46310757a Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Thu, 19 Mar 2026 09:10:51 -0500 Subject: [PATCH 27/44] change `on_failure` processor to set as `event.kind` is not an array --- .../ingest_pipeline/problem_child_inference_pipeline.yml | 2 +- .../ingest_pipeline/problem_child_ingest_pipeline.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
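Review bot: in the `transform.yml` hunk, the new `terms` group_by on `user.name` silently drops every `user.session.end` event that has no `user.name`, because a pivot transform's composite grouping skips documents missing a group key unless `missing_bucket: true` is set on that group_by; if Okta can deliver session events that carry only `user.email`, those sessions stop feeding `okta_distinct_ips` and the per-user sums, so either add `missing_bucket: true` or state the requirement in the README.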
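Review bot: the hunk at `@@ -565,13 +565,14 @@` (and the eight sibling hunks that make the identical edit) changes `partition_field_name` on an existing detector, and Elasticsearch does not allow the partition field of an existing anomaly detection job to be updated in place; users upgrading the package must delete and recreate the jobs and lose the learned baselines, which deserves an explicit upgrade note in the changelog and README. On the positive side the descriptions, which already said "by user name" while partitioning on `user.email`, finally agree with the field they partition on.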
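Review bot: the datafeed filter at `@@ -2258,7 +2270,7 @@` now requires `user.name` to exist and no longer requires `user.email`, yet `user.email` stays an influencer in every job above; confirm that the transform emits both fields for every pivot row, otherwise `user.email` influencer attribution quietly disappears for rows that carry only `user.name`, and the dashboards that split on it will show gaps rather than an error.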
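Review bot: the `fields.yml` hunk adding the ECS `user.name` mapping belongs in the same commit as the transform change that started emitting the field; as two separate commits, every revision between them installs a destination index template without `user.name` and leaves the field to dynamic mapping (`text` with a `.keyword` subfield), which is not what the ML jobs and dashboards expect. Squashing the two keeps the package installable at each commit.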
diff --git a/packages/problemchild/elasticsearch/ingest_pipeline/problem_child_inference_pipeline.yml b/packages/problemchild/elasticsearch/ingest_pipeline/problem_child_inference_pipeline.yml index 4ec4ba8a1dc..dfb7baa713b 100644 --- a/packages/problemchild/elasticsearch/ingest_pipeline/problem_child_inference_pipeline.yml +++ b/packages/problemchild/elasticsearch/ingest_pipeline/problem_child_inference_pipeline.yml @@ -394,7 +394,7 @@ processors: lang: painless source: ctx.entrySet().removeIf(field -> field.getKey() =~ /feature_.*/);ctx['problemchild'].remove('prediction_score');ctx['problemchild'].remove('model_id'); on_failure: - - append: + - set: field: event.kind value: pipeline_error - append: diff --git a/packages/problemchild/elasticsearch/ingest_pipeline/problem_child_ingest_pipeline.yml b/packages/problemchild/elasticsearch/ingest_pipeline/problem_child_ingest_pipeline.yml index 8aafe21a93d..e5d59f9c221 100644 --- a/packages/problemchild/elasticsearch/ingest_pipeline/problem_child_ingest_pipeline.yml +++ b/packages/problemchild/elasticsearch/ingest_pipeline/problem_child_ingest_pipeline.yml @@ -5,7 +5,7 @@ processors: if: ctx.event?.kind == 'event' && ctx.event?.category?.contains('process') && (ctx.host?.os?.type?.toLowerCase() == 'windows' || ctx.host?.os?.family?.toLowerCase() == 'windows' || ctx.host?.os?.platform?.toLowerCase() == 'windows') name: '{{ IngestPipeline "problem_child_inference_pipeline" }}' on_failure: - - append: + - set: field: event.kind value: pipeline_error - append: From c196362f1a78e379b9df0c9dba1c83c39891925f Mon Sep 17 00:00:00 2001 
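Review bot: in the `problem_child_inference_pipeline.yml` hunk, `set` is the right processor because `append` on the single-valued keyword `event.kind` produced an array such as `["event", "pipeline_error"]`, which breaks every equality comparison and KQL filter on the field; note that `set` overrides the existing value by default, which is what ECS expects for `pipeline_error`. The `- append:` that follows in the same `on_failure` block is outside the hunk, so check whether its target is a scalar field with the same problem.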
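Review bot: in the `problem_child_ingest_pipeline.yml` hunk the guard `if: ctx.event?.kind == 'event' && ...` means a document that failed once and now carries `event.kind: pipeline_error` is never sent through the inference pipeline again on reindex; if that is intended, a one-line comment next to the guard would save the next reader a question, and if it is not, the guard should key on a dedicated error marker rather than on `event.kind`.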
From: Fabrizio Ferri Benedetti Date: Wed, 25 Mar 2026 16:10:41 +0100 Subject: [PATCH 28/44] Fix broken anchor links in detection docs Convert bold list items to headings so #enable-detection-rules and #enabling-detection-rules anchors resolve in docs-builder. Affects: ded, dga, lmd, problemchild Co-Authored-By: Claude Opus 4.6 (1M context) --- packages/ded/docs/README.md | 5 ++++- packages/dga/docs/README.md | 4 +++- packages/lmd/docs/README.md | 18 +++++++++++------- packages/problemchild/docs/README.md | 4 +++- 4 files changed, 21 insertions(+), 10 deletions(-) diff --git a/packages/ded/docs/README.md b/packages/ded/docs/README.md index 0be985c9647..5625d1d3c91 100644 --- a/packages/ded/docs/README.md +++ b/packages/ded/docs/README.md 
@@ -31,7 +31,10 @@ For more detailed information refer to the following blog: _**Warning**_: When creating the data views for the dashboards, ensure that the `Custom data view ID` is set to the value specified above and is not left empty. Omitting or misconfiguring this field may result in broken visualizations, as illustrated by the error message below. ![Dashboard Error](../img/dashboard-ded-error.png) -1. **Enable detection rules**: You can also enable detection rules to alert on Data Exfiltration activity in your environment, based on anomalies flagged by the above ML jobs. As of version 2.0.0 of this package, these rules are available as part of the Detection Engine, and can be found using the tag `Use Case: Data Exfiltration Detection`. See this [documentation](https://www.elastic.co/guide/en/security/current/prebuilt-rules-management.html#load-prebuilt-rules) for more information on importing and enabling the rules. + +### Enable detection rules + +You can also enable detection rules to alert on Data Exfiltration activity in your environment, based on anomalies flagged by the above ML jobs. As of version 2.0.0 of this package, these rules are available as part of the Detection Engine, and can be found using the tag `Use Case: Data Exfiltration Detection`. See this [documentation](https://www.elastic.co/guide/en/security/current/prebuilt-rules-management.html#load-prebuilt-rules) for more information on importing and enabling the rules. ![Data Exfiltration Detection Rules](../img/dedrules.png) *In Security > Rules, filtering with the “Use Case: Data Exfiltration Detection” tag* diff --git a/packages/dga/docs/README.md b/packages/dga/docs/README.md index fadb0c2ca26..55a3c76d88e 100644 --- a/packages/dga/docs/README.md +++ b/packages/dga/docs/README.md 
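Review bot: in the ded hunk, turning the last `1.` item into `### Enable detection rules` also ends the numbered list, so the image and italic caption that follow render as ordinary paragraphs, which is the intended outcome; the caption here reads `*In Security > Rules, ...*` while the dga and problemchild READMEs in this same patch bold it as `**Security > Rules**`, so the four captions could be aligned while the lines are already being touched.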
@@ -77,7 +77,9 @@ For more detailed information refer to the following blogs: ``` 1. **(Optional) [Create a data view](https://www.elastic.co/guide/en/kibana/current/data-views.html)** for your network logs. 1. **Add preconfigured anomaly detection jobs**: In **Stack Management -> Anomaly Detection Jobs**, you will see **Select data view or saved search**. Select the data view created in the previous step. Then under `Use preconfigured jobs` you will see `DGA`. When you select the card, you will see a pre-configured anomaly detection job that you can create. Note this job is only useful for indices that have been enriched by the ingest pipeline. -1. **Enable detection rules**: You can also enable detection rules to alert on DGA activity in your environment, based on anomalies flagged by the above ML jobs. As of version 2.0.0 of this package, these rules are available as part of the Detection Engine in **Security > Rules**, and can be found using the tag `Use Case: Domain Generated Algorithm Detection`. See this [documentation](https://www.elastic.co/guide/en/security/current/prebuilt-rules-management.html#load-prebuilt-rules) for more information on importing and enabling the rules. **Warning**: if the ingest pipeline hasn't run for some reason, such as no eligible data has come in yet, or the required mapping has not been added, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any predictions have been populated yet. +### Enable detection rules + +You can also enable detection rules to alert on DGA activity in your environment, based on anomalies flagged by the above ML jobs. As of version 2.0.0 of this package, these rules are available as part of the Detection Engine in **Security > Rules**, and can be found using the tag `Use Case: Domain Generated Algorithm Detection`. 
See this [documentation](https://www.elastic.co/guide/en/security/current/prebuilt-rules-management.html#load-prebuilt-rules) for more information on importing and enabling the rules. **Warning**: if the ingest pipeline hasn't run for some reason, such as no eligible data has come in yet, or the required mapping has not been added, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any predictions have been populated yet. ![Domain Generation Detection Detection Rules](../img/dgarules.png) *In **Security > Rules**, filtering with the “Use Case: Domain Generation Algorithm Detection” tag* diff --git a/packages/lmd/docs/README.md b/packages/lmd/docs/README.md index 9059cb6862b..0cb004b9d9e 100644 --- a/packages/lmd/docs/README.md +++ b/packages/lmd/docs/README.md 
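Review bot: in the dga hunk the body text names the tag `Use Case: Domain Generated Algorithm Detection` while the caption two lines later filters on "Use Case: Domain Generation Algorithm Detection"; users locate these rules by tag, so one of the two is wrong and should be corrected (the image alt text "Domain Generation Detection Detection Rules" also doubles "Detection"). The **Warning** paragraph carried under the new heading refers to "this card", which is the preconfigured-jobs card from the previous step and has nothing to do with detection rules; the problemchild README keeps that warning inside the add-jobs step, and dga should do the same.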
@@ -37,14 +37,18 @@ If you are running version 8.18+, the Defend integration only collects a [subset - Index pattern : `.ml-anomalies-shared*` - Select **Show Advanced settings** enable **Allow hidden and system indices** - Custom data view ID: `.ml-anomalies-shared` - + _**Warning**_: When creating the data views for the dashboards, ensure that the `Custom data view ID` is set to the value specified above and is not left empty. Omitting or misconfiguring this field may result in broken visualizations, as illustrated by the error message below. ![Dashboard Error](../img/dashboard-lmd-error.png) -1. **Enabling detection rules**: You can also enable detection rules to alert on Lateral Movement activity in your environment, based on anomalies flagged by the above ML jobs. As of version 2.0.0 of this package, these rules are available as part of the Detection Engine, and can be found using the tag `Use Case: Lateral Movement Detection`. See this [documentation](https://www.elastic.co/guide/en/security/current/prebuilt-rules-management.html#load-prebuilt-rules) for more information on importing and enabling the rules. + +### Enabling detection rules + +You can also enable detection rules to alert on Lateral Movement activity in your environment, based on anomalies flagged by the above ML jobs. As of version 2.0.0 of this package, these rules are available as part of the Detection Engine, and can be found using the tag `Use Case: Lateral Movement Detection`. See this [documentation](https://www.elastic.co/guide/en/security/current/prebuilt-rules-management.html#load-prebuilt-rules) for more information on importing and enabling the rules. + 1. **Use with Living off the Land Detection**: This integration package can be used along with Living off the Land detection, see the section Install Living off the Land package to detect malicious processes. 
![Data Exfiltration Detection Rules](../img/lmdrules.png) -*In Security > Rules, filtering with the “Use Case: Lateral Movement Detection” tag* +*In Security > Rules, filtering with the "Use Case: Lateral Movement Detection" tag* ## Dashboard @@ -67,7 +71,7 @@ To customize filters in the Lateral Movement Detection transform, follow the bel ### Install ProblemChild package to detect malicious processes -To detect malicious RDP processes started in a session, install the [Living off the Land Attack (LotL) Detection package](https://docs.elastic.co/integrations/problemchild). Follow the steps under the package [overview](https://docs.elastic.co/integrations/problemchild) to install the related assets. Use the below filter query to examine model predictions on RDP events only. +To detect malicious RDP processes started in a session, install the [Living off the Land Attack (LotL) Detection package](https://docs.elastic.co/integrations/problemchild). Follow the steps under the package [overview](https://docs.elastic.co/integrations/problemchild) to install the related assets. Use the below filter query to examine model predictions on RDP events only. Clone the anomaly detection jobs available under the Living off the Land Attack (LotL) Detection package and follow the below steps to customize them only to process Windows RDP events in the datafeed: 1. Click on the **Actions** panel at the right-most corner of the anomaly detection job and then select the **Edit job** option. @@ -128,7 +132,7 @@ Clone the anomaly detection jobs available under the Living off the Land Attack } ```` -## Anomaly Detection Jobs +## Anomaly Detection Jobs Detects potential lateral movement activity by identifying malicious file transfers and RDP sessions in an environment. 
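Review bot: in the lmd `@@ -37,14 +37,18 @@` hunk, inserting `### Enabling detection rules` ends the numbered list, so the `1. **Use with Living off the Land Detection**` item that follows restarts at 1 when rendered; either promote that item to a heading as well or move it above the new heading. The `![Data Exfiltration Detection Rules](../img/lmdrules.png)` alt text kept as context was copied from the ded README and should say Lateral Movement.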
@@ -159,7 +163,7 @@ To customize the datafeed query and other settings such as model memory limit, f ![Lateral Movement Detection jobs](../img/lmd_ml_job_4.png) 1. In the cloned job, you can update datafeed settings such as **Frequency** and **Query delay**, which help control how often data is analyzed and account for ingestion delays. ![Lateral Movement Detection jobs](../img/lmd_ml_job_5.png) -1. You can also modify the job configuration by adjusting the **Bucket span** and by adding or removing **Influencers** to improve anomaly attribution. +1. You can also modify the job configuration by adjusting the **Bucket span** and by adding or removing **Influencers** to improve anomaly attribution. ![Lateral Movement Detection jobs](../img/lmd_ml_job_6.png) 1. Finally, assign a new Job ID, and click on **Create job**, and start the datafeed to apply the updated settings. @@ -219,7 +223,7 @@ Depending on the version of the package you're using, you might also be able to - Unusually high number of process arguments in an RDP session - Spike in number of connections made to a source IP - Spike in number of connections made to a destination IP - - Unusual time or day for an RDP session start + - Unusual time or day for an RDP session start Depending on the version of the package you're using, you might also be able to search for the above rules using the tag `Lateral Movement`. - Upgrade the Lateral Movement Detection package to v2.0.0 using the steps [here](https://www.elastic.co/guide/en/fleet/current/upgrade-integration.html) diff --git a/packages/problemchild/docs/README.md b/packages/problemchild/docs/README.md index 51dbab26fd9..bf7fe85b8b6 100644 --- a/packages/problemchild/docs/README.md +++ b/packages/problemchild/docs/README.md 
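Review bot: the `@@ -67`, `@@ -128`, `@@ -159` and `@@ -219` hunks in the lmd README only strip trailing whitespace and are unrelated to the anchor fix named in the commit subject; harmless, but either leave them out of this commit or mention the whitespace cleanup in the message so the diff matches its description.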
@@ -119,7 +119,9 @@ For more detailed information refer to the following blogs and webinar: ``` 1. **(Optional) [Create a data view](https://www.elastic.co/guide/en/kibana/current/data-views.html) specificially for your windows process logs (index pattern or data stream name)** 1. **Add preconfigured anomaly detection jobs**: In **Stack Management -> Anomaly Detection Jobs**, you will see **Select data view or saved search**. Select the data view created in the previous step. Then under `Use preconfigured jobs` you will see `Living off the Land Attack Detection`. When you select the card, you will see several pre-configured anomaly detection jobs that you can create depending on what makes the most sense for your environment. **Warning**: if the ingest pipeline hasn't run for some reason, such as no eligible data has come in yet, or the required mapping has not been added, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any predictions have been populated yet. -1. **Enable detection rules**: You can also enable detection rules to alert on LotL activity in your environment, based on anomalies flagged by the above ML jobs. As of version 2.0.0 of this package, these rules are available as part of the Detection Engine, and can be found using the tag `Use Case: Living off the Land Attack Detection`. See this [documentation](https://www.elastic.co/guide/en/security/current/prebuilt-rules-management.html#load-prebuilt-rules) for more information on importing and enabling the rules. +### Enable detection rules + +You can also enable detection rules to alert on LotL activity in your environment, based on anomalies flagged by the above ML jobs. As of version 2.0.0 of this package, these rules are available as part of the Detection Engine, and can be found using the tag `Use Case: Living off the Land Attack Detection`. 
See this [documentation](https://www.elastic.co/guide/en/security/current/prebuilt-rules-management.html#load-prebuilt-rules) for more information on importing and enabling the rules. ![Domain Generation Detection Detection Rules](../img/lotlrules.png) *In **Security > Rules**, filtering with the “Use Case: Living off the Land Attack Detection” tag* From 6c8c1d74b02a923e4c68c76d86da249260797c25 Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Wed, 25 Mar 2026 14:44:49 -0500 Subject: [PATCH 29/44] PAD readme fixes --- packages/pad/docs/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/pad/docs/README.md b/packages/pad/docs/README.md index af74986f4c4..1804410e1db 100644 --- a/packages/pad/docs/README.md +++ b/packages/pad/docs/README.md 
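Review bot: in the problemchild README hunk the context line above the new heading still reads "specificially", and the alt text below it, "Domain Generation Detection Detection Rules" for `lotlrules.png`, was copied from the dga README; both are worth fixing in the same commit since the surrounding lines are already being rewritten.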
@@ -125,11 +125,11 @@ To customize filters in the Privileged Access Detection transform, follow the be | pad_windows_rare_region_name_by_user_ea | Detects an unusual region name for a user. | Windows | | pad_linux_high_count_privileged_process_events_by_user_ea | Detects a spike in privileged commands executed by a user. | Linux | | pad_linux_rare_process_executed_by_user_ea | Detects a rare process executed by a user. | Linux | -| pad_linux_high_median_process_command_line_entropy_by_user_ea | Detects process command lines executed by a user with an abnormally high median entropy value. | Okta Integration | +| pad_linux_high_median_process_command_line_entropy_by_user_ea | Detects process command lines executed by a user with an abnormally high median entropy value. | Linux | | pad_okta_spike_in_group_membership_changes_ea | Detects spike in group membership change events by a user. | Okta Integration | | pad_okta_spike_in_user_lifecycle_management_changes_ea | Detects spike in user lifecycle management change events by a user. | Okta Integration | | pad_okta_spike_in_group_privilege_changes_ea | Detects spike in group privilege change events by a user. | Okta Integration | -| pad_okta_spike_in_group_application_assignment_change | Detects spike in group application assignment change events by a user. | Okta Integration | +| pad_okta_spike_in_group_application_assignment_changes_ea | Detects spike in group application assignment change events by a user. | Okta Integration | | pad_okta_spike_in_group_lifecycle_changes_ea | Detects spike in group lifecycle change events by a user. | Okta Integration | | pad_okta_high_sum_concurrent_sessions_by_user_ea | Detects an unusual sum of active sessions started by a user. | Okta Integration | | pad_okta_rare_source_ip_by_user_ea | Detects an unusual source IP address accessed by a user. | Okta Integration | From 9432801977ebb536627c7b272d66e9bd506c2701 Mon Sep 17 00:00:00 2001 
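Review bot: the Linux platform fix is right given the `pad_linux_` prefix, and the renamed `pad_okta_spike_in_group_application_assignment_changes_ea` follows the `_changes_ea` pattern of its neighbours; since this table is what users type into the ML job search, verify the string against the actual `job_id` in `pad-ml.json` (the pad-ml.json hunks earlier in this series show only the detector description "High count of group application assignment okta events by user name", not the job id).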
From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Thu, 26 Mar 2026 09:38:40 -0500 Subject: [PATCH 30/44] PAD Windows dashboard/rare region job fixes --- .../dashboard/pad-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09.json | 4 ++-- .../pad-ea-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09.json | 4 ++-- packages/pad/kibana/ml_module/pad-ml.json | 1 + 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/packages/pad/kibana/dashboard/pad-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09.json b/packages/pad/kibana/dashboard/pad-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09.json index b65abbbed28..c3c6b293b23 100644 --- a/packages/pad/kibana/dashboard/pad-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09.json +++ b/packages/pad/kibana/dashboard/pad-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09.json 
@@ -3,7 +3,7 @@ "description": "This dashboard offers an overview of anomalies identified in Windows logs by the Privileged Access Detection package.", "hits": 0, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"job_id: (\\\"pad_windows_high_count_group_management_events\\\" or \\\"pad_windows_high_count_special_logon_events\\\" or \\\"pad_windows_high_count_special_privilege_use_events\\\" or \\\"pad_windows_high_count_user_account_management_events\\\" or \\\"pad_windows_rare_device_by_user\\\" or \\\"pad_windows_rare_group_name_by_user\\\" or \\\"pad_windows_rare_source_ip_by_user\\\" or \\\"pad_windows_rare_privilege_assigned_to_user\\\" ) \\n\\n\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"type\":\"custom\",\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"query\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"bool\":{\"filter\":[{\"term\":{\"result_type\":{\"value\":\"record\"}}}]}}}]}" + "searchSourceJSON": "{\"query\":{\"query\":\"job_id: (\\\"pad_windows_high_count_group_management_events\\\" or \\\"pad_windows_high_count_special_logon_events\\\" or \\\"pad_windows_high_count_special_privilege_use_events\\\" or \\\"pad_windows_high_count_user_account_management_events\\\" or \\\"pad_windows_rare_device_by_user\\\" or \\\"pad_windows_rare_group_name_by_user\\\" or \\\"pad_windows_rare_source_ip_by_user\\\" or \\\"pad_windows_rare_privilege_assigned_to_user\\\" or \\\"pad_windows_rare_region_name_by_user\\\" ) \\n\\n\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"type\":\"custom\",\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"query\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"bool\":{\"filter\":[{\"term\":{\"result_type\":{\"value\":\"record\"}}}]}}}]}" }, "optionsJSON": { "hidePanelTitles": false, 
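Review bot: the `searchSourceJSON` KQL `job_id:` list had to be hand-extended with `pad_windows_rare_region_name_by_user`, while the swim lane `jobIds` in `panelsJSON` already contained it, which is exactly how the two drifted apart; a wildcard such as `job_id: pad_windows_*` in the query would keep the Windows dashboard in step with future job additions without editing the saved object again.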
@@ -11,7 +11,7 @@ "syncTooltips": false, "useMargins": true }, - "panelsJSON": "[{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":11,\"h\":8,\"i\":\"c969fd47-15df-4011-8fa3-2a27825ad0f6\"},\"panelIndex\":\"c969fd47-15df-4011-8fa3-2a27825ad0f6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-4a3eb6a5-00f0-40bb-a514-4624c8ecf975\"}],\"state\":{\"visualization\":{\"layerId\":\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\",\"accessor\":\"38c1895e-f712-49ad-b793-1468d2fd02dc\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\":{\"columns\":{\"38c1895e-f712-49ad-b793-1468d2fd02dc\":{\"label\":\"Anomalous host names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"38c1895e-f712-49ad-b793-1468d2fd02dc\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"Number of hosts 
affected\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":0,\"w\":11,\"h\":8,\"i\":\"16a69c4e-a9e3-4ec0-aa9a-11ba40d873bd\"},\"panelIndex\":\"16a69c4e-a9e3-4ec0-aa9a-11ba40d873bd\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-4a3eb6a5-00f0-40bb-a514-4624c8ecf975\"}],\"state\":{\"visualization\":{\"layerId\":\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\",\"accessor\":\"38c1895e-f712-49ad-b793-1468d2fd02dc\",\"layerType\":\"data\",\"size\":\"l\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"9b5b5af7-b12d-4f9e-98e4-eb78ca6a3de3\",\"type\":\"exists\",\"key\":\"host.name\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{\"exists\":{\"field\":\"host.name\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\":{\"columns\":{\"38c1895e-f712-49ad-b793-1468d2fd02dc\":{\"label\":\"Anomalous user names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"user.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"38c1895e-f712-49ad-b793-1468d2fd02dc\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"Number of users 
affected\"},{\"type\":\"ml_anomaly_swimlane\",\"gridData\":{\"x\":22,\"y\":0,\"w\":26,\"h\":19,\"i\":\"dce1e8da-3b99-4852-a222-3e0f276dee0e\"},\"panelIndex\":\"dce1e8da-3b99-4852-a222-3e0f276dee0e\",\"embeddableConfig\":{\"jobIds\":[\"pad_windows_high_count_group_management_events\",\"pad_windows_high_count_special_logon_events\",\"pad_windows_high_count_special_privilege_use_events\",\"pad_windows_high_count_user_account_management_events\",\"pad_windows_rare_device_by_user\",\"pad_windows_rare_group_name_by_user\",\"pad_windows_rare_privilege_assigned_to_user\",\"pad_windows_rare_region_name_by_user\",\"pad_windows_rare_source_ip_by_user\"],\"panelTitle\":\"ML anomaly swim lane for pad_linux_high_count_privileged_process_events_by_user, pad_linux_high_sum_process_command_line_entropy_by_user, pad_linux_rare_process_executed_by_user\",\"swimlaneType\":\"viewBy\",\"viewBy\":\"job ID\",\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected by their Job ID and Severity\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":8,\"w\":11,\"h\":11,\"i\":\"26531c0e-a776-4e6f-badd-8766f77d9134\"},\"panelIndex\":\"26531c0e-a776-4e6f-badd-8766f77d9134\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-390b338f-2020-4d73-95ae-3934bae7f6b6\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"isTransposed\":false,\"isMetric\":false,\"hidden\":false,\"alignment\":\"left\"},{\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"390b338f-2020-4d73-95ae-3934bae7f6b6\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"390b338f-2020-4d73-95ae-3934b
ae7f6b6\":{\"columns\":{\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\":{\"label\":\"User names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"user.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"05043aa4-cc1e-429b-8046-fbcdd4092879\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"05043aa4-cc1e-429b-8046-fbcdd4092879\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 User 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":8,\"w\":11,\"h\":11,\"i\":\"271a8d58-3d1b-44d9-93da-338c9f91867a\"},\"panelIndex\":\"271a8d58-3d1b-44d9-93da-338c9f91867a\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-390b338f-2020-4d73-95ae-3934bae7f6b6\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"isTransposed\":false,\"isMetric\":false,\"hidden\":false},{\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"390b338f-2020-4d73-95ae-3934bae7f6b6\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"390b338f-2020-4d73-95ae-3934bae7f6b6\":{\"columns\":{\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\":{\"label\":\"Host names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"05043aa4-cc1e-429b-8046-fbcdd4092879\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"05043aa4-cc1e-429b-8046-fbcdd4092879\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Host names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":19,\"w\":48,\"h\":10,\"i\":\"502e0249-fc8c-4d26-8f1e-d8f434d8e7c7\"},\"panelIndex\":\"502e0249-fc8c-4d26-8f1e-d8f434d8e7c7\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-633758dc-f315-45ef-8ff3-055ba6778160\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"633758dc-f315-45ef-8ff3-055ba6778160\",\"accessors\":[\"e0821c61-d9f8-46af-9b64-9b70c3353106\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"2e4087b8-5e9b-4040-8c21-231649fdaf27\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"633758dc-f315-45ef-8ff3-055ba6778160\":{\"columns\":{\"2e4087
b8-5e9b-4040-8c21-231649fdaf27\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":false,\"dropPartials\":false}},\"e0821c61-d9f8-46af-9b64-9b70c3353106\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"2e4087b8-5e9b-4040-8c21-231649fdaf27\",\"e0821c61-d9f8-46af-9b64-9b70c3353106\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected over time\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":29,\"w\":12,\"h\":12,\"i\":\"920f2dd3-3628-4298-866a-da34c82431c2\"},\"panelIndex\":\"920f2dd3-3628-4298-866a-da34c82431c2\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Event 
types\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"event.action\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Event 
types\"},{\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":29,\"w\":12,\"h\":12,\"i\":\"02255922-d40f-4757-92c2-b53596a73f5e\"},\"panelIndex\":\"02255922-d40f-4757-92c2-b53596a73f5e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Privilege types\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"privilege_type\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Privilege types\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":29,\"w\":24,\"h\":12,\"i\":\"5318144f-ddf3-4f86-919f-0192feec779f\"},\"panelIndex\":\"5318144f-ddf3-4f86-919f-0192feec779f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-d4fef95e-d937-4dd8-9a7f-783e5142c701\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"d4fef95e-d937-4dd8-9a7f-783e5142c701\",\"accessors\":[\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d4fef95e-d937-4dd8-9a7f-783e5142c701\":{\"columns\":{\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\":{\"label\":\"Top 10 process names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\",\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Process 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":41,\"w\":12,\"h\":12,\"i\":\"0d20b661-2d10-4b29-8c22-74411dd468cb\"},\"panelIndex\":\"0d20b661-2d10-4b29-8c22-74411dd468cb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Source IPs\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.ip\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Source IPs\"},{\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":41,\"w\":12,\"h\":12,\"i\":\"8c0e0fe0-dbe3-4444-a341-b57559b4a7c0\"},\"panelIndex\":\"8c0e0fe0-dbe3-4444-a341-b57559b4a7c0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Group 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"group.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Group 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":41,\"w\":24,\"h\":12,\"i\":\"2762a942-0d53-4420-82c2-72bd991e7e7d\"},\"panelIndex\":\"2762a942-0d53-4420-82c2-72bd991e7e7d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-18a81053-4dec-4f8f-97b9-2cfbb5150300\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal\",\"layers\":[{\"layerId\":\"18a81053-4dec-4f8f-97b9-2cfbb5150300\",\"seriesType\":\"bar_horizontal\",\"xAccessor\":\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\",\"accessors\":[\"70751b16-f471-4176-b754-1680309d4477\"],\"yConfig\":[{\"forAccessor\":\"70751b16-f471-4176-b754-1680309d4477\",\"color\":\"#6092c0\"}],\"layerType\":\"data\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"18a81053-4dec-4f8f-97b9-2cfbb5150300\":{\"columns\":{\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\":{\"label\":\"Top 10 region 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.geo.region_name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"70751b16-f471-4176-b754-1680309d4477\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"70751b16-f471-4176-b754-1680309d4477\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\",\"70751b16-f471-4176-b754-1680309d4477\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Geo-regions\"}]", + "panelsJSON": 
"[{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":11,\"h\":8,\"i\":\"c969fd47-15df-4011-8fa3-2a27825ad0f6\"},\"panelIndex\":\"c969fd47-15df-4011-8fa3-2a27825ad0f6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-4a3eb6a5-00f0-40bb-a514-4624c8ecf975\"}],\"state\":{\"visualization\":{\"layerId\":\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\",\"accessor\":\"38c1895e-f712-49ad-b793-1468d2fd02dc\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\":{\"columns\":{\"38c1895e-f712-49ad-b793-1468d2fd02dc\":{\"label\":\"Anomalous host names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"38c1895e-f712-49ad-b793-1468d2fd02dc\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"Number of hosts 
affected\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":0,\"w\":11,\"h\":8,\"i\":\"16a69c4e-a9e3-4ec0-aa9a-11ba40d873bd\"},\"panelIndex\":\"16a69c4e-a9e3-4ec0-aa9a-11ba40d873bd\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-4a3eb6a5-00f0-40bb-a514-4624c8ecf975\"}],\"state\":{\"visualization\":{\"layerId\":\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\",\"accessor\":\"38c1895e-f712-49ad-b793-1468d2fd02dc\",\"layerType\":\"data\",\"size\":\"l\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"9b5b5af7-b12d-4f9e-98e4-eb78ca6a3de3\",\"type\":\"exists\",\"key\":\"host.name\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{\"exists\":{\"field\":\"host.name\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\":{\"columns\":{\"38c1895e-f712-49ad-b793-1468d2fd02dc\":{\"label\":\"Anomalous user names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"user.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"38c1895e-f712-49ad-b793-1468d2fd02dc\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"Number of users 
affected\"},{\"type\":\"ml_anomaly_swimlane\",\"gridData\":{\"x\":22,\"y\":0,\"w\":26,\"h\":19,\"i\":\"dce1e8da-3b99-4852-a222-3e0f276dee0e\"},\"panelIndex\":\"dce1e8da-3b99-4852-a222-3e0f276dee0e\",\"embeddableConfig\":{\"jobIds\":[\"pad_windows_high_count_group_management_events\",\"pad_windows_high_count_special_logon_events\",\"pad_windows_high_count_special_privilege_use_events\",\"pad_windows_high_count_user_account_management_events\",\"pad_windows_rare_device_by_user\",\"pad_windows_rare_group_name_by_user\",\"pad_windows_rare_privilege_assigned_to_user\",\"pad_windows_rare_region_name_by_user\",\"pad_windows_rare_source_ip_by_user\"],\"panelTitle\":\"ML anomaly swim lane for pad_windows_high_count_group_management_events, pad_windows_high_count_special_logon_events, pad_windows_high_count_special_privilege_use_events, pad_windows_high_count_user_account_management_events, pad_windows_rare_device_by_user, pad_windows_rare_group_name_by_user, pad_windows_rare_privilege_assigned_to_user, pad_windows_rare_region_name_by_user, pad_windows_rare_source_ip_by_user\",\"swimlaneType\":\"viewBy\",\"viewBy\":\"job ID\",\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected by their Job ID and 
Severity\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":8,\"w\":11,\"h\":11,\"i\":\"26531c0e-a776-4e6f-badd-8766f77d9134\"},\"panelIndex\":\"26531c0e-a776-4e6f-badd-8766f77d9134\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-390b338f-2020-4d73-95ae-3934bae7f6b6\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"isTransposed\":false,\"isMetric\":false,\"hidden\":false,\"alignment\":\"left\"},{\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"390b338f-2020-4d73-95ae-3934bae7f6b6\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"390b338f-2020-4d73-95ae-3934bae7f6b6\":{\"columns\":{\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\":{\"label\":\"User names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"user.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"05043aa4-cc1e-429b-8046-fbcdd4092879\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"05043aa4-cc1e-429b-8046-fbcdd4092879\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 User names\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":8,\"w\":11,\"h\":11,\"i\":\"271a8d58-3d1b-44d9-93da-338c9f91867a\"},\"panelIndex\":\"271a8d58-3d1b-44d9-93da-338c9f91867a\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-390b338f-2020-4d73-95ae-3934bae7f6b6\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"isTransposed\":false,\"isMetric\":false,\"hidden\":false},{\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"390b338f-2020-4d73-95ae-3934bae7f6b6\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"390b338f-2020-4d73-95ae-3934bae7f6b6\":{\"columns\":{\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\":{\"label\":\"Host 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"05043aa4-cc1e-429b-8046-fbcdd4092879\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"05043aa4-cc1e-429b-8046-fbcdd4092879\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Host 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":19,\"w\":48,\"h\":10,\"i\":\"502e0249-fc8c-4d26-8f1e-d8f434d8e7c7\"},\"panelIndex\":\"502e0249-fc8c-4d26-8f1e-d8f434d8e7c7\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-633758dc-f315-45ef-8ff3-055ba6778160\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"633758dc-f315-45ef-8ff3-055ba6778160\",\"accessors\":[\"e0821c61-d9f8-46af-9b64-9b70c3353106\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"2e4087b8-5e9b-4040-8c21-231649fdaf27\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"633758dc-f315-45ef-8ff3-055ba6778160\":{\"columns\":{\"2e4087b8-5e9b-4040-8c21-231649fdaf27\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":false,\"dropPartials\":false}},\"e0821c61-d9f8-46af-9b64-9b70c3353106\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"2e4087b8-5e9b-4040-8c21-231649fdaf27\",\"e0821c61-d9f8-46af-9b64-9b70c3353106\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected over time\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":29,\"w\":12,\"h\":12,\"i\":\"920f2dd3-3628-4298-866a-da34c82431c2\"},\"panelIndex\":\"920f2dd3-3628-4298-866a-da34c82431c2\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Event 
types\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"event.action\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Event 
types\"},{\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":29,\"w\":12,\"h\":12,\"i\":\"02255922-d40f-4757-92c2-b53596a73f5e\"},\"panelIndex\":\"02255922-d40f-4757-92c2-b53596a73f5e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Privilege types\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"privilege_type\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Privilege types\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":29,\"w\":24,\"h\":12,\"i\":\"5318144f-ddf3-4f86-919f-0192feec779f\"},\"panelIndex\":\"5318144f-ddf3-4f86-919f-0192feec779f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-d4fef95e-d937-4dd8-9a7f-783e5142c701\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"d4fef95e-d937-4dd8-9a7f-783e5142c701\",\"accessors\":[\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d4fef95e-d937-4dd8-9a7f-783e5142c701\":{\"columns\":{\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\":{\"label\":\"Top 10 process names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\",\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Process 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":41,\"w\":12,\"h\":12,\"i\":\"0d20b661-2d10-4b29-8c22-74411dd468cb\"},\"panelIndex\":\"0d20b661-2d10-4b29-8c22-74411dd468cb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Source IPs\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.ip\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Source IPs\"},{\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":41,\"w\":12,\"h\":12,\"i\":\"8c0e0fe0-dbe3-4444-a341-b57559b4a7c0\"},\"panelIndex\":\"8c0e0fe0-dbe3-4444-a341-b57559b4a7c0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Group 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"group.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Group 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":41,\"w\":24,\"h\":12,\"i\":\"2762a942-0d53-4420-82c2-72bd991e7e7d\"},\"panelIndex\":\"2762a942-0d53-4420-82c2-72bd991e7e7d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-18a81053-4dec-4f8f-97b9-2cfbb5150300\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal\",\"layers\":[{\"layerId\":\"18a81053-4dec-4f8f-97b9-2cfbb5150300\",\"seriesType\":\"bar_horizontal\",\"xAccessor\":\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\",\"accessors\":[\"70751b16-f471-4176-b754-1680309d4477\"],\"yConfig\":[{\"forAccessor\":\"70751b16-f471-4176-b754-1680309d4477\",\"color\":\"#6092c0\"}],\"layerType\":\"data\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"18a81053-4dec-4f8f-97b9-2cfbb5150300\":{\"columns\":{\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\":{\"label\":\"Top 10 region 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.geo.region_name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"70751b16-f471-4176-b754-1680309d4477\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"70751b16-f471-4176-b754-1680309d4477\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\",\"70751b16-f471-4176-b754-1680309d4477\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Geo-regions\"}]", "timeRestore": false, "title": "Privileged Access Detection Dashboard [Windows]", "version": 1 diff --git a/packages/pad/kibana/dashboard/pad-ea-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09.json b/packages/pad/kibana/dashboard/pad-ea-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09.json index 3ca33a16e71..f3e76cd3dd3 100644 --- a/packages/pad/kibana/dashboard/pad-ea-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09.json +++ b/packages/pad/kibana/dashboard/pad-ea-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09.json 
@@ -3,7 +3,7 @@ "description": "This dashboard offers an overview of anomalies identified in Windows logs by the Privileged Access Detection package.", "hits": 0, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"job_id: (\\\"pad_windows_high_count_group_management_events_ea\\\" or \\\"pad_windows_high_count_special_logon_events_ea\\\" or \\\"pad_windows_high_count_special_privilege_use_events_ea\\\" or \\\"pad_windows_high_count_user_account_management_events_ea\\\" or \\\"pad_windows_rare_device_by_user_ea\\\" or \\\"pad_windows_rare_group_name_by_user_ea\\\" or \\\"pad_windows_rare_source_ip_by_user_ea\\\" or \\\"pad_windows_rare_privilege_assigned_to_user_ea\\\" ) \\n\\n\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"type\":\"custom\",\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"query\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"bool\":{\"filter\":[{\"term\":{\"result_type\":{\"value\":\"record\"}}}]}}}]}" + "searchSourceJSON": "{\"query\":{\"query\":\"job_id: (\\\"pad_windows_high_count_group_management_events_ea\\\" or \\\"pad_windows_high_count_special_logon_events_ea\\\" or \\\"pad_windows_high_count_special_privilege_use_events_ea\\\" or \\\"pad_windows_high_count_user_account_management_events_ea\\\" or \\\"pad_windows_rare_device_by_user_ea\\\" or \\\"pad_windows_rare_group_name_by_user_ea\\\" or \\\"pad_windows_rare_source_ip_by_user_ea\\\" or \\\"pad_windows_rare_privilege_assigned_to_user_ea\\\" or \\\"pad_windows_rare_region_name_by_user_ea\\\" ) \\n\\n\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"type\":\"custom\",\"disabled\":false,\"negate\":false,\"alias\":null,\"key\":\"query\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"bool\":{\"filter\":[{\"term\":{\"result_type\":{\"value\":\"record\"}}}]}}}]}" }, "optionsJSON": { 
"hidePanelTitles": false, 
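Review bot: the `job_id:` list in `searchSourceJSON` has to be kept in step by hand with the swim lane's `jobIds` array in `panelsJSON`; `pad_windows_rare_region_name_by_user_ea` is already in that array, so this hunk only catches the dashboard-level query up, and the next job added to the module will silently drop its records from every Lens panel until someone remembers this string. Consider a prefix wildcard such as `job_id: pad_windows_*` so the filter does not depend on an enumerated list (check that it does not also pull in any non-`_ea` job variants you want excluded), and trim the trailing `\\n\\n` from the query string while touching it.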
@@ -11,7 +11,7 @@ "syncTooltips": false, "useMargins": true }, - "panelsJSON": "[{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":11,\"h\":8,\"i\":\"c969fd47-15df-4011-8fa3-2a27825ad0f6\"},\"panelIndex\":\"c969fd47-15df-4011-8fa3-2a27825ad0f6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-4a3eb6a5-00f0-40bb-a514-4624c8ecf975\"}],\"state\":{\"visualization\":{\"layerId\":\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\",\"accessor\":\"38c1895e-f712-49ad-b793-1468d2fd02dc\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\":{\"columns\":{\"38c1895e-f712-49ad-b793-1468d2fd02dc\":{\"label\":\"Anomalous host names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"38c1895e-f712-49ad-b793-1468d2fd02dc\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"Number of hosts 
affected\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":0,\"w\":11,\"h\":8,\"i\":\"16a69c4e-a9e3-4ec0-aa9a-11ba40d873bd\"},\"panelIndex\":\"16a69c4e-a9e3-4ec0-aa9a-11ba40d873bd\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-4a3eb6a5-00f0-40bb-a514-4624c8ecf975\"}],\"state\":{\"visualization\":{\"layerId\":\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\",\"accessor\":\"38c1895e-f712-49ad-b793-1468d2fd02dc\",\"layerType\":\"data\",\"size\":\"l\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"9b5b5af7-b12d-4f9e-98e4-eb78ca6a3de3\",\"type\":\"exists\",\"key\":\"host.name\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{\"exists\":{\"field\":\"host.name\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\":{\"columns\":{\"38c1895e-f712-49ad-b793-1468d2fd02dc\":{\"label\":\"Anomalous user names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"user.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"38c1895e-f712-49ad-b793-1468d2fd02dc\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"Number of users 
affected\"},{\"type\":\"ml_anomaly_swimlane\",\"gridData\":{\"x\":22,\"y\":0,\"w\":26,\"h\":19,\"i\":\"dce1e8da-3b99-4852-a222-3e0f276dee0e\"},\"panelIndex\":\"dce1e8da-3b99-4852-a222-3e0f276dee0e\",\"embeddableConfig\":{\"jobIds\":[\"pad_windows_high_count_group_management_events_ea\",\"pad_windows_high_count_special_logon_events_ea\",\"pad_windows_high_count_special_privilege_use_events_ea\",\"pad_windows_high_count_user_account_management_events_ea\",\"pad_windows_rare_device_by_user_ea\",\"pad_windows_rare_group_name_by_user_ea\",\"pad_windows_rare_privilege_assigned_to_user_ea\",\"pad_windows_rare_region_name_by_user_ea\",\"pad_windows_rare_source_ip_by_user_ea\"],\"panelTitle\":\"ML anomaly swim lane for pad_linux_high_count_privileged_process_events_by_user_ea, pad_linux_high_sum_process_command_line_entropy_by_user, pad_linux_rare_process_executed_by_user_ea\",\"swimlaneType\":\"viewBy\",\"viewBy\":\"job ID\",\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected by their Job ID and 
Severity\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":8,\"w\":11,\"h\":11,\"i\":\"26531c0e-a776-4e6f-badd-8766f77d9134\"},\"panelIndex\":\"26531c0e-a776-4e6f-badd-8766f77d9134\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-390b338f-2020-4d73-95ae-3934bae7f6b6\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"isTransposed\":false,\"isMetric\":false,\"hidden\":false,\"alignment\":\"left\"},{\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"390b338f-2020-4d73-95ae-3934bae7f6b6\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"390b338f-2020-4d73-95ae-3934bae7f6b6\":{\"columns\":{\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\":{\"label\":\"User names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"user.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"05043aa4-cc1e-429b-8046-fbcdd4092879\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"05043aa4-cc1e-429b-8046-fbcdd4092879\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 User names\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":8,\"w\":11,\"h\":11,\"i\":\"271a8d58-3d1b-44d9-93da-338c9f91867a\"},\"panelIndex\":\"271a8d58-3d1b-44d9-93da-338c9f91867a\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-390b338f-2020-4d73-95ae-3934bae7f6b6\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"isTransposed\":false,\"isMetric\":false,\"hidden\":false},{\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"390b338f-2020-4d73-95ae-3934bae7f6b6\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"390b338f-2020-4d73-95ae-3934bae7f6b6\":{\"columns\":{\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\":{\"label\":\"Host 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"05043aa4-cc1e-429b-8046-fbcdd4092879\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"05043aa4-cc1e-429b-8046-fbcdd4092879\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Host 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":19,\"w\":48,\"h\":10,\"i\":\"502e0249-fc8c-4d26-8f1e-d8f434d8e7c7\"},\"panelIndex\":\"502e0249-fc8c-4d26-8f1e-d8f434d8e7c7\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-633758dc-f315-45ef-8ff3-055ba6778160\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"633758dc-f315-45ef-8ff3-055ba6778160\",\"accessors\":[\"e0821c61-d9f8-46af-9b64-9b70c3353106\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"2e4087b8-5e9b-4040-8c21-231649fdaf27\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"633758dc-f315-45ef-8ff3-055ba6778160\":{\"columns\":{\"2e4087b8-5e9b-4040-8c21-231649fdaf27\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":false,\"dropPartials\":false}},\"e0821c61-d9f8-46af-9b64-9b70c3353106\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"2e4087b8-5e9b-4040-8c21-231649fdaf27\",\"e0821c61-d9f8-46af-9b64-9b70c3353106\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected over time\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":29,\"w\":12,\"h\":12,\"i\":\"920f2dd3-3628-4298-866a-da34c82431c2\"},\"panelIndex\":\"920f2dd3-3628-4298-866a-da34c82431c2\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Event 
types\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"event.action\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Event 
types\"},{\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":29,\"w\":12,\"h\":12,\"i\":\"02255922-d40f-4757-92c2-b53596a73f5e\"},\"panelIndex\":\"02255922-d40f-4757-92c2-b53596a73f5e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Privilege types\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"privilege_type\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Privilege types\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":29,\"w\":24,\"h\":12,\"i\":\"5318144f-ddf3-4f86-919f-0192feec779f\"},\"panelIndex\":\"5318144f-ddf3-4f86-919f-0192feec779f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-d4fef95e-d937-4dd8-9a7f-783e5142c701\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"d4fef95e-d937-4dd8-9a7f-783e5142c701\",\"accessors\":[\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d4fef95e-d937-4dd8-9a7f-783e5142c701\":{\"columns\":{\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\":{\"label\":\"Top 10 process names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\",\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Process 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":41,\"w\":12,\"h\":12,\"i\":\"0d20b661-2d10-4b29-8c22-74411dd468cb\"},\"panelIndex\":\"0d20b661-2d10-4b29-8c22-74411dd468cb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Source IPs\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.ip\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Source IPs\"},{\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":41,\"w\":12,\"h\":12,\"i\":\"8c0e0fe0-dbe3-4444-a341-b57559b4a7c0\"},\"panelIndex\":\"8c0e0fe0-dbe3-4444-a341-b57559b4a7c0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Group 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"group.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Group 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":41,\"w\":24,\"h\":12,\"i\":\"2762a942-0d53-4420-82c2-72bd991e7e7d\"},\"panelIndex\":\"2762a942-0d53-4420-82c2-72bd991e7e7d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-18a81053-4dec-4f8f-97b9-2cfbb5150300\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal\",\"layers\":[{\"layerId\":\"18a81053-4dec-4f8f-97b9-2cfbb5150300\",\"seriesType\":\"bar_horizontal\",\"xAccessor\":\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\",\"accessors\":[\"70751b16-f471-4176-b754-1680309d4477\"],\"yConfig\":[{\"forAccessor\":\"70751b16-f471-4176-b754-1680309d4477\",\"color\":\"#6092c0\"}],\"layerType\":\"data\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"18a81053-4dec-4f8f-97b9-2cfbb5150300\":{\"columns\":{\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\":{\"label\":\"Top 10 region 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.geo.region_name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"70751b16-f471-4176-b754-1680309d4477\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"70751b16-f471-4176-b754-1680309d4477\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\",\"70751b16-f471-4176-b754-1680309d4477\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Geo-regions\"}]", + "panelsJSON": 
"[{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":11,\"h\":8,\"i\":\"c969fd47-15df-4011-8fa3-2a27825ad0f6\"},\"panelIndex\":\"c969fd47-15df-4011-8fa3-2a27825ad0f6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-4a3eb6a5-00f0-40bb-a514-4624c8ecf975\"}],\"state\":{\"visualization\":{\"layerId\":\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\",\"accessor\":\"38c1895e-f712-49ad-b793-1468d2fd02dc\",\"layerType\":\"data\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\",\"size\":\"l\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\":{\"columns\":{\"38c1895e-f712-49ad-b793-1468d2fd02dc\":{\"label\":\"Anomalous host names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"38c1895e-f712-49ad-b793-1468d2fd02dc\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"Number of hosts 
affected\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":0,\"w\":11,\"h\":8,\"i\":\"16a69c4e-a9e3-4ec0-aa9a-11ba40d873bd\"},\"panelIndex\":\"16a69c4e-a9e3-4ec0-aa9a-11ba40d873bd\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-4a3eb6a5-00f0-40bb-a514-4624c8ecf975\"}],\"state\":{\"visualization\":{\"layerId\":\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\",\"accessor\":\"38c1895e-f712-49ad-b793-1468d2fd02dc\",\"layerType\":\"data\",\"size\":\"l\",\"titlePosition\":\"bottom\",\"textAlign\":\"center\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"9b5b5af7-b12d-4f9e-98e4-eb78ca6a3de3\",\"type\":\"exists\",\"key\":\"host.name\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{\"exists\":{\"field\":\"host.name\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"4a3eb6a5-00f0-40bb-a514-4624c8ecf975\":{\"columns\":{\"38c1895e-f712-49ad-b793-1468d2fd02dc\":{\"label\":\"Anomalous user names detected\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"user.name\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"38c1895e-f712-49ad-b793-1468d2fd02dc\"],\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":true,\"enhancements\":{}},\"title\":\"Number of users 
affected\"},{\"type\":\"ml_anomaly_swimlane\",\"gridData\":{\"x\":22,\"y\":0,\"w\":26,\"h\":19,\"i\":\"dce1e8da-3b99-4852-a222-3e0f276dee0e\"},\"panelIndex\":\"dce1e8da-3b99-4852-a222-3e0f276dee0e\",\"embeddableConfig\":{\"jobIds\":[\"pad_windows_high_count_group_management_events_ea\",\"pad_windows_high_count_special_logon_events_ea\",\"pad_windows_high_count_special_privilege_use_events_ea\",\"pad_windows_high_count_user_account_management_events_ea\",\"pad_windows_rare_device_by_user_ea\",\"pad_windows_rare_group_name_by_user_ea\",\"pad_windows_rare_privilege_assigned_to_user_ea\",\"pad_windows_rare_region_name_by_user_ea\",\"pad_windows_rare_source_ip_by_user_ea\"],\"panelTitle\":\"ML anomaly swim lane for pad_windows_high_count_group_management_events_ea, pad_windows_high_count_special_logon_events_ea, pad_windows_high_count_special_privilege_use_events_ea, pad_windows_high_count_user_account_management_events_ea, pad_windows_rare_device_by_user_ea, pad_windows_rare_group_name_by_user_ea, pad_windows_rare_privilege_assigned_to_user_ea, pad_windows_rare_region_name_by_user_ea, pad_windows_rare_source_ip_by_user_ea\",\"swimlaneType\":\"viewBy\",\"viewBy\":\"job ID\",\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected by their Job ID and 
Severity\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":8,\"w\":11,\"h\":11,\"i\":\"26531c0e-a776-4e6f-badd-8766f77d9134\"},\"panelIndex\":\"26531c0e-a776-4e6f-badd-8766f77d9134\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-390b338f-2020-4d73-95ae-3934bae7f6b6\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"isTransposed\":false,\"isMetric\":false,\"hidden\":false,\"alignment\":\"left\"},{\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"390b338f-2020-4d73-95ae-3934bae7f6b6\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"390b338f-2020-4d73-95ae-3934bae7f6b6\":{\"columns\":{\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\":{\"label\":\"User names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"user.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"05043aa4-cc1e-429b-8046-fbcdd4092879\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"05043aa4-cc1e-429b-8046-fbcdd4092879\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 User names\"},{\"type\":\"lens\",\"gridData\":{\"x\":11,\"y\":8,\"w\":11,\"h\":11,\"i\":\"271a8d58-3d1b-44d9-93da-338c9f91867a\"},\"panelIndex\":\"271a8d58-3d1b-44d9-93da-338c9f91867a\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-390b338f-2020-4d73-95ae-3934bae7f6b6\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"isTransposed\":false,\"isMetric\":false,\"hidden\":false},{\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\",\"isTransposed\":false,\"isMetric\":true}],\"layerId\":\"390b338f-2020-4d73-95ae-3934bae7f6b6\",\"layerType\":\"data\",\"headerRowHeight\":\"auto\",\"rowHeight\":\"auto\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"390b338f-2020-4d73-95ae-3934bae7f6b6\":{\"columns\":{\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\":{\"label\":\"Host 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"05043aa4-cc1e-429b-8046-fbcdd4092879\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"05043aa4-cc1e-429b-8046-fbcdd4092879\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"df6aae62-34c2-48ab-8a7f-a92e0f63fc99\",\"05043aa4-cc1e-429b-8046-fbcdd4092879\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Host 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":19,\"w\":48,\"h\":10,\"i\":\"502e0249-fc8c-4d26-8f1e-d8f434d8e7c7\"},\"panelIndex\":\"502e0249-fc8c-4d26-8f1e-d8f434d8e7c7\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-633758dc-f315-45ef-8ff3-055ba6778160\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"633758dc-f315-45ef-8ff3-055ba6778160\",\"accessors\":[\"e0821c61-d9f8-46af-9b64-9b70c3353106\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"2e4087b8-5e9b-4040-8c21-231649fdaf27\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"633758dc-f315-45ef-8ff3-055ba6778160\":{\"columns\":{\"2e4087b8-5e9b-4040-8c21-231649fdaf27\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":false,\"dropPartials\":false}},\"e0821c61-d9f8-46af-9b64-9b70c3353106\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"2e4087b8-5e9b-4040-8c21-231649fdaf27\",\"e0821c61-d9f8-46af-9b64-9b70c3353106\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Anomalies detected over time\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":29,\"w\":12,\"h\":12,\"i\":\"920f2dd3-3628-4298-866a-da34c82431c2\"},\"panelIndex\":\"920f2dd3-3628-4298-866a-da34c82431c2\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Event 
types\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"event.action\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Event 
types\"},{\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":29,\"w\":12,\"h\":12,\"i\":\"02255922-d40f-4757-92c2-b53596a73f5e\"},\"panelIndex\":\"02255922-d40f-4757-92c2-b53596a73f5e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Privilege types\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"privilege_type\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Privilege types\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":29,\"w\":24,\"h\":12,\"i\":\"5318144f-ddf3-4f86-919f-0192feec779f\"},\"panelIndex\":\"5318144f-ddf3-4f86-919f-0192feec779f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-d4fef95e-d937-4dd8-9a7f-783e5142c701\"}],\"state\":{\"visualization\":{\"title\":\"Empty XY chart\",\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"d4fef95e-d937-4dd8-9a7f-783e5142c701\",\"accessors\":[\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d4fef95e-d937-4dd8-9a7f-783e5142c701\":{\"columns\":{\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\":{\"label\":\"Top 10 process names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"9dbc8b1f-ac0a-4d0a-bea4-aa2d561b073c\",\"a29c7a07-4944-49d4-a96e-de6386fa1c0d\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Process 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":41,\"w\":12,\"h\":12,\"i\":\"0d20b661-2d10-4b29-8c22-74411dd468cb\"},\"panelIndex\":\"0d20b661-2d10-4b29-8c22-74411dd468cb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Source IPs\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.ip\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of 
anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Source IPs\"},{\"type\":\"lens\",\"gridData\":{\"x\":12,\"y\":41,\"w\":12,\"h\":12,\"i\":\"8c0e0fe0-dbe3-4444-a341-b57559b4a7c0\"},\"panelIndex\":\"8c0e0fe0-dbe3-4444-a341-b57559b4a7c0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-334a1618-eb26-4703-b8db-ec82f0cb26c9\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"3241c0e1-93a2-4bba-be89-09995140bf64\"},{\"isTransposed\":false,\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"}],\"layerId\":\"334a1618-eb26-4703-b8db-ec82f0cb26c9\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"334a1618-eb26-4703-b8db-ec82f0cb26c9\":{\"columns\":{\"3241c0e1-93a2-4bba-be89-09995140bf64\":{\"label\":\"Group 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"group.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"74c22855-1b40-4e83-9333-e5f3203a0a28\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"74c22855-1b40-4e83-9333-e5f3203a0a28\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"3241c0e1-93a2-4bba-be89-09995140bf64\",\"74c22855-1b40-4e83-9333-e5f3203a0a28\"],\"incompleteColumns\":{},\"sampling\":1,\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Group 
names\"},{\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":41,\"w\":24,\"h\":12,\"i\":\"2762a942-0d53-4420-82c2-72bd991e7e7d\"},\"panelIndex\":\"2762a942-0d53-4420-82c2-72bd991e7e7d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\".ml-anomalies-shared\",\"name\":\"indexpattern-datasource-layer-18a81053-4dec-4f8f-97b9-2cfbb5150300\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_horizontal\",\"layers\":[{\"layerId\":\"18a81053-4dec-4f8f-97b9-2cfbb5150300\",\"seriesType\":\"bar_horizontal\",\"xAccessor\":\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\",\"accessors\":[\"70751b16-f471-4176-b754-1680309d4477\"],\"yConfig\":[{\"forAccessor\":\"70751b16-f471-4176-b754-1680309d4477\",\"color\":\"#6092c0\"}],\"layerType\":\"data\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"18a81053-4dec-4f8f-97b9-2cfbb5150300\":{\"columns\":{\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\":{\"label\":\"Top 10 region 
names\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.geo.region_name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"70751b16-f471-4176-b754-1680309d4477\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"70751b16-f471-4176-b754-1680309d4477\":{\"label\":\"Count of anomalies\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"4e9561b0-10f9-4354-a0ad-bf3f58f7ee4e\",\"70751b16-f471-4176-b754-1680309d4477\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{},\"indexPatternId\":\".ml-anomalies-shared\"}},\"currentIndexPatternId\":\".ml-anomalies-shared\"},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 Geo-regions\"}]", "timeRestore": false, "title": "Privileged Access Detection Dashboard [Windows] (Entity Analytics)", "version": 1 diff --git a/packages/pad/kibana/ml_module/pad-ml.json b/packages/pad/kibana/ml_module/pad-ml.json index f46781b8a5e..cafb5bd1f3d 100644 --- a/packages/pad/kibana/ml_module/pad-ml.json +++ b/packages/pad/kibana/ml_module/pad-ml.json @@ -420,6 +420,7 @@ "user.name", "event.module", "user.id", + "source.geo.region_name", "source.geo.city_name", "source.geo.country_name", "winlog.event_data.PrivilegeList", From 1fb8987027e6432ff31f12c6fc840036d1f83d83 Mon Sep 17 00:00:00 2001 
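Review bot: the "Number of users affected" metric panel (panelIndex 16a69c4e-a9e3-4ec0-aa9a-11ba40d873bd) counts unique `user.name` but carries an `exists` filter on `host.name` (`"query":{"exists":{"field":"host.name"}}`), so anomalies that have a user name but no host name are excluded from the user count; this looks like a copy of the hosts panel, so either change the filter key to `user.name` or drop the filter, as the sibling "Number of hosts affected" panel has none. Two smaller points in the same panelsJSON line: the "Top 10 Process names" XY panel still carries the editor placeholder `"title":"Empty XY chart"` in its visualization state, and the swim lane panel's `panelTitle` is the auto-generated list of all nine `pad_windows_*_ea` job IDs while the panel `title` already reads "Anomalies detected by their Job ID and Severity"; the long list adds nothing and is worth trimming.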
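Review bot: adding `source.geo.region_name` to this influencer list (the -420 hunk of pad-ml.json) is what lets the dashboard's "Top 10 Geo-regions" panel over `.ml-anomalies-shared` populate, since a Lens panel on the anomaly index can only bucket on fields the job writes into its records by name, which for these jobs means the influencers. The same check should be made for every other `sourceField` the new dashboard uses: `event.action`, `privilege_type`, `process.name`, `source.ip`, `group.name`, `host.name` and `user.name`. `event.action` in particular is not in this list until the patch 31 hunks add it, so the "Top 10 Event types" panel would stay empty for jobs created from this commit alone; either fold that addition into this commit or note the dependency in the commit message.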
From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Thu, 26 Mar 2026 10:17:01 -0500 Subject: [PATCH 31/44] add missing by/over/partition field names to influencers --- packages/lmd/kibana/ml_module/lmd-ml.json | 3 +++ packages/pad/kibana/ml_module/pad-ml.json | 11 +++++++++++ 2 files changed, 14 insertions(+) diff --git a/packages/lmd/kibana/ml_module/lmd-ml.json b/packages/lmd/kibana/ml_module/lmd-ml.json index 37188224cd6..7cef858984b 100644 --- a/packages/lmd/kibana/ml_module/lmd-ml.json +++ b/packages/lmd/kibana/ml_module/lmd-ml.json @@ -63,6 +63,7 @@ "user.name", "event.module", "user.id", + "event.action", "process.name" ] }, @@ -137,6 +138,7 @@ "user.name", "event.module", "user.id", + "file.extension", "file.name" ] }, @@ -174,6 +176,7 @@ "user.name", "event.module", "user.id", + "file_directory", "file.path" ] }, diff --git a/packages/pad/kibana/ml_module/pad-ml.json b/packages/pad/kibana/ml_module/pad-ml.json index cafb5bd1f3d..8e32509869a 100644 --- a/packages/pad/kibana/ml_module/pad-ml.json +++ b/packages/pad/kibana/ml_module/pad-ml.json @@ -101,6 +101,7 @@ "user.name", "event.module", "user.id", + "event.action", "winlog.event_data.SubjectUserName", "winlog.event_data.PrivilegeList", "winlog.event_data.TargetUserName", @@ -142,6 +143,7 @@ "user.name", "event.module", "user.id", + "event.action", "winlog.event_data.SubjectUserName", "winlog.event_data.PrivilegeList", "process.name" @@ -182,6 +184,7 @@ "user.name", "event.module", "user.id", + "event.action", "winlog.event_data.SubjectUserName", "group.name", "winlog.event_data.TargetUserName" @@ -222,6 +225,7 @@ "user.name", "event.module", "user.id", + "event.action", "winlog.event_data.SubjectUserName", "winlog.event_data.TargetUserName" ] @@ -576,6 +580,7 @@ "user.name", "user.email", "event.module", + "okta.event_type", "source.user.full_name", "user.target.full_name", "user.target.group.name" 
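Review bot: `file_directory` (lmd-ml.json, -174 hunk) is not an ECS field name, so its presence in `influencers` only has an effect if the datafeed or ingest pipeline emits a field of exactly that name; confirm it matches the detector's by/partition field rather than, say, `file.directory`. The four pad-ml.json hunks (-101 to -225) all add `event.action` in the same position after `user.id`, which is consistent. Separately, the stat for this commit lists only the two ml_module JSON files: no `changelog.yml` entry records that the `_ea` jobs gained new influencers, so unless this is meant to be squashed with a later version bump, a changelog line describing the change is missing.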
@@ -616,6 +621,7 @@ "user.name", "user.email", "event.module", + "okta.event_type", "source.user.full_name", "user.target.full_name", "user.target.group.name" @@ -656,6 +662,7 @@ "user.name", "user.email", "event.module", + "okta.event_type", "source.user.full_name", "user.target.full_name", "user.target.group.name", @@ -698,6 +705,7 @@ "user.name", "user.email", "event.module", + "okta.event_type", "source.user.full_name", "user.target.group.name" ] @@ -737,6 +745,7 @@ "user.name", "user.email", "event.module", + "okta.event_type", "source.user.full_name", "user.target.group.name" ] @@ -813,6 +822,7 @@ "agent.name", "user.name", "user.email", + "source.ip", "source.user.full_name", "user.target.group.name", "okta.event_type" @@ -852,6 +862,7 @@ "agent.name", "user.name", "user.email", + "client.geo.region_name", "source.user.full_name", "user.target.group.name", "okta.event_type", From 6bc505c91b7080a8754901e41f396bae9ccff273 Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Thu, 26 Mar 2026 15:55:08 -0500 Subject: [PATCH 32/44] add additional influencers fields from `field_name` --- packages/ded/kibana/ml_module/ded-ml.json | 18 ++++++++++------ packages/lmd/kibana/ml_module/lmd-ml.json | 21 ++++++++++++------- packages/pad/kibana/ml_module/pad-ml.json | 6 ++++-- .../kibana/ml_module/problemchild-ml.json | 9 +++++--- 4 files changed, 36 insertions(+), 18 deletions(-) diff --git a/packages/ded/kibana/ml_module/ded-ml.json b/packages/ded/kibana/ml_module/ded-ml.json index e0443e3584e..b6d7476e082 100644 --- a/packages/ded/kibana/ml_module/ded-ml.json +++ b/packages/ded/kibana/ml_module/ded-ml.json @@ -78,7 +78,8 @@ "destination.ip", "destination.geo.continent_name", "destination.geo.country_name", - "destination.geo.country_iso_code" + "destination.geo.country_iso_code", + "source.bytes" ] }, "data_description": { 
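Review bot: the -813 hunk adds `source.ip` while the -852 hunk adds `client.geo.region_name`, i.e. the two Okta jobs reference the actor's address under different ECS namespaces (`source.*` versus `client.*`). Unless that split is deliberate, check each detector's over/partition field and use the matching namespace in both lists, because an influencer name that never appears on the datafeed's documents silently produces no influencer results. Style point on the same file: the -576 to -737 hunks insert `okta.event_type` before `source.user.full_name`, whereas the -813 and -852 lists already carry `okta.event_type` as the last entry; one ordering across the Okta jobs would make future diffs easier to read.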
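Review bot: `source.bytes` in the ded-ml.json -78 hunk is the detector's numeric `field_name` (per the commit subject), and using it as an influencer is questionable: influencers are meant to be categorical fields whose values can be scored as contributing to an anomaly, and a continuous byte count yields one influencer value per distinct number, which bloats the influencer results in `.ml-anomalies-*` without giving a meaningful grouping. If the goal is only to surface the metric on the anomaly record for dashboards, the record already carries `actual` and `typical` for the detector's function, so the influencer entry can be dropped.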
@@ -117,7 +118,8 @@ "user.id", "process.name", "source.ip", - "destination.ip" + "destination.ip", + "source.bytes" ] }, "data_description": { @@ -157,7 +159,8 @@ "process.name", "source.ip", "destination.ip", - "destination.port" + "destination.port", + "source.bytes" ] }, "data_description": { @@ -198,7 +201,8 @@ "source.ip", "destination.ip", "destination.geo.city_name", - "destination.geo.region_name" + "destination.geo.region_name", + "source.bytes" ] }, "data_description": { @@ -238,7 +242,8 @@ "file.name", "file.path", "file.Ext.device.bus_type", - "process.name" + "process.name", + "file.size" ] }, "data_description": { @@ -317,7 +322,8 @@ "user.id", "file.name", "file.path", - "process.name" + "process.name", + "file.size" ] }, "data_description": { diff --git a/packages/lmd/kibana/ml_module/lmd-ml.json b/packages/lmd/kibana/ml_module/lmd-ml.json index 7cef858984b..3562dbf5cd3 100644 --- a/packages/lmd/kibana/ml_module/lmd-ml.json +++ b/packages/lmd/kibana/ml_module/lmd-ml.json @@ -101,7 +101,8 @@ "user.name", "event.module", "user.id", - "process.name" + "process.name", + "file.size" ] }, "data_description": { @@ -222,7 +223,8 @@ "event.module", "user.id", "source.ip", - "destination.ip" + "destination.ip", + "session.duration" ] }, "data_description": { @@ -267,7 +269,8 @@ "event.module", "user.id", "source.ip", - "destination.ip" + "destination.ip", + "session.duration" ] }, "data_description": { @@ -312,7 +315,8 @@ "event.module", "user.id", "source.ip", - "destination.ip" + "destination.ip", + "number_processes_per_session" ] }, "data_description": { @@ -386,7 +390,8 @@ "user.name", "event.module", "user.id", - "destination.ip" + "destination.ip", + "source.ip" ] }, "data_description": { @@ -423,7 +428,8 @@ "user.name", "event.module", "user.id", - "source.ip" + "source.ip", + "destination.ip" ] }, "data_description": { 
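Review bot: `file.size` (ded -238 and -317, lmd -101), `session.duration` (lmd -222 and -267) and `number_processes_per_session` (lmd -312) are the detectors' numeric metric fields rather than categorical attributes, so each distinct value becomes its own influencer value and the resulting influencer scores carry no grouping information; consider leaving these out and relying on the record's `actual`/`typical` instead. The lmd -386 and -423 hunks, which add `destination.ip` and `source.ip` respectively, are proper categorical influencers and look right. `session.duration` and `number_processes_per_session` are also not ECS fields, so confirm the datafeed's script or runtime fields emit exactly those names.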
@@ -468,7 +474,8 @@ "event.module", "user.id", "source.ip", - "destination.ip" + "destination.ip", + "total_length_process_args" ] }, "data_description": { diff --git a/packages/pad/kibana/ml_module/pad-ml.json b/packages/pad/kibana/ml_module/pad-ml.json index 8e32509869a..0471bb99eb0 100644 --- a/packages/pad/kibana/ml_module/pad-ml.json +++ b/packages/pad/kibana/ml_module/pad-ml.json @@ -542,7 +542,8 @@ "user.name", "event.module", "user.id", - "process.command_line" + "process.command_line", + "process.command_line_entropy" ] }, "data_description": { @@ -785,7 +786,8 @@ "event.module", "host.name", "agent.name", - "source.user.full_name" + "source.user.full_name", + "okta_distinct_ips" ] }, "data_description": { diff --git a/packages/problemchild/kibana/ml_module/problemchild-ml.json b/packages/problemchild/kibana/ml_module/problemchild-ml.json index 6f59ce8232c..111fefc2d5f 100644 --- a/packages/problemchild/kibana/ml_module/problemchild-ml.json +++ b/packages/problemchild/kibana/ml_module/problemchild-ml.json @@ -104,7 +104,8 @@ "user.name", "event.module", "user.id", - "process.command_line" + "process.command_line", + "blocklist_label" ] }, "data_description": { @@ -226,7 +227,8 @@ "user.id", "host.name", "host.id", - "process.command_line" + "process.command_line", + "blocklist_label" ] }, "data_description": { @@ -272,7 +274,8 @@ "host.id", "user.name", "event.module", - "user.id" + "user.id", + "blocklist_label" ] }, "data_description": { From 883a6a238aba2fa5fd43b5c7c6eef307dbbf9920 Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Tue, 31 Mar 2026 08:03:43 -0500 Subject: [PATCH 33/44] Update packages/ded/docs/README.md Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> --- packages/ded/docs/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/ded/docs/README.md b/packages/ded/docs/README.md index b94a6c484b5..cb1d1b90d19 100644 
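Review bot: `total_length_process_args` (lmd -468), `process.command_line_entropy` (pad -542) and `okta_distinct_ips` (pad -785) are again numeric metric fields being added as influencers, where each distinct value would become its own influencer value; the same reservation as for the other metric fields in this commit applies. `blocklist_label` in the three problemchild hunks is a categorical label and is a sensible influencer, provided the field is present on the documents the datafeed reads (produced upstream by the package's pipeline) rather than only on job output. As with the previous commit, the stat lists four ml_module JSON files and no `changelog.yml` entries.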
--- a/packages/ded/docs/README.md +++ b/packages/ded/docs/README.md 
@@ -16,7 +16,7 @@ The following blog provides additional context. For the most current installatio 1. **Check the health of the transform**: The transform is scheduled to run every 30 minutes. This transform creates the index `ml_network_ded_ea-`. To check the health of the transform go to **Management > Stack Management > Data > Transforms** under `logs-ded.pivot_transform_ea-default-`. Follow the instructions under the header `Customize Data Exfiltration Detection Transform` below to adjust filters based on your environment's needs. 1. **Create data views for anomaly detection jobs**: This package contains anomaly detection jobs that work on network events (e.g. `logs-endpoint.events.network-*`) and file events (`logs-endpoint.events.file-*`) respectively. See the _Anomaly Detection Jobs_ section below for more details. _Tip: If you only have one of the above data sources (network or file), you can only follow the steps pertaining to that index._ A separate designated index (`ml_network_ded_ea.all`) collects network logs from a transform. Before enabling the anomaly detection jobs, create a data view with both index patterns. 1. Go to **Stack Management > Kibana > Data Views** and click **Create data view**. - 1. Enter the name of your respective index patterns in the **Index pattern** box, i.e., `logs-endpoint.events.file-*`, `logs-endpoint.events.network-*` (depending which one(s) you have), `ml_network_ded_ea.all`, and copy the same in the **Name** field. + 1. Enter the name of your respective index patterns in the **Index pattern** box, i.e., `logs-endpoint.events.file-*`, `logs-endpoint.events.network-*` (depending on which one(s) you have), `ml_network_ded_ea.all`, and copy the same in the **Name** field. 1. Select `@timestamp` under the **Timestamp** field and click on **Save data view to Kibana**. 1. 
Use the new data view (`logs-endpoint.events.network-*`, `logs-endpoint.events.file-*`, `ml_network_ded_ea.all`) to create anomaly detection jobs for this package. 1. **Add preconfigured anomaly detection jobs**: In **Stack Management -> Anomaly Detection Jobs**, you will see **Select data view or saved search**. Select the data view created in the previous step. Then under `Use preconfigured jobs` you will see **Data Exfiltration Detection**. If you do not see this card, events must be ingested from a source that matches the query specified in the [ded-ml file](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json#L10), such as Elastic Defend. When you select the card, you will see pre-configured anomaly detection jobs that you can create depending on what makes the most sense for your environment. If you are using Elastic Defend to collect events, file events are in `logs-endpoint.events.file-*` and network events in `logs-endpoint.events.network-*`. If you are only collecting file or network events, select only the relevant jobs at this step. From 16f3ea684767a5c6b00411c9899fa845356d55b2 Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Wed, 1 Apr 2026 15:14:41 -0500 Subject: [PATCH 34/44] update readmes for concurrent rule release --- packages/ded/docs/README.md | 3 ++- packages/dga/docs/README.md | 3 ++- packages/hta/docs/README.md | 2 +- packages/lmd/docs/README.md | 3 ++- packages/pad/docs/README.md | 3 ++- packages/problemchild/docs/README.md | 3 ++- 6 files changed, 11 insertions(+), 6 deletions(-) diff --git a/packages/ded/docs/README.md b/packages/ded/docs/README.md index cb1d1b90d19..e042d69d772 100644 --- a/packages/ded/docs/README.md +++ b/packages/ded/docs/README.md 
@@ -105,7 +105,8 @@ v3.0.0 of the package introduces support for Entity Analytics (EA) in Elastic St - The new ML jobs include an `_ea` suffix in their names, as outlined below. New transforms and detection rules are also included. - Previously installed ML jobs, transforms, and rules will continue to run, allowing time to transition to the new Entity Analytics assets. -- We recommend installing the new ML jobs and transforms first and verifying that they are properly set up, collecting data, and generating anomalies before upgrading to the latest detection rules included in 9.4. +- We recommend installing the new ML jobs and transforms and verifying that they are properly set up, collecting data, and generating anomalies. +- **Important**: New matching `_ea` detection rules for all supported stack versions will be available only after stack version 9.4 is publicly released. Continue to run your existing ML jobs and rules, without the `_ea` suffix, until then. - The new Entity Analytics transforms write to separate destination indices postfixed with `_ea`. Create a new data view for the Entity Analytics anomaly detection jobs using the new destination indices/aliases listed below. Do not mix old and new transform destination indices in the same data view. - New dashboards are available in this version with the suffix "(Entity Analytics)" in the title. If you are still running jobs or transforms from before this version, the original dashboards without the suffix remain available. diff --git a/packages/dga/docs/README.md b/packages/dga/docs/README.md index a6b31e1a31e..f9f3ec8743f 100644 --- a/packages/dga/docs/README.md +++ b/packages/dga/docs/README.md 
@@ -113,7 +113,8 @@ v3.0.0 of the package introduces support for Entity Analytics (EA) in Elastic St - The new ML jobs include an `_ea` suffix in their names, as outlined below. New detection rules are also included. - Previously installed ML jobs and rules will continue to run, allowing time to transition to the new Entity Analytics assets. -- We recommend installing the new ML jobs first and verifying that they are properly set up, collecting data, and generating anomalies before upgrading to the latest detection rules included in 9.4. +- We recommend installing the new ML jobs and verifying that they are properly set up, collecting data, and generating anomalies. +- **Important**: New matching `_ea` detection rules for all supported stack versions will be available only after stack version 9.4 is publicly released. Continue to run your existing ML jobs and rules, without the `_ea` suffix, until then. The new Entity Analytics ML job IDs are: - `dga_high_sum_probability_ea` diff --git a/packages/hta/docs/README.md b/packages/hta/docs/README.md index 9e3a9be26f2..3412cc32749 100644 --- a/packages/hta/docs/README.md +++ b/packages/hta/docs/README.md 
@@ -22,7 +22,7 @@ v2.0.0 of the package introduces support for Entity Analytics (EA) in Elastic St - The new ML jobs include an `_ea` suffix in their names, as outlined below. These jobs are available through the `Security: Host` module in Kibana. To install them, go to **Machine Learning** -> **Anomaly Detection** -> **Jobs** -> **Create anomaly detection job** -> select your data view -> select **Security: Host** -> **Create jobs**. - Previously installed `Security: Host` ML jobs will continue to run, allowing time to transition to the new Entity Analytics jobs. -- We recommend installing the new ML jobs first and verifying that they are properly set up, collecting data, and generating anomalies before upgrading to the latest detection rules included in 9.4. +- We recommend installing the new ML jobs and verifying that they are properly set up, collecting data, and generating anomalies. - A new dashboard is available in this version with the suffix "(Entity Analytics)" in the title. If you are still running jobs from before this version, the original dashboard without the suffix remains available. The new Entity Analytics ML job IDs for this dashboard are: diff --git a/packages/lmd/docs/README.md b/packages/lmd/docs/README.md index d86fa9e1e84..e6daabb8260 100644 --- a/packages/lmd/docs/README.md +++ b/packages/lmd/docs/README.md 
@@ -173,7 +173,8 @@ v3.0.0 of the package introduces support for Entity Analytics (EA) in Elastic St - The new ML jobs include an `_ea` suffix in their names, as outlined below. New transforms and detection rules are also included. - Previously installed ML jobs, transforms, and rules will continue to run, allowing time to transition to the new Entity Analytics assets. -- We recommend installing the new ML jobs and transforms first and verifying that they are properly set up, collecting data, and generating anomalies before upgrading to the latest detection rules included in 9.4. +- We recommend installing the new ML jobs and transforms and verifying that they are properly set up, collecting data, and generating anomalies. +- **Important**: New matching `_ea` detection rules for all supported stack versions will be available only after stack version 9.4 is publicly released. Continue to run your existing ML jobs and rules, without the `_ea` suffix, until then. - The new Entity Analytics transforms write to separate destination indices postfixed with `_ea`. Create a new data view for the Entity Analytics anomaly detection jobs using the new destination indices/aliases listed below. Do not mix old and new transform destination indices in the same data view. - New dashboards are available in this version with the suffix "(Entity Analytics)" in the title. If you are still running jobs or transforms from before this version, the original dashboards without the suffix remain available. diff --git a/packages/pad/docs/README.md b/packages/pad/docs/README.md index 1804410e1db..b123b8c6bd6 100644 --- a/packages/pad/docs/README.md +++ b/packages/pad/docs/README.md 
@@ -159,7 +159,8 @@ v2.0.0 of the package introduces support for Entity Analytics (EA) in Elastic St - The new ML jobs include an `_ea` suffix in their names, as outlined below. New transforms and detection rules are also included. - Previously installed ML jobs, transforms, and rules will continue to run, allowing time to transition to the new Entity Analytics assets. -- We recommend installing the new ML jobs and transforms first and verifying that they are properly set up, collecting data, and generating anomalies before upgrading to the latest detection rules included in 9.4. +- We recommend installing the new ML jobs and transforms and verifying that they are properly set up, collecting data, and generating anomalies. +- **Important**: New matching `_ea` detection rules for all supported stack versions will be available only after stack version 9.4 is publicly released. Continue to run your existing ML jobs and rules, without the `_ea` suffix, until then. - The new Entity Analytics transforms write to separate destination indices postfixed with `_ea`. Create a new data view for the Entity Analytics anomaly detection jobs using the new destination indices/aliases listed below. Do not mix old and new transform destination indices in the same data view. - New dashboards are available in this version with the suffix "(Entity Analytics)" in the title. If you are still running jobs or transforms from before this version, the original dashboards without the suffix remain available. diff --git a/packages/problemchild/docs/README.md b/packages/problemchild/docs/README.md index bb39bf505d0..9d613216fb9 100644 --- a/packages/problemchild/docs/README.md +++ b/packages/problemchild/docs/README.md 
@@ -162,7 +162,8 @@ v3.0.0 of the package introduces support for Entity Analytics (EA) in Elastic St - The new ML jobs include an `_ea` suffix in their names, as outlined below. New detection rules are also included. - Previously installed ML jobs and rules will continue to run, allowing time to transition to the new Entity Analytics assets. -- We recommend installing the new ML jobs first and verifying that they are properly set up, collecting data, and generating anomalies before upgrading to the latest detection rules included in 9.4. +- We recommend installing the new ML jobs and verifying that they are properly set up, collecting data, and generating anomalies. +- **Important**: New matching `_ea` detection rules for all supported stack versions will be available only after stack version 9.4 is publicly released. Continue to run your existing ML jobs and rules, without the `_ea` suffix, until then. The new Entity Analytics ML job IDs are: - `problem_child_rare_process_by_host_ea` From 1e9b260e3cb44a3bde4b91f9aa75224368a36e98 Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Mon, 6 Apr 2026 16:13:34 -0500 Subject: [PATCH 35/44] Add filter field data for transforms and jobs to readmes, improve documentation on beats --- packages/beaconing/docs/README.md | 6 ++-- packages/ded/docs/README.md | 24 ++++++------- packages/dga/docs/README.md | 8 ++--- packages/lmd/docs/README.md | 36 ++++++++++++------- packages/pad/docs/README.md | 54 ++++++++++++++-------------- packages/problemchild/docs/README.md | 16 ++++----- 6 files changed, 77 insertions(+), 67 deletions(-) diff --git a/packages/beaconing/docs/README.md b/packages/beaconing/docs/README.md index fac74c2f0bb..27d7a17ba81 100644 --- a/packages/beaconing/docs/README.md +++ b/packages/beaconing/docs/README.md 
@@ -32,9 +32,9 @@ The following blog provides additional context. For the most current installatio To inspect the installed assets, you can navigate to **Stack Management > Data > Transforms**. -| Transform name | Purpose | Source index | Destination index | Alias | Supported Platforms | -|---------------------------|----------------------------------------------|--------------|-------------------------|------------------|-----------------------| -| beaconing.pivot_transform | Flags beaconing activity in your environment | logs-* | ml_beaconing-[version] | ml_beaconing.all | Linux, macOS, Windows | +| Transform name | Purpose | Source index | Destination index | Alias | Supported Platform | Event Category | +|---------------------------|----------------------------------------------|--------------|------------------------|------------------|-----------------------|----------------| +| beaconing.pivot_transform | Flags beaconing activity in your environment | logs-* | ml_beaconing-[version] | ml_beaconing.all | Linux, macOS, Windows | network | When querying the destination index to enquire about beaconing activities, we advise using the alias for the destination index (`ml_beaconing.all`). In the event that the underlying package is upgraded, the alias will aid in maintaining the previous findings. diff --git a/packages/ded/docs/README.md b/packages/ded/docs/README.md index e042d69d772..b1b1d1e3460 100644 --- a/packages/ded/docs/README.md +++ b/packages/ded/docs/README.md 
@@ -43,9 +43,9 @@ You can also enable detection rules to alert on Data Exfiltration activity in yo To inspect the installed assets, you can navigate to **Stack Management > Data > Transforms**. -| Transform name | Purpose | Source index | Destination index | Alias | -| ------------------- | ------------------------------------------- | ------------ | ------------------------ | ------------------ | -| ded.pivot_transform_ea | Collects network logs from your environment | logs-* | ml_network_ded_ea-[version] | ml_network_ded_ea.all | +| Transform name | Purpose | Source index | Destination index | Alias | Supported Platform | Event Category | +|------------------------|---------------------------------------------|--------------|-----------------------------|-----------------------|--------------------|----------------| +| ded.pivot_transform_ea | Collects network logs from your environment | logs-* | ml_network_ded_ea-[version] | ml_network_ded_ea.all | Linux, Windows | network | **Note**: The transform applies only to network data and does not currently support macOS network logs. 
@@ -72,15 +72,15 @@ After the data view for the dashboard is configured, the **Data Exfiltration Det ### Anomaly Detection Jobs -| Job | Description | Supported Platform | Event Category | -| ---------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ | ------------------ | ----- | -| ded_high_sent_bytes_destination_geo_country_iso_code_ea | Detects data exfiltration to an unusual geo-location (by country iso code). | Linux, Windows | network | -| ded_high_sent_bytes_destination_ip_ea | Detects data exfiltration to an unusual geo-location (by IP address). | Linux, Windows | network | -| ded_high_sent_bytes_destination_port_ea | Detects data exfiltration to an unusual destination port. | Linux, Windows | network | -| ded_high_sent_bytes_destination_region_name_ea | Detects data exfiltration to an unusual geo-location (by region name). | Linux, Windows | network | -| ded_high_bytes_written_to_external_device_ea | Detects data exfiltration activity by identifying high bytes written to an external device. | Windows | file | -| ded_rare_process_writing_to_external_device_ea | Detects data exfiltration activity by identifying a writing event started by a rare process to an external device. | Windows | file | -| ded_high_bytes_written_to_external_device_airdrop_ea | Detects data exfiltration activity by identifying high bytes written to an external device via Airdrop. | macOS | file | +| Job | Description | Supported Platform | Event Category | +|---------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------|--------------------|----------------| +| ded_high_sent_bytes_destination_geo_country_iso_code_ea | Detects data exfiltration to an unusual geo-location (by country iso code). 
| Linux, Windows | network | +| ded_high_sent_bytes_destination_ip_ea | Detects data exfiltration to an unusual geo-location (by IP address). | Linux, Windows | network | +| ded_high_sent_bytes_destination_port_ea | Detects data exfiltration to an unusual destination port. | Linux, Windows | network | +| ded_high_sent_bytes_destination_region_name_ea | Detects data exfiltration to an unusual geo-location (by region name). | Linux, Windows | network | +| ded_high_bytes_written_to_external_device_ea | Detects data exfiltration activity by identifying high bytes written to an external device. | Windows | file | +| ded_rare_process_writing_to_external_device_ea | Detects data exfiltration activity by identifying a writing event started by a rare process to an external device. | Windows | file | +| ded_high_bytes_written_to_external_device_airdrop_ea | Detects data exfiltration activity by identifying high bytes written to an external device via Airdrop. | macOS | file | ## Customize ML jobs for Data Exfiltration Detection diff --git a/packages/dga/docs/README.md b/packages/dga/docs/README.md index f9f3ec8743f..0f66f86693a 100644 --- a/packages/dga/docs/README.md +++ b/packages/dga/docs/README.md 
@@ -2,7 +2,7 @@ The Domain Generation Algorithm (DGA) Detection package contains assets to detect DGA activity in your network data. This package requires a Platinum subscription. Please ensure that you have a Trial or Platinum level subscription installed on your cluster before proceeding. This package is licensed under [Elastic License 2.0](https://www.elastic.co/licensing/elastic-license). -This package leverages event logs on Linux, macOS, and Windows. Prior to using this integration, you must have Elastic Endpoint via Elastic Defend, or have equivalent tools/endpoints set up. If using Elastic Defend, Elastic Defend should be installed through Elastic Agent and collecting data from hosts. See [Configure endpoint protection with Elastic Defend](https://www.elastic.co/docs/solutions/security/configure-elastic-defend) for more information. +This package supports data from Elastic Endpoint via Elastic Defend or Packetbeat on Linux, macOS, and Windows, although Elastic Defend is recommended. Prior to using this integration, Elastic Defend should be installed through Elastic Agent (or Packetbeat should be enrolled) and collecting data from hosts. See [Configure endpoint protection with Elastic Defend](https://www.elastic.co/docs/solutions/security/configure-elastic-defend) for more information. **Note**: In versions 2.0.1 and later, this package ignores data in cold and frozen data tiers to reduce heap memory usage, avoid running on outdated data, and to follow best practices. 
@@ -86,9 +86,9 @@ You can also enable detection rules to alert on DGA activity in your environment ## Anomaly Detection Jobs -| Job | Description | -|---|---| -| dga_high_sum_probability_ea | Detects potential DGA (domain generation algorithm) activity that is often used by malware command and control (C2) channels. Looks for a source IP address making DNS requests that have an aggregate high probability of being DGA activity.| +| Job | Description | Supported Platform | Network Protocol | +|-----------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|------------------| +| dga_high_sum_probability_ea | Detects potential DGA (domain generation algorithm) activity that is often used by malware command and control (C2) channels. Looks for a source IP address making DNS requests that have an aggregate high probability of being DGA activity. | Linux, macOS, Windows | dns | ## Customize ML jobs for Domain Generation Algorithm Detection diff --git a/packages/lmd/docs/README.md b/packages/lmd/docs/README.md index e6daabb8260..bb307e4b1ba 100644 --- a/packages/lmd/docs/README.md +++ b/packages/lmd/docs/README.md 
@@ -50,6 +50,16 @@ You can also enable detection rules to alert on Lateral Movement activity in you ![Data Exfiltration Detection Rules](../img/lmdrules.png) *In Security > Rules, filtering with the "Use Case: Lateral Movement Detection" tag* +## Transform + +To inspect the installed assets, you can navigate to **Stack Management > Data > Transforms**. + +| Transform name | Purpose | Source index | Destination index | Alias | Supported Platform | Event Category | +|------------------------|--------------------------------------------------------|--------------|-------------------|-------|--------------------|----------------| +| lmd.pivot_transform_ea | Collects RDP session information from your environment | logs-* | ml-rdp-lmd_ea | | Windows | process | + +When querying the destination index (`ml-rdp-lmd_ea`) for RDP session logs, we advise using the destination index directly. In the event that the underlying package is upgraded, it will aid in maintaining the previous findings. + ## Dashboard After the anomaly detectors and the data views for the dashboard are configured, the **Lateral Movement Detection Dashboard** is available under **Analytics > Dashboard**. This dashboard gives an overview of anomalies triggered for the lateral movement detection package. 
@@ -136,19 +146,19 @@ Clone the anomaly detection jobs available under the Living off the Land Attack Detects potential lateral movement activity by identifying malicious file transfers and RDP sessions in an environment. -| Job | Description | Supported Platform | -|-------------------------------------------------------|-------------------------------------------------------------------------------------------------| --------------------- | -| lmd_high_count_remote_file_transfer_ea | Detects unusually high file transfers to a remote host in the network. | Linux, macOS, Windows | -| lmd_high_file_size_remote_file_transfer_ea | Detects unusually high size of files shared with a remote host in the network. | Linux, macOS, Windows | -| lmd_rare_file_extension_remote_transfer_ea | Detects rare file extensions shared with a remote host in the network. | macOS, Windows | -| lmd_rare_file_path_remote_transfer_ea | Detects unusual folders and directories on which a file is transferred (by a host). | macOS, Windows | -| lmd_high_mean_rdp_session_duration_ea | Detects unusually high mean of RDP session duration. | Windows | -| lmd_high_var_rdp_session_duration_ea | Detects unusually high variance in RDP session duration. | Windows | -| lmd_high_sum_rdp_number_of_processes_ea | Detects unusually high number of processes started in a single RDP session. | Windows | -| lmd_unusual_time_weekday_rdp_session_start_ea | Detects an RDP session started at an unusual time or weekday. | Windows | -| lmd_high_rdp_distinct_count_source_ip_for_destination_ea | Detects a high count of source IPs making an RDP connection with a single destination IP. | Windows | -| lmd_high_rdp_distinct_count_destination_ip_for_source_ea | Detects a high count of destination IPs establishing an RDP connection with a single source IP. | Windows | -| lmd_high_mean_rdp_process_args_ea | Detects unusually high number of process arguments in an RDP session. 
| Windows | +| Job | Description | Supported Platform | Filter Field | +|----------------------------------------------------------|-------------------------------------------------------------------------------------------------|-----------------------|-----------------------------| +| lmd_high_count_remote_file_transfer_ea | Detects unusually high file transfers to a remote host in the network. | Linux, macOS, Windows | `event.category: file` | +| lmd_high_file_size_remote_file_transfer_ea | Detects unusually high size of files shared with a remote host in the network. | Linux, macOS, Windows | `event.category: file` | +| lmd_rare_file_extension_remote_transfer_ea | Detects rare file extensions shared with a remote host in the network. | macOS, Windows | `event.category: file` | +| lmd_rare_file_path_remote_transfer_ea | Detects unusual folders and directories on which a file is transferred (by a host). | macOS, Windows | `event.category: file` | +| lmd_high_mean_rdp_session_duration_ea | Detects unusually high mean of RDP session duration. | Windows | `session.start_time` exists | +| lmd_high_var_rdp_session_duration_ea | Detects unusually high variance in RDP session duration. | Windows | `session.start_time` exists | +| lmd_high_sum_rdp_number_of_processes_ea | Detects unusually high number of processes started in a single RDP session. | Windows | `session.start_time` exists | +| lmd_unusual_time_weekday_rdp_session_start_ea | Detects an RDP session started at an unusual time or weekday. | Windows | `session.start_time` exists | +| lmd_high_rdp_distinct_count_source_ip_for_destination_ea | Detects a high count of source IPs making an RDP connection with a single destination IP. | Windows | `session.start_time` exists | +| lmd_high_rdp_distinct_count_destination_ip_for_source_ea | Detects a high count of destination IPs establishing an RDP connection with a single source IP. 
| Windows | `session.start_time` exists | +| lmd_high_mean_rdp_process_args_ea | Detects unusually high number of process arguments in an RDP session. | Windows | `session.start_time` exists | ## Customize ML jobs for Lateral Movement Detection diff --git a/packages/pad/docs/README.md b/packages/pad/docs/README.md index b123b8c6bd6..1197a8e3701 100644 --- a/packages/pad/docs/README.md +++ b/packages/pad/docs/README.md 
@@ -88,10 +88,10 @@ The package transform supports data from Elastic Endpoint via Elastic Defend and To inspect the installed assets, you can navigate to **Stack Management > Data > Transforms**. -| Transform name | Purpose | Source index | Destination index | Alias | Supported Platform | -|--------------------------------------------|--------------------------------------------------------------------|---------------|------------------------------------------------|--------------------------------------- | ------------------ | -| pad.pivot_transform_okta_sessions_ea | Collects user session information for Okta events | logs-* | ml_okta_multiple_user_sessions_pad_ea-[version] | ml_okta_multiple_user_sessions_pad_ea.all | Okta | -| pad.pivot_transform_win_privilege_list_ea | Collects special privileges assigned to a user for Windows events | logs-* | ml_windows_privilege_type_pad_ea-[version] | ml_windows_privilege_type_pad_ea.all | Windows | +| Transform name | Purpose | Source index | Destination index | Alias | Supported Platform | +|-------------------------------------------|-------------------------------------------------------------------|--------------|-------------------------------------------------|-------------------------------------------|--------------------| +| pad.pivot_transform_okta_sessions_ea | Collects user session information for Okta events | logs-* | ml_okta_multiple_user_sessions_pad_ea-[version] | ml_okta_multiple_user_sessions_pad_ea.all | Okta | +| pad.pivot_transform_win_privilege_list_ea | Collects special privileges assigned to a user for Windows events | logs-* | ml_windows_privilege_type_pad_ea-[version] | ml_windows_privilege_type_pad_ea.all | Windows | When querying the destination indices for Okta and Windows logs, we advise using the alias for the destination index (`ml_okta_multiple_user_sessions_pad_ea.all` and `ml_windows_privilege_type_pad_ea.all`). 
In the event that the underlying package is upgraded, the alias will aid in maintaining the previous findings. 
@@ -112,29 +112,29 @@ To customize filters in the Privileged Access Detection transform, follow the be ### Anomaly Detection Jobs -| Job | Description | Supported Platform | -|------------------------------------------------------------|------------------------------------------------------------------------------------------------|----------------------| -| pad_windows_high_count_special_logon_events_ea | Detects unusually high special logon events initiated by a user. | Windows | -| pad_windows_high_count_special_privilege_use_events_ea | Detects unusually high special privilege use events initiated by a user. | Windows | -| pad_windows_high_count_group_management_events_ea | Detects unusually high security group management events initiated by a user. | Windows | -| pad_windows_high_count_user_account_management_events_ea | Detects unusually high security user account management events initiated by a user. | Windows | -| pad_windows_rare_privilege_assigned_to_user_ea | Detects an unusual privilege type assigned to a user. | Windows | -| pad_windows_rare_group_name_by_user_ea | Detects an unusual group name accessed by a user. | Windows | -| pad_windows_rare_device_by_user_ea | Detects an unusual device accessed by a user. | Windows | -| pad_windows_rare_source_ip_by_user_ea | Detects an unusual source IP address accessed by a user. | Windows | -| pad_windows_rare_region_name_by_user_ea | Detects an unusual region name for a user. | Windows | -| pad_linux_high_count_privileged_process_events_by_user_ea | Detects a spike in privileged commands executed by a user. | Linux | -| pad_linux_rare_process_executed_by_user_ea | Detects a rare process executed by a user. | Linux | -| pad_linux_high_median_process_command_line_entropy_by_user_ea | Detects process command lines executed by a user with an abnormally high median entropy value. | Linux | -| pad_okta_spike_in_group_membership_changes_ea | Detects spike in group membership change events by a user. 
| Okta Integration | -| pad_okta_spike_in_user_lifecycle_management_changes_ea | Detects spike in user lifecycle management change events by a user. | Okta Integration | -| pad_okta_spike_in_group_privilege_changes_ea | Detects spike in group privilege change events by a user. | Okta Integration | -| pad_okta_spike_in_group_application_assignment_changes_ea | Detects spike in group application assignment change events by a user. | Okta Integration | -| pad_okta_spike_in_group_lifecycle_changes_ea | Detects spike in group lifecycle change events by a user. | Okta Integration | -| pad_okta_high_sum_concurrent_sessions_by_user_ea | Detects an unusual sum of active sessions started by a user. | Okta Integration | -| pad_okta_rare_source_ip_by_user_ea | Detects an unusual source IP address accessed by a user. | Okta Integration | -| pad_okta_rare_region_name_by_user_ea | Detects an unusual region name for a user. | Okta Integration | -| pad_okta_rare_host_name_by_user_ea | Detects an unusual host name for a user. | Okta Integration | +| Job | Description | Supported Platform | Filter Field | +|---------------------------------------------------------------|------------------------------------------------------------------------------------------------|--------------------|-------------------------------------| +| pad_windows_high_count_special_logon_events_ea | Detects unusually high special logon events initiated by a user. | Windows | `host.os.type: windows` | +| pad_windows_high_count_special_privilege_use_events_ea | Detects unusually high special privilege use events initiated by a user. | Windows | `host.os.type: windows` | +| pad_windows_high_count_group_management_events_ea | Detects unusually high security group management events initiated by a user. | Windows | `host.os.type: windows` | +| pad_windows_high_count_user_account_management_events_ea | Detects unusually high security user account management events initiated by a user. 
| Windows | `host.os.type: windows` | +| pad_windows_rare_privilege_assigned_to_user_ea | Detects an unusual privilege type assigned to a user. | Windows | `host.os.type: windows` | +| pad_windows_rare_group_name_by_user_ea | Detects an unusual group name accessed by a user. | Windows | `host.os.type: windows` | +| pad_windows_rare_device_by_user_ea | Detects an unusual device accessed by a user. | Windows | `host.os.type: windows` | +| pad_windows_rare_source_ip_by_user_ea | Detects an unusual source IP address accessed by a user. | Windows | `host.os.type: windows` | +| pad_windows_rare_region_name_by_user_ea | Detects an unusual region name for a user. | Windows | `host.os.type: windows` | +| pad_linux_high_count_privileged_process_events_by_user_ea | Detects a spike in privileged commands executed by a user. | Linux | `host.os.type: linux` | +| pad_linux_rare_process_executed_by_user_ea | Detects a rare process executed by a user. | Linux | `host.os.type: linux` | +| pad_linux_high_median_process_command_line_entropy_by_user_ea | Detects process command lines executed by a user with an abnormally high median entropy value. | Linux | `host.os.type: linux` | +| pad_okta_spike_in_group_membership_changes_ea | Detects spike in group membership change events by a user. | Okta Integration | `data_stream.dataset: okta.system` | +| pad_okta_spike_in_user_lifecycle_management_changes_ea | Detects spike in user lifecycle management change events by a user. | Okta Integration | `data_stream.dataset: okta.system` | +| pad_okta_spike_in_group_privilege_changes_ea | Detects spike in group privilege change events by a user. | Okta Integration | `data_stream.dataset: okta.system` | +| pad_okta_spike_in_group_application_assignment_changes_ea | Detects spike in group application assignment change events by a user. | Okta Integration | `data_stream.dataset: okta.system` | +| pad_okta_spike_in_group_lifecycle_changes_ea | Detects spike in group lifecycle change events by a user. 
| Okta Integration | `data_stream.dataset: okta.system` | +| pad_okta_high_sum_concurrent_sessions_by_user_ea | Detects an unusual sum of active sessions started by a user. | Okta Integration | `data_stream.dataset: okta.system` | +| pad_okta_rare_source_ip_by_user_ea | Detects an unusual source IP address accessed by a user. | Okta Integration | `data_stream.dataset: okta.system` | +| pad_okta_rare_region_name_by_user_ea | Detects an unusual region name for a user. | Okta Integration | `data_stream.dataset: okta.system` | +| pad_okta_rare_host_name_by_user_ea | Detects an unusual host name for a user. | Okta Integration | `data_stream.dataset: okta.system` | ## Customize ML jobs for Privileged Access Detection diff --git a/packages/problemchild/docs/README.md b/packages/problemchild/docs/README.md index 9d613216fb9..aa86b762255 100644 --- a/packages/problemchild/docs/README.md +++ b/packages/problemchild/docs/README.md 
@@ -130,14 +130,14 @@ You can also enable detection rules to alert on LotL activity in your environmen Detects potential LotL activity by identifying malicious processes. -| Job | Description | -|---|---| -| problem_child_rare_process_by_host_ea | Looks for a process that has been classified as malicious on a host that does not commonly manifest malicious process activity. | -| problem_child_high_sum_by_host_ea | Looks for a set of one or more malicious child processes on a single host. | -| problem_child_rare_process_by_user_ea | Looks for a process that has been classified as malicious where the user context is unusual and does not commonly manifest malicious process activity. | -| problem_child_rare_process_by_parent_ea | Looks for rare malicious child processes spawned by a parent process. | -| problem_child_high_sum_by_user_ea | Looks for a set of one or more malicious processes, started by the same user. | -| problem_child_high_sum_by_parent_ea | Looks for a set of one or more malicious child processes spawned by the same parent process. | +| Job | Description | Supported Platform | Event Category | +|-----------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------|----------------| +| problem_child_rare_process_by_host_ea | Looks for a process that has been classified as malicious on a host that does not commonly manifest malicious process activity. | Windows | process | +| problem_child_high_sum_by_host_ea | Looks for a set of one or more malicious child processes on a single host. | Windows | process | +| problem_child_rare_process_by_user_ea | Looks for a process that has been classified as malicious where the user context is unusual and does not commonly manifest malicious process activity. 
| Windows | process | +| problem_child_rare_process_by_parent_ea | Looks for rare malicious child processes spawned by a parent process. | Windows | process | +| problem_child_high_sum_by_user_ea | Looks for a set of one or more malicious processes, started by the same user. | Windows | process | +| problem_child_high_sum_by_parent_ea | Looks for a set of one or more malicious child processes spawned by the same parent process. | Windows | process | ## Customize ML jobs for Living off the Land Attack Detection From 559e4bbc25f5a676611627d57773ada947dc5e9d Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Tue, 7 Apr 2026 10:15:58 -0500 Subject: [PATCH 36/44] bump manifest version/add to changelog for Beaconing --- packages/beaconing/changelog.yml | 5 +++++ packages/beaconing/manifest.yml | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/packages/beaconing/changelog.yml b/packages/beaconing/changelog.yml index 2264a7d1711..b8b89aa2a63 100644 --- a/packages/beaconing/changelog.yml +++ b/packages/beaconing/changelog.yml @@ -1,3 +1,8 @@ +- version: "1.5.4" + changes: + - description: Readme improvement + type: enhancement + link: https://github.com/elastic/integrations/pull/17626 - version: "1.5.3" changes: - description: Update documentation for blogs diff --git a/packages/beaconing/manifest.yml b/packages/beaconing/manifest.yml index 6666e4bff5b..cc792732bc6 100644 --- a/packages/beaconing/manifest.yml +++ b/packages/beaconing/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.0 name: beaconing title: "Network Beaconing Identification" -version: 1.5.3 +version: 1.5.4 source: license: "Elastic-2.0" description: "Package to identify beaconing activity in your network events." From c17b80359402a335d492c25b02473cfe9ed83506 Mon Sep 17 00:00:00 2001 
From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Fri, 10 Apr 2026 09:33:03 -0500 Subject: [PATCH 37/44] bump beaconing transform version to 1.5.4 to match manifest --- .../elasticsearch/transform/pivot_transform/transform.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/packages/beaconing/elasticsearch/transform/pivot_transform/transform.yml b/packages/beaconing/elasticsearch/transform/pivot_transform/transform.yml index 8e45bffa588..c381ef0f566 100644 --- a/packages/beaconing/elasticsearch/transform/pivot_transform/transform.yml +++ b/packages/beaconing/elasticsearch/transform/pivot_transform/transform.yml @@ -1,6 +1,6 @@ dest: - index: ml_beaconing-1.5.3 - pipeline: 1.5.3-ml_beaconing_ingest_pipeline + index: ml_beaconing-1.5.4 + pipeline: 1.5.4-ml_beaconing_ingest_pipeline aliases: - alias: ml_beaconing.latest move_on_creation: true @@ -394,5 +394,5 @@ sync: delay: 120s field: "@timestamp" _meta: - fleet_transform_version: 1.5.3 + fleet_transform_version: 1.5.4 run_as_kibana_system: false From a811a3148d2b7a6ff3eb95fa10b3bc35ff71831f Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Fri, 10 Apr 2026 14:40:51 -0500 Subject: [PATCH 38/44] pin minimum Kibana version to 9.4.0, update documentation --- packages/ded/docs/README.md | 20 ++++++++++++---- packages/ded/manifest.yml | 2 +- packages/dga/docs/README.md | 12 ++++++---- packages/dga/manifest.yml | 2 +- packages/hta/docs/README.md | 14 +++++++---- packages/lmd/docs/README.md | 24 +++++++++++++++---- packages/lmd/manifest.yml | 2 +- packages/pad/docs/README.md | 35 ++++++++++++++++++++++++---- packages/pad/manifest.yml | 2 +- packages/problemchild/docs/README.md | 17 ++++++++++---- packages/problemchild/manifest.yml | 2 +- 11 files changed, 103 insertions(+), 29 deletions(-) diff --git a/packages/ded/docs/README.md b/packages/ded/docs/README.md index b1b1d1e3460..59ce4e4bba7 100644 --- a/packages/ded/docs/README.md 
+++ b/packages/ded/docs/README.md 
@@ -101,12 +101,11 @@ To customize the datafeed query and other settings such as model memory limit, f ## v3.0.0 and beyond -v3.0.0 of the package introduces support for Entity Analytics (EA) in Elastic Stack version 9.4, adding new fields for proper entity resolution. +v3.0.0 of this package requires Elastic Stack version 9.4 or later. It introduces support for Entity Analytics (EA), adding new fields for proper entity resolution. -- The new ML jobs include an `_ea` suffix in their names, as outlined below. New transforms and detection rules are also included. +- This package installs new ML jobs which include `_ea` suffix in their names, as outlined below. New transforms and detection rules are also included. - Previously installed ML jobs, transforms, and rules will continue to run, allowing time to transition to the new Entity Analytics assets. -- We recommend installing the new ML jobs and transforms and verifying that they are properly set up, collecting data, and generating anomalies. -- **Important**: New matching `_ea` detection rules for all supported stack versions will be available only after stack version 9.4 is publicly released. Continue to run your existing ML jobs and rules, without the `_ea` suffix, until then. +- **Important**: We recommend installing the new ML jobs and transforms and verifying that they are properly set up, collecting data, and generating anomalies **before** deleting the old jobs and upgrading to the new version of the detection rules available in 9.4. The new detection rules reference ML job IDs with the `_ea` suffix and are not compatible with older versions of the jobs. - The new Entity Analytics transforms write to separate destination indices postfixed with `_ea`. Create a new data view for the Entity Analytics anomaly detection jobs using the new destination indices/aliases listed below. Do not mix old and new transform destination indices in the same data view. 
- New dashboards are available in this version with the suffix "(Entity Analytics)" in the title. If you are still running jobs or transforms from before this version, the original dashboards without the suffix remain available. @@ -122,6 +121,19 @@ The new Entity Analytics ML job IDs are: The new Entity Analytics transforms are: - `ded.pivot_transform_ea` → destination index: `ml_network_ded_ea-3.0.0`, alias: `ml_network_ded_ea.latest`, `ml_network_ded_ea.all` +After confirming the new Entity Analytics ML jobs and transforms are running correctly, you can remove the following deprecated assets that have been superseded by the new Entity Analytics versions: + +- Delete old ML jobs: Navigate to **Stack Management -> Anomaly Detection Jobs** and delete the following jobs: + - `ded_high_sent_bytes_destination_geo_country_iso_code` + - `ded_high_sent_bytes_destination_ip` + - `ded_high_sent_bytes_destination_port` + - `ded_high_sent_bytes_destination_region_name` + - `ded_high_bytes_written_to_external_device` + - `ded_rare_process_writing_to_external_device` + - `ded_high_bytes_written_to_external_device_airdrop` +- Delete old transforms: Navigate to **Stack Management -> Data -> Transforms** and delete: + - `ded.pivot_transform` + ## v2.0.0 and beyond v2.0.0 of the package introduces breaking changes, namely deprecating detection rules from the package. To continue receiving updates to Data Exfiltration Detection, we recommend upgrading to v2.0.0 after doing the following: diff --git a/packages/ded/manifest.yml b/packages/ded/manifest.yml index 03176f9709f..eb740a5c3ff 100644 --- a/packages/ded/manifest.yml +++ b/packages/ded/manifest.yml @@ -12,7 +12,7 @@ categories: - advanced_analytics_ueba conditions: kibana: - version: "^8.10.1 || ^9.0.0" + version: "^9.4.0" elastic: subscription: platinum capabilities: diff --git a/packages/dga/docs/README.md b/packages/dga/docs/README.md index 0f66f86693a..8307ac8ece1 100644 --- a/packages/dga/docs/README.md 
+++ b/packages/dga/docs/README.md 
@@ -109,16 +109,20 @@ To customize the datafeed query and other settings such as model memory limit, f ## v3.0.0 and beyond -v3.0.0 of the package introduces support for Entity Analytics (EA) in Elastic Stack version 9.4, adding new fields for proper entity resolution. +v3.0.0 of this package requires Elastic Stack version 9.4 or later. It introduces support for Entity Analytics (EA), adding new fields for proper entity resolution. -- The new ML jobs include an `_ea` suffix in their names, as outlined below. New detection rules are also included. +- This package installs new ML jobs which include `_ea` suffix in their names, as outlined below. New detection rules are also included. - Previously installed ML jobs and rules will continue to run, allowing time to transition to the new Entity Analytics assets. -- We recommend installing the new ML jobs and verifying that they are properly set up, collecting data, and generating anomalies. -- **Important**: New matching `_ea` detection rules for all supported stack versions will be available only after stack version 9.4 is publicly released. Continue to run your existing ML jobs and rules, without the `_ea` suffix, until then. +- **Important**: We recommend installing the new ML jobs and verifying that they are properly set up, collecting data, and generating anomalies **before** deleting the old jobs and upgrading to the new version of the detection rules available in 9.4. The new detection rules reference ML job IDs with the `_ea` suffix and are not compatible with older versions of the jobs. 
The new Entity Analytics ML job IDs are: - `dga_high_sum_probability_ea` +After confirming the new Entity Analytics ML jobs are running correctly, you can remove the following deprecated assets that have been superseded by the new Entity Analytics versions: + +- Delete old ML jobs: Navigate to **Stack Management -> Anomaly Detection Jobs** and delete the following jobs: + - `dga_high_sum_probability` + ## v2.0.0 and beyond v2.0.0 of the package introduces breaking changes, namely deprecating detection rules from the package. To continue receiving updates to DGA Detection, we recommend upgrading to v2.0.0 after doing the following: diff --git a/packages/dga/manifest.yml b/packages/dga/manifest.yml index 91d7bb95b70..2825f46caff 100644 --- a/packages/dga/manifest.yml +++ b/packages/dga/manifest.yml @@ -12,7 +12,7 @@ categories: - advanced_analytics_ueba conditions: kibana: - version: "^8.9.0 || ^9.0.0" + version: "^9.4.0" elastic: subscription: platinum screenshots: diff --git a/packages/hta/docs/README.md b/packages/hta/docs/README.md index 3412cc32749..0c6caaae8e8 100644 --- a/packages/hta/docs/README.md +++ b/packages/hta/docs/README.md 
@@ -18,13 +18,19 @@ The Host Traffic Anomalies package includes a dashboard that offers a high-level ## v2.0.0 and beyond -v2.0.0 of the package introduces support for Entity Analytics (EA) in Elastic Stack version 9.4, adding new fields for proper entity resolution. +v2.0.0 of this package requires Elastic Stack version 9.4 or later. It introduces support for Entity Analytics (EA), adding new fields for proper entity resolution. -- The new ML jobs include an `_ea` suffix in their names, as outlined below. These jobs are available through the `Security: Host` module in Kibana. To install them, go to **Machine Learning** -> **Anomaly Detection** -> **Jobs** -> **Create anomaly detection job** -> select your data view -> select **Security: Host** -> **Create jobs**. +- This package installs new ML jobs which include `_ea` suffix in their names, as outlined below. These jobs are available through the `Security: Host` module in Kibana. To install them, go to **Machine Learning** -> **Anomaly Detection** -> **Jobs** -> **Create anomaly detection job** -> select your data view -> select **Security: Host** -> **Create jobs**. - Previously installed `Security: Host` ML jobs will continue to run, allowing time to transition to the new Entity Analytics jobs. -- We recommend installing the new ML jobs and verifying that they are properly set up, collecting data, and generating anomalies. +- **Important**: We recommend installing the new ML jobs and verifying that they are properly set up, collecting data, and generating anomalies **before** deleting the old jobs and upgrading to the new version of the detection rules available in 9.4. The new detection rules reference ML job IDs with the `_ea` suffix and are not compatible with older versions of the jobs. - A new dashboard is available in this version with the suffix "(Entity Analytics)" in the title. If you are still running jobs from before this version, the original dashboard without the suffix remains available. 
The new Entity Analytics ML job IDs for this dashboard are: - `high_count_events_for_a_host_name_ea` -- `low_count_events_for_a_host_name_ea` \ No newline at end of file +- `low_count_events_for_a_host_name_ea` + +After confirming the new Entity Analytics ML jobs are running correctly, you can remove the following deprecated assets that have been superseded by the new Entity Analytics versions: + +- Delete old ML jobs: Navigate to **Stack Management -> Anomaly Detection Jobs** and delete the following jobs: + - `high_count_events_for_a_host_name` + - `low_count_events_for_a_host_name` \ No newline at end of file diff --git a/packages/lmd/docs/README.md b/packages/lmd/docs/README.md index bb307e4b1ba..7bb30b9e0a1 100644 --- a/packages/lmd/docs/README.md +++ b/packages/lmd/docs/README.md 
@@ -179,12 +179,11 @@ To customize the datafeed query and other settings such as model memory limit, f ## v3.0.0 and beyond -v3.0.0 of the package introduces support for Entity Analytics (EA) in Elastic Stack version 9.4, adding new fields for proper entity resolution. +v3.0.0 of this package requires Elastic Stack version 9.4 or later. It introduces support for Entity Analytics (EA), adding new fields for proper entity resolution. -- The new ML jobs include an `_ea` suffix in their names, as outlined below. New transforms and detection rules are also included. +- This package installs new ML jobs which include `_ea` suffix in their names, as outlined below. New transforms and detection rules are also included. - Previously installed ML jobs, transforms, and rules will continue to run, allowing time to transition to the new Entity Analytics assets. -- We recommend installing the new ML jobs and transforms and verifying that they are properly set up, collecting data, and generating anomalies. -- **Important**: New matching `_ea` detection rules for all supported stack versions will be available only after stack version 9.4 is publicly released. Continue to run your existing ML jobs and rules, without the `_ea` suffix, until then. +- **Important**: We recommend installing the new ML jobs and transforms and verifying that they are properly set up, collecting data, and generating anomalies **before** deleting the old jobs and upgrading to the new version of the detection rules available in 9.4. The new detection rules reference ML job IDs with the `_ea` suffix and are not compatible with older versions of the jobs. - The new Entity Analytics transforms write to separate destination indices postfixed with `_ea`. Create a new data view for the Entity Analytics anomaly detection jobs using the new destination indices/aliases listed below. Do not mix old and new transform destination indices in the same data view. 
- New dashboards are available in this version with the suffix "(Entity Analytics)" in the title. If you are still running jobs or transforms from before this version, the original dashboards without the suffix remain available. @@ -204,6 +203,23 @@ The new Entity Analytics ML job IDs are: The new Entity Analytics transforms are: - `lmd.pivot_transform_ea` → destination index: `ml-rdp-lmd_ea` +After confirming the new Entity Analytics ML jobs and transforms are running correctly, you can remove the following deprecated assets that have been superseded by the new Entity Analytics versions: + +- Delete old ML jobs: Navigate to **Stack Management -> Anomaly Detection Jobs** and delete the following jobs: + - `lmd_high_count_remote_file_transfer` + - `lmd_high_file_size_remote_file_transfer` + - `lmd_rare_file_extension_remote_transfer` + - `lmd_rare_file_path_remote_transfer` + - `lmd_high_mean_rdp_session_duration` + - `lmd_high_var_rdp_session_duration` + - `lmd_high_sum_rdp_number_of_processes` + - `lmd_unusual_time_weekday_rdp_session_start` + - `lmd_high_rdp_distinct_count_source_ip_for_destination` + - `lmd_high_rdp_distinct_count_destination_ip_for_source` + - `lmd_high_mean_rdp_process_args` +- Delete old transforms: Navigate to **Stack Management -> Data -> Transforms** and delete: + - `lmd.pivot_transform` + ## v2.0.0 and beyond v2.0.0 of the package introduces breaking changes, namely deprecating detection rules from the package. To continue receiving updates to Lateral Movement Detection, we recommend upgrading to v2.0.0 after doing the following: diff --git a/packages/lmd/manifest.yml b/packages/lmd/manifest.yml index 3884ecf6b27..4a4eab02480 100644 --- a/packages/lmd/manifest.yml +++ b/packages/lmd/manifest.yml @@ -11,7 +11,7 @@ categories: - advanced_analytics_ueba conditions: kibana: - version: "^8.9.0 || ^9.0.0" + version: "^9.4.0" elastic: subscription: platinum capabilities: 
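Review bot: the new **Important** bullet (identical in the ded, dga, hta and lmd README hunks above) orders the migration as "verify the `_ea` jobs, delete the old jobs, then upgrade the detection rules"; executed in that order, the still-installed non-`_ea` prebuilt ML rules keep pointing at job IDs that no longer exist and error until the rule upgrade lands. Suggest spelling out the sequence: verify the `_ea` jobs, upgrade and enable the `_ea` rules, disable the old rules, then delete the old jobs, and have the "Delete old ML jobs" steps say that each job's datafeed must be stopped and the job closed before the delete succeeds. Two further points: in ded and lmd the "Delete old transforms" step for `ded.pivot_transform` / `lmd.pivot_transform` should warn that choosing to drop the destination index along with the transform empties the original dashboards that the context line above says "remain available"; and the hta hunk still ends with the marker `\ No newline at end of file` after the added `low_count_events_for_a_host_name` line, which is worth fixing while that file is being touched.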
diff --git a/packages/pad/docs/README.md b/packages/pad/docs/README.md index 1197a8e3701..b70bd906352 100644 --- a/packages/pad/docs/README.md +++ b/packages/pad/docs/README.md 
@@ -155,12 +155,11 @@ To customize the datafeed query and other settings such as model memory limit, f ## v2.0.0 and beyond -v2.0.0 of the package introduces support for Entity Analytics (EA) in Elastic Stack version 9.4, adding new fields for proper entity resolution. +v2.0.0 of this package requires Elastic Stack version 9.4 or later. It introduces support for Entity Analytics (EA), adding new fields for proper entity resolution. -- The new ML jobs include an `_ea` suffix in their names, as outlined below. New transforms and detection rules are also included. +- This package installs new ML jobs which include `_ea` suffix in their names, as outlined below. New transforms and detection rules are also included. - Previously installed ML jobs, transforms, and rules will continue to run, allowing time to transition to the new Entity Analytics assets. -- We recommend installing the new ML jobs and transforms and verifying that they are properly set up, collecting data, and generating anomalies. -- **Important**: New matching `_ea` detection rules for all supported stack versions will be available only after stack version 9.4 is publicly released. Continue to run your existing ML jobs and rules, without the `_ea` suffix, until then. +- **Important**: We recommend installing the new ML jobs and transforms and verifying that they are properly set up, collecting data, and generating anomalies **before** deleting the old jobs and upgrading to the new version of the detection rules available in 9.4. The new detection rules reference ML job IDs with the `_ea` suffix and are not compatible with older versions of the jobs. - The new Entity Analytics transforms write to separate destination indices postfixed with `_ea`. Create a new data view for the Entity Analytics anomaly detection jobs using the new destination indices/aliases listed below. Do not mix old and new transform destination indices in the same data view. 
- New dashboards are available in this version with the suffix "(Entity Analytics)" in the title. If you are still running jobs or transforms from before this version, the original dashboards without the suffix remain available. 
@@ -191,6 +190,34 @@ The new Entity Analytics transforms are: - `pad.pivot_transform_okta_sessions_ea` → destination index: `ml_okta_multiple_user_sessions_pad_ea-2.0.0`, alias: `ml_okta_multiple_user_sessions_pad_ea.latest`, `ml_okta_multiple_user_sessions_pad_ea.all` - `pad.pivot_transform_win_privilege_list_ea` → destination index: `ml_windows_privilege_type_pad_ea-2.0.0`, alias: `ml_windows_privilege_type_pad_ea.latest`, `ml_windows_privilege_type_pad_ea.all` +After confirming the new Entity Analytics ML jobs and transforms are running correctly, you can remove the following deprecated assets that have been superseded by the new Entity Analytics versions: + +- Delete old ML jobs: Navigate to **Stack Management -> Anomaly Detection Jobs** and delete the following jobs: + - `pad_windows_high_count_special_logon_events` + - `pad_windows_high_count_special_privilege_use_events` + - `pad_windows_high_count_group_management_events` + - `pad_windows_high_count_user_account_management_events` + - `pad_windows_rare_privilege_assigned_to_user` + - `pad_windows_rare_group_name_by_user` + - `pad_windows_rare_device_by_user` + - `pad_windows_rare_source_ip_by_user` + - `pad_windows_rare_region_name_by_user` + - `pad_linux_high_count_privileged_process_events_by_user` + - `pad_linux_rare_process_executed_by_user` + - `pad_linux_high_median_process_command_line_entropy_by_user` + - `pad_okta_spike_in_group_membership_changes` + - `pad_okta_spike_in_user_lifecycle_management_changes` + - `pad_okta_spike_in_group_privilege_changes` + - `pad_okta_spike_in_group_application_assignment_changes` + - `pad_okta_spike_in_group_lifecycle_changes` + - `pad_okta_high_sum_concurrent_sessions_by_user` + - `pad_okta_rare_source_ip_by_user` + - `pad_okta_rare_region_name_by_user` + - `pad_okta_rare_host_name_by_user` +- Delete old transforms: Navigate to **Stack Management -> Data -> Transforms** and delete: + - `pad.pivot_transform_okta_multiple_sessions` + - 
`pad.pivot_transform_windows_privilege_list` + ## Licensing Usage in production requires that you have a license key that permits use of machine learning features. \ No newline at end of file diff --git a/packages/pad/manifest.yml b/packages/pad/manifest.yml index 4ac6c16c40b..156ff2404bf 100644 --- a/packages/pad/manifest.yml +++ b/packages/pad/manifest.yml @@ -11,7 +11,7 @@ categories: - advanced_analytics_ueba conditions: kibana: - version: "^8.18.0 || ^9.0.0" + version: "^9.4.0" elastic: subscription: platinum capabilities: diff --git a/packages/problemchild/docs/README.md b/packages/problemchild/docs/README.md index aa86b762255..4f7cec96914 100644 --- a/packages/problemchild/docs/README.md +++ b/packages/problemchild/docs/README.md 
@@ -158,12 +158,11 @@ To customize the datafeed query and other settings such as model memory limit, f ## v3.0.0 and beyond -v3.0.0 of the package introduces support for Entity Analytics (EA) in Elastic Stack version 9.4, adding new fields for proper entity resolution. +v3.0.0 of this package requires Elastic Stack version 9.4 or later. It introduces support for Entity Analytics (EA), adding new fields for proper entity resolution. -- The new ML jobs include an `_ea` suffix in their names, as outlined below. New detection rules are also included. +- This package installs new ML jobs which include `_ea` suffix in their names, as outlined below. New detection rules are also included. - Previously installed ML jobs and rules will continue to run, allowing time to transition to the new Entity Analytics assets. -- We recommend installing the new ML jobs and verifying that they are properly set up, collecting data, and generating anomalies. -- **Important**: New matching `_ea` detection rules for all supported stack versions will be available only after stack version 9.4 is publicly released. Continue to run your existing ML jobs and rules, without the `_ea` suffix, until then. +- **Important**: We recommend installing the new ML jobs and verifying that they are properly set up, collecting data, and generating anomalies **before** deleting the old jobs and upgrading to the new version of the detection rules available in 9.4. The new detection rules reference ML job IDs with the `_ea` suffix and are not compatible with older versions of the jobs. The new Entity Analytics ML job IDs are: - `problem_child_rare_process_by_host_ea` 
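Review bot: in the pad README deletion list (hunk `@@ -191,6 +190,34 @@` above), the old transform IDs `pad.pivot_transform_okta_multiple_sessions` and `pad.pivot_transform_windows_privilege_list` are not the new IDs minus `_ea` (`pad.pivot_transform_okta_sessions_ea`, `pad.pivot_transform_win_privilege_list_ea`), so a reader cannot cross-check them from this page; please confirm both strings against the transform IDs the previous package version actually installed, because a user following a wrong ID either finds nothing to delete or deletes the wrong transform. Separately, this patch changes `kibana.version` to `"^9.4.0"` in the ded, dga, lmd, pad and problemchild manifests, which drops every 8.x and 9.0 to 9.3 install from future package updates, yet the diff stat lists no `changelog.yml` for any of the five packages; record the pin as a breaking change in each changelog (the beaconing commit earlier in this series shows the entry format).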
@@ -173,6 +172,16 @@ The new Entity Analytics ML job IDs are: - `problem_child_high_sum_by_user_ea` - `problem_child_high_sum_by_parent_ea` +After confirming the new Entity Analytics ML jobs are running correctly, you can remove the following deprecated assets that have been superseded by the new Entity Analytics versions: + +- Delete old ML jobs: Navigate to **Stack Management -> Anomaly Detection Jobs** and delete the following jobs: + - `problem_child_rare_process_by_host` + - `problem_child_high_sum_by_host` + - `problem_child_rare_process_by_user` + - `problem_child_rare_process_by_parent` + - `problem_child_high_sum_by_user` + - `problem_child_high_sum_by_parent` + ## v2.0.0 and beyond v2.0.0 of the package introduces breaking changes, namely deprecating detection rules from the package. To continue receiving updates to LotL Detection, we recommend upgrading to v2.0.0 after doing the following: diff --git a/packages/problemchild/manifest.yml b/packages/problemchild/manifest.yml index 9b0b3785c0c..28e9995a702 100644 --- a/packages/problemchild/manifest.yml +++ b/packages/problemchild/manifest.yml @@ -11,7 +11,7 @@ categories: - advanced_analytics_ueba conditions: kibana: - version: "^8.9.0 || ^9.0.0" + version: "^9.4.0" elastic: subscription: platinum capabilities: From 6c5fb95a2016e16fb48dad460d83abeade242600 Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Mon, 20 Apr 2026 08:50:18 -0500 Subject: [PATCH 39/44] Update packages/lmd/docs/README.md Co-authored-by: Susan <23287722+susan-shu-c@users.noreply.github.com> --- packages/lmd/docs/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/lmd/docs/README.md b/packages/lmd/docs/README.md index 7bb30b9e0a1..08842daa4a3 100644 --- a/packages/lmd/docs/README.md +++ b/packages/lmd/docs/README.md 
@@ -203,7 +203,7 @@ The new Entity Analytics ML job IDs are: The new Entity Analytics transforms are: - `lmd.pivot_transform_ea` → destination index: `ml-rdp-lmd_ea` -After confirming the new Entity Analytics ML jobs and transforms are running correctly, you can remove the following deprecated assets that have been superseded by the new Entity Analytics versions: +After confirming the new Entity Analytics ML jobs and transforms are running correctly, you can remove the following deprecated assets that have been superseded by the new Entity Analytics versions (Elastic stack v9.4+): - Delete old ML jobs: Navigate to **Stack Management -> Anomaly Detection Jobs** and delete the following jobs: - `lmd_high_count_remote_file_transfer` From da9adeac1728e74fb2f960c9299be60a314c96ac Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Mon, 20 Apr 2026 08:50:32 -0500 Subject: [PATCH 40/44] Update packages/ded/docs/README.md Co-authored-by: Susan <23287722+susan-shu-c@users.noreply.github.com> --- packages/ded/docs/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/ded/docs/README.md b/packages/ded/docs/README.md index 59ce4e4bba7..f3719259f72 100644 --- a/packages/ded/docs/README.md +++ b/packages/ded/docs/README.md 
@@ -121,7 +121,7 @@ The new Entity Analytics ML job IDs are: The new Entity Analytics transforms are: - `ded.pivot_transform_ea` → destination index: `ml_network_ded_ea-3.0.0`, alias: `ml_network_ded_ea.latest`, `ml_network_ded_ea.all` -After confirming the new Entity Analytics ML jobs and transforms are running correctly, you can remove the following deprecated assets that have been superseded by the new Entity Analytics versions: +After confirming the new Entity Analytics ML jobs and transforms are running correctly, you can remove the following deprecated assets that have been superseded by the new Entity Analytics versions (Elastic stack 9.4+): - Delete old ML jobs: Navigate to **Stack Management -> Anomaly Detection Jobs** and delete the following jobs: - `ded_high_sent_bytes_destination_geo_country_iso_code` From 4d14aadae3c9623424342fead88b66989d834789 Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Mon, 20 Apr 2026 08:50:51 -0500 Subject: [PATCH 41/44] Update packages/dga/docs/README.md Co-authored-by: Susan <23287722+susan-shu-c@users.noreply.github.com> --- packages/dga/docs/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/dga/docs/README.md b/packages/dga/docs/README.md index 8307ac8ece1..672a3e521ad 100644 --- a/packages/dga/docs/README.md +++ b/packages/dga/docs/README.md 
@@ -118,7 +118,7 @@ v3.0.0 of this package requires Elastic Stack version 9.4 or later. It introduce The new Entity Analytics ML job IDs are: - `dga_high_sum_probability_ea` -After confirming the new Entity Analytics ML jobs are running correctly, you can remove the following deprecated assets that have been superseded by the new Entity Analytics versions: +After confirming the new Entity Analytics ML jobs are running correctly, you can remove the following deprecated assets that have been superseded by the new Entity Analytics versions (Elastic stack 9.4+): - Delete old ML jobs: Navigate to **Stack Management -> Anomaly Detection Jobs** and delete the following jobs: - `dga_high_sum_probability` From 045ec632fd08ab3cc97205a560798374579223e3 Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Mon, 20 Apr 2026 08:51:03 -0500 Subject: [PATCH 42/44] Update packages/hta/docs/README.md Co-authored-by: Susan <23287722+susan-shu-c@users.noreply.github.com> --- packages/hta/docs/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/hta/docs/README.md b/packages/hta/docs/README.md index 0c6caaae8e8..a29c763338b 100644 --- a/packages/hta/docs/README.md +++ b/packages/hta/docs/README.md @@ -29,7 +29,7 @@ The new Entity Analytics ML job IDs for this dashboard are: - `high_count_events_for_a_host_name_ea` - `low_count_events_for_a_host_name_ea` -After confirming the new Entity Analytics ML jobs are running correctly, you can remove the following deprecated assets that have been superseded by the new Entity Analytics versions: +After confirming the new Entity Analytics ML jobs are running correctly, you can remove the following deprecated assets that have been superseded by the new Entity Analytics versions (Elastic stack 9.4+): - Delete old ML jobs: Navigate to **Stack Management -> Anomaly Detection Jobs** and delete the following jobs: - `high_count_events_for_a_host_name` 
From 476a751c4f7571b8c75901cb2d46102d8ff74da6 Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Mon, 20 Apr 2026 08:51:17 -0500 Subject: [PATCH 43/44] Update packages/problemchild/docs/README.md Co-authored-by: Susan <23287722+susan-shu-c@users.noreply.github.com> --- packages/problemchild/docs/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/problemchild/docs/README.md b/packages/problemchild/docs/README.md index 4f7cec96914..9ca1920c936 100644 --- a/packages/problemchild/docs/README.md +++ b/packages/problemchild/docs/README.md @@ -172,7 +172,7 @@ The new Entity Analytics ML job IDs are: - `problem_child_high_sum_by_user_ea` - `problem_child_high_sum_by_parent_ea` -After confirming the new Entity Analytics ML jobs are running correctly, you can remove the following deprecated assets that have been superseded by the new Entity Analytics versions: +After confirming the new Entity Analytics ML jobs are running correctly, you can remove the following deprecated assets that have been superseded by the new Entity Analytics versions (Elastic stack 9.4+): - Delete old ML jobs: Navigate to **Stack Management -> Anomaly Detection Jobs** and delete the following jobs: - `problem_child_rare_process_by_host` From 3f5c9a89844762e9ff6a132294dd42085266bdd8 Mon Sep 17 00:00:00 2001 From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com> Date: Mon, 20 Apr 2026 08:51:30 -0500 Subject: [PATCH 44/44] Update packages/pad/docs/README.md Co-authored-by: Susan <23287722+susan-shu-c@users.noreply.github.com> --- packages/pad/docs/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/pad/docs/README.md b/packages/pad/docs/README.md index b70bd906352..94bf0b48565 100644 --- a/packages/pad/docs/README.md +++ b/packages/pad/docs/README.md 
@@ -190,7 +190,7 @@ The new Entity Analytics transforms are: - `pad.pivot_transform_okta_sessions_ea` → destination index: `ml_okta_multiple_user_sessions_pad_ea-2.0.0`, alias: `ml_okta_multiple_user_sessions_pad_ea.latest`, `ml_okta_multiple_user_sessions_pad_ea.all` - `pad.pivot_transform_win_privilege_list_ea` → destination index: `ml_windows_privilege_type_pad_ea-2.0.0`, alias: `ml_windows_privilege_type_pad_ea.latest`, `ml_windows_privilege_type_pad_ea.all` -After confirming the new Entity Analytics ML jobs and transforms are running correctly, you can remove the following deprecated assets that have been superseded by the new Entity Analytics versions: +After confirming the new Entity Analytics ML jobs and transforms are running correctly, you can remove the following deprecated assets that have been superseded by the new Entity Analytics versions (Elastic stack 9.4+): - Delete old ML jobs: Navigate to **Stack Management -> Anomaly Detection Jobs** and delete the following jobs: - `pad_windows_high_count_special_logon_events`
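Review bot: In the packages/ded/docs/README.md hunk the added parenthetical `(Elastic stack 9.4+)` lowercases "stack"; the product name is Elastic Stack, so it should read `(Elastic Stack 9.4+)`. Appending the requirement after "versions" also leaves it unclear whether 9.4+ qualifies the deprecated assets or their replacements; folding it into the clause, e.g. `superseded by the new Entity Analytics versions, which require Elastic Stack 9.4 or later:`, removes that ambiguity.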
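Review bot: In the packages/dga/docs/README.md hunk the new text `(Elastic stack 9.4+)` is inconsistent with the hunk's own context line, `v3.0.0 of this package requires Elastic Stack version 9.4 or later`, which capitalizes Stack. Use `(Elastic Stack 9.4+)`, or drop the parenthetical entirely since the version requirement is already stated a few lines above in the same section.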
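Review bot: The packages/hta/docs/README.md hunk introduces the lowercase product name in `(Elastic stack 9.4+)`; change it to `(Elastic Stack 9.4+)` to match the capitalized form the dga README already uses (`requires Elastic Stack version 9.4 or later`).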
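Review bot: The packages/problemchild/docs/README.md hunk has the same `Elastic stack` capitalization slip as the other README edits in this series; since the identical sentence is being added to several packages at once, settle on one wording (`(Elastic Stack 9.4+)`) so the copy does not drift between packages.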
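Review bot: In the packages/pad/docs/README.md hunk, `(Elastic stack 9.4+)` should be `(Elastic Stack 9.4+)`. Because this README's sentence covers both ML jobs and transforms, a reader could also take "9.4+" as the version of the `pad.pivot_transform_*_ea` transforms listed just above rather than of the stack; stating it as `require Elastic Stack 9.4 or later` avoids that reading.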
